1. Scope
This Policy applies to information handled through cumulonimbusllc.com, our customer and prospect relationships, and software and services that refer to this Policy (collectively, the "Services"). The Services are offered to organizations for business and professional use, not to consumers for personal, family, or household use. If you use the Services for an organization, references to a "Customer" mean that organization.
A product, including an MVP Rad product, may provide a supplemental privacy notice describing product-specific practices. A supplement controls only where it expressly differs from this Policy. Our Terms of Service, an order form, and any data processing agreement may impose additional obligations.
This Policy does not govern a Customer's own privacy practices or third-party websites, marketplaces, payroll providers, accounting platforms, payment processors, or other services that a Customer chooses to connect. Those parties' notices govern their independent processing.
2. Our privacy roles
Our role depends on the information and the context in which we handle it.
Information we control
We determine the purposes and means of processing information about website visitors, prospects, Customer representatives, account administrators, payers, and people who communicate with us ("Company Information"). For this information, we generally act as a controller or, under California law, a business.
Information we process for Customers
A Customer generally determines why and how information is entered into or obtained through its configured Services ("Customer Service Data"). We process that information on the Customer's documented instructions to provide the Services. Where privacy law applies, we generally act as the Customer's processor, service provider, or contractor. The Customer is responsible for its collection, instructions, notices, permissions, and responses to people whose information it controls.
If you seek to exercise rights concerning Customer Service Data, contact the Customer that controls the relevant account first. We will assist the Customer as required by applicable law and our agreement. If you contact us directly, we may refer your request to that Customer and tell it that you contacted us.
3. Information we collect
Company Information
Depending on how you interact with us, we may collect:
- Business identity and contact information, such as name, employer, job title, business email address, business telephone number, and business mailing address.
- Account and authorization information, such as username, organization, role, account identifiers, authentication records, permissions, and acceptance of contracts and policies. We do not need your password in support messages.
- Commercial and billing information, such as products considered or purchased, subscription and order details, invoices, payment status, and transaction metadata. A payment processor may collect payment-card details directly; our Services are not designed to receive or store raw card numbers or bank-account credentials.
- Communications, such as sales inquiries, support requests, feedback, survey responses, privacy requests, and other business correspondence you send to us.
- Device, network, and website information, such as IP address, browser and device type, operating system, referring URL, requested pages, request timestamps, approximate location inferred from IP address, and security or diagnostic events.
- Service administration and operational telemetry, such as account configuration, feature interactions, integration status, error codes, performance measurements, audit events, and security logs. Operational telemetry is designed to exclude Customer Service Data content.
Sources
We collect information from:
- you when you visit, register, purchase, or communicate;
- your employer, organization, account administrator, or an authorized colleague;
- your browser, device, and interaction with the Services;
- integrations and platforms a Customer directs us to connect;
- service providers that support hosting, security, billing, communications, and business operations; and
- public business sources, referrals, and professional networks.
Information we do not request
Do not send us passwords, raw payment-card data, bank credentials, government identification numbers, employee-level payroll or human-resources information, consumer shopping information, or protected health information ("PHI") through a website form, support channel, or other general communication. Product-specific restrictions are described below and in the Terms of Service.
4. Product-specific data
Radiology report-generation software
Our radiology Services are designed to receive only numerical and qualitative information that the Customer has de-identified before it reaches CumuloNimbus. Intended inputs do not include patient names, medical record numbers, birth dates, contact information, images bearing identifiers, or other information that identifies or can reasonably identify a patient.
Merely removing obvious fields such as a name, medical record number, or birth date may not de-identify health information. Before sending any health-derived information to a CumuloNimbus-hosted Service, the Customer must de-identify it under the HIPAA Safe Harbor method or obtain and document a valid Expert Determination, as applicable. The Customer must address identifiers in structured fields, free text, metadata, and any other part of an input.
If you believe PHI was submitted accidentally, do not repeat the information in an email. Promptly contact legal@cumulonimbusllc.com, identify the affected Customer account and approximate time of submission, and use the subject "Accidental PHI." Once we become aware of identifiable accidental PHI, we will take reasonable steps to contain it, restrict access, investigate, securely delete it from systems under our control, and notify the submitting Customer as appropriate, subject to legal preservation requirements.
