Last updated: June 19, 2026
Privacy Policy
PaiKnight LLC, 254 Chapman Rd, Ste 208 #28091, Newark, Delaware 19702, privacy@paiknight.com
Defined Terms
As used in this Privacy Policy:
- “PaiKnight” means PaiKnight LLC, a Delaware limited liability company, and its officers, directors, employees, contractors, and agents.
- “Provider” means any dental practice, oral-surgery practice, or other healthcare entity that has entered into a Services Agreement and a Business Associate Agreement with PaiKnight and uses the Services on behalf of its patients.
- “Authorized Users” means Provider personnel (e.g., dentists, office managers, front-desk staff) and PaiKnight internal staff (e.g., case handlers, team leads, account managers, compliance officers, and administrators) who access the Services under a Provider or PaiKnight account.
- “Services” means the PaiKnight revenue-cycle-management coordination platform, including the Provider Portal, the Internal Operations Console, all associated APIs, and any related websites, applications, communications, and support.
- “PHI” has the meaning given in 45 C.F.R. § 160.103: individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate in connection with the provision of health care.
- “Patient” means an individual whose dental or oral-surgery care is the subject of a reimbursement coordination case managed through the Services on behalf of a Provider.
1. Who We Are and Scope of This Policy
PaiKnight is a U.S.-based administrative and coordination platform that helps dental and oral-surgery Providers navigate insurer reimbursement for high-value, medically necessary procedures — including pre-authorization, benefits verification, letters of medical necessity, single case agreements, gap exceptions, and administrative appeals. PaiKnight is headquartered at 254 Chapman Rd, Ste 208 #28091, Newark, Delaware 19702.
This Privacy Policy describes how PaiKnight collects, uses, and shares personal information about:
- Provider Authorized Users (Provider employees and PaiKnight employees and contractors) who create or use accounts to access the Services; and
- Website visitors and marketing leads who interact with PaiKnight’s public website(s) or marketing channels.
This Privacy Policy does NOT govern Protected Health Information (PHI). See Section 2 immediately below for the critical distinction between PHI and personal data covered by this Policy.
2. Critical Boundary — PHI vs. Personal Data Under This Policy
2.1 How PaiKnight Handles PHI
PaiKnight acts solely as a HIPAA Business Associate of the Provider (a Covered Entity). When PaiKnight accesses, processes, or transmits PHI on behalf of a Provider, it does so under a signed Business Associate Agreement (“BAA”) with that Provider, pursuant to 45 C.F.R. Parts 160 and 164 (the HIPAA Privacy Rule and Security Rule). PaiKnight’s access to PHI is limited to what is necessary to perform administrative coordination Services on behalf of the Provider.
PaiKnight does NOT issue a Notice of Privacy Practices (“NPP”). The NPP is the obligation of the Provider, as a Covered Entity, to its Patients. Patients who have questions about how their PHI is handled should contact their dental or oral-surgery Provider directly and review the Provider’s NPP.
2.2 What This Policy Does Cover
This Privacy Policy covers non-PHI personal information that PaiKnight collects in its own right, including:
- Account and identity information about Authorized Users (Provider personnel and PaiKnight employees and contractors);
- Usage, device, and technical data generated when Authorized Users access the Services; and
- Contact and marketing information about website visitors and prospective Provider customers (leads).
For the avoidance of doubt, Patients are not end-users of the Services and are not the subject of this Policy. Patient data within the Services is PHI governed exclusively by HIPAA, the applicable BAA, and the Provider’s own privacy practices.
3. Information We Collect
3.1 Account and Identity Information
When a Provider enrolls for the Services or when PaiKnight creates an internal Authorized User account, PaiKnight collects:
- Full name, job title, and role;
- Business email address and business phone number;
- Provider practice name, tax identification number (EIN), National Provider Identifier (NPI), business address, and state of licensure;
- Credentials and authentication data (hashed passwords, multi-factor authentication enrollment status, session data);
- Billing and payment information for PaiKnight’s own subscription and per-case administrative fees (collected and processed through Stripe; PaiKnight does not store full payment card numbers); and
- Signatures and acknowledgment records for the Services Agreement, BAA, and HIPAA training completion.
