Template language for an early-stage marketplace. Have it reviewed by privacy counsel (HIPAA / CCPA / GDPR) before launching to the public.
1. What we collect
- Account data: name, email, phone, role, password hash, auth provider IDs.
- Profile data: photo, license type and number (Clinicians), facility details, specialties, rates, bio.
- Credential documents: licenses, certifications, COIs you upload to the credentials vault.
- Tax info: legal name, address, and the last four digits of your TIN. The full TIN is never stored in clear text.
- Booking & messaging activity: shifts viewed/applied/confirmed, messages between counterparties, timesheets, ratings.
- Device & log data: IP, browser, device, approximate location (if you grant geolocation), session events.
2. What we never want
Do not send Protected Health Information (PHI) through Diana - patient names, identifiers, photos, charts, or clinical notes. Diana is not a HIPAA Business Associate. Messages and uploads that contain PHI may be redacted or deleted.
3. How we use it
To run the marketplace: authenticating you, matching Clinicians to shifts, surfacing applicants to Facilities, processing timesheets and payouts, computing reliability scores, fighting fraud, sending transactional notifications, complying with law, and improving the product. We do not sell personal information.
4. Who we share it with
- The counterparty to a booking (Clinician ↔ Facility) - name, profile, ratings, timesheets.
- Service sub-processors: cloud hosting and database, transactional email, error monitoring, analytics. Each is bound by data-processing terms.
- Law enforcement when legally compelled, or to protect safety, rights, and the integrity of the service.
- An acquirer in a merger, sale, or restructuring (with notice and continued protection).
5. Cookies & similar tech
We use first-party cookies for sign-in, session security, and saving display preferences. Optional analytics cookies help us improve the product; you can decline them in the cookie banner and continue using Diana normally.
6. Your rights
Depending on where you live (CCPA, GDPR, UK GDPR, PIPEDA, Brazil LGPD, etc.) you have rights to access, correct, port, restrict, object to, or delete your personal data, and to withdraw consent. You can exercise most of these in Account → Privacy, including downloading your data and deleting your account. We respond to written requests within thirty (30) days.
7. Security
Data is encrypted in transit (TLS) and at rest. Access to production systems is restricted to on-call engineers and logged. Credential documents and tax info live in private storage buckets with row-level access policies. We have a documented incident-response plan and will notify affected users without undue delay if a breach materially affects them.
8. Data retention
Account and booking data is retained for as long as your account is active and for up to seven years after closure for tax, fraud, and legal-defense reasons (1099 records, dispute history). You can request earlier deletion subject to legal holds.
9. Children
Diana is not directed at children under 18 and we do not knowingly collect data from them.
10. International transfers
We process data in the United States. If you access Diana from outside the US, you consent to the transfer. Where required, we rely on Standard Contractual Clauses with our sub-processors.
11. Changes
Material changes to this policy will be announced in-app or by email at least seven days before they take effect.
12. Contact
Privacy questions: use the in-app support channel or contact form.