Simcha AI

Terms of Service & BAA & Privacy Policy

SIMCHA AI PLATFORM TERMS OF USE & Privacy Policy

Last Updated: June 26, 2024

Welcome to Simcha AI. These Platform Terms of Use ("Terms of Use") constitute a legal agreement between you and Simcha AI Inc. ("Simcha AI," "we," "us," or "our"). By accessing and using our software-as-a-service (SaaS) platform available as a web and/or mobile application (the "Platform"), you agree to comply with these Terms of Use and our Privacy Policy, collectively referred to as the "Agreement."

1. Acceptance of the Terms of Use

Please read these Terms of Use carefully. By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by these Terms of Use and our Privacy Policy, which is incorporated herein by reference. If you do not agree to any part of the Agreement, do not use the Platform. If you are accepting these terms on behalf of a company or other legal entity, you represent and warrant that you have the authority to bind that entity to the Agreement, and "you" and "your" will refer to that entity.

2. Changes to the Terms of Use

We reserve the right to modify, discontinue, or terminate the Platform or modify the Agreement at any time without prior notice. We will post any modifications on the Platform. By continuing to use the Platform after such modifications, you agree to the updated Agreement. If the modified Agreement is unacceptable to you, your only recourse is to cease using the Platform.

3. Right to Access and Use the Platform

Subject to these Terms of Use, Simcha AI grants you a limited, non-exclusive, non-transferable, non-sublicensable, revocable right to authorize your Authorized Users to access and use the Platform solely for your internal business purposes.

You agree not to: (i) reverse engineer, decompile, disassemble, or otherwise attempt to discern the source code or interface protocols of the Platform; (ii) modify, adapt, or translate the Platform; (iii) make any copies of the Platform; (iv) resell, distribute, or sublicense the Platform; (v) remove or modify any proprietary markings on the Platform; (vi) use the Platform in violation of any law, to build a competitive product, or for any unauthorized purpose; (vii) introduce harmful code to the Platform; (viii) store data outside the Platform without prior written permission; (ix) use the Platform for the benefit of a third party; or (x) circumvent any security measures of the Platform. Violation of this section may result in immediate termination of your access to the Platform without notice.

4. Authorized Users

Your employees and contractors who access and use the Platform on your behalf are "Authorized Users." Each Authorized User must create an account with their email and password ("Login Credentials"), which must not be shared. You are responsible for all activities associated with your Authorized Users' Login Credentials and must notify us of any unauthorized use. We reserve the right to disable any account at our discretion.

5. Use of Personal Information

Your use of the Platform involves the transmission of personal information, governed by our Privacy Policy, which is incorporated into these Terms of Use.

6. Ownership

The Platform and its content, including software, text, graphics, images, and sound recordings ("Content"), are owned by Simcha AI or third parties and are protected by intellectual property laws. You may not use the Content except as permitted under this Agreement. Unauthorized use of the Content may violate copyright, trademark, and other laws.

7. Your Data

"Your Data" includes any data you and your Authorized Users submit to the Platform. You retain ownership of Your Data and grant Simcha AI a license to use it as necessary to provide the Platform and improve our services. You are responsible for the accuracy and legality of Your Data.

Simcha AI affirms that Google Workspace APIs are not used to develop, improve, or train generalized AI and/or ML models.

Use of Google User Data: Simcha AI processes Google user data solely to provide the functionality you have requested within our Platform. Simcha AI does not share, transfer, or disclose Google user data with third parties.

8. Retention of Your Data

You can choose to delete or store Your Data and Patient Recordings within the Platform. If not otherwise specified, Your Data will be deleted after thirty (30) days, except for backup purposes.

9. Fees

You agree to pay the subscription fees associated with your selected plan. We reserve the right to modify our pricing with reasonable notice. Payments are processed through a third-party payment processor.

10. Platform Rules

By using the Platform, you agree to comply with the following guidelines:

- Do not use the Platform for unlawful purposes.

- Do not collect market research for competing businesses.

- Do not upload harmful or infringing content.

- Do not impersonate others or misrepresent your affiliation.

- Do not reverse engineer the Platform.

- Do not interfere with the Platform's security features.

- Do not use automated means to access the Platform without permission.

- Do not impose an unreasonable load on our infrastructure.

- Do not interfere with the Platform's proper operation.

11. Restrictions

The Platform is available only to individuals aged 18 years or older. By using the Platform, you represent that you are 18 years or older.

12. Feedback

We welcome feedback, comments, and suggestions for the Platform. By providing Feedback, you grant us the right to use and disclose it without restriction or compensation.