3.2 Usage and Platform Data
When Authorized Users interact with the Services, PaiKnight automatically collects:
- Case workflow events and status changes (including timestamps, role of the user taking the action, and jurisdiction/country of access for cross-border audit purposes);
- Access logs, including login history, session duration, IP address at time of access, and device identifiers;
- Feature-usage data (pages visited, modules used, reports generated, document uploads/downloads) at the account level; and
- Error and performance data, which is processed through Sentry with PHI-scrubbing enabled to prevent any patient-identifiable data from appearing in error reports.
3.3 Device and Technical Data
When any user visits PaiKnight’s website(s) or uses the Services, PaiKnight or its service providers may automatically collect:
- Browser type and version, operating system, and device type;
- IP address and approximate geographic location (city/state level);
- Referring URL and pages visited; and
- Cookie identifiers and similar tracking technologies (see Section 6).
3.4 Marketing Lead Information
When a prospective Provider (or its representative) submits an inquiry form, requests a demo, subscribes to PaiKnight communications, or otherwise contacts PaiKnight through marketing channels, PaiKnight collects:
- Name, business email address, and phone number;
- Practice name, specialty, and state;
- Information provided in free-text inquiry fields; and
- Communication history and marketing engagement data (email opens, link clicks).
4. How We Use the Information We Collect
PaiKnight uses the personal information described in Section 3 for the following purposes:
Providing and operating the Services:
- Creating, maintaining, and authenticating Authorized User accounts;
- Enabling workflow functions (case management, document handling, insurer-call support, and analytics);
- Processing billing for the SaaS subscription, per-case administrative fees, and communication credits through Stripe;
- Sending transactional communications (account confirmations, password resets, billing receipts, case-workflow notifications, and patient-balance reminder emails sent in the Provider’s name); and
- Enforcing role-based access controls so each Authorized User accesses only the data and functions appropriate to their role and assigned case book.
Security, compliance, and audit:
- Maintaining immutable audit logs of PHI access and all material actions within the Services, including jurisdiction and country metadata for cross-border access events;
- Monitoring for unauthorized access, abuse, and security incidents;
- Fulfilling PaiKnight’s obligations under HIPAA (as a Business Associate), applicable BAAs, and the HIPAA Security Rule;
- Tracking HIPAA training completion and BAA execution status as access-gating requirements; and
- Generating compliance evidence packs (uniform-pricing records, BAA registers, training registers, access logs, and insurer-interaction histories) for audit-defense purposes.
Legal obligations:
- Complying with applicable federal and state laws, regulations, and lawful government requests;
- Enforcing PaiKnight’s agreements; and
- Investigating and responding to potential security breaches or violations of policy.
Marketing and business development:
- Communicating with prospective Providers about the Services;
- Sending newsletters, product updates, and event invitations to individuals who have opted in or where otherwise permitted by law; and
- Analyzing marketing-channel performance.
Service improvement:
- Aggregating and analyzing non-PHI usage data to improve platform features, reliability, and performance.
PaiKnight does not sell personal information. PaiKnight does not use personal information to make automated decisions that produce legal or similarly significant effects on individuals without human review.
5. Disclosure of Information and Sub-Processors
PaiKnight does not sell personal information to third parties for their own marketing use. PaiKnight may share personal information in the following limited circumstances:
5.1 Service Providers and Sub-Processors
PaiKnight engages the following categories of sub-processors who may process personal information (and, in the case of BAA-covered sub-processors, PHI on behalf of a Provider) to provide the Services:
| Sub-Processor | Category | Data Processed | BAA Required |
|---|---|---|---|
| Stripe, Inc. (USA) | Payment processing | Authorized User billing data; subscription and fee transactions | No (payment data, not PHI) |
| Amazon Web Services, Inc. (AWS) (USA) | Cloud infrastructure and storage | All platform data, including PHI in BAA-covered configurations | Yes |
| Google Cloud Platform (GCP) (USA) | Cloud infrastructure and database | All platform data, including PHI in BAA-covered configurations | Yes |
| Amazon Web Services — SES / Resend | Transactional email delivery | Authorized User email addresses; notification content | Yes (for PHI-bearing notifications) |
| Sentry | Error monitoring and diagnostics | Error reports (PHI-scrubbed before transmission) | |
| PaiKnight’s offshore processing personnel | Case-handling operations (offshore) | PHI and Authorized User data, under signed subcontractor BAA and with encrypted cross-border transmission | Yes |
PaiKnight maintains a vendor-BAA register and enforces a PHI-tool allowlist. PaiKnight does not permit PHI to enter any third-party tool that has not executed a BAA with PaiKnight.
5.2 Business Transfers
If PaiKnight undergoes a merger, acquisition, asset sale, or reorganization, personal information may be transferred to the successor entity subject to equivalent privacy protections. PaiKnight will notify affected individuals as required by applicable law.
5.3 Legal and Regulatory Disclosures
PaiKnight may disclose personal information when required by law, subpoena, court order, or other legal process, or when PaiKnight in good faith believes disclosure is necessary to (a) comply with applicable law or regulation; (b) protect the rights, property, or safety of PaiKnight, Providers, Authorized Users, or the public; or (c) detect, prevent, or address fraud, security, or technical issues.
5.4 With Your Consent
PaiKnight may share personal information for any other purpose with the explicit prior consent of the individual.
6. Cookies and Analytics
6.1 What We Use
PaiKnight’s website(s) and Services use cookies and similar technologies, including:
- Strictly necessary cookies: Required for authentication, session management, security (CSRF tokens), and basic platform functionality. These cannot be disabled without breaking the Services.
- Functional cookies: Retain user preferences (e.g., display settings, notification preferences) to improve the user experience.
- Analytics cookies: Aggregate, non-PHI usage statistics to understand how Authorized Users and website visitors interact with the Services and website, used to improve functionality and content.
- Marketing cookies: On public-facing marketing pages only, to track campaign effectiveness and serve relevant advertising. PaiKnight does not serve behavioral advertising within the authenticated Services.
6.2 Managing Cookies
Website visitors may manage cookie preferences through:
- Browser settings (most browsers allow refusal or deletion of cookies);
- A cookie consent banner / preference center; and
- Opt-out tools for specific analytics providers at the links provided in the cookie banner.
Disabling analytics or marketing cookies will not affect access to the Services for Authorized Users (whose only required cookies are strictly necessary and functional).
7. Your U.S. State Privacy Rights
7.1 Overview
Several U.S. state privacy laws grant residents of those states certain rights with respect to their personal information. This section describes those rights and how to exercise them. These rights apply to non-PHI personal information governed by this Policy. PHI is governed by HIPAA and the Provider’s own Notice of Privacy Practices, not this Policy.
7.2 California Residents — CCPA / CPRA
If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA/CPRA”), may grant you the following rights:
- Right to Know: You may request that PaiKnight disclose the categories and specific pieces of personal information it has collected about you, the categories of sources from which it was collected, the business or commercial purpose for collection, and the categories of third parties with whom PaiKnight shares it.
- Right to Delete: You may request deletion of personal information PaiKnight has collected about you, subject to certain exceptions (e.g., information needed to complete a transaction, comply with a legal obligation, or for security purposes).
- Right to Correct: You may request correction of inaccurate personal information PaiKnight holds about you.
- Right to Opt Out of Sale or Sharing: PaiKnight does not sell personal information or share it for cross-context behavioral advertising as those terms are defined under CCPA/CPRA. No opt-out is required, but you may submit a request to confirm.
- Right to Limit Use of Sensitive Personal Information: To the extent PaiKnight collects “sensitive personal information” as defined under CPRA (which may include precise geolocation, account credentials, or health-related information), you may request that PaiKnight limit its use to the purposes permitted by the CPRA. PaiKnight uses sensitive personal information only to provide the Services and for security and compliance purposes.
- Right to Non-Discrimination: PaiKnight will not discriminate against you for exercising your CCPA/CPRA rights. You will not receive a different level or quality of Services as a result of a rights request.
7.3 Other State Residents
Residents of the following states may have similar rights (right to access, correct, delete, opt out of sale/targeted advertising, and appeal PaiKnight’s response to a rights request) under their respective state privacy laws:
- Virginia — Consumer Data Protection Act (CDPA), Va. Code § 59.1-571 et seq.
- Colorado — Colorado Privacy Act (CPA), C.R.S. § 6-1-1301 et seq.
- Connecticut — Connecticut Data Privacy Act (CTDPA), Conn. Gen. Stat. § 42-515 et seq.
- Texas — Texas Data Privacy and Security Act (TDPSA), Tex. Bus. & Com. Code § 541.001 et seq. (Note: Texas also maintains the Texas Health Privacy Law (HB 300), which applies to covered entities and business associates handling PHI of Texas residents and supplements HIPAA.)
- Washington — Washington My Health My Data Act (WMHMDA), RCW § 70.372 et seq. (Note: The WMHMDA has a broad definition of “consumer health data” that may extend beyond HIPAA’s PHI definition; PaiKnight takes the position that its processing of health-related data is exclusively as a HIPAA Business Associate under a BAA, but counsel should confirm whether WMHMDA obligations apply independently to any data PaiKnight processes in its own right.)
- Other states, as applicable at the time of launch.
7.4 How to Exercise Your Rights
To submit a privacy rights request, contact PaiKnight using the information in Section 13 or by emailing privacy@paiknight.com. Include:
- Your full name and the email address associated with your account or marketing contact record;
- The specific right(s) you wish to exercise; and
- Sufficient information for PaiKnight to verify your identity.
PaiKnight will verify your identity before processing any request to access, delete, or correct personal information. Verification may require confirmation of account credentials, a response to an account-associated email address, or additional identifying information. PaiKnight will respond to a verifiable consumer request within the timeframe required by applicable law (generally 45 days, with an extension of up to 45 additional days where reasonably necessary, with notice).
If PaiKnight declines to take action on your request, PaiKnight will inform you of the reasons and, where required by applicable law, provide instructions for appealing the decision.
8. Security
PaiKnight implements technical, administrative, and physical safeguards designed to protect personal information and PHI from unauthorized access, disclosure, alteration, and destruction. Key security measures include:
- Encryption at rest: PHI and sensitive personal information are encrypted using AES-256-GCM. PaiKnight does not use weaker cipher modes (e.g., CBC without authentication) for PHI fields.
- Encryption in transit: All data transmitted between users and the Services, and between the Services and sub-processors, is protected by TLS. Cross-border transmissions to the offshore processing team use encrypted channels.
- Access controls: Role-based access control (RBAC) limits each Authorized User to the data and functions appropriate to their assigned role and case book. Case handlers access only their assigned patients. Developer roles have no PHI access by default.
- Authentication: Multi-factor authentication (MFA) is enforced for all Authorized Users. Sessions expire after inactivity. Account lockout is enforced after repeated failed authentication attempts.
- Audit logging: All PHI access and material platform actions are recorded in an immutable audit log with timestamps, user identity, action type, and jurisdiction/country metadata. Logs cannot be altered or deleted by platform users.
- HIPAA training: PaiKnight employees and contractors with PHI access must complete HIPAA training before receiving access; access is gated on current training status.
- Vendor controls: PaiKnight maintains a vendor-BAA register and a PHI-tool allowlist to ensure PHI is processed only by sub-processors that have executed a BAA.
- Error monitoring: Error-monitoring tools (Sentry) are configured with PHI-scrubbing rules to prevent patient-identifiable information from appearing in error reports.
- Breach response: PaiKnight maintains an incident-response and breach-notification process designed to meet the timelines required under HIPAA, applicable state breach-notification laws, and any BAA obligations.
No security system is impenetrable. If you believe your account has been compromised or if you have discovered a potential security vulnerability, please notify PaiKnight immediately at privacy@paiknight.com.
