
Privacy Policy

Last Updated: February 17, 2026

Table of Contents

  • Introduction
  • Information We Collect
  • How We Use Your Information
  • How We Share Your Information
  • Data Security
  • Data Retention
  • Your Rights
  • HIPAA Disclaimer
  • Children's Privacy
  • Changes to This Policy
  • Contact Us

1. Introduction

Welcome to Credana. We are operated by Mindstar LLC ("we," "us," or "our"). Credana is a credentialing management platform designed for mental health group practices to track providers, insurance panels, credential documents, and application statuses.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at credana.app (the "Service"). By using Credana, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Account Information

When you create a Credana account, we collect:

  • Your email address
  • Your full name
  • Your practice name
  • Your role within the practice (owner, admin, member)

2.2 Provider Professional Data

To facilitate credentialing management, we collect and store professional information about healthcare providers, including:

  • Provider names, addresses, phone numbers, and email addresses
  • National Provider Identifiers (NPIs)
  • State license numbers and expiration dates
  • Credential types (e.g., LCSW, LMFT, PsyD, MD)
  • DEA numbers and expiration dates
  • CAQH provider IDs and attestation dates
  • Medicare PTANs and Medicaid IDs
  • Taxonomy codes
  • Malpractice insurance details (carrier, policy number, expiration)
  • Employment start dates and internal notes

2.3 Uploaded Documents

Users upload credential documents to Credana, including:

  • Professional licenses
  • DEA certificates
  • Malpractice certificates of insurance (COIs)
  • W-9 forms
  • Board certifications and diplomas
  • NPI confirmation letters
  • Other credentialing-related documents

These documents are stored securely in Supabase Storage with access controls and encryption.

2.4 Usage Data

We collect information about how you interact with Credana, including:

  • Page views, clicks, and navigation patterns (via PostHog analytics)
  • Device type, browser type, and IP address
  • Session duration and feature usage
  • Error logs and crash reports (via Sentry)

2.5 Payment Information

Payment processing is handled by Stripe. We do not store your credit card numbers or banking details. Stripe collects and processes payment information in accordance with its own privacy policy and PCI DSS compliance standards.

2.6 Carrier Truth Contributions

Users may optionally contribute credentialing experience data to our Carrier Truth Database, including:

  • Payer name and state
  • Provider type (anonymized)
  • Application submission and approval dates
  • Processing times and outcomes

This data is anonymized and aggregated before being made available to the community. Individual practice or provider identifiers are never shared.

3. How We Use Your Information

We use the information we collect to:

3.1 Provide the Service

  • Manage your account and practice membership
  • Store and organize provider professional data and documents
  • Track credentialing applications and panel statuses
  • Generate task checklists and application summaries

3.2 AI Document Parsing

When you upload a document and request AI parsing, we send the document to Anthropic's Claude API for data extraction. The API processes the document in real time to extract fields like license numbers, expiration dates, and issuing authorities. Anthropic does not retain or store these documents after processing. The extracted data is returned to Credana for your review and confirmation before being saved.

3.3 Automated Monitoring

  • NPI Verification: We query the public NPPES (National Plan and Provider Enumeration System) API maintained by CMS to verify provider NPI status. This is a government-run, publicly accessible service.
  • Payer Directory Checks: We use headless browser automation (via Browserless.io) to check public payer directories and verify if providers are listed as in-network. Only the verification result (confirmed, not found, or error) is stored — not the directory content itself.

3.4 Email Notifications

We send automated emails via Resend for:

  • Credential expiration alerts (licenses, DEA, malpractice, CAQH)
  • Provider status changes (NPI verification, directory status)
  • Billing and subscription updates
  • Upload portal invitations (when practice admins request provider documents)
  • Trial ending reminders and payment failure notices

3.5 Carrier Truth Database

User-contributed credentialing experiences are anonymized and aggregated to provide community intelligence on payer processing times, approval rates, and requirements. No individual practice, provider, or application is identifiable in this aggregated data.

3.6 Product Improvement

We use analytics (PostHog) and error tracking (Sentry) to improve the Service, fix bugs, and understand feature usage. These tools are configured to exclude sensitive data and personally identifiable information from their tracking.

