Privacy Policy
Last Updated: June 15, 2026
Welcome to Lance Health Inc. (“Lance,” “we,” “us,” or “our”). This Privacy Policy (“Privacy Policy”) explains how Lance collects, uses, discloses, and otherwise processes personal data in connection with www.lance.health (the “Website”) and our LanceLite and Full Lance products and any other product, service, or application that references or links to this Privacy Policy (collectively, the “Services”).
This Privacy Policy does not address our privacy practices relating to Lance employees, contractors, or other employment-related individuals after hire, nor data that is not subject to applicable data protection laws (such as de-identified or publicly available information).
1. Our Role in Processing Personal Data
Data protection laws sometimes differentiate between “controllers” and “processors” of personal data. A “controller” determines the purposes and means (the why and how) of processing personal data. A “processor,” sometimes referred to as a “service provider,” processes personal data on behalf of a controller subject to the controller’s instructions.
This Privacy Policy describes our privacy practices where we act as the controller of personal data — for example, when you visit our Website, sign up for our mailing list, or contact us directly.
This Privacy Policy does not cover or address how our customers process personal data when they use our Services, or how we act as a processor (or as a HIPAA business associate) on behalf of our customers. When we process personal data on behalf of our customers, we do so in accordance with their instructions and subject to restrictions set forth in our contracts with them, including our Business Associate Agreement and our Terms of Service. If you have an account with a Lance customer (such as a home health agency, hospice, or other healthcare organization) and you want to know how that customer processes your personal data, we recommend that you refer to that customer’s privacy notice and contact that customer directly. We are generally not permitted to respond to individual requests relating to personal data we process on behalf of our customers.
2. Protected Health Information
When our customers (which are typically Medicare-certified home health agencies and other healthcare organizations) upload patient documents to the Services, those documents may contain protected health information (“PHI”) as that term is defined under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder (“HIPAA”). With respect to PHI, Lance acts as a business associate of the relevant customer and our handling of PHI is governed by the Business Associate Agreement between Lance and that customer, not by this Privacy Policy. Among other things, the Business Associate Agreement contractually prohibits Lance from using PHI to train, fine-tune, retrain, or otherwise develop any artificial intelligence model. If you are an individual whose PHI is included in customer-uploaded data, your rights with respect to that PHI are governed by HIPAA and by your relationship with the relevant healthcare organization, and you should direct any inquiries about that PHI to the healthcare organization that uploaded it.
3. Personal Data We Collect
The categories of personal data we collect depend on how you interact with us and our Services. We collect personal data you provide directly to us, automatically when you interact with the Website or other Services, and from other sources and third parties.
Personal Data You Provide to Us
- Contact Information, including first and last name, phone number, email address, mailing address, job title, organization name, and communication preferences. We use this information primarily to fulfill your request or transaction, to communicate with you, to administer your account, to provide you with the Services, and to send you marketing communications in accordance with your preferences.
- Account and Verification Information, including National Provider Identifier (“NPI”), CMS Certification Number (“CCN”), the legal name of the healthcare organization on whose behalf you register, your title, and your authority to bind the organization. We use this information to verify your eligibility for the Services and to administer your account.
- Payment Information, including (where applicable) billing name, billing address, and payment card information. Payment card information is collected and processed by our third-party payment processor and is not stored on Lance’s systems.
- Communications, including emails, support tickets, chat transcripts, recordings of calls (where permitted by law), and other communications you send to us. We use this information to respond to your inquiries, provide support, improve the Services, and comply with our legal obligations.
- Marketing and Event Information, including information you provide when you sign up for newsletters, events, webinars, demos, or surveys, or when you respond to our marketing communications. We use this information to administer the relevant program, to communicate with you, and to inform our marketing activities.
- Feedback, including comments, suggestions, ideas, and survey responses about the Services. We use this information to improve the Services and our business. As described in our Terms of Service, you grant us a perpetual license to use feedback you provide.
Personal Data Automatically Collected
We, and our third-party partners, automatically collect information about how you access and use the Services. We typically collect this information through cookies, web beacons, pixels, embedded scripts, mobile SDKs, location-identifying technologies, logging technologies, and similar automatic data collection technologies. We may combine information collected automatically with other personal data we collect directly from you or receive from other sources.
- Device and Network Information, including device type, manufacturer, model, operating system, IP address, browser type, internet service provider, and unique identifiers associated with you, your device, or your network. We may use third-party technologies that recognize when multiple devices are likely being used by the same individual.
- Usage and Interaction Information, including the site from which you came, the site you go to when you leave the Services, how frequently you access the Services, whether you open emails or click links in them, browsing behavior, the pages you view, the content you interact with, and other actions you take on the Services.
