Privacy Policy
Effective date: May 14, 2026
This Privacy Policy describes how Kalivar LLC ("Kalivar," "we," "us," or "our") collects, uses, discloses, and protects information when you visit kalivar.com or use the Kalivar platform and related services (collectively, the "Services"). It applies to all visitors, attorney users, physician users, expert networks, and organization administrators (each, "you").
This Privacy Policy is incorporated by reference into our Terms of Service and uses the definitions set forth there.
Read this first. The Services are designed for the anonymized, double-blind exchange of preliminary professional information between attorneys and physicians. The Services are not intended to receive Protected Health Information ("PHI") as defined under HIPAA, and Kalivar is not a HIPAA covered entity or business associate with respect to your use of the Services. Attorneys are solely responsible for anonymizing case materials before submission.
1. Who we are and how to contact us
Kalivar
- Email: privacy@kalivar.com
- Legal: legal@kalivar.com
- Security: security@kalivar.com
- DPO / EU representative: privacy@kalivar.com (engaged where applicable)
If you have any questions about this Privacy Policy or our data practices, contact us at the addresses above.
2. Scope and roles
(a) Controller. Kalivar is the controller of personal information collected through the Services, except where Kalivar acts as a processor on behalf of a subscribing organization (a "Customer") under a written agreement (e.g., a master services agreement or data processing addendum). Where Kalivar is a processor, this Privacy Policy describes our practices generally; the Customer's own privacy notice governs the relationship between the Customer and its end users.
(b) Independent professionals. Attorneys and physicians on the Platform are independent professionals. Their independent practices, communications, and engagements (including following an Introduction) are governed by their own privacy notices and professional obligations, not by this Privacy Policy.
(c) Geographic scope. The Services are operated from the United States and are intended primarily for U.S. users. If you access the Services from outside the United States, your information will be transferred to and processed in the United States as described in Section 11.
3. Information we collect
We collect information in three ways: information you provide to us, information collected automatically, and information from third parties.
3.1 Information you provide
- Account information: name, email address, password (hashed), passkey credential identifiers, profile photo, professional credentials (bar number, medical license number, board certifications, specialties, NPI), and similar registration details.
- Organization information: organization name, role, seat assignments, billing contacts, and administrator authority.
- Case Materials: information that attorney users submit for evaluation. Attorney users are required to anonymize Case Materials before submission, in accordance with the anonymization rules in our Terms of Service. Case Materials must not contain patient names, defendant or plaintiff names, dates of birth, government identifiers, facility names, or other PHI.
- Opinions: preliminary professional opinions submitted by physician users in response to Case Materials.
- Defendant / party identifiers (limited). Where Case Materials reference parties whose names are part of the public record (for example, named defendants in already-filed litigation), the Platform may store such identifiers in encrypted form to support conflict-checking and case-management features. These identifiers are subject to time-limited retention (see Section 8) and are not used by Kalivar for any purpose other than operating the Platform.
- Payment information: billing name, billing address, tax identifiers, and limited payment-card metadata (last four digits, brand, expiry). Full payment-card numbers are collected and stored by our payment processor, not by Kalivar.
- Communications: the content of messages you send to support, billing, security, or other Kalivar channels, including attachments.
- Survey, feedback, and marketing-preference data.
3.2 Information collected automatically
- Device and usage data: IP address, browser type, operating system, device identifiers, language, referring URLs, pages viewed, features used, timestamps, and crash diagnostics.
- Cookies and similar technologies: strictly necessary cookies for authentication and security; functional cookies for preferences; and limited analytics cookies. See Section 7.
- Log data: authentication events, audit-log records of in-Platform actions (for example, submitting Case Materials, requesting an Introduction, paying an Opinion Fee), and security events. The Platform maintains an audit log to satisfy compliance, billing, and security requirements.
3.3 Information from third parties
- Identity providers and authentication: if you log in via a third-party identity provider, we receive your name, email address, and a unique identifier from that provider.
- Payment processors: Stripe, Inc. shares transaction status, payment-method metadata, and decline reasons.
- Email and notification providers: delivery, open, and bounce metadata.
- Background and credential verification (physicians): during physician onboarding, we may receive licensure verification, board-certification status, and disciplinary-history information from public or commercial sources.
- Customer organizations: Customer administrators may provide information about their seat-holders to provision access.
We do not knowingly collect personal information from children under 13 (see Section 13).
4. How we use information
We use personal information for the following purposes:
| Purpose | Legal basis (where applicable) |
| --- | --- |
| To create and maintain accounts and authenticate users | Contract; legitimate interests |
| To operate the double-blind exchange (anonymized Case Materials → physician → Opinion → attorney) | Contract |
| To facilitate Introductions and the de-anonymized exchange of contact information | Contract |
| To process payments, calculate fees, and manage subscriptions | Contract; legal obligation |
| To send transactional communications, security notices, and service updates | Contract; legal obligation |
| To send marketing communications (where permitted) | Consent; legitimate interests |
| To verify professional credentials (physicians) and detect fraud | Legitimate interests; legal obligation |
| To maintain audit logs and ensure platform security | Legitimate interests; legal obligation |
| To produce aggregated, statistical, or de-identified analytics | Legitimate interests |
| To enforce our Terms of Service and policies | Legitimate interests; legal obligation |
| To comply with legal obligations and respond to lawful requests | Legal obligation |
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.
