Legal

Privacy Policy

Effective date: January 1, 2026

This Privacy Policy describes how Silver Mountain Ventures, LLC ("Squyr", "we", "us", or "our") handles information in connection with squyr.com and its subdomains (the "Site"), and the Squyr bilateral cryptographic data exchange (the "Protocol"). We have designed Squyr to transmit as little information as possible — all cryptographic processing is client-side, and no personally identifiable information transits our infrastructure. This policy covers the Site, the Protocol, and related services.

1. Scope of This Policy

This Privacy Policy applies to:

  • The marketing site at squyr.com and pages under that domain
  • The interactive demo at squyr.com/demo
  • The Squyr bilateral cryptographic exchange protocol
  • The Squyr Portal at portal.squyr.com
  • The downloadable documents available at squyr.com/downloads

This policy does not apply to the commercial site at summitaudiencesegments.com (separate privacy policy) or any partner sites.

2. Data Collection Practices

Squyr processes healthcare patient data on behalf of licensed partners under HIPAA Safe Harbor de-identification standards. The Protocol is designed so that personally identifiable information (PII) never transits Squyr infrastructure. Each party's data remains in its own environment.

Site visitors. We collect minimal information when you visit the Site. We use privacy-respecting analytics (Plausible or Fathom) that record only aggregate, anonymous data: pages visited, country, device type, and session duration. This data cannot identify you personally.

Protocol participants. Data exchanged through the Protocol is encrypted client-side using AES-256-GCM before transmission. Squyr's servers receive only opaque ciphertext bundles. We do not decrypt, inspect, or store the content of data exchanged between parties. We may retain operational metadata (bundle IDs, timestamps, transmission status) for audit and logging purposes, but this metadata does not include the content of any patient records.

3. HIPAA Safe Harbor De-identification

All patient data processed through the Protocol is de-identified in accordance with HIPAA Safe Harbor (45 CFR § 164.514(b)). This means identifiers specified under the Safe Harbor rule — including names, geographic subdivisions smaller than state, dates other than year, phone numbers, fax numbers, email addresses, SSN, medical record numbers, health plan numbers, etc. — are stripped from datasets before they are hashed or encrypted for exchange. The resulting data elements cannot, individually or in combination, be re-identified back to a specific patient without information that Squyr and its partners do not possess.

Licensed partners are responsible for applying de-identification before transmitting data through the Protocol. Squyr provides the cryptographic infrastructure; the originating party bears responsibility for the completeness of de-identification on their side.

4. How Squyr Processes Data

The Protocol processes data in the following sequence:

  • Hashing. Each party hashes their patient records client-side using SHA-256. The original records never leave the party's environment.
  • Key derivation. HKDF-SHA256 derives exchange keys bilaterally. Both parties contribute entropy; neither party can derive the other's keys independently.
  • Encryption. Bundles are encrypted with AES-256-GCM client-side before transmission. Squyr's servers receive ciphertext only.
  • Signature. Bundles are signed with Ed25519 keys before transmission. Counterparties verify signatures before accepting bundles.
  • Transmission. Signed ciphertext bundles are transmitted via pre-signed S3 URLs or mutual TLS — no PII transits Squyr's application servers in plaintext form.

No human at Squyr has access to the content of any data bundle. Access to operational metadata (bundle status, transmission timestamps) is limited to authorized engineering personnel and logged.

5. Cookie Policy

The Site uses minimal cookies. We do not use tracking cookies, marketing pixels, or third-party advertising cookies.

  • Necessary cookies. The Squyr Portal uses session cookies to maintain authenticated sessions. These are HttpOnly, scoped to the portal domain, and expire after 24 hours.
  • Analytics cookies. We use Plausible or Fathom for site analytics. These services do not set persistent cookies; they use session-level data only.
  • No third-party trackers. We do not use Google Analytics, Meta Pixel, or any other third-party tracking service. Per-site privacy-respecting analytics only.

6. Information Sharing

We do not sell, rent, or share Site visitor information with third parties. We do not share Protocol operational metadata beyond what is required for transmission and audit.

We may share information in the following limited circumstances:

  • With our analytics service provider (Plausible or Fathom) for aggregate site analytics only
  • If required by applicable law, valid legal process, or governmental request
  • To protect the rights, safety, or property of Squyr, our users, or the public
  • In connection with a corporate transaction (merger, acquisition, sale of assets), in which case the successor entity assumes the obligations of this policy

7. Data Retention

Protocol metadata (bundle IDs, transmission timestamps, status logs) is retained for the period required for audit and operational purposes. Aggregate analytics from Plausible or Fathom is retained per those services' data retention policies (typically up to 24 months). No content data — patient records, PII, or bundle ciphertext — is retained beyond successful transmission and verification.

We do not retain the content of any data bundles. Once a bundle is verified and the counterparty acknowledges receipt, the ciphertext is not retained by Squyr's infrastructure.

8. Security

The Site is served over HTTPS. The Protocol uses AES-256-GCM for encryption, SHA-256 for hashing, HKDF-SHA256 for key derivation, and Ed25519 for signatures — all via the Web Crypto API client-side. Data in transit between parties uses pre-signed S3 URLs or mutual TLS.

We follow reasonable security practices including access controls, audit logging, and operational monitoring. No system can guarantee absolute security; we implement controls appropriate to the sensitivity of the data processed.

9. Your Rights

California residents (CCPA/CPRA): We do not sell or share personal information. The aggregate analytics described above are the only site-level information collected. You have the right to know, delete, and correct personal information, and to opt out of sale/sharing. Contact us at the address below to exercise these rights.

EEA, UK, and Switzerland residents (GDPR/UK GDPR): You have the rights of access, rectification, erasure, restriction, data portability, and objection as applicable. Contact us to exercise these rights.

Other jurisdictions: Residents of states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, Texas, and others) may have additional rights under those laws.

10. Children's Privacy

The Site is not directed at children under 13. We do not knowingly collect information from children under 13. The Protocol is intended for healthcare data partners operating under HIPAA.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted at squyr.com/privacy with an updated effective date. Material changes will be noted at the top of the policy. Continued use of the Site or Protocol after a change indicates acceptance of the updated policy.

12. Contact

Questions about this Privacy Policy:

Silver Mountain Ventures, LLC
4925 S. Holladay Blvd.
Holladay, UT 84117

Email: info@summitaudiencesegments.com