Privacy Policy

Effective Date: January 14, 2026

1. Introduction

Oystercatcher, LLC ("Oystercatcher," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at oystercatcher.ai (the "Site") and use our lead scoring and sales intelligence platform (the "Service").

By accessing or using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Site or use our Service.

2. Information We Collect

We collect information in several ways depending on how you interact with our Service:

2.1 Account and Registration Information

When you create an account or register for our Service, we collect:

  • Name (first and last)
  • Email address
  • Password (stored using industry-standard bcrypt hashing)
  • Phone number (optional)
  • Organization name and business information
  • Job title and role within your organization
  • Profile photo (optional)

2.2 Organization Information

For organizations using our Service, we collect:

  • Company name and business address
  • Billing contact information
  • Technical contact information
  • Website URL
  • Team member information and roles

2.3 Payment Information

When you subscribe to our Service, payment processing is handled by our third-party payment processor, Stripe, Inc. We do not store complete credit card numbers or bank account details on our servers. We receive and store only:

  • Last four digits of your payment card
  • Card brand and expiration date
  • Billing address
  • Transaction history and invoice records

Stripe's collection and use of your payment information is governed by their Privacy Policy.

2.4 Usage and Activity Data

We automatically collect information about how you use our Service, including:

  • Features accessed and actions taken within the platform
  • Campaign creation and configuration data
  • Search queries and lead scoring activity
  • Export history and download records
  • Login timestamps and session duration
  • Team collaboration activity (assignments, notes, tags)

2.5 Device and Technical Information

When you access our Service, we automatically collect:

  • IP address
  • Browser type and version
  • Operating system
  • Device type and identifiers
  • Referring URLs and exit pages
  • Pages viewed and links clicked
  • Date and time of access

2.6 Cookies and Similar Technologies

We use cookies and similar tracking technologies to:

  • Maintain your session and authentication state
  • Remember your preferences and settings
  • Analyze usage patterns and improve our Service
  • Provide relevant content and features

You can control cookies through your browser settings. However, disabling certain cookies may limit your ability to use some features of our Service.

2.7 Information from Third-Party Integrations

If you connect third-party services to your account (such as CRM systems like Salesforce), we may receive information from those services as authorized by you, including contact records, account data, and synchronization status.

3. Medical Professional Data

Our Service provides access to information about medical professionals that is sourced exclusively from publicly available records. This data is not collected from or about our users, but rather compiled from public sources for use in our lead scoring and sales intelligence features.

3.1 Sources of Medical Professional Data

We aggregate data from the following public sources:

  • National Provider Identifier (NPI) Registry: A publicly searchable database maintained by the Centers for Medicare & Medicaid Services (CMS)
  • State Medical Licensing Boards: Public license verification databases
  • CMS Medicare Data: Publicly released healthcare provider data
  • Public Professional Directories: Publicly listed practice information
  • PubMed and ClinicalTrials.gov: Public research and publication records

3.2 Types of Medical Professional Data

This publicly sourced data may include:

  • Name, credentials, and NPI number
  • Medical specialty and board certifications
  • Practice name, address, and contact information
  • License status and state licensure information
  • Medicare participation status
  • Educational background and graduation year
  • Professional affiliations and hospital privileges
  • Published research and clinical trial participation

3.3 Enrichment Data

We may supplement public records with additional publicly available information from sources such as Google Places (business information, reviews, ratings) to provide more complete professional profiles.

4. How We Use Your Information

We use the information we collect for the following purposes:

4.1 Providing and Maintaining the Service

  • Creating and managing your account
  • Processing transactions and sending related information
  • Providing customer support and responding to inquiries
  • Delivering the features and functionality of our Service

4.2 Improving and Developing the Service

  • Analyzing usage patterns to enhance user experience
  • Developing new features and functionality
  • Conducting research and analytics
  • Testing and troubleshooting new products and features

4.3 Communications

  • Sending administrative messages, updates, and security alerts
  • Providing information about your account and subscription
  • Sending marketing communications (with your consent)
  • Responding to your comments, questions, and requests

4.4 Safety and Security

  • Detecting, preventing, and addressing fraud and abuse
  • Protecting the security and integrity of our Service
  • Enforcing our Terms of Service and other policies
  • Complying with legal obligations

4.5 AI and Machine Learning

We use artificial intelligence and machine learning technologies to power certain features of our Service, including our "Vibe Targeting" natural language processing feature and lead scoring algorithms. These features process your campaign configurations and search criteria to provide intelligent lead recommendations. We use third-party AI services (described in Section 6) to provide these capabilities.

5. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we process personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide the Service you have requested and to fulfill our contractual obligations to you.
  • Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our Service, preventing fraud, and ensuring security, where such interests are not overridden by your rights.
  • Consent: Where required by law, such as for marketing communications or certain cookies, we will obtain your consent before processing.
  • Legal Obligation: Processing necessary to comply with applicable laws and regulations.

