Blackstone Capital ("Company," "we," "us," or "our") operates the LienOS platform (the "Service"), accessible at blackstonecapital.live and app.blackstonecapital.live. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
1. Information We Collect
1.1 Account Information
When you create an account or are invited to the platform by your organization, we collect:
- Full name and email address
- Organization name and type
- Role and access permissions within your organization
- Authentication credentials (passwords are hashed and never stored in plain text)
1.2 Case and Patient Data
The Service processes medical lien data on behalf of your organization. This data may include:
- Patient names, dates of birth, and contact information
- Medical billing records, CPT codes, and treatment dates
- Insurance policy information
- Lien amounts, statuses, and recipient information
- Legal case information and settlement data
- Funding and financial transaction records
1.3 Usage Data
We automatically collect certain information when you use the Service:
- IP address and browser type
- Pages visited and actions performed
- Timestamps and session duration
- Device information and operating system
1.4 Audit Log Data
Every write operation on the platform generates an immutable audit log entry containing the user ID, organization ID, action performed, entity affected, and timestamp. This data is retained for a minimum of seven (7) years for compliance purposes.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Authenticate users and enforce access controls
- Process and manage medical lien data on behalf of your organization
- Generate analytics and reporting for authorized users
- Maintain audit trails for compliance and regulatory purposes
- Communicate with you about your account, updates, and support
- Detect, prevent, and address technical issues and security threats
- Comply with legal obligations and regulatory requirements
3. HIPAA Compliance
The Service is designed with HIPAA compliance in mind. We maintain administrative, technical, and physical safeguards to protect Protected Health Information (PHI) as required under the Health Insurance Portability and Accountability Act.
Key safeguards include:
- Role-based access control with organization-level data isolation
- Field-level access filtering based on organizational role
- Encryption of data at rest (AES-256) and in transit (TLS 1.3)
- Column-level encryption for sensitive PII fields
- Immutable, append-only audit logging
- Session-based authentication with secure cookie handling
Organizations that handle PHI through the Service may be required to enter into a Business Associate Agreement (BAA) with Blackstone Capital. Contact us at privacy@blackstonecapital.live to request a BAA.
4. Data Sharing and Disclosure
We do not sell, trade, or rent your personal information. We may share data in the following circumstances:
- Within the platform: Case data is shared between organizations associated with a case, subject to strict role-based access controls. Each organization sees only the data permitted by its role (servicer, attorney, funder, or provider).
- Service providers: We use third-party service providers for hosting (Google Cloud Platform), authentication, and operational support. These providers are contractually bound to protect your data.
- Legal requirements: We may disclose information if required by law, subpoena, court order, or other legal process.
- Business transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the transaction.
5. Data Retention
- Account data: Retained for the duration of your active account plus 30 days after a deletion request.
- Case and patient data: Retained according to your organization's data retention policy and applicable legal requirements.
- Audit logs: Retained for a minimum of seven (7) years. Audit logs are immutable and cannot be deleted.
- Usage data: Retained for 12 months for analytics and security purposes.
6. Data Security
We implement industry-standard security measures to protect your data:
- AES-256 encryption for data at rest
- TLS 1.3 encryption for data in transit
- Column-level encryption for PII fields (SSN, date of birth, contact information)
- Secure session management with HTTP-only cookies
- Rate limiting and DDoS protection
- Regular security audits and vulnerability assessments
- Automated daily backups with point-in-time recovery
7. Third-Party Services
The Service uses the following third-party services:
- Google Cloud Platform: Infrastructure hosting, database services, and file storage
- Google OAuth: Optional third-party authentication
Each third-party provider maintains its own privacy policies. We encourage you to review them.
8. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of your personal data (subject to legal retention requirements)
- Portability: Request a machine-readable export of your data
- Objection: Object to certain types of data processing
To exercise any of these rights, contact us at privacy@blackstonecapital.live.
9. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected data from a minor, please contact us immediately.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us: