Privacy Policy

Account & Contact Data
When you register or contact us, we collect your name, email address, organisation name, job title, and other information you provide directly.

Usage & Technical Data
We automatically collect information about how you interact with the Services, including IP addresses, browser type, pages visited, timestamps, and referring URLs. This data helps us maintain security, diagnose issues, and improve the platform.

Customer Data (Health & Claims Information)
As part of delivering our Services, your organisation may submit claims data, member information, underwriting data, and related documents. This may include Protected Health Information (PHI) as defined under HIPAA. We process this data solely as a Business Associate under your direction.

Communications
If you contact our support or sales team, we retain records of those communications to resolve your requests and improve our service.

We use the information we collect to:

• Provide, operate, and improve the Services.
• Process claims, underwriting, and fraud detection tasks as instructed by your organisation.
• Respond to your enquiries, provide technical support, and send service-related communications.
• Monitor for security incidents, abuse, and compliance violations.
• Comply with applicable legal obligations, including regulatory reporting requirements.
• Develop and improve our AI models using aggregated, de-identified data only — we never use identifiable PHI to train models without explicit written consent.

We do not sell your personal information or Customer Data to third parties.

Ginja AI operates as a HIPAA Business Associate when processing PHI on behalf of Covered Entities. We maintain appropriate administrative, physical, and technical safeguards as required by the HIPAA Security Rule, including:

• Encryption of PHI in transit and at rest.
• Role-based access controls and audit logging for all PHI access.
• Regular risk assessments and workforce security training.
• Breach notification procedures in compliance with the HIPAA Breach Notification Rule.

A signed Business Associate Agreement (BAA) is required before any PHI is processed on our platform.

We share information only in the following limited circumstances:

• Service Providers: We engage vetted sub-processors (e.g. cloud infrastructure, security monitoring) who are contractually bound to process data only as directed by us and to maintain appropriate security standards.
• Legal Requirements: We may disclose information when required by law, court order, or regulatory authority, or to protect the rights, property, or safety of Ginja AI, our clients, or the public.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, Customer Data may be transferred to the successor entity subject to the same privacy protections.
• With Your Consent: We share information with third parties when you have given us explicit consent to do so.

We retain Customer Data for the duration of your contract plus any additional period required by applicable law or your written instructions. Account and contact data is retained while your account is active and for a reasonable period thereafter to fulfil legal obligations and resolve disputes. You may request deletion of your data subject to legal retention requirements.

We implement industry-standard security measures to protect information against unauthorised access, alteration, disclosure, or destruction. These include TLS encryption for all data in transit, AES-256 encryption for data at rest, multi-factor authentication, continuous intrusion detection, and regular third-party penetration testing.

No system is completely secure. If you become aware of any security incident, please notify us immediately at admin@ginja.ai.

Our website uses essential cookies to enable core functionality (e.g. session management). We may also use analytics cookies to understand how visitors interact with the site. You can control cookie preferences through your browser settings. We do not use tracking cookies for advertising purposes.

Depending on your jurisdiction, you or your organisation's members may have rights regarding personal data, including the right to access, correct, delete, or restrict processing. Requests from individual data subjects (e.g. health plan members) should be directed to the Covered Entity (your organisation) in the first instance, as we process such data under their instructions.

For enquiries about our own processing of your account or contact data, please email admin@ginja.ai.

Ginja AI processes data in data centres located in accordance with applicable data residency requirements. If data is transferred across borders, we ensure appropriate safeguards are in place (e.g. Standard Contractual Clauses or equivalent mechanisms) to comply with applicable data protection laws.

The Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have inadvertently received such information, we will take steps to delete it promptly.

We may update this Privacy Policy periodically. We will notify you of material changes by email or via an in-platform notice at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

For questions about this Privacy Policy or our data practices, please contact our Privacy team at admin@ginja.ai.