- Approximate Location, including general geographic location that we or our third-party providers may derive from your IP address. We do not collect precise location data through the Website.
Product Analytics and Session Replay
On our public marketing website (which does not handle PHI), we use PostHog, a product-analytics provider, to understand how visitors discover and navigate the site, measure the performance of our content, and identify points where prospective customers struggle in the “Request access” flow. PostHog collects the categories of data described in “Personal Data Automatically Collected” above and may record an anonymized replay of your session (mouse movement, scrolls, and clicks). We configure PostHog with all text inputs masked by default, so the contents of forms — including names, email addresses, CCNs, and any other text you type on the Website — are never recorded in session replays. We do not enable PostHog or any comparable session-replay tool inside the LanceLite or Full Lance products, where PHI may be present. We honor browser-level “Do Not Track” signals on the marketing website: if your browser sends a Do Not Track header, our analytics tracker disables itself before any data is sent. You can also opt out at any time by emailing us at support@lancehealth.ai.
Personal Data from Other Sources
We may receive personal data about you from other sources, including:
- Public CMS Data. We verify the eligibility of healthcare-organization customers against publicly available data from the Centers for Medicare & Medicaid Services (“CMS”), including the National Plan and Provider Enumeration System (“NPPES”) and CMS Care Compare.
- Employers and Colleagues. If you interact with the Services in connection with your employment, we may obtain personal data about you from your employer or another individual at your organization who has registered for the Services on behalf of the organization.
- Service Providers. We engage service providers that perform services on our behalf, such as analytics providers, marketing providers, and customer-support providers, who collect personal data and share some or all of it with us.
- Social Media and Other Public Sources. When you interact with us through social media, we may receive information from the social network in accordance with your privacy settings.
- Inferences. We may generate inferences about you and your interests based on the other personal data we collect.
4. How We Use Personal Data
We use personal data we collect for the following purposes:
- To provide and administer the Services, including to operate the Website, administer accounts, authenticate users, verify the eligibility of healthcare-organization customers (including by verifying NPIs and CCNs against publicly available CMS data), process payments, provide customer support, and respond to inquiries.
- To improve and develop the Services, including to monitor and analyze usage patterns, diagnose and fix technical issues, develop new features and services, and improve the security, performance, and functionality of the Services.
- To communicate with you, including to send service-related notices, security alerts, account-related communications, and (where you have not opted out) marketing communications about Lance products and services.
- For marketing and advertising purposes, including to inform our marketing activities, deliver advertising on our Website and on third-party properties, and measure the effectiveness of our advertising.
- To create aggregated or de-identified information that does not identify you and cannot reasonably be used to identify you. We may use such aggregated or de-identified information for lawful business purposes, including for analytics, benchmarking, security monitoring, and to improve the Services. We do not use such information to train any foundation model, large language model, or other general-purpose artificial intelligence model that is intended for, or made available for, use beyond the Services we provide to our customers.
- For security, fraud prevention, and legal compliance, including to protect the security and integrity of the Services, detect and prevent fraud and abuse, enforce our Terms of Service and other agreements, defend against legal claims, respond to lawful requests and legal process, and comply with applicable laws.
- For business operations and transactions, including to facilitate corporate transactions such as mergers, acquisitions, financings, and reorganizations.
- For any other purpose disclosed to you at the time of collection, or for which you have otherwise consented.
5. How We Disclose Personal Data
We disclose personal data in the following ways:
- Service Providers. We engage third parties to perform services on our behalf in connection with the operations of our business and the Services. These service providers may include hosting providers, payment processors, communications providers, customer-support providers, analytics providers, marketing providers, professional advisors (such as lawyers, accountants, and auditors), and security and fraud-prevention providers. Service providers are permitted to access and use personal data only as necessary to perform services on our behalf.
- Our Affiliates. We may share personal data with companies under common ownership or control with Lance for purposes consistent with this Privacy Policy.
- Marketing and Advertising Partners. We may share personal data with marketing and advertising partners to deliver advertising on our Website and on third-party properties, to measure the effectiveness of our advertising, and to communicate with you about the Services.
- In Connection with a Business Transaction. We may disclose, transfer, or assign personal data in connection with a corporate divestiture, merger, consolidation, acquisition, reorganization, sale of all or part of our business or assets, financing, or similar transaction (or negotiations for such a transaction), including in the event of our bankruptcy, receivership, or insolvency.
