Legal

Privacy Policy

Effective June 2026 · Last updated June 2026

Summary and scope

This Privacy Policy covers the public Kanurra website at kanurra.com (the “Website”). That is all it covers.

The Website exists to do two things: explain how Kanurra works (a transparent, fully pass-through pharmacy benefit manager that earns only a flat, disclosed per-member-per-month (PMPM) administrative fee) and let you book a 30-minute claims-audit call. It is built for businesses: brokers, third-party administrators, and self-funded employer plan sponsors. It is not built for patients or consumers.

The Website is separate from the Kanurra pharmacy-benefit platform (the “Platform”). The Platform is where member and claims data actually live. The Platform is governed by the plan and services agreement and by HIPAA Business Associate Agreements, not by this policy. The next section makes that wall explicit.

Here is our stewardship promise, in plain words: we collect the minimum we need to run the site and respond to you, we do not sell it, and we name everyone who touches it. The rest of this document is the detail behind that sentence.

This website does not handle PHI

This is the part that matters most, so we will be blunt about it.

  • The Website does not collect, process, or store Protected Health Information (“PHI”) as defined under HIPAA. Do not submit PHI, member data, or patient data through the booking form or any other form on this site.
  • Kanurra acts as a Business Associate of its health-plan and employer clients. Any PHI that Kanurra creates, receives, maintains, or transmits is handled inside the Platform, never on this Website.
  • PHI is governed solely by HIPAA and HITECH, the applicable Business Associate Agreement between Kanurra and the covered entity, and the plan and services agreement, not by this Privacy Policy.
  • This Privacy Policy is NOT a HIPAA Notice of Privacy Practices. To learn how your PHI is used and disclosed, request the Notice of Privacy Practices from your health plan or plan sponsor.
  • As a business associate, Kanurra generally does not issue its own Notice of Privacy Practices. Covered entities (your health plan or plan sponsor) issue those.

Information we collect

We collect two kinds of information, and only two.

Information you give us. When you book a claims-audit call on the /audit page, you give us your name, your business email, and anything you type into the booking form. This is collected through our scheduling provider, Cal.com.

Information collected automatically. When you visit the Website, our hosting provider, Vercel, records standard server-log data: your IP address, browser and device type, the pages you view, timestamps, and similar usage data. Separately, the Cal.com scheduler on /audit is an embed loaded from app.cal.com; visiting that page transmits your IP address and basic request data to Cal.com even if you never type or submit anything.

Cookies and tracking technologies. The Website itself sets no marketing or advertising cookies. We do not set any cookies beyond what the Cal.com scheduling embed on /audit requires to function, and those load only when you visit /audit. We use no analytics or advertising cookies.

Analytics. We currently use no analytics provider. If we add one, we will update this section to name the provider and describe what it collects before relying on it.

CCPA categories. For state-law clarity, the data above maps to two statutory categories: identifiers (name, email, IP address) and internet or other electronic network activity (pages viewed, usage data).

Notice at collection. The booking form on /audit links to this policy at the point of collection, so you can see what we collect and why before you submit anything.

How we use information

We use this data only for what the site is for:

  • To schedule, confirm, and hold the claims-audit meeting you request.
  • To respond to your inquiry and follow up about it.
  • To operate, secure, debug, and improve the Website.
  • To comply with law and enforce our terms.

We do not use this data for cross-context behavioral advertising, and we do not profile you. We do not make any automated decisions that produce legal or similarly significant effects about you on this Website.

If we send you a marketing follow-up email, every such message includes an unsubscribe link. For recipients in the EU or UK, we send marketing email only on the basis of your consent.

How we share information (subprocessors)

We do not sell or rent your personal information, and we do not share it for cross-context behavioral advertising. We do not monetize it for advertising. No hedging on this one.

We use a small number of subprocessors to run the Website. Here they are, by name and function:

  • Cal.com (Cal.com, Inc., United States): demo and audit scheduling. The scheduler is an embed loaded from app.cal.com, so visiting /audit transmits your IP address and basic request data to Cal.com on page load, before you enter anything. When you complete the form, Cal.com also receives the name, email, and answers you enter. Cal.com’s own subprocessors (for example, a messaging provider used for reminders) may process that data under Cal.com’s terms.
  • Vercel (Vercel Inc., United States): website hosting, edge/CDN delivery, and server request logs. Processes visitor IP addresses and request metadata.