13. No Warranties; Limitation of Liability

The Platform and Content are provided "as is" without warranties of any kind. Simcha AI disclaims all warranties, express or implied, including warranties of merchantability, fitness for a particular purpose, and non-infringement. We are not liable for any indirect, incidental, or consequential damages arising from your use of the Platform.

14. External Sites

The Platform may contain links to third-party websites ("External Sites"). These links are provided for convenience and do not constitute an endorsement. We are not responsible for the content of External Sites.

15. Representations and Warranties

You represent and warrant that you have all necessary rights to provide Your Data and that you have obtained all required consents and permissions.

16. Indemnification

You agree to indemnify and hold Simcha AI harmless from any claims, damages, or losses arising from your use of the Platform or breach of this Agreement.

17. Compliance with Applicable Laws

You are responsible for complying with all applicable laws in your jurisdiction when using the Platform.

18. Term; Termination

Your right to use the Platform begins upon acceptance of these Terms of Use and continues for the duration of your subscription plan. Either party may terminate the Agreement with thirty (30) days' notice. Upon termination, we will assist with data export and delete Your Data as specified.

19. Binding Arbitration

Disputes arising under this Agreement will be resolved by binding arbitration, with certain exceptions for small claims and injunctive relief.

20. Class Action Waiver

You agree to resolve disputes on an individual basis and waive the right to participate in class actions.

21. Equitable Relief

We are entitled to seek injunctive relief to protect our intellectual property rights.

22. Miscellaneous

You may not assign your rights under this Agreement without our written consent. Our failure to enforce any provision does not constitute a waiver. This Agreement constitutes the entire agreement between you and Simcha AI.

Business Associate Agreement

This Simcha AI Business Associate Agreement (this “Addendum”) is an agreement between Simcha AI Inc. (“Business Associate”) and you or the entity you represent (“Covered Entity”), and is an addendum to the Simcha AI Terms of Service available at simchaai.com/terms-of-service (as updated from time to time) by and between you and Simcha AI, or other agreement between you and Simcha AI governing your use of the Services (the “Agreement”). This Addendum takes effect on the date when you click “I Agree” (or other electronic means made available by Simcha AI for such purpose) presented with this Addendum (the “Addendum Effective Date”). You represent to Simcha AI that you are lawfully able to enter into contracts (e.g., you are not a minor). If you are entering into this Addendum for an entity, such as the company you work for, you represent to Simcha AI that you have legal authority to bind that entity.

1. Definitions. Terms used in this Addendum but not otherwise defined in this Addendum or the Agreement shall have the meaning ascribed to them by HIPAA. For purposes of this Addendum only, when Simcha AI is deemed to be a Business Associate of Customer, as applicable, Simcha AI shall be referred to as “Business Associate,” and Customer, as applicable, shall be referred to as “Covered Entity.” In the event of an inconsistency between this Addendum and another term of the Agreement as it relates to PHI, this Addendum shall control.

2. Use and Disclosure. Business Associate agrees not to use or disclose Customer PHI other than as permitted or required by this Addendum, the Agreement, or as Required By Law. Business Associate shall comply with the provisions of this Addendum relating to privacy and security of PHI and that are applicable to Business Associates.

3. Appropriate Safeguards. Business Associate agrees to use appropriate safeguards to prevent the use or disclosure of Customer PHI other than as provided for by this Addendum, the Agreement, or as Required By Law. Without limiting the generality of the foregoing sentence, Business Associate will:

- Implement administrative, organizational, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information contained within Customer PHI (“Electronic Customer PHI”) as required by the Security Rule; and comply with the applicable requirements, policies, procedures, and documentation requirements of the Security Rule.

- Report to Covered Entity any Security Incident involving Electronic Customer PHI or involving systems in which Electronic Customer PHI is stored, maintained, or over which it is transmitted, of which Business Associate becomes aware. Any actual, successful Security

Incident will be reported to Covered Entity in writing without unreasonable delay. With respect to attempted, unsuccessful Security Incidents, the parties acknowledge and agree that this Addendum constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use, disclosure, modification or destruction of Electronic Customer PHI or interference with system operations in an information system that contains Electronic Customer PHI.

