Privacy Policy
Version 2.0 — Effective August 3, 2026 (posted July 4, 2026)
Prior version: 1.4, effective January 14, 2026. Healthcare professionals whose information appears in our platform: see our Provider Data Notice. To exercise privacy rights, see Your Privacy Choices.
1. Introduction
Oystercatcher, LLC ("Oystercatcher," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at oystercatcher.ai (the "Site") and use our lead scoring and sales intelligence platform (the "Service").
This Privacy Policy is a notice describing our practices — your agreement to our data practices where required (for example, at account signup) is captured separately. If you do not agree with these practices, please do not use the Site or Service.
2. Information We Collect
We collect information in several ways depending on how you interact with our Service:
2.1 Account and Registration Information
When you create an account or register for our Service, we collect:
- Name (first and last)
- Email address
- Password (stored using industry-standard bcrypt hashing)
- Phone number (optional)
- Organization name and business information
- Job title and role within your organization
- Profile photo (optional)
2.2 Organization Information
For organizations using our Service, we collect:
- Company name and business address
- Billing contact information
- Technical contact information
- Website URL
- Team member information and roles
2.3 Payment Information
When you subscribe to our Service, payment processing is handled by our third-party payment processor, Stripe, Inc. We do not store complete credit card numbers or bank account details on our servers. We receive and store only:
- Last four digits of your payment card
- Card brand and expiration date
- Billing address
- Transaction history and invoice records
Stripe's collection and use of your payment information is governed by their Privacy Policy.
2.4 Usage and Activity Data
We automatically collect information about how you use our Service, including:
- Features accessed and actions taken within the platform
- Campaign creation and configuration data
- Search queries and lead scoring activity
- Export history and download records
- Login timestamps and session duration
- Team collaboration activity (assignments, notes, tags)
2.5 Device and Technical Information
When you access our Service, we automatically collect:
- IP address
- Browser type and version
- Operating system
- Device type and identifiers
- Referring URLs and exit pages
- Pages viewed and links clicked
- Date and time of access
2.6 Cookies and Similar Technologies
We use cookies and similar tracking technologies to:
- Maintain your session and authentication state
- Remember your preferences and settings
- Analyze usage patterns within the logged-in application to improve our Service
- Provide relevant content and features within the logged-in application
You can control cookies through your browser settings. However, disabling certain cookies may limit your ability to use some features of our Service. For a full description of the cookies and similar technologies we use, including session replay, and how to control them, see our Cookie Policy.
2.7 Information from Third-Party Integrations
If you connect third-party services to your account (such as CRM systems like Salesforce), we may receive information from those services as authorized by you, including contact records, account data, and synchronization status.
3. Medical Professional Data
Our Service provides access to information about medical professionals that is sourced from publicly available records. This data is not collected from or about our users, but rather compiled from public sources for use in our lead scoring and sales intelligence features. Provider records may also incorporate corrections or business-contact updates submitted by our customers, and publicly available web content retrieved by our AI research features when a customer runs a research report. We describe this dataset, its sources, and the rights available to healthcare professionals — including how to request review, correction, or suppression of a profile — in our Provider Data Notice.
Oystercatcher is not a data broker: this information is drawn from public records that are lawfully available to the public, and any enrichment we perform is a custom process for a specific customer's use rather than the sale or brokering of data.
3.1 Sources of Medical Professional Data
We aggregate data from the following public sources:
- National Provider Identifier (NPI) Registry: A publicly searchable database maintained by the Centers for Medicare & Medicaid Services (CMS)
- State Medical Licensing Boards: Public license verification databases
- CMS Medicare Data: Publicly released healthcare provider data
- Public Professional Directories: Publicly listed practice information
- PubMed and ClinicalTrials.gov: Public research and publication records
3.2 Types of Medical Professional Data
This publicly sourced data may include:
- Name, credentials, and NPI number
- Medical specialty and board certifications
- Practice name, address, and contact information
- License status and state licensure information
- Medicare participation status
- Educational background and graduation year
- Professional affiliations and hospital privileges
- Published research and clinical trial participation
3.3 Enrichment Data
We may supplement public records with additional publicly available information from sources such as Google Places (business information, reviews, ratings) to provide more complete professional profiles.