Commerce and payroll-accounting software
Depending on the Customer's selected product and configuration, commerce Services may process product catalogs, SKUs, listings, pricing rules and prices, inventory levels, channel identifiers, synchronization events, sales and return summaries, marketplace fees, payouts, invoices, tax-related fields, accounting records, integration settings, and OAuth or API tokens needed to connect Customer-authorized channels.
When a Customer enables a payroll-accounting connection, the Services are designed to use read-only access and import only company-level and aggregate accounting information, such as pay-period and payroll totals, employer-tax totals, aggregate benefit and deduction totals, organizational or accounting dimensions, and information used to derive journal entries and reconciliations. These connections are not designed to retrieve employee names, Social Security numbers, personal bank-account information, home addresses, birth dates, individual tax forms, individual compensation records, or other employee-level payroll or human-resources details. Customers must authorize only scopes and mappings consistent with these limits.
These Services are designed for business operational data. They are not designed to receive shopper personal information, raw payment-card data, bank-account credentials, or custody of customer funds. Customers must configure integrations and data mappings so those unsupported data types are not transmitted. Connected platforms may process them independently under their own terms and privacy notices.
Customer-authorized OAuth and API tokens for commerce, payroll, and accounting connections are Customer Service Data. We use them only to operate and secure the Customer-directed integration and retain them only while the connection remains authorized or as needed to complete Customer-requested processing. When a Customer disconnects an integration or the authorization ends, we revoke the credentials where the provider supports revocation and delete or render them unusable in active systems. Residual encrypted copies expire through the backup lifecycle described in Section 9, subject to legal preservation requirements.
5. How we use information
We use information as reasonably necessary to:
- provide, configure, operate, maintain, and support the Services;
- authenticate users, administer accounts, and apply Customer permissions and instructions;
- connect and synchronize Customer-selected platforms, import authorized read-only payroll-accounting summaries, and generate Customer-requested outputs;
- process subscriptions, invoices, payments, taxes, and related business records;
- communicate about accounts, service changes, security, support, contracts, and relevant products;
- monitor reliability, diagnose errors, prevent fraud or abuse, and protect Customers, users, the Services, and the public;
- improve features and performance using non-content operational telemetry, authorized feedback, and other information that does not include Customer Service Data content;
- comply with law, respond to valid legal process, establish or defend legal claims, and enforce our agreements; and
- carry out another purpose disclosed when information is collected or with appropriate authorization.
We may create statistical or aggregate information that cannot reasonably be linked to an individual or Customer. We will not attempt to reidentify information that applicable law treats as deidentified, except to test whether our deidentification processes satisfy legal requirements.
6. AI processing and model training
Some Services use large language models or other machine-learning models to analyze authorized, non-PHI inputs and produce requested outputs. Depending on the product and configuration, inference may occur on a Customer-controlled local system or through models operated by CumuloNimbus on United States cloud GPU infrastructure.
AI analysis of payroll-accounting data occurs only when an authorized Customer user enables the applicable feature. When enabled, models receive only the company-level and aggregate accounting summaries described in Section 4, not employee-level payroll or human-resources information. When the feature is disabled, we do not submit payroll-accounting data to a model.
CumuloNimbus does not send Customer Service Data content to OpenAI, Anthropic, or another third party's general-purpose model API. Infrastructure and GPU hosting providers may process encrypted network traffic and data in system memory as needed to provide the underlying compute, storage, networking, security, and support services to CumuloNimbus; they are infrastructure service providers, not recipients authorized to use content for their own model training.
We do not use patient-derived content, commerce operational data, aggregate payroll-accounting data, prompts, inputs, or generated outputs from Customers to train, fine-tune, or improve shared models. Processing an input to generate a requested output is inference, not model training. A model does not learn from or retain the content as a result of that request.
7. How we disclose information
We disclose information only as described below, as directed by a Customer, or with appropriate authorization:
- Customer administrators and users. An organization's authorized administrators and users may access information associated with that organization's account.
- Infrastructure and service providers. Providers may support cloud hosting and GPU compute, content delivery, security, error monitoring, communications, customer support, billing, and other business operations. They may process information only to perform contracted services for us and as otherwise permitted by law.
- Customer-selected integrations. We exchange data with a marketplace, commerce channel, payroll provider, accounting system, or other integration when a Customer enables and directs that connection.
- Professional advisers. Lawyers, accountants, auditors, insurers, and consultants may receive information under duties of confidentiality when reasonably necessary to provide professional services.
- Legal and safety recipients. We may disclose information if we reasonably believe disclosure is necessary to comply with law or valid legal process; protect rights, safety, or property; investigate fraud, abuse, or a security incident; or establish, exercise, or defend legal claims.
- Corporate transactions. Information may be disclosed in connection with due diligence, financing, a merger, acquisition, reorganization, bankruptcy, or sale of all or part of the business, subject to appropriate safeguards and legally required notice.
We do not disclose one Customer's Customer Service Data to another Customer unless the controlling Customer directs or authorizes the disclosure.
8. Sales, advertising, and tracking
We do not sell personal information for money or other valuable consideration. We do not "share" personal information for cross-context behavioral advertising as that term is defined by California law, and we do not process personal information for targeted advertising. We have not engaged in those activities in the preceding 12 months. We do not offer financial incentives for the collection, sale, sharing, or retention of personal information.
Our website currently does not use advertising pixels, analytics trackers, third-party advertising scripts, or nonessential cookies. Hosting, content-delivery, and security infrastructure may process IP addresses and request information and may use a strictly necessary cookie when needed for security, routing, or abuse prevention.
Because there is no generally accepted standard for browser "Do Not Track" signals, our website does not alter its behavior in response to DNT. Where required, we recognize legally valid opt-out preference signals, including the Global Privacy Control, as a request to opt out of sale, sharing, or targeted advertising for the browser or device that sends the signal. Because we do not conduct those activities, a signal does not result in a visible change to the website.
9. Retention and deletion
We retain personal information only for as long as reasonably necessary and proportionate to provide the Services, maintain security and business records, comply with law, resolve disputes, and enforce agreements. Our default retention schedule is:
- Radiology content: no persistent CumuloNimbus retention. Content is held transiently only for the time needed to process the request and return the output and is excluded from application logs and backups.
- Commerce and payroll-accounting Service records: for the subscription term and 30 days after termination or expiration, unless the Customer deletes them earlier or a written agreement specifies a different period.
- Backups: eligible deleted data expires through the normal backup lifecycle within 90 days. Backups are not restored for ordinary business use except for disaster recovery, and restored data remains subject to the applicable deletion schedule.
- Security and operational logs: 90 days by default. These logs are designed to exclude Customer Service Data content.
- Contracts, invoices, and required financial records: up to seven years, or longer if law requires.
- Account, support, and business contact records: for the business relationship and a reasonable period afterward based on the record's purpose, applicable limitation periods, and legal requirements.
- Privacy request records: for the period required by applicable law, ordinarily at least 24 months where a law requires request recordkeeping.
We may retain specific information beyond a default period when a legal hold, active dispute, fraud or security investigation, or statutory duty requires it. We limit such retention to the affected information and purpose. Deidentified or aggregate information that cannot reasonably identify an individual or Customer may be retained longer, subject to our commitment not to reidentify it.
10. Security
We maintain administrative, technical, and organizational safeguards designed to protect information against unauthorized access, use, alteration, disclosure, or destruction. We assess safeguards based on the nature of the information, how it is processed, and the risks presented. We also require Customers and users to protect account credentials, use authorized access only, and promptly report suspected compromise.
No method of transmission, processing, or storage is completely secure, and we cannot guarantee absolute security. If you suspect a security incident, contact legal@cumulonimbusllc.com without including passwords, tokens, PHI, or other sensitive content in the message.
11. Privacy rights and choices
Depending on where you reside, the law that applies, and relevant exceptions, you may have the right to:
- confirm whether we process your personal information and access or know the categories and specific pieces we maintain;
- correct inaccurate personal information;
- delete personal information;
- obtain a portable copy of information you provided, where technically feasible;
- opt out of sale, sharing, targeted advertising, or certain profiling with legal or similarly significant effects;
- limit certain uses or disclosures of sensitive personal information or withdraw consent where processing relies on consent;
- appeal our denial of a privacy request; and
- receive equal service and not be discriminated against for exercising a privacy right.
You may opt out of non-transactional marketing email at any time by using the unsubscribe link in the message or contacting us. We may still send account, security, legal, billing, and other service-related communications.
Submitting a request
Email legal@cumulonimbusllc.com with the subject "Privacy Request." State the right you wish to exercise and provide your name, business email address, organization, and relationship with CumuloNimbus. Do not send identity documents, passwords, tokens, PHI, or financial credentials unless we specifically request an appropriate verification method.