6. Third-Party Service Providers

We share information with third-party service providers who assist us in operating our Service. These providers are contractually obligated to protect your information and use it only for the purposes we specify.

6.1 Infrastructure and Hosting

We use cloud infrastructure providers to host our Service and store data securely.

6.2 Payment Processing

Stripe, Inc. - Processes payments and manages subscriptions. Stripe is PCI-DSS compliant.

6.3 Authentication

Google OAuth - Provides optional single sign-on authentication.

6.4 AI and Machine Learning Services

  • Anthropic - Powers our natural language processing features for campaign targeting and analysis.
  • OpenAI - Provides text embedding services for semantic search functionality.

6.5 Data Enrichment

Google Places API - Provides business location data, reviews, and ratings for medical practice profiles.

6.6 Analytics

Google Analytics - We use Google Analytics on our marketing pages to understand how visitors interact with our Site. Google Analytics collects information such as how often users visit our Site, what pages they visit, and what other sites they used prior to coming to our Site. We use this information to improve our Site and marketing efforts. Google Analytics collects the IP address assigned to you on the date you visit our Site, but not your name or other identifying information. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

6.7 CRM Integrations

If you choose to connect your CRM system (such as Salesforce, Microsoft Dynamics, Pipedrive, or Zoho CRM), data will be shared with those services as necessary to provide the integration functionality you have authorized.

7. Data Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

7.1 With Your Consent

We may share information when you direct us to do so or provide consent.

7.2 Within Your Organization

Information may be shared with other members of your organization who have appropriate access permissions within our Service.

7.3 Service Providers

We share information with third-party vendors and service providers who perform services on our behalf, as described in Section 6.

7.4 Legal Requirements

We may disclose information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency), including to:

  • Comply with a legal obligation
  • Protect and defend our rights or property
  • Prevent or investigate possible wrongdoing
  • Protect the personal safety of users or the public

7.5 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of company assets, your information may be transferred as part of that transaction. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.

7.6 Aggregated or De-identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify you.

8. Data Retention

We retain your information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

8.1 Account Data

We retain your account information for as long as your account is active. If you request account deletion, we will delete or anonymize your personal information within 30 days, except as required for legal, accounting, or audit purposes.

8.2 Usage Data

Usage logs and analytics data are typically retained for up to 24 months to support service improvement and troubleshooting.

8.3 Billing Records

Transaction and billing records are retained for 7 years to comply with tax and accounting requirements.

8.4 Backup Data

Backup copies of data may persist for up to 90 days after deletion from production systems.

9. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information:

9.1 Access and Portability

You have the right to request access to the personal information we hold about you and to receive a copy of your data in a portable format.

9.2 Correction

You have the right to request correction of inaccurate or incomplete personal information.

9.3 Deletion

You have the right to request deletion of your personal information, subject to certain exceptions required by law.

9.4 Restriction and Objection

You have the right to request restriction of processing or to object to processing of your personal information in certain circumstances.

9.5 Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time.

9.6 How to Exercise Your Rights

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days (or sooner if required by applicable law). We may need to verify your identity before processing your request.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

10.1 Right to Know

You have the right to request information about the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purposes for collecting it, and the categories of third parties with whom we share it.

10.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions.

10.3 Right to Correct

You have the right to request correction of inaccurate personal information.

10.4 Right to Opt-Out of Sale or Sharing

We do not sell personal information or share it for cross-context behavioral advertising purposes.

10.5 Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights.

10.6 Authorized Agents

You may designate an authorized agent to make requests on your behalf. We may require verification of the agent's authorization.

10.7 Categories of Information

In the preceding 12 months, we have collected the following categories of personal information: identifiers, commercial information, internet or network activity information, geolocation data, and professional or employment-related information.

11. International Data Transfers

Oystercatcher is based in the United States. If you access our Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

For users in the EEA, UK, or Switzerland, we ensure appropriate safeguards for international transfers through:

  • Standard Contractual Clauses approved by the European Commission
  • Data processing agreements with our service providers
  • Other legally recognized transfer mechanisms

12. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Secure password hashing using bcrypt
  • Role-based access controls
  • Regular security assessments and monitoring
  • Employee training on data protection
  • Multi-factor authentication for administrative access

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

13. Children's Privacy

Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us at [email protected], and we will take steps to delete such information.

14. Do Not Track Signals

Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want your online activity tracked. Our Service does not currently respond to DNT signals. You can opt out of certain tracking as described in Section 2.6.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of material changes by:

  • Posting the updated Privacy Policy on our Site with a new "Effective Date"
  • Sending an email notification to registered users for significant changes
  • Displaying a prominent notice within our Service

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Oystercatcher, LLC
Email: [email protected]

If you are an EEA resident, you also have the right to lodge a complaint with your local data protection authority.