Legal · Privacy

Privacy Policy

How OpsRail Command Center handles data during demos, pilots, and early product evaluations.

Last updated: May 26, 2026Demo / Pilot MVPNo-PHI evaluation mode

How your data flows through the product during an early evaluation.

Early-evaluation document

This page is provided for early evaluation and pilot discussions and should be reviewed by legal counsel before production use. It is not a substitute for a formal Data Processing Agreement, Business Associate Agreement, or jurisdiction-specific privacy notice.

Section 01

Overview

OpsRail Command Center is designed for operational analysis of Medicare Advantage supplemental benefit workflows. Early pilots should use synthetic, masked, or de-identified operational files. This policy explains how data flows through the product during demos, pilots, and early evaluations.

Section 02

Information we collect

  • Account and contact information, if voluntarily provided
  • Uploaded operational files
  • Parsed operational records
  • Detected incidents
  • Generated briefs
  • Basic usage and technical logs
  • Communications with the team

Section 03

Data we do not need for MVP pilots

For MVP and pilot evaluation, you should not upload any of the following. The product is designed to deliver operational value without them:

  • Member names
  • Dates of birth
  • Addresses
  • Phone numbers
  • Emails
  • SSNs
  • Medicare Beneficiary Identifiers
  • Full payment card numbers
  • Clinical notes
  • Medical diagnoses
  • Claims details not required for supplemental benefit operations analysis

See the Data Requirements page for the complete schema and the fields that can be hashed instead of sent raw.

Section 04

How we use data

  • Parse uploaded files
  • Detect operational incidents
  • Generate evidence-based summaries and briefs
  • Improve reliability and product quality
  • Support pilot evaluation and troubleshooting
  • Communicate with pilot users

Section 05

AI processing

The product may send structured incident evidence to OpenAI or another configured AI provider to generate briefs or copilot answers. Raw uploaded files do not need to be sent to the AI provider for the MVP brief generation flow.

AI outputs are grounded in structured evidence but may be incomplete or inaccurate, and should be reviewed by qualified users before being shared or acted upon. The deterministic incident engine remains the source of truth.

Section 06

Data sharing

We do not sell user data.

We may share limited data with service providers needed to operate the product — such as hosting, database, analytics or logging, and AI providers — solely to deliver the service. We may also disclose information if required by law or to protect the integrity and safety of the service.

Section 07

Data retention and deletion

During pilots, uploaded files, parsed records, incidents, and briefs may be retained for the duration of the evaluation unless deletion is requested. Pilot data can be deleted upon request, subject to reasonable backup and log retention limitations.

Section 08

Security

We use reasonable technical and organizational safeguards appropriate for an early MVP, including:

  • Hosted infrastructure for the demo / pilot environment
  • HTTPS in transit where supported by hosted services
  • Environment-based secret management — no secrets in source code
  • Access-limited operational practices during pilot evaluations

Honest disclosure: the MVP is not yet SOC 2 or HITRUST certified. See the Security posture page for the current pilot-readiness overview.

Section 09

No-PHI pilot mode

The recommended pilot mode uses synthetic, masked, or de-identified operational files. If a future production workflow involves PHI, additional agreements, safeguards, access controls, and potentially a Business Associate Agreement may be required before any PHI-bearing data is processed.

Section 10

Your choices

  • Request deletion of pilot data at any time
  • Avoid uploading sensitive data during MVP evaluation
  • Use synthetic, masked, or de-identified files for all evaluations

Section 11

Children's privacy

OpsRail Command Center is intended for business users — typically operations, compliance, and benefits professionals — and is not directed to children. We do not knowingly collect information from children.

Section 12

Changes to this Privacy Policy

This Privacy Policy may be updated as the product evolves. Material changes will be reflected by updating the “Last updated” date at the top of this page.

Section 13

Contact

Questions about this Privacy Policy or how data is handled during a pilot? Reach out to hello@opsrail.app.

Companion documents

Review the Security posture and Data Requirements next.

Security postureData Requirements