4. How We Use Your Information
We use the information we collect for the following purposes:
4.1 Providing and Maintaining the Service
- Creating and managing your account
- Processing transactions and sending related information
- Providing customer support and responding to inquiries
- Delivering the features and functionality of our Service
4.2 Improving and Developing the Service
- Analyzing usage patterns to enhance user experience
- Developing new features and functionality
- Conducting research and analytics
- Testing and troubleshooting new products and features
4.3 Communications
- Sending administrative messages, updates, and security alerts
- Providing information about your account and subscription
- Sending marketing communications (with your consent)
- Responding to your comments, questions, and requests
4.4 Safety and Security
- Detecting, preventing, and addressing fraud and abuse
- Protecting the security and integrity of our Service
- Enforcing our Terms of Service and other policies
- Complying with legal obligations
4.5 AI and Machine Learning
We use artificial intelligence and machine learning technologies to power certain features of our Service, including our "Vibe Targeting" natural language processing feature and lead scoring algorithms. These features process your campaign configurations and search criteria to provide intelligent lead recommendations. We use third-party AI services (described in Section 6) to provide these capabilities.
5. Scope of This Policy
Oystercatcher is based in the United States and provides its Service to business customers in the United States. The Service is not directed to, and we do not knowingly serve, individuals in the European Economic Area, the United Kingdom, or Switzerland. This Policy is governed by U.S. federal and state law.
6. Third-Party Service Providers
We share information with third-party service providers who assist us in operating our Service. These providers are contractually obligated to protect your information and use it only for the purposes we specify. A complete, maintained list — including advance notice of changes — is published at our Subprocessor List.
6.1 Infrastructure and Hosting
Amazon Web Services (AWS) - Hosts our Service, stores data, and delivers our transactional email. Cloudflare - Provides DNS, content delivery, and hosting for our marketing site.
6.2 Payment Processing
Stripe, Inc. - Processes payments and manages subscriptions. Stripe is PCI-DSS compliant.
6.3 Authentication
Google OAuth and Microsoft (Entra ID) - Provide optional single sign-on authentication.
6.4 AI and Machine Learning Services
- Anthropic - Powers our natural language processing features for campaign targeting and analysis.
- OpenAI - Provides text embedding services for semantic search functionality.
6.5 Data Enrichment
Google Places API - Provides business location data, reviews, and ratings for medical practice profiles.
6.6 Analytics
We use cookieless, aggregate analytics (Cloudflare Web Analytics) on our marketing pages to understand how visitors interact with our Site. This measurement sets no cookies, uses no persistent identifiers, and does not track you across sites. We do not use Google Analytics or other cookie-based analytics on our Site. See our Cookie Policy for details.
6.7 CRM Integrations
If you choose to connect your CRM system (currently Salesforce; we may offer additional integrations over time), data will be shared with that service as necessary to provide the integration functionality you have authorized.
6.8 Error Monitoring and Session Replay
Sentry - Collects application error and diagnostic data, which may include user identifiers, to help us detect and fix problems.
LogRocket - Records in-application session replays (screen interactions and associated technical data) within the logged-in product to help us provide support and improve the Service. Session replays are associated with your user profile (name, email, organization, role). Session replay does not run on our marketing or authentication pages; sensitive values such as credentials and authorization headers are redacted; and recordings are retained for no more than 30 days, after which they are deleted. You can turn session replay off at any time in your account settings, your organization's administrators can disable it organization-wide, or you can contact [email protected].
7. Data Sharing and Disclosure
We do not sell or share (as those terms are defined by the California Consumer Privacy Act) the personal information of our users or site visitors. Our handling of medical professional data, which is licensed to our customers as part of the Service, is described separately in the Provider Data Notice, including the choices available to those professionals. We may share your information in the following circumstances:
7.1 With Your Consent
We may share information when you direct us to do so or provide consent.
7.2 Within Your Organization
Information may be shared with other members of your organization who have appropriate access permissions within our Service.
7.3 Service Providers
We share information with third-party vendors and service providers who perform services on our behalf, as described in Section 6.
7.4 Legal Requirements
We may disclose information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency), including to:
- Comply with a legal obligation
- Protect and defend our rights or property
- Prevent or investigate possible wrongdoing
- Protect the personal safety of users or the public
7.5 Business Transfers
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of company assets, your information may be transferred as part of that transaction. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.
7.6 Aggregated or De-identified Data
We may share aggregated or de-identified information that cannot reasonably be used to identify you.
8. Data Retention
We retain your information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
8.1 Account Data
We retain your account information for as long as your account is active. If you request account deletion, we will delete or anonymize your personal information within 30 days, except as required for legal, accounting, or audit purposes.
8.2 Usage Data
Usage event logs are retained for 90 days; aggregated feature-usage statistics for 12 months; and application audit logs for at least two years (audit logs may be retained longer where preserved for compliance).
8.3 Billing Records
Transaction and billing records are retained for 7 years to comply with tax and accounting requirements.
8.4 Backup Data
Backup copies of data may persist for up to 90 days after deletion from production systems.
9. Your Privacy Rights
Depending on your location, you may have certain rights regarding your personal information:
9.1 Access and Portability
You have the right to request access to the personal information we hold about you and to receive a copy of your data in a portable format.
9.2 Correction
You have the right to request correction of inaccurate or incomplete personal information.
9.3 Deletion
You have the right to request deletion of your personal information, subject to certain exceptions required by law.
9.4 Restriction and Objection
You have the right to request restriction of processing or to object to processing of your personal information in certain circumstances.
9.5 Withdraw Consent
Where processing is based on consent, you have the right to withdraw consent at any time.
9.6 How to Exercise Your Rights
To exercise any of these rights, please contact us at [email protected] or see Your Privacy Choices. We will confirm receipt of access, deletion, and correction requests within 10 business days and respond substantively within the window the applicable law requires — for example, 45 days under the CCPA (extendable once by 45 days with notice) and comparable windows under other U.S. state privacy laws, and 15 business days for opt-out requests. We may need to verify your identity before processing your request.
10. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
10.1 Right to Know
You have the right to request information about the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purposes for collecting it, and the categories of third parties with whom we share it.
10.2 Right to Delete
You have the right to request deletion of your personal information, subject to certain exceptions.
10.3 Right to Correct
You have the right to request correction of inaccurate personal information.
10.4 Right to Opt-Out of Sale or Sharing
We do not sell the personal information of our users or site visitors, or share it for cross-context behavioral advertising purposes. We honor Global Privacy Control (GPC) browser signals as a valid opt-out of sale or sharing. California healthcare professionals whose information appears in our platform can exercise opt-out and deletion rights as described in the Provider Data Notice.
10.5 Right to Non-Discrimination
We will not discriminate against you for exercising your privacy rights.
10.6 Authorized Agents
You may designate an authorized agent to make requests on your behalf. We may require verification of the agent's authorization.
10.7 Categories of Information
In the preceding 12 months, we have collected the following categories of personal information: identifiers; commercial information; internet or other electronic network activity information; geolocation data (coarse, derived from IP address); professional or employment-related information; inferences drawn from the foregoing; and sensitive personal information limited to account log-in credentials (used only to authenticate you).
11. International Data Transfers
Oystercatcher operates in the United States, and we process and store information in the United States. We do not transfer personal information to, or process it on behalf of individuals in, the European Economic Area, the United Kingdom, or Switzerland.
12. Data Security
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure password hashing using bcrypt
- Role-based access controls
- Regular security assessments and monitoring
- Employee training on data protection
- Multi-factor authentication for administrative access
While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
13. Children's Privacy
Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us at [email protected], and we will take steps to delete such information.
14. Do Not Track and Global Privacy Control
Some browsers include a "Do Not Track" (DNT) feature. Our Service does not respond to DNT signals, which lack a settled standard. We do, however, honor Global Privacy Control (GPC) signals as a valid request to opt out of any sale or sharing of personal information for the browser sending the signal. See Your Privacy Choices and our Cookie Policy for other controls.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of material changes by:
- Posting the updated Privacy Policy on our Site with a new "Effective Date"
- Sending an email notification to registered users for significant changes
- Displaying a prominent notice within our Service
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy.
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Oystercatcher, LLC
2389 Main St., Ste 100, Glastonbury, CT 06033, United States
Email: [email protected]
If you are a California resident, you may also contact the California Privacy Protection Agency.