- To Comply with Law and Protect Rights. We may disclose personal data to law enforcement, government authorities, regulators, courts, and other third parties as we believe in good faith to be necessary or appropriate: (a) to comply with applicable laws or to respond to lawful requests and legal process; (b) to establish, exercise, or defend our legal rights; (c) to protect our rights, property, and safety, and the rights, property, and safety of our customers, our employees, or any other person; (d) to detect, prevent, or investigate fraud, security incidents, or other illegal activity; (e) to enforce our Terms of Service and other agreements; or (f) as otherwise required by applicable law.
- With Your Consent or at Your Direction. We may disclose personal data to third parties or publicly with your consent or at your direction.
6. Artificial Intelligence and Aggregated Data
The Services use artificial intelligence and machine learning technologies to process documents and generate outputs. We want you to understand our practices:
- No training on PHI. As described in our Business Associate Agreement, we are contractually prohibited from using PHI to train, fine-tune, retrain, or otherwise develop any artificial intelligence model.
- No training of general-purpose AI models on de-identified customer data. We may use aggregated and de-identified data derived from customer use of the Services to evaluate, improve, and operate the Services. However, we do not use such aggregated or de-identified data to train, fine-tune, retrain, or otherwise develop any foundation model, large language model, or other general-purpose artificial intelligence model that is intended for, or made available for, use beyond the Services we provide to our customers.
- Third-party AI providers. We use third-party AI service providers to power certain features of the Services. Those providers are contractually prohibited from using customer inputs (and any PHI contained in those inputs) to train their general-purpose AI models.
- Outputs of the Services may contain errors. As described in our Terms of Service, outputs of the Services are intended to support, not replace, the independent clinical, coding, documentation, and billing judgment of qualified healthcare professionals. Outputs may contain inaccuracies and must be reviewed by a qualified clinician or coder before being relied upon.
7. Your Privacy Choices
Communication Preferences
You can opt out of marketing communications from us at any time. To opt out of marketing emails, click the “unsubscribe” link in any marketing email we send you, or contact us at support@lancehealth.ai. To opt out of marketing text messages, reply STOP to any marketing text message you receive from us. Please note that you cannot opt out of service-related communications such as account-verification messages, transaction confirmations, and service updates, which are necessary for our relationship with you.
Cookies and Online Tracking
Most browsers allow you to remove or reject cookies. To do this, follow the instructions in your browser settings. Note that some features of the Website may not function properly if you disable cookies. You can opt out of Google Analytics by installing the browser plugin available at https://tools.google.com/dlpage/gaoptout. You can block our Website from setting cookies used for interest-based advertising by using a browser with privacy features (such as Brave) or by installing browser plugins that block third-party cookies and trackers. Because these opt-out mechanisms are specific to the device or browser on which they are exercised, you will need to opt out on every browser and device you use.
Do Not Track and Global Privacy Control
Some browsers may be configured to send “Do Not Track” signals to the online services you visit. On our public marketing website, our product-analytics tracker honors “Do Not Track” signals: if your browser sends a Do Not Track header, no analytics, autocapture, or session-replay data is sent to our analytics provider. We do not otherwise respond to “Do Not Track” signals across the Services. We honor Global Privacy Control (“GPC”) signals as required by applicable law. To learn more about GPC, visit https://globalprivacycontrol.org.
Your State Privacy Rights
Depending on your state of residence, you may have the following rights with respect to your personal data:
- Right to Know / Access. The right to request that we disclose what personal data we have collected, used, and disclosed about you.
- Right to Correct. The right to request that we correct inaccurate personal data we have about you.
- Right to Delete. The right to request that we delete personal data we have about you, subject to certain exceptions (such as data we need to retain to comply with legal obligations or to provide the Services).
- Right to Portability. The right to receive a copy of your personal data in a portable, readily usable format.
- Right to Opt Out of certain processing, including the “sale” or “sharing” of personal data, targeted advertising, and certain profiling activities. You can exercise this right by (a) emailing us at support@lancehealth.ai with the subject line ‘Privacy Rights Request,’ (b) enabling the Global Privacy Control setting in your browser, or (c) using any ‘Your Privacy Choices’ link we may make available on our Website.
- Right to Non-Discrimination. The right not to receive discriminatory treatment for exercising your privacy rights.
You may exercise these rights by contacting us at support@lancehealth.ai. We may need additional information from you to verify your identity before fulfilling your request. You may also designate an authorized agent to submit a request on your behalf in accordance with applicable law. We will respond to your request within the timeframe required by applicable law.