5. How information flows within the Platform
(a) Anonymized exchange. When an attorney user submits Case Materials, those materials are routed to participating physician users in anonymized form. Physician users are not informed of the identity of the submitting attorney, the attorney's client, or which side of the litigation the attorney represents.
(b) No reverse routing of attorney identity to physicians (pre-Introduction). Physician users do not receive the attorney's identity until and unless an Introduction occurs and the attorney has authorized the de-anonymization.
(c) Opinions to attorneys. When a physician user submits an Opinion, the Opinion is delivered to the requesting attorney user (and their organization, if applicable) within the Platform.
(d) Introductions. Upon request and payment of an Introduction Fee, the Platform shares the contact information of the attorney user and the physician user with each other. After the Introduction, communications and any engagement between the parties take place outside the Platform and are not governed by this Privacy Policy.
(e) Within Customer organizations. Customer administrators can see usage attributable to the organization (including which users submitted Case Materials, obtained Opinions, or initiated Introductions) for billing, audit, and access-control purposes. Customers configure their own internal access policies; Kalivar is not responsible for a Customer's internal handling of information once it is available to that Customer.
6. How we share information
We share personal information only as described in this Privacy Policy:
- Within the Platform as described in Section 5 (anonymized exchanges, Opinions, Introductions, Customer-attributable usage).
- Service providers (processors). We share information with vendors that perform services on our behalf, including:
  - Stripe, Inc. — payment processing;
  - Resend (or equivalent email-delivery provider) — transactional and notification email;
  - Cloud hosting and database providers — infrastructure;
  - Authentication providers — passkeys, magic links, OAuth (Better Auth–integrated services);
  - Analytics and product-monitoring providers — limited usage analytics and error reporting;
  - Credential-verification providers (for physicians) — license and certification verification;
  - Customer-support tooling.

  Each processor is bound by contract to use personal information only to provide services to Kalivar and to safeguard it appropriately.
- Legal disclosures. We may disclose personal information if we believe in good faith that disclosure is necessary to: (i) comply with applicable law, subpoena, or other legal process; (ii) enforce our Terms of Service; (iii) protect the rights, property, or safety of Kalivar, our users, or others; or (iv) respond to claims of unauthorized activity.
- Business transfers. If Kalivar is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of the transaction, subject to standard confidentiality protections.
- With your consent or at your direction, including when you authorize an Introduction.
- Aggregated or de-identified information, which is not subject to this Privacy Policy.
We do not sell or rent personal information to third parties, and we do not share personal information for purposes of cross-context behavioral advertising or targeted advertising.
7. Cookies and similar technologies
We use a limited set of cookies and similar technologies:
- Strictly necessary cookies — required for authentication, session management, security, and load balancing. These cannot be disabled.
- Functional cookies — remember preferences (locale, UI state).
- Analytics cookies — measure aggregate Platform usage to help us improve the Services. We do not use advertising cookies or third-party retargeting trackers.
You can control non-essential cookies through your browser settings or, where presented, through our cookie banner. Disabling strictly necessary cookies may prevent the Services from functioning.
For EU/UK visitors, we comply with the ePrivacy Directive and obtain consent for non-essential cookies where required.
8. Data retention
We retain personal information only as long as necessary to fulfill the purposes described in this Privacy Policy, comply with applicable law, resolve disputes, and enforce our agreements. Specifically:
- Account information — retained while your account is active and for a reasonable period after closure to enforce these Terms, handle disputes, and comply with legal obligations.
- Case Materials and Opinions — retained in active form for the period necessary to deliver the Service and to maintain audit and dispute-resolution records. Identifying party information that may appear in Case Materials (for example, defendant names that are part of the public record) is subject to a time-limited retention window configured per environment and applied via automated privacy purge.
- Audit logs — retained for the period required by our compliance, security, and legal obligations.
- Payment records and tax records — retained as required by applicable financial and tax law.
- Marketing data — retained until you opt out and for any additional period required for record-keeping.
- Backups — purged according to a documented backup-rotation schedule; deletion from production may not propagate to backups immediately but will be applied on restore.
After the applicable retention period, we delete or de-identify the information.
9. Security
We implement administrative, technical, and physical safeguards designed to protect personal information, including:
- encryption in transit (TLS) and at rest for sensitive data, including encryption of identifying party information stored in Case Materials;
- role-based access controls and least-privilege provisioning;
- authentication via passkeys, magic links, and OAuth (no shared passwords across organizations);
- audit logging of in-Platform actions;
- secrets management and key rotation;
- vendor security review for material processors; and
- ongoing monitoring, vulnerability management, and incident response.
