Privacy Policy

• Account information, such as name, email address, authentication identifiers, organization membership, and sign-in metadata provided through our authentication provider.
• Provider lookup inputs, such as NPI numbers, clinician names, state filters, roster names, roster NPI lists, and uploaded CSV or text content used for provider data quality review.
• Generated review outputs, such as NPPES profile details, taxonomy and license fields available from NPPES, OIG public-source lookup support, CMS-related signals, web evidence summaries, source-alignment confidence, warnings, reports, and exports.
• Operational records, such as API keys, API usage, rate-limit counters, audit events, scheduled roster report settings, email report delivery metadata, errors, and system health logs.
• Basic technical information, such as IP address, browser/device information, request timestamps, and security-relevant request metadata.

AtteStaff™ uses public or customer-provided sources to create provider data quality review outputs. These may include NPPES records, OIG LEIE public-source lookup support, CMS or PECOS-related public enrollment data, web search evidence, customer roster data, and information returned by third-party infrastructure services used to operate the application.

Public provider records can be incomplete, delayed, or inconsistent across sources. AtteStaff™ provides public-source research aids; customers remain responsible for confirming facts that matter to their own operational process.

• Run individual and batch provider data quality reviews.
• Save, recheck, monitor, export, and email roster reports.
• Provide organization-scoped API access and usage tracking.
• Maintain audit trails for security, support, abuse prevention, and operational troubleshooting.
• Improve reliability, data quality, product workflow, and customer support.
• Protect the application from misuse, unauthorized access, excessive request volume, and security threats.

AtteStaff™ is not intended to collect, process, store, or transmit patient protected health information. Do not upload patient lists, medical records, clinical notes, claims containing patient identifiers, or other patient PHI into roster uploads, API requests, report names, or support messages.

We may use service providers for hosting, database storage, authentication, email delivery, web evidence search, analytics, monitoring, and payment operations. These providers process information only as needed to provide their services to AtteStaff™.

We do not sell customer roster data or provider review history. We may disclose information if required by law, to protect our rights or users, to investigate abuse, or as part of a business transaction such as a merger, acquisition, or sale of assets.

We retain account, roster, report, audit, schedule, API, and usage records for as long as needed to provide the service, support customer workflows, meet security and audit needs, comply with legal obligations, and resolve disputes. Customers may delete saved rosters and cancel scheduled reports from the application where those controls are available.

The pre-launch target retention schedule is: saved rosters and latest data quality review results are retained until deleted by the customer or until the customer relationship ends; roster monitoring summaries are retained for up to 24 months by default; generated CSV, JSON, and printable reports are generated on demand and are not intentionally retained as standalone report files; API usage, email schedule metadata, delivery metadata, and operational audit logs are retained for up to 24 months unless a longer period is needed for security, legal, tax, dispute, or contract reasons.

Final paid-launch retention commitments may vary by customer agreement, legal hold, enterprise retention configuration, or counsel-approved policy updates.

AtteStaff™ uses authentication, organization scoping, API key controls, rate limits, audit events, server-side validation, and encrypted infrastructure connections where supported. No internet service can guarantee perfect security, but we work to reduce risk and monitor for issues as the product evolves.

• You can choose what provider inputs and roster files you submit.
• You can delete saved rosters and cancel monthly email schedules in the product.
• You can revoke API keys from the API settings page.
• You can request help with account, organization, privacy, or data questions at privacy@attestaff.com.

Depending on your location and relationship with AtteStaff™, you may have rights to know or access personal information, delete personal information, correct inaccurate personal information, receive portable information, opt out of sale or sharing, limit certain uses of sensitive personal information, and exercise privacy rights without discriminatory treatment.

AtteStaff™ does not sell customer roster data or provider review history, and does not share that data for cross-context behavioral advertising. To submit a privacy request, including a California privacy request or a "Do Not Sell or Share" request, contact privacy@attestaff.com. We may need to verify your identity, authority, and relationship to the account or organization before fulfilling a request.

Abalith Systems will complete counsel-approved CCPA/CPRA, GDPR, and other jurisdiction-specific rights language before paid customer launch.

Where GDPR or similar privacy laws apply, AtteStaff™'s legal bases may include performing a contract, taking pre-contract steps, legitimate interests in operating and securing the service, consent where requested, and compliance with legal obligations.

Depending on the law that applies to you, you may have rights to access, correct, erase, restrict, object to processing, receive portable data, withdraw consent where processing is based on consent, and lodge a complaint with a supervisory authority. Submit requests to privacy@attestaff.com.

Do not submit patient PHI, patient identifiers, consumer background-check files, or unrelated sensitive personal information to AtteStaff™ unless a written agreement with Abalith Systems expressly permits it.

AtteStaff™ outputs are staffing information review signals. Customers are responsible for determining whether their use requires FCRA, HIPAA, state employment, healthcare staffing, payer enrollment, or other regulated workflows.

Unless and until Abalith Systems publishes counsel-approved terms permitting that use, AtteStaff™ output must not be treated as a Fair Credit Reporting Act consumer report, background screening product, employment eligibility tool, or automated adverse-action decision system.

We may update this policy as AtteStaff™ changes. If changes are material, we will provide notice through the application, customer communication, or another reasonable method.