Privacy Policy

This Privacy Policy describes how Luminex Global Inc. ("we," "our") collects, uses, discloses, and protects information when you use Riley.

Last updated April 2026

Plain-language summary

We collect data necessary to deliver Riley: account info, integration data (reviews, AR, and patient communications you authorize), and product analytics. We do not sell your data. We do not train AI models on your customer data. We honor CCPA, GDPR, and HIPAA data rights. We retain data only as long as needed for service or required by law. Patient data on the Practice plan is processed under a Business Associate Agreement.

1. What we collect

Account information: name, email, practice name, billing details. Integration data: Slack, email, or Teams beta workspace identifiers, OAuth tokens (encrypted), review feeds, AR records, and recall lists you have authorized. Product analytics: usage events (anonymized: feature taps, error rates), no PHI in analytics. Patient data (PHI): processed only under a signed BAA, only inside your authorized integrations.

2. How we use it

To deliver the Riley service. To process payment. To send service notifications. To improve the product (using anonymized analytics only). For required legal compliance. We do not use your data to train AI models.

3. Who we share with (subprocessors)

Third-party vendors necessary to deliver the service. Full list in Disclosures section 18. All subprocessors are bound by data-protection agreements consistent with this Policy. Material changes are communicated 30 days in advance.

4. Data retention

Account data: while your account is active, plus 90 days after termination for export. Patient data: per the BAA and Customer instructions. Anonymized analytics: 18 months. Logs: 13 months. Backups: encrypted and purged after a rolling 90 days.

5. Security

Encryption at rest (AES-256) and in transit (TLS 1.3). OAuth-only authentication. Per-tenant data isolation. Automatic PII scanning on AI outputs. SOC 2 readiness in progress. Type II audit timing is readiness-gated; no certification is claimed before a completed report exists. See the Security page for architecture detail.

6. California rights (CCPA / CPRA)

California residents have rights to access, delete, correct, and opt out of sale or sharing of personal information. We do not sell personal information. To exercise these rights, email privacy@hireriley.com. We respond within 45 days. See Disclosures section 22.

7. European rights (GDPR)

EU residents have rights to access, erasure, rectification, restriction, portability, and objection under GDPR. Contact privacy@hireriley.com. We respond within 30 days. We have not yet appointed an EU representative. Riley is currently U.S.-only.

8. HIPAA

On the Practice plan, Luminex Global Inc. acts as a Business Associate under HIPAA. Patient data (PHI) is processed under the executed Business Associate Agreement (BAA) and the requirements of 45 C.F.R. Parts 160 and 164. Customer remains the Covered Entity. See the HIPAA Notice.

9. Children (COPPA)

Riley is not directed to children under 13. We do not knowingly collect personal information directly from children. See Disclosures section 29.

10. Changes

Material changes are communicated 30 days in advance via email and in-product notification. The last-updated date is at the top of this page. Continued use after the effective date constitutes acceptance.


Privacy questions: privacy@hireriley.com. Data subject requests are responded to within the legal SLA per jurisdiction. See also DPA, HIPAA Notice, and Disclosures.