No system is perfectly secure. If you believe your account has been compromised, contact us immediately at security@kalivar.com. We will notify affected users and regulators of any reportable security incident as required by applicable law.
10. Your rights and choices
10.1 Account choices
- Access and update. You can access and update your account information in your profile settings.
- Marketing preferences. You can opt out of marketing emails using the unsubscribe link in any marketing message. Transactional and service messages cannot be disabled while your account is active.
- Notification preferences. You can configure in-app and email notification preferences in your settings.
- Closing your account. You may close your account through your settings or by contacting support@kalivar.com.
10.2 Rights under U.S. state privacy laws (including the CCPA/CPRA)
If you are a California resident or a resident of another U.S. state with a comprehensive privacy law (including Virginia, Colorado, Connecticut, Utah, Texas, and others), you may have the following rights, subject to verification and to applicable exceptions:
- Right to know / access the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of recipients.
- Right to correct inaccurate personal information.
- Right to delete personal information we have collected from you.
- Right to portability — to receive personal information in a portable, machine-readable format.
- Right to opt out of "sale" or "sharing" for cross-context behavioral advertising. Kalivar does not sell personal information and does not share personal information for cross-context behavioral advertising; this right is therefore not implicated.
- Right to limit the use of sensitive personal information. Kalivar does not use sensitive personal information for purposes that require an opt-out under California law.
- Right of non-discrimination for exercising any of these rights.
To exercise any of these rights, contact us at privacy@kalivar.com. We will respond within the time required by applicable law. We may need to verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf, subject to verification.
If we deny your request, you may appeal by replying to our response with the word "Appeal" in the subject line. We will respond to your appeal within the time required by applicable law.
10.3 Rights under EU/UK GDPR
If you are in the European Economic Area, the United Kingdom, or another jurisdiction that grants GDPR-style rights, you have the right to:
- access, rectify, or erase your personal data;
- restrict or object to certain processing;
- withdraw consent at any time (without affecting the lawfulness of prior processing);
- data portability; and
- lodge a complaint with your national supervisory authority.
We rely on the legal bases identified in Section 4.
10.4 Do Not Track
Some browsers send a "Do Not Track" signal. Because there is no industry consensus on how to interpret these signals, the Services do not respond to them. We do not engage in tracking across third-party websites for advertising purposes.
11. International transfers
Personal information is processed in the United States and may be transferred to other countries where our service providers operate. Where we transfer personal data from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards, such as the EU Standard Contractual Clauses (and the UK Addendum), and we implement supplementary measures where required.
12. Customer (B2B) processing
Where Kalivar processes personal information on behalf of a Customer (for example, where a subscribing law firm or expert network is the controller and Kalivar is the processor):
- the Customer is responsible for providing notice to, and obtaining any necessary consents from, its end users;
- Kalivar processes personal information in accordance with the Customer's instructions and the applicable data processing agreement;
- Kalivar refers data-subject requests received directly to the relevant Customer where appropriate; and
- the Customer's own privacy notice governs the relationship between the Customer and its end users.
13. Children's privacy
The Services are not directed to children. We do not knowingly collect personal information from children under 13 in violation of the Children's Online Privacy Protection Act (COPPA), and we do not knowingly collect personal information from minors under 16 in violation of comparable laws (including the GDPR). If you believe a child has provided us with personal information, contact us at privacy@kalivar.com and we will delete it.
14. Confidentiality and professional privilege
The Services are not designed to receive attorney-client privileged communications or attorney work product. Case Materials shared through the Services may not be subject to the attorney-client privilege, the attorney work-product doctrine, or any other evidentiary or professional privilege. Attorneys are responsible for ensuring that no privileged information is improperly disclosed. Physicians are responsible for treating Case Materials as confidential and using them solely for the purpose of preparing an Opinion through the Platform.
15. HIPAA and Protected Health Information
Kalivar is not a HIPAA covered entity or business associate with respect to your use of the Services. The Services are not designed or authorized to receive PHI. Attorneys are required to ensure that Case Materials are anonymized in accordance with the rules set forth in our Terms of Service and onboarding guidelines before submission. Any inadvertent submission of PHI by an attorney user does not create a business-associate relationship between Kalivar and the attorney user or any third party.
If you become aware that PHI may have been submitted in error, contact us immediately at security@kalivar.com so that we can take appropriate remediation steps.
16. Automated decision-making
Kalivar does not engage in automated decision-making that produces legal or similarly significant effects concerning you without meaningful human involvement.
17. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. If we make a material change, we will provide reasonable advance notice (at least thirty (30) days where practicable) by email, in-product notification, or by posting the updated policy on the Services with an updated effective date. Your continued use of the Services after the effective date of the updated Privacy Policy constitutes your acceptance of the update.
18. Contact and complaints
If you have questions, concerns, or complaints about our privacy practices, please contact us at privacy@kalivar.com. We take your concerns seriously and will respond promptly. EEA/UK users also have the right to lodge a complaint with their local supervisory authority.