- Notify Covered Entity following the discovery of a Breach of Unsecured PHI that is Customer PHI in accordance with 45 C.F.R. § 164.410 without unreasonable delay and in no event later than sixty (60) days (or within any shorter deadline imposed by applicable state law) after discovery of the Breach. The notice shall include the following information if known (or can be reasonably obtained) by Business Associate: (i) contact information for the individuals who were or who may have been impacted by the Breach (e.g., first and last name, mailing address, street address, phone number, email address); (ii) a brief description of the circumstances of the Breach, including the date of the Breach and date of discovery; (iii) a description of the types of Unsecured PHI involved in the Breach (e.g., names, social security numbers, dates of birth, addresses, account numbers of any type, and similar information); and (iv) a brief description of what the Business Associate has done or is doing to investigate the Breach and mitigate harm to the individuals impacted by the Breach. A Breach is considered “discovered” as of the first day on which the Breach is known, or reasonably should have been known, to Business Associate or any employee, officer or agent of Business Associate, other than the individual committing the Breach.

- Report, without unreasonable delay, to Covered Entity any access, use or disclosure of Customer PHI by Business Associate or a third party to which Business Associate disclosed Customer PHI which is not permitted by this Addendum and of which Business Associate becomes aware.

- Comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations, to the extent that Business Associate carries out one or more of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164.

4. Mitigation. Business Associate agrees to take reasonable steps to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Customer PHI by Business Associate in violation of the requirements of this Addendum (including, without limitation, any Security Incident or Breach of Unsecured PHI). Business Associate agrees to reasonably cooperate and coordinate with Covered Entity in the investigation of any violation of the requirements of this Addendum and/or any Security Incident or Breach. Business Associate shall also reasonably cooperate and coordinate with Covered Entity in the preparation of any reports or notices to the Individual, a regulatory body or any third party required to be made under HIPAA or any other federal or state laws, rules or regulations, provided that any such reports or notices shall be subject to the prior written approval of Covered Entity.

5. Minimum Necessary. To the extent required by the “minimum necessary” requirements of HIPAA, Business Associate shall only request, use and disclose the minimum amount of Customer PHI necessary to accomplish the purpose of the request, use or disclosure.

6. Subcontractors. Business Associate shall enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a)(2) with each Subcontractor (including, without limitation, a Subcontractor that is an agent under applicable law) that creates, receives, maintains or transmits Customer PHI on behalf of Business Associate. Business Associate shall ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that are at least as restrictive as the restrictions or conditions that apply to Business Associate through this Addendum with respect to such information.

7. Access to Designated Record Sets. The parties do not expect that Business Associate will maintain Designated Record Sets. In the event, however, that Covered Entity requests and Business Associate agrees to maintain a Designated Record Set, Business Associate agrees to provide access, within thirty (30) days of a request by Covered Entity, and in the manner designated by the Covered Entity, to Customer PHI in a Designated Record Set created or received by Business Associate solely on behalf of Covered Entity only, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements of the HIPAA Regulations. If an Individual makes a request for access to Customer PHI directly to Business Associate, Business Associate shall notify Covered Entity of the request within three (3) business days of such request. Covered Entity shall have the sole responsibility to make decisions regarding whether to approve a request for access to Customer PHI.

8. Amendments to Designated Record Sets. The parties do not expect that Business Associate will maintain Designated Record Sets. In the event however, that Covered Entity requests and Business Associate agrees to maintain a Designated Record Set, Business Associate agrees to provide information to Covered Entity for amendment and to incorporate any such amendment(s) to Customer PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to the HIPAA Regulations within thirty (30) days of a request by Covered Entity, and in the manner designated by the Covered Entity. If an Individual makes a request for an amendment to Customer PHI directly to Business Associate, Business Associate shall notify Covered Entity of the request within three (3) business days of such request. Covered Entity will have the sole responsibility to make decisions regarding whether to approve a request for an amendment to Customer PHI.

9. Access to Books and Records. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of Covered Entity’s PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of the Secretary determining Covered Entity’s and Business Associate’s compliance with the Privacy Rule.

10. Accountings. Business Associate agrees to document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with HIPAA. Business Associate agrees to, within thirty (30) days of request from Covered Entity, make available to Covered Entity such information as is in Business Associate’s possession and as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Customer PHI in accordance with HIPAA. If Business Associate receives a request for an accounting for Customer PHI directly from an Individual, Business Associate shall forward such request to Covered Entity within ten (10) business days. Covered Entity shall have the sole responsibility to provide an accounting of such disclosures to an Individual.

11. Permitted Uses and Disclosures by Business Associate.

- **Services.** Business Associate may use or disclose PHI to perform the Services, provided that such use or disclosure would not violate HIPAA if done by Covered Entity and except as expressly permitted in paragraphs (b)-(d) below.

- **Use for Administration of Business Associate.** Business Associate may use Covered Entity’s PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate. Covered Entity acknowledges and agrees that proper management and administration of Business Associate includes, without limitation, modifications of, upgrades to, and the development and/or addition of additional features and functionality for, the Services.

- **Disclosure for Administration of Business Associate.** Business Associate may disclose Customer PHI for the proper management and administration of the Business Associate, provided that (i) disclosures are Required By Law, or (ii) Business Associate obtains reasonable written assurances from the third party to whom the information is disclosed that the third party will (1) protect the confidentiality of Customer PHI, (2) use or further disclose the Customer PHI only as Required By Law or for the purpose for which it was disclosed to the third party, and (3) notify the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

- **Data Aggregation.** Business Associate may use Customer PHI to provide Data Aggregation services relating to the Health Care Operations of Covered Entity if required or permitted under this Addendum or the Agreement.

- **De-Identified Information.** Business Associate may use Customer PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Business Associate may use or disclose de-identified health information for any purpose permitted by law.

- **Authorization.** Business Associate may present patients with a valid HIPAA Authorization to obtain patients’ authorizations for Business Associate to be able to use and disclose Customer PHI for the purposes set forth in the Authorization. If a patient has signed a valid HIPAA Authorization for Business Associate to retain such individual’s Customer PHI and use and disclose such PHI for the purposes set forth in the Authorization, then, notwithstanding anything in Section 14 of this Addendum, the parties agree that Business Associate will have no obligation to return or destroy such PHI upon the termination of the Agreement.

12. Obligations of Covered Entity.

- **Permissible Requests by Covered Entity.** Covered Entity shall not request Business Associate to use or disclose Covered Entity’s PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.

- **Minimum Necessary PHI.** Consistent with Business Associate’s mutual obligation in Section 5 of this Addendum, when Covered Entity discloses PHI to Business Associate, Covered Entity shall provide the minimum amount of PHI necessary for the accomplishment of Business Associate’s purpose.

- **Permissions; Restrictions.** Covered Entity warrants and represents that it has obtained or will obtain any consents, authorizations and/or other legal permissions required under HIPAA and other applicable law for the disclosure of PHI to Business Associate. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her Covered Entity’s PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI. Covered Entity shall not agree to any restriction on the use or disclosure of PHI under 45 C.F.R. § 164.522 that restricts Business Associate’s use or disclosure of Covered Entity’s PHI under this Addendum or the Agreement unless Business Associate grants its written consent.

- **Notice of Privacy Practices.** Except as required by HIPAA or other applicable law, with Business Associate’s consent or as set forth in the Agreement, Covered Entity shall not include any limitation in the Covered Entity’s notice of privacy practices that limits Business Associate’s use or disclosure of Covered Entity’s PHI under this Addendum or the Agreement.

13. Termination Upon Breach. Notwithstanding anything to the contrary in this Addendum or in the Agreement, either party (the “Non-Breaching Party”), upon knowledge of a material breach of this Addendum relating to Customer PHI by the other party (the “Breaching Party”), shall provide an opportunity for the Breaching Party to cure the breach or end the violation. If Breaching Party does not cure the breach or end the violation to the reasonable satisfaction of the Non-Breaching Party within thirty (30) days, the Non-Breaching Party may terminate: (a) this Addendum; (b) all of the provisions of the Agreement that involve the use or disclosure of Customer PHI; and (c) such other provisions, if any, of the Agreement as the Non-Breaching Party designates in its sole discretion.

14. Effect of Termination.

- **Return of PHI.** Except as provided in paragraph (b) of this Section, upon termination of this Addendum or the Agreement, for any reason, Business Associate shall return or destroy, without unreasonable delay, all Customer PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Customer PHI that is in the possession of subcontractors or agents of Business Associate.

- **Infeasibility.** In the event that Business Associate determines in its sole reasonable discretion that returning or destroying the Customer PHI is infeasible, Business Associate shall extend the protections of this Addendum to such PHI and limit further uses and disclosures of Customer PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains Customer PHI. Without limiting the generality of the foregoing, Covered Entity acknowledges and agrees that: (i) it is infeasible for Business Associate to delete Customer PHI from its backup tapes or other backup systems; and (ii) it is infeasible for Business Associate to delete all Customer PHI during an ongoing investigation in connection with a Security Incident or Breach of Unsecured PHI, and that temporarily retaining certain Customer PHI may be necessary for such investigation.

15. Miscellaneous