We will acknowledge and respond within the time required by applicable law. We may ask for information reasonably necessary to verify your identity, authority, account, and jurisdiction. We use verification information only to evaluate and respond to the request. If we cannot verify a request, an exception applies, or fulfilling it would adversely affect another person's rights, we may limit or deny the request and explain our decision as required.
An authorized agent may submit a request by using the same email address and identifying the person represented. We may require proof of the agent's authorization and may ask the individual to verify their identity or confirm the authorization directly, unless a valid power of attorney makes that unnecessary. To appeal a decision, reply to our response or email us with the subject "Privacy Appeal" and explain why you believe the decision should be reconsidered.
We voluntarily consider rights requests from U.S. residents where reasonably feasible even if a particular comprehensive state privacy law does not apply to us. This voluntary practice does not waive an exemption, create a right beyond applicable law, or change our role as a processor of Customer Service Data.
12. California disclosures
This section supplements the rest of the Policy for California residents. It applies if and to the extent CumuloNimbus is subject to the California Consumer Privacy Act ("CCPA"). Terms such as "personal information," "sensitive personal information," "sell," and "share" have the meanings assigned by the CCPA.
In the preceding 12 months, we have collected the following CCPA categories for the purposes described in Section 5:
- Identifiers
- Name, business contact details, username, IP address, device or account identifiers, organization identifiers, and integration account identifiers.
- California customer-record information
- Business address and telephone number, signature or contract acceptance record, and payment-related account metadata. We do not seek raw card numbers or bank credentials.
- Commercial information
- Products or services considered, purchased, or used; subscriptions; invoices; payment status; and Customer business transaction records.
- Internet or other electronic network activity
- Website and Service interactions, browser and device information, request and event logs, integration events, and security or diagnostic information.
- Approximate geolocation
- General location inferred from an IP address.
- Professional or employment-related information
- Employer, organization, business role, and job title.
- Sensitive personal information
- Account authentication information and Customer-provided OAuth or API credentials used to secure or operate a Customer-directed integration. We do not use sensitive personal information to infer characteristics about a person.
We obtain these categories from the sources in Section 3. We may disclose each category to the corresponding recipients in Section 7 for the stated business purposes. Depending on context, recipients may include infrastructure, security, communications, support, billing, and professional-service providers; Customer administrators; Customer-selected integrations; and legal or transaction recipients. Our retention criteria and default periods appear in Section 9.
We do not knowingly collect protected-classification characteristics, biometric information, sensory information, education information, or precise geolocation as Company Information. Customer Service Data might fall within a CCPA category when a Customer supplies it; in that context, we process it as a service provider or contractor and the Customer's notice should describe the collection.
We have not sold or shared personal information, including sensitive personal information, in the preceding 12 months. We do not knowingly sell or share personal information of people under 16. We use and disclose sensitive personal information only as reasonably necessary for permitted business purposes, such as providing and securing the Services, and not to infer characteristics. We therefore do not provide a separate "Limit the Use of My Sensitive Personal Information" link.
California residents may exercise the rights to know, access, correct, delete, and receive information about our practices, and the rights to opt out or limit processing where applicable, using the process in Section 11. California's Shine the Light law permits certain residents to request information about disclosures for third parties' direct-marketing purposes. We do not disclose personal information to third parties for their own direct marketing.
13. Children
The Services are for business users and are not directed to children or anyone under 18. We do not knowingly collect personal information directly from children. If you believe a child has provided personal information to us, contact us without repeating the information so we can investigate and take appropriate action.
14. United States only
The Services are offered only to organizations in the United States and are operated from the United States. Information may be processed in different U.S. states by CumuloNimbus and our service providers. The Services are not offered to organizations or individuals outside the United States, and this Policy is not intended to describe compliance with non-U.S. privacy regimes.
15. Changes to this policy
We may update this Policy to reflect changes in our Services, practices, or legal obligations. We will post the updated Policy with a new effective date and version. If a change materially affects how we use personal information, we will provide additional notice through the Services, by email, or by another appropriate method before the change takes effect when required by law. Prior versions will be retained and made available upon request.
16. Contact us
For privacy questions, requests, appeals, security reports, or accidental-PHI notices, contact:
CumuloNimbus LLCAttn: Privacy
legal@cumulonimbusllc.com
Do not include PHI, passwords, OAuth or API tokens, payment-card data, bank credentials, or other sensitive content in your initial message.