4. How We Share Your Information

We share your information only in the following circumstances:

4.1 Service Providers

We work with third-party vendors to operate and improve Credana. These vendors process data on our behalf and are contractually required to protect your information:

  • Supabase (database, authentication, file storage) — US-based
  • Vercel (hosting and deployment) — US-based
  • Stripe (payment processing) — PCI DSS compliant
  • Resend (email delivery)
  • Anthropic (AI document parsing) — processes documents in real time, does not retain data
  • PostHog (product analytics) — configured to exclude PHI
  • Sentry (error tracking) — configured to exclude PHI
  • Browserless.io (headless browser for directory checks)

4.2 Carrier Truth Database

Anonymized, aggregated data from user contributions is made available to the Credana community via the Carrier Intelligence feature. This data includes payer processing times, approval rates, and requirement patterns, but never includes individual practice names, provider identities, or application-specific details.

4.3 Legal Requirements

We may disclose your information if required by law or in response to valid legal process, including:

  • Subpoenas, court orders, or other government requests
  • To enforce our Terms of Service or protect our rights
  • To protect the safety or security of users or the public

4.4 Business Transfers

If Credana is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you via email and/or a prominent notice on our Service before your information is transferred and becomes subject to a different privacy policy.

4.5 We Never Sell Personal Information

We do not sell, rent, or trade your personal information, provider data, or uploaded documents to third parties for marketing or advertising purposes.

5. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit: All data transmitted between your browser and Credana is encrypted using TLS/HTTPS.
  • Encryption at rest: Uploaded documents and database records are encrypted at rest in Supabase Storage and Postgres.
  • Row-level security: Our database enforces practice-level data isolation, ensuring one practice cannot access another's data.
  • Access controls: File storage uses signed URLs with expiration, and only authenticated users with proper permissions can access documents.
  • Regular monitoring: We use Sentry for error tracking and monitoring to detect and respond to potential security issues.

Important: While we implement strong security measures and follow best practices, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

  • Active accounts: We retain your account data, provider information, and uploaded documents for as long as your account is active.
  • Account deletion: If you request account deletion via support@credana.app, we will delete your data within 30 days. This includes all provider records, uploaded documents, and application data.
  • Carrier Truth contributions: Anonymized, aggregated data contributed to the Carrier Truth Database may persist after account deletion, as it is not linked to your practice or any identifiable information.
  • Backups: Deleted data may remain in backup systems for up to 90 days before being permanently purged.
  • Legal requirements: We may retain certain data if required by law (e.g., tax records, payment history).

7. Your Rights

You have the following rights regarding your data:

7.1 Access Your Data

All your data is accessible via the Credana dashboard. You can view, search, and export your provider records, documents, and application data at any time.

7.2 Correct Your Data

You can update provider information, document details, and account settings directly in the dashboard.

7.3 Delete Your Account and Data

To delete your account and all associated data, email us at support@credana.app. We will process your request within 30 days.

7.4 Opt Out of Non-Essential Emails

You can unsubscribe from marketing emails via the link in any email we send. Critical emails (e.g., billing, security, expiration alerts) cannot be disabled as they are essential to the Service.

7.5 California Residents (CCPA Rights)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information we collect and how we use it
  • Right to request deletion of your personal information
  • Right to opt out of the sale of personal information (we do not sell data)
  • Right to non-discrimination for exercising your CCPA rights

To exercise these rights, email support@credana.app.

8. HIPAA Disclaimer

Important: Credana is NOT a HIPAA-Covered Entity

Credana stores provider professional data and practice business information — not patient health information (PHI). This includes:

  • Provider credentials (NPIs, licenses, DEA numbers)
  • Insurance panel and application statuses
  • Professional documents (licenses, malpractice COIs, W-9s)
  • Practice billing and subscription data

Because Credana does not store, transmit, or process patient health records, diagnoses, treatment notes, or insurance claims containing PHI, we are not a HIPAA-covered entity or business associate. No Business Associate Agreement (BAA) is required.

Important: Do not upload documents containing patient information to Credana. If you accidentally upload a document with PHI, delete it immediately and contact support@credana.app.

9. Children's Privacy

Credana is not intended for use by individuals under the age of 13, and we do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will delete it promptly. If you believe we have collected information from a child under 13, please contact us at support@credana.app.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Notify you via email at the address associated with your account
  • Post a notice in the Credana dashboard (for significant changes)

Your continued use of Credana after changes become effective constitutes acceptance of the updated policy.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Mindstar LLC

Email: support@credana.app

Website: credana.app

© 2026 Credana · A Mindstar LLC product
