Legal
Effective date: January 1, 2026
This Privacy Policy describes how Silver Mountain Ventures, LLC ("Squyr", "we", "us", or "our") handles information in connection with squyr.com and its subdomains (the "Site"), and the Squyr bilateral cryptographic data exchange (the "Protocol"). We have designed Squyr to transmit as little information as possible — all cryptographic processing is client-side, and no personally identifiable information transits our infrastructure. This policy covers the Site, the Protocol, and related services.
This Privacy Policy applies to:
This policy does not apply to the commercial site at summitaudiencesegments.com (separate privacy policy) or any partner sites.
Squyr processes healthcare patient data on behalf of licensed partners under HIPAA Safe Harbor de-identification standards. The Protocol is designed so that personally identifiable information (PII) never transits Squyr infrastructure. Each party's data remains in its own environment.
Site visitors. We collect minimal information when you visit the Site. We use privacy-respecting analytics (Plausible or Fathom) that record only aggregate, anonymous data: pages visited, country, device type, and session duration. This data cannot identify you personally.
Protocol participants. Data exchanged through the Protocol is encrypted client-side using AES-256-GCM before transmission. Squyr's servers receive only opaque ciphertext bundles. We do not decrypt, inspect, or store the content of data exchanged between parties. We may retain operational metadata (bundle IDs, timestamps, transmission status) for audit and logging purposes, but this metadata does not include the content of any patient records.
All patient data processed through the Protocol is de-identified in accordance with HIPAA Safe Harbor (45 CFR § 164.514(b)). This means identifiers specified under the Safe Harbor rule — including names, geographic subdivisions smaller than state, dates other than year, phone numbers, fax numbers, email addresses, SSN, medical record numbers, health plan numbers, etc. — are stripped from datasets before they are hashed or encrypted for exchange. The resulting data elements cannot, individually or in combination, be re-identified back to a specific patient without information that Squyr and its partners do not possess.
Licensed partners are responsible for applying de-identification before transmitting data through the Protocol. Squyr provides the cryptographic infrastructure; the originating party bears responsibility for the completeness of de-identification on their side.
The Protocol processes data in the following sequence:
No human at Squyr has access to the content of any data bundle. Access to operational metadata (bundle status, transmission timestamps) is limited to authorized engineering personnel and logged.
The Site uses minimal cookies. We do not use tracking cookies, marketing pixels, or third-party advertising cookies.
We do not sell, rent, or share Site visitor information with third parties. We do not share Protocol operational metadata beyond what is required for transmission and audit.
We may share information in the following limited circumstances:
Protocol metadata (bundle IDs, transmission timestamps, status logs) is retained for the period required for audit and operational purposes. Aggregate analytics from Plausible or Fathom is retained per those services' data retention policies (typically up to 24 months). No content data — patient records, PII, or bundle ciphertext — is retained beyond successful transmission and verification.
We do not retain the content of any data bundles. Once a bundle is verified and the counterparty acknowledges receipt, the ciphertext is not retained by Squyr's infrastructure.
The Site is served over HTTPS. The Protocol uses AES-256-GCM for encryption, SHA-256 for hashing, HKDF-SHA256 for key derivation, and Ed25519 for signatures — all via the Web Crypto API client-side. Data in transit between parties uses pