Privacy Policy
QSimHealth, a ChiAha™ product · Last updated 2026-05-21
The short version
QSimHealth is a healthcare-staffing decision simulator. We collect the minimum we need to run your account, deliver the service, and bill it. We do not see, request, or process Protected Health Information (PHI). The simulator works on staffing parameters (arrival rates, provider counts) — never on individual patient records. We do not sell your data, do not use it to train AI models, and automatically purge telemetry after 90 days.
Contents
- What we collect
- What we do NOT collect
- How we use what we collect
- Who we share data with
- AI model training
- Cookies and session storage
- Retention
- Your rights and how to exercise them
- International users (GDPR, UK GDPR)
- California users (CCPA / CPRA)
- Children's privacy
- Security
- Changes to this policy
- Contact
1. What we collect
1.1 Account data (when you sign in)
- Email address from your Google or Microsoft account at OAuth signin. Authentication is OAuth-only as of v12.39 (the prior email-code flow was removed for security reasons).
- Name and profile fields that Google or Microsoft return as part of the OAuth handshake (we use these to personalize the UI).
- Subscription state — trial / paid / lapsed status and timestamps — persisted on our application volume to enforce access without re-checking on every request.
- Session cookies — see Section 6 below.
1.2 Simulation inputs you submit at /app or via /api/simulate
- Numerical staffing parameters: arrival rates, provider counts (MD / PA / Locum), treatment-time distributions, simulation days. These are abstract operational numbers — not patient data.
- We do not link these inputs to your identity in any durable record; they're computed against by the engine and the response is returned to you. The engine does not retain the inputs after the response.
1.3 On-page AI chat (signup-gated; embedded in /app + /chat)
If you use the chat widget, the following happens:
- Your message is sent to Anthropic via their Messages API to generate a response from Claude. Anthropic's API does not train its public models on traffic from API calls by default.
- Your message and the assistant's response are not persisted to our durable storage. We only record per-turn metadata: timestamp, a non-reversible session hash (SHA-256 of your IP + user-agent bucket, first 16 hex chars), scenario context, and token usage. This metadata is purged after 90 days by an automatic retention cron.
- Chat is rate-limited to 20 messages per rolling 24 hours per IP and capped at a monthly inference-spend budget.
- Optional content capture — Report link. Each assistant response has a small Report this response link. If you click it, a modal opens; if you submit it, we persist that specific exchange (your message, the assistant's response, your free-text note, and the facility-type context at the time of the click) to a separate file (/data/reports.jsonl) for product debugging. No content is persisted unless you click Submit on that modal. Reports are subject to the same 90-day retention.
1.4 Public MCP API (qsimhealth.com/mcp/v1)
QSimHealth publishes a public Model Context Protocol server at qsimhealth.com/mcp/v1, intended for use from Claude / ChatGPT / Cursor / other MCP clients. It exposes eight tools:
- explain_ed_queueing, explain_walk_in_clinic, explain_appointment_office — textbook explainers (static text).
- list_facility_types, describe_facility — facility-archetype detail.
- simulate_ed_demo — 7-day demo simulation with MD + PA roles.
- recommend_md_pa_mix — inverse problem (smallest provider count meeting a wait target).
- compare_shifts — side-by-side delta of two staffing configurations.
What we log per tool invocation: tool name, success/failure, duration in milliseconds, a non-reversible session hash (SHA-256 of IP + user-agent bucket, first 16 hex chars), a user-agent bucket, the calling MCP client name (e.g. claude.ai, chatgpt, cursor, smithery), and the numerical input parameters (truncated to 1 KB). These rows go to /data/mcp-tool-calls.jsonl on our application server's encrypted volume and are automatically purged after 90 days. The session hash lets us correlate same-client repeat traffic for abuse forensics within the retention window without storing the IP itself. The input parameters are anonymous numbers and do not constitute personal data.
1.5 Authenticated MCP API (qsimhealth.com/mcp, gated)
Signed-up users receive a personalized URL to the authenticated MCP endpoint (full agent-pattern toolset). The key embedded in that URL is HMAC-derived from your email address; it identifies your session for rate-limiting and access control but is not stored on our side beyond derivation. The same per-tool-call logging described in §1.4 applies, with the same session-hash treatment and 90-day retention.
1.6 Operational telemetry (every visitor)
- IP address — processed in memory by the rate limiter and appears in Fly.io's platform HTTP access logs (retained per Fly's standard log window). IP is not written to our durable JSONL files; those store a session hash instead.
- User-agent string — bucketed into categories for analytics; only the bucket is written to durable storage. The full UA string lives only in Fly's transient HTTP access logs.
- Standard HTTP access logs — timestamps, paths, status codes, response times.
- Error log (/data/error-log.jsonl) — diagnostic records of 5xx responses for debugging. Same 90-day retention.
1.7 Payment data (FastSpring)
- Subscription billing is handled by FastSpring. They process your payment details (card, billing address) directly; QSimHealth never sees or stores card numbers.
- FastSpring sends us webhook events (subscription started, renewed, lapsed, canceled) which update your subscription state on our side. Webhook payloads contain your email and FastSpring's internal IDs, not card data.
1.8 Analytics
- We use Google Tag Manager (container GTM-NL7VDMTV) and Google Analytics 4 for pageview and traffic-source aggregates. GA4 collects standard browser/device fingerprints; IP anonymization is enabled where supported.
2. What we do NOT collect
- No Protected Health Information (PHI). The simulator operates on staffing parameters, not patient records. Do not enter PHI.
- No card numbers. Payment data goes directly to FastSpring; we never see it.
- No chat content stored. Per-turn metadata only, unless you submit a Report on a specific response (see Section 1.3).
- No third-party advertising trackers. No retargeting pixels, no ad-network beacons.
- No sensitive personal information. Race, religion, sexual orientation, biometric data, precise geolocation — none collected.
3. How we use what we collect
- Run the simulator and chat features for signed-up users.
- Authenticate sessions and enforce subscription tier.
- Detect and prevent abuse (rate-limit floods, scraping).
- Compute aggregate usage statistics for product decisions.
- Send you product, support, and billing-related emails. Marketing emails only if you opted in.
We do not use any of the data we collect for advertising, profiling, or automated decisions that produce legal or similarly significant effects on you.
4. Who we share data with
- Fly.io — hosts the application, stores HTTP access logs, hosts the encrypted Fly volume. fly.io/legal/privacy-policy
- Google / Microsoft OAuth — verify your identity at signin. Their privacy policies govern that handshake.
- Anthropic — processes your on-page chat messages via their Messages API. anthropic.com/legal/privacy
- OpenAI / other MCP clients — if you invoke our MCP from ChatGPT, Claude.ai, Cursor, Smithery, or another client, that client's privacy policy governs its handling of your inputs before they reach us.
- FastSpring — processes payments. fastspring.com/privacy
- ActiveCampaign — receives your email for product-update mailings (only if you opt in). activecampaign.com/legal/privacy-policy
- Google (Tag Manager + Analytics 4) — aggregate site analytics. policies.google.com/privacy
We do not sell, rent, or trade your data. We do not "share" personal information for cross-context behavioral advertising as that term is defined under California law.
5. AI model training
- We do not use any of the data we collect to train AI models. Your chat messages, simulation inputs, account data, and analytics are not used to train Claude or any other model on our side.
- Anthropic processes API traffic. Per Anthropic's published policy, Anthropic does not train its public models on API traffic by default. See their commercial terms.
- OpenAI / other MCP clients have their own data-use policies.
6. Cookies and session storage
| Cookie | Source | Purpose | Lifetime |
|---|---|---|---|
| qsh_session (or similar) | QSimHealth (ASP.NET Core) | Authentication session after OAuth signin | 30 days (sliding) |
| OAuth correlation cookies | ASP.NET Core authentication middleware | OAuth handshake state during signin (short-lived) | Session / minutes |
| _ga | Google Analytics 4 (via GTM) | Distinguishes unique visitors | ~2 years |
| _ga_<property-id> | Google Analytics 4 (via GTM) | Session state for GA4 | ~2 years |
We do not set any advertising or cross-site tracking cookies.
7. Retention
Durable telemetry storage is automatically aged out via a background retention service that runs every 24 hours and prunes rows older than 90 days. Subscription state (which is "of record" data, not telemetry) is retained as long as your account is active.
| What | Where | Retention |
|---|---|---|
| HTTP access logs (IP, UA, path, status) | Fly.io platform logs | Up to 90 days (Fly's standard log window) |
| Chat-history JSONL (aggregate metadata only — no message content) | /data/chat-history.jsonl | 90 days, enforced by retention cron |
| MCP tool-call JSONL (per tool invocation, anonymous tool inputs) | /data/mcp-tool-calls.jsonl | 90 days, enforced by retention cron |
| Error log (5xx diagnostic records) | /data/error-log.jsonl | 90 days, enforced by retention cron |
| Reports (user-submitted chat content via the Report link) | /data/reports.jsonl | 90 days, enforced by retention cron |
| Subscription state (trial / paid / lapsed) | /data/qsh-subscription-state.jsonl | Retained as long as your account is active; removed on account deletion request |
| In-memory rate-limit counters | Application memory | Resets on server restart |
| Email list (if you opted in) | ActiveCampaign | Until you unsubscribe |
| FastSpring subscription / billing records | FastSpring | Per their retention policy |
| GA4 aggregate analytics | Google Analytics | 14 months (configured GA4 default) |
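As an added illustration, not QSimHealth's own code (the service runs on ASP.NET Core), the following Python sketch shows the two mechanisms this policy describes: the truncated SHA-256 session hash of Sections 1.3 and 1.4, written into a tool-call row that never carries the raw IP, and the 90-day retention pass over JSONL telemetry of Section 7. The user-agent bucket names, the `|` separator inside the hash input, and the row field names are assumptions; the page specifies none of them.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90   # purge window stated in Sections 1.3, 1.4 and 7
HASH_HEX_CHARS = 16   # "first 16 hex chars" of the SHA-256 digest

def ua_bucket(user_agent: str) -> str:
    """Coarse user-agent category. Bucket names are assumed; the page names none."""
    ua = user_agent.lower()
    if any(tag in ua for tag in ("bot", "curl", "python-requests")):
        return "automation"
    if any(tag in ua for tag in ("mobile", "android", "iphone")):
        return "mobile"
    return "desktop"

def session_hash(ip: str, user_agent: str) -> str:
    """SHA-256 over IP + UA bucket, truncated, as the policy describes.
    The '|' separator is an assumption; the page only says 'IP + user-agent bucket'."""
    digest = hashlib.sha256(f"{ip}|{ua_bucket(user_agent)}".encode()).hexdigest()
    return digest[:HASH_HEX_CHARS]

def tool_call_row(ip, user_agent, tool, ok, duration_ms, client, params, now):
    """One log row with the fields Section 1.4 lists. The raw IP is deliberately absent."""
    params_json = json.dumps(params, separators=(",", ":"))[:1024]  # 1 KB truncation
    return {"ts": now.isoformat(), "tool": tool, "ok": ok, "duration_ms": duration_ms,
            "session": session_hash(ip, user_agent), "ua_bucket": ua_bucket(user_agent),
            "client": client, "params": params_json}

def prune_jsonl(lines, now, retention_days=RETENTION_DAYS):
    """Retention pass over JSONL lines: keep rows whose 'ts' is inside the window.
    Rows that cannot be parsed are dropped, since their age cannot be established."""
    cutoff = now - timedelta(days=retention_days)
    kept = []
    for line in lines:
        try:
            ts = datetime.fromisoformat(json.loads(line)["ts"])
        except (ValueError, KeyError, TypeError):
            continue
        if ts.tzinfo is None:            # treat naive timestamps as UTC so they compare
            ts = ts.replace(tzinfo=timezone.utc)
        if ts >= cutoff:
            kept.append(line)
    return kept

if __name__ == "__main__":
    now = datetime(2026, 5, 21, tzinfo=timezone.utc)  # constructed sample clock
    rows = [tool_call_row("203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64)", "simulate_ed_demo",
                          True, 42, "claude.ai", {"md": 2, "pa": 1}, now - timedelta(days=d))
            for d in (0, 30, 120)]   # constructed rows: two inside the window, one stale
    log = [json.dumps(r) for r in rows] + ["not json"]
    print(len(prune_jsonl(log, now)), "of", len(log), "rows survive the retention pass")
```

Because the hash input here is unkeyed and the IPv4 space is small, anyone holding both a log row and the bucketing rule can test candidate addresses against it; mixing a server-side secret into the hash input, which the page does not describe, is the usual way to close that gap.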
8. Your rights and how to exercise them
To exercise a right, email qsimhealth@chiaha.com and include:
- What action you want. Common options: access (a copy of any data we hold on you), deletion (account + subscription-state deletion), correction, opt-out of analytics, unsubscribe from emails, cancellation of subscription (we can route the cancellation request to FastSpring).
- The email address on your account — this is the primary identifier we use to find your records.
We respond within 5 business days. Account deletion removes your subscription state and personal data from our side; billing records held by FastSpring are retained per their policy.
9. International users (GDPR, UK GDPR)
QSimHealth is operated from the United States. If you are accessing from the EEA, UK, or another jurisdiction with similar data-protection laws, your data is transferred to and processed in the United States.
Lawful bases (under GDPR Article 6):
- Contract performance — for account, subscription, and authentication processing (necessary to provide the service you signed up for).
- Legitimate interest — for operational telemetry, rate limiting, abuse prevention, and aggregate analytics.
- Consent — for marketing emails (opt-in only) and analytics cookies. Withdraw any time by emailing us or unsubscribing.
You have the rights of access, rectification, erasure, restriction, portability, and objection.
10. California users (CCPA / CPRA)
- Categories collected: identifiers (IP, email, name from OAuth, subscription state), internet/network activity (UA, request paths, GA4 cookies), commercial information (subscription tier, billing events via FastSpring). No sensitive personal information.
- Sources: directly from you (signup, OAuth, app usage), from FastSpring (billing events), from automated server logs.
- Sale or sharing: we do not sell or share personal information for cross-context behavioral advertising.
- Rights: access, deletion, correction, opt-out of sale or sharing (not applicable since we don't do so). Email qsimhealth@chiaha.com.
11. Children's privacy
QSimHealth is not directed to children under the age of 13. We do not knowingly collect personal information from anyone under 13. If you are a parent or guardian and believe your child has provided us with personal information, contact us and we will delete it.
12. Security
Infrastructure runs on Fly.io with TLS terminating at the edge and encrypted persistent volumes. Authentication is OAuth-only (Google + Microsoft); we never see your password. Session cookies are HttpOnly and Secure. The MCP, chat, and signup endpoints are rate-limited. The retention service automatically purges telemetry rows older than 90 days. We do not make HIPAA Business Associate claims because we do not collect, store, or transmit Protected Health Information.
13. Changes to this policy
If we make material changes, we'll update this page and revise the "Last updated" date above. We may notify account holders by email for significant changes.
14. Contact
Questions, requests, or concerns: qsimhealth@chiaha.com. We aim to respond within 5 business days.