Privacy Policy
Last Updated: January 20, 2026
At sycana AI ("we," "our," or "us"), we are committed to protecting the privacy and security of your data, particularly regarding Protected Health Information (PHI). This Privacy Policy outlines our practices for collecting, using, maintaining, protecting, and disclosing information in accordance with HIPAA and other applicable laws.
1. Our Role as a Business Associate
When you allow us to process PHI on your behalf, we act as a "Business Associate" under the Health Insurance Portability and Accountability Act (HIPAA). Our use and disclosure of PHI are governed by the Business Associate Agreement (BAA) entered into between us and your organization ("Covered Entity"). In the event of a conflict between this Privacy Policy and the BAA, the BAA controls with respect to PHI.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, organization name, and billing details.
- Customer Data (PHI): Patient records, referral documents, faxes, and other clinical data uploaded to the sycana AI Platform.
2.2 Application Usage Data
We collect metadata about how authorized users interact with our platform (e.g., login times, features used) to improve system performance and security. This usage data does NOT include PHI content.
3. How We Use Information
We use information only for the following purposes:
- To provide, maintain, and improve the sycana AI Platform services.
- To perform our obligations under the BAA and Service Agreement.
- To detect, prevent, and address technical issues or security breaches.
- To comply with legal obligations.
Important: We do NOT sell your data. We do NOT use your private PHI to train public-facing AI models or LLMs shared with other customers.
4. Data Security
We implement defense-in-depth security measures to protect your information:
- Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Access Control: Strict Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA).
- Audits: Regular security assessments and SOC 2 Type II compliance reviews.
5. Data Retention
We retain Customer Data only for as long as required to provide the Services or as required by law. Upon termination of the Service Agreement, we will return or destroy PHI in accordance with the terms of our BAA.
6. Changes to this Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date.
7. Contact Us
If you have any questions about this Privacy Policy or our privacy practices, please contact our Privacy Officer at:
Email: privacy@sycana.ai
Address: Security Dept, sycana AI, San Francisco, CA.