State Privacy Rights and Disclosures
California Residents. If you are a California resident, you have rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA/CPRA”), including the rights described in this Section 7. The categories of personal data we collect, the sources from which we collect it, the business and commercial purposes for which we use it, and the categories of third parties with whom we share it are described in Sections 3, 4, and 5 of this Privacy Policy. Lance does not “sell” personal data within the meaning of CCPA/CPRA. To the extent Lance “shares” personal data with third-party advertising or analytics partners within the meaning of CCPA/CPRA, you may opt out as described in the Right to Opt Out subsection above. We do not knowingly process the personal data of California residents under the age of 16 for sale or sharing. If you would like to exercise your CCPA/CPRA rights, please contact us at support@lancehealth.ai. We will respond within 45 days, subject to permitted extensions under applicable law.
Residents of Other States. If you are a resident of Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have additional rights under applicable state privacy laws, including the rights described above in this Section 7. You may exercise these rights by contacting us at support@lancehealth.ai. If we deny your request, you may have the right to appeal that decision; instructions for appealing will be included in our response to your request.
Washington Residents. If you are a Washington resident, you may have rights under the Washington My Health My Data Act (“MHMDA”) with respect to certain “consumer health data” that we collect outside of the HIPAA context. Most of the protected health information Lance processes is governed by HIPAA and the Business Associate Agreement, and HIPAA-regulated data is exempt from MHMDA. To the extent we collect consumer health data subject to MHMDA (for example, in connection with the Website), you have rights to access, delete, and withdraw consent under MHMDA. To exercise these rights, please contact us at support@lancehealth.ai.
Nevada Residents. If you are a Nevada resident, you have the right under Nevada law (NRS 603A) to opt out of the sale of certain personal information. Lance does not sell personal information in the manner contemplated by Nevada law. If you have questions, please contact us at support@lancehealth.ai.
8. Security
We employ technical, organizational, and physical safeguards designed to protect the personal data we collect. However, no security measures are perfect, and we cannot guarantee the security of your personal data. If we become aware of a security incident affecting your personal data, we will notify you in accordance with applicable law and our contractual obligations.
9. Data Retention
We retain personal data for as long as reasonably necessary to fulfill the purposes for which it was collected, in accordance with our legitimate business interests and applicable law. When determining the appropriate retention period, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure, our purposes for processing the personal data, whether we can achieve those purposes through other means, and our legal, regulatory, tax, accounting, and contractual obligations.
Once retention of the personal data is no longer reasonably necessary, we will either delete or de-identify the personal data, or, if that is not possible (for example, because the personal data has been stored in backup archives), we will securely store the personal data and isolate it from further active processing until deletion or de-identification is possible. Retention of PHI is governed by the Business Associate Agreement, not by this section.
10. Third-Party Websites and Services
The Services may contain links to third-party websites, plug-ins, applications, and other services that we do not own or control. This Privacy Policy does not apply to those third-party services. To learn about the privacy practices of those third parties, please review their respective privacy policies.
11. Children
The Services are intended for use by healthcare organizations and their authorized workforce members and are not directed to children under 13. We do not knowingly collect personal data from children under 13. If we learn that we have collected personal data from a child under 13 without parental consent, we will delete it. If you believe we may have collected personal data from a child under 13, please contact us at support@lancehealth.ai. Note that customer-uploaded patient documents may contain information about pediatric patients; that data is PHI governed by the Business Associate Agreement, not by this section.
12. Job Applicants
When you apply for a job with Lance, we collect your business and personal contact information, professional credentials and skills, education and work history, and other information you provide in connection with your application. We use this information to facilitate our recruitment activities, process employment applications, monitor recruitment metrics, and respond to inquiries. We may also retain your information for purposes of considering you for future openings, and as otherwise necessary to comply with applicable laws, respond to legal process, protect our rights and property, and investigate or prevent violations of law or our policies. The terms of this Privacy Policy do not apply to personal data we collect about Lance employees and contractors after their hire; that information is governed by our internal personnel privacy policies.
13. Users Outside the United States
Lance is based in the United States and the Services are operated from and intended for use in the United States. If you access the Services from outside the United States, your information may be processed in the United States, where data protection laws may differ from those in your country of residence. We do not intentionally direct the Services to residents of, or knowingly process personal data of residents of, jurisdictions outside the United States.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide notice by updating the “Last Updated” date at the top of this Privacy Policy and, where appropriate, by sending an email to your registered email address or by prominent posting on the Website. All changes are effective on the date of publication unless otherwise provided. Your continued use of the Services after the effective date of any change constitutes your acceptance of the revised Privacy Policy.
15. Contact Us
If you have questions or requests in connection with this Privacy Policy or other privacy-related matters, please contact us at support@lancehealth.ai or by mail at Lance Health Inc., One World Trade Center, Suite 49P, New York, NY 10007.
— END OF PRIVACY POLICY —