9. Data Retention
PaiKnight retains personal information for as long as necessary to fulfill the purposes described in this Policy, comply with applicable legal and regulatory obligations, resolve disputes, and enforce PaiKnight’s agreements.
General retention principles:
- Authorized User account data is retained for the duration of the active Services relationship and for a period of seven (7) years after account termination, or as required by applicable law or a BAA.
- Audit logs (PHI access and material actions) are retained in accordance with HIPAA’s minimum six-year retention requirement for documentation related to policies and procedures, and in accordance with any longer period required under applicable state law or a BAA.
- Marketing lead data is retained until the contact opts out or requests deletion, subject to applicable law.
- Billing records are retained for the period required by applicable tax and financial-records laws.
Upon expiration of the applicable retention period, PaiKnight will delete or de-identify personal information in accordance with its data-retention policy, unless a legal hold or other obligation requires continued retention.
10. International and Offshore Data Processing
PaiKnight’s Services are operated from the United States. However, PaiKnight engages an offshore processing team (currently based in the Philippines) to perform case-handling operations. Members of this team may access PHI and Authorized User data as part of their work.
PaiKnight takes the following measures to address cross-border data transfers:
- Subcontractor BAA: The offshore processing team has executed a Business Associate Agreement with PaiKnight that satisfies the requirements of 45 C.F.R. § 164.308(b) for subcontractor arrangements.
- Encrypted transmission: All data transmitted to and from the offshore team is encrypted in transit using TLS. PHI is encrypted at rest (AES-256-GCM) before transmission and at the storage layer.
- Audit logging with jurisdiction metadata: Every PHI access event, regardless of geography, is recorded in the immutable audit log with a jurisdiction/country field identifying the location from which the access occurred.
- Least-privilege access: Offshore team members access only the cases assigned to them and have no broader PHI access.
- HIPAA training: Offshore team members with PHI access must complete HIPAA training and maintain current training status as a condition of access.
PaiKnight does not transfer personal information of Authorized Users (i.e., non-PHI account data) outside the United States except through the sub-processors listed in Section 5.1 operating in their normal course of business.
11. Children’s Data
The Services are designed and intended solely for business-to-business use by Providers (healthcare businesses) and their Authorized Users, all of whom are adults. The Services are not directed to, and PaiKnight does not knowingly collect personal information from, children under the age of 13 (or such other age as may be required by applicable law) through the Services or public website.
If PaiKnight becomes aware that it has inadvertently collected personal information from a child under the applicable age threshold, PaiKnight will take prompt steps to delete that information. If you believe PaiKnight has collected personal information from a child, please contact privacy@paiknight.com.
12. Changes to This Privacy Policy
PaiKnight may update this Privacy Policy from time to time to reflect changes in the Services, applicable law, or PaiKnight’s practices. When PaiKnight makes material changes, it will notify Authorized Users by email to the address on file or by a prominent notice within the Services, and will update the “Last updated” date at the top of this Policy. PaiKnight will provide advance notice of material changes to the extent required by applicable law.
Your continued use of the Services after the effective date of any update constitutes your acceptance of the revised Policy. If you do not agree with the revised Policy, you should discontinue use of the Services and contact PaiKnight to request account termination.
13. Contact Us
For questions about this Privacy Policy, to exercise your U.S. state privacy rights, or to report a privacy concern, contact PaiKnight’s Privacy Officer:
Privacy Officer
PaiKnight LLC
254 Chapman Rd, Ste 208 #28091, Newark, Delaware 19702
Email: privacy@paiknight.com
For security incidents or potential breaches, contact us immediately at privacy@paiknight.com or security@paiknight.com.
For Provider-specific inquiries regarding PHI handling under a BAA, contact your PaiKnight Account Manager or the Compliance Officer at privacy@paiknight.com.
Governing law: This Privacy Policy and any disputes arising under it shall be governed by the laws of Delaware, without regard to its conflict-of-law provisions, except to the extent superseded by applicable federal law (including HIPAA).