We serve our fonts from our own infrastructure, so visiting the Website does not transmit your data to a third-party font provider.

Subprocessors and other service providers receive data only under contract, only with appropriate privacy and confidentiality obligations, and only to perform services for us.

Beyond these, we disclose information only where required by law (legal process, or to protect safety and rights) or in connection with a business transfer such as a merger or acquisition.

In every case we collect and share the minimum necessary.

Data retention

We keep data only as long as we need it for the purposes above.

  • Booking-form contact data (name, email, form answers): we retain this for 24 months after your last interaction with us, then delete or anonymize it.
  • Server logs and usage data: we retain these for up to 90 days for security, debugging, and abuse prevention, then delete or anonymize them.

When data is no longer needed for the stated purposes, we delete or anonymize it.

Our subprocessors (Cal.com, Vercel) retain data according to their own policies and data processing agreements.

Your privacy rights and choices

You have rights over your personal information, and we honor them.

Core rights. You can ask us to access, correct, delete, or port your personal information, and you can object to or restrict certain processing. To exercise any of these, email us at the address in the Contact section.

California (CCPA/CPRA). If you are a California resident, you have the right to know what we collect, to delete it, to correct it, to opt out of any sale or sharing, and to limit the use of sensitive personal information. We will not retaliate against you for exercising these rights. We currently run no third-party advertising or analytics pixel, so there is no “sale” or “share” to opt out of. If we ever add such a pixel, that would count as a “share,” and at that point we will honor the Global Privacy Control (GPC) browser signal and add a “Do Not Sell or Share My Personal Information” link to the site.

GDPR and UK GDPR. If you are in the EU or UK, you have the right to access, rectification, erasure, restriction, portability, objection, to withdraw consent, and to lodge a complaint with a supervisory authority. Our legal bases are: the booking form is processed to take steps at your request before a contract and on our legitimate interest in responding to inquiries; any marketing email is on consent; any analytics or advertising cookies (none today) would be on consent. We do not carry out automated decision-making or profiling that produces legal or similarly significant effects under Article 22. We are a US-focused B2B business and do not target EU or UK visitors, so we have not appointed an Article 27 representative.

International transfers. We process data in the United States. Where EU or UK personal data reaches our subprocessors, those transfers rely on the subprocessors’ own transfer mechanisms, such as Standard Contractual Clauses or an applicable certification framework, as described in their data processing terms.

Verification and timelines. We will verify your identity before acting on a request. An authorized agent may act for you with signed permission or a power of attorney. We respond within 45 days for CCPA requests and within one month for GDPR requests, with extensions only where the law allows.

To exercise any right, email privacy@kanurra.com.

Security

We apply reasonable administrative and technical safeguards to the limited contact data and logs we hold, and we work only with subprocessors that maintain their own security programs.

We will be honest about the limit, though: no method of transmitting or storing data over the internet is perfectly secure, and we cannot guarantee absolute security.

If a breach involving your personal information occurs, we will notify affected individuals and authorities as required by law.

For security questions or to report a vulnerability, email security@kanurra.com.

Children’s privacy

The Website is not directed to children. It is intended for business users.

We do not knowingly collect personal information from anyone under 13, the standard under COPPA. We do not sell or share the personal information of anyone, and in any case we conduct no sale or share today, and we do not offer consent-based processing of minors below the applicable EU or UK age of digital consent. If we learn we have collected information from a child, we will delete it. If you believe a child has provided us information, email privacy@kanurra.com.

Third-party links and embeds

The Website links to and embeds tools operated by third parties. The Cal.com scheduler embed on /audit is the main one; any maps or video embeds we add later would be others.

These third parties operate under their own privacy policies, and we are not responsible for their practices. For the scheduler and our host specifically, see the subprocessor list above.

Changes to this policy

We may update this policy from time to time. When we make material changes, we will indicate them by updating the effective date and posting the revised policy to this page.

For changes that materially affect how we use personal information you already gave us, we will take additional reasonable steps to notify you, such as a notice on the site or, where we have your email, by email.

Contact us

For privacy questions, requests, or complaints, email privacy@kanurra.com.

Legal entity: Kanurra, Inc. (“Kanurra”).

Mailing address: 315 West 86th Street, Apt 10E, New York, NY 10024.

If you are in the EU or UK, you also have the right to lodge a complaint with your local data protection supervisory authority.

Governing law and dispute terms for this Website are set out in the Terms of Service. Governing-law state is New York.