Privacy Policy

1. Information we collect

1.1 Account and billing information

When you request a demo, pilot conversation, or service scope, SMEG may collect:

• Name, work email, work phone, job title, and organization name.
• Billing contact information if a paid engagement is created. Payment-processing details will be handled through an approved payment processor if/when enabled.

1.2 Service-use data

If an approved paid pilot/service is executed after BAA and intake approval, SMEG may collect:

• Therapy notes and supporting documentation that you submit through the approved intake path for documentation-risk review. To the extent these contain PHI, they are governed by your executed Business Associate Agreement and the SMEG HIPAA Notice — not this Privacy Policy.
• Usage telemetry: pages viewed, features used, request timestamps, error logs. Telemetry is associated with your account, not with individual patients.
• Device and connection metadata: IP address, browser user-agent, language, OS.

1.3 Lead-magnet and form submissions

If you complete the audit-readiness worksheet, risk estimator, or a contact form, SMEG uses the fields you submit to respond and follow up. The public worksheet does not transmit PHI and should not include patient-specific details.

1.4 Cookies and analytics

The current marketing site is designed to avoid PHI collection. If analytics or cookies are added, they should be limited to site operations and privacy-respecting measurement; this policy will be updated if material tracking changes.

2. How we use information

• Provide agreed services. Respond to inquiries, scope pilots, run approved documentation-risk review, and provide reports when contracted.
• Operate and improve. Diagnose errors, secure the platform, prevent abuse, build aggregate de-identified product insights.
• Communicate with you. Service notices, billing, security alerts, and (where you've opted in) product updates and documentation-risk updates.
• Comply with legal obligations. Respond to lawful requests, audit demands, and safety obligations.

SMEG does not use your data for any purpose materially different from those above without first notifying you.

3. Third-party processors we use

SMEG will use only approved vendors for hosting, communications, payment processing, and any PHI-handling workflow. PHI-handling vendors require appropriate contracts/BAAs before PHI is exchanged.

SMEG maintains a current list of Subprocessors and will provide written notice before adding a new Subprocessor that materially changes risk to customers' data. Email smeg@suprememedicalevaluationgroup.com with subject "Subprocessor list" to receive the current list.

4. How we share information

SMEG shares information only:

• With Subprocessors as listed above, under written contracts.
• With your authorized users within your organization.
• If required by law, valid legal process, or to protect rights and safety, with notice to you where lawful.
• In connection with a corporate transaction (merger, acquisition, financing, or sale of assets), with successor obligations to honor this Policy.

SMEG does not sell or share personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act ("CCPA").

5. Retention

SMEG retains personal information only as long as necessary to provide the Service and meet legal obligations. Account information persists for the life of the account plus a reasonable wind-down period. Service-use telemetry is aggregated or deleted within 13 months. PHI retention is governed by the executed BAA and is generally aligned with the customer's record-retention obligations under state nursing-home and Medicare regulations.

6. Your rights

Regardless of where you live, SMEG honors the following requests for the personal information we control:

• Access. A copy of the personal information we hold about you.
• Correction. Update inaccurate information.
• Deletion. Erase personal information, subject to legal-hold exceptions.
• Portability. Receive a machine-readable export.
• Opt out of sale / sharing. SMEG does not sell or share for behavioral advertising; the Global Privacy Control signal is honored as a valid request.
• Withdraw consent for marketing communications at any time via the unsubscribe link or by emailing smeg@suprememedicalevaluationgroup.com.

For PHI access, amendment, restriction, or accounting of disclosures, the request flows through your Covered Entity; see /legal/hipaa.

7. Security

SMEG implements reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. Specific HIPAA-aligned controls are described at /legal/hipaa. No system is perfectly secure; SMEG will notify you in accordance with applicable law in the event of a security incident affecting your personal information.

8. International transfers

SMEG processes information primarily in the United States. Where personal information is transferred from outside the U.S., SMEG relies on the customer's lawful basis for transfer and, where required, executes the European Commission's Standard Contractual Clauses or equivalent safeguards.

9. Children's privacy

The Service is intended for adult skilled-nursing and clinical workforce users. SMEG does not knowingly collect personal information from individuals under the age of 18 outside the context of a Covered Entity's clinical record (where it is governed by HIPAA and the BAA, not this Policy).

10. Changes to this policy

SMEG will post material changes to this Policy on this page and update the "Effective" date above. Where required by law, SMEG will provide additional notice (e.g., email to account contacts) for material changes.

11. Contact

Privacy questions, requests, and complaints:

• Email: smeg@suprememedicalevaluationgroup.com (subject line: "Privacy request")
• Phone: (818) 468-4099
• Mail: Supreme Medical Evaluation Group, LLC, 5786 Pawstand Avenue, Las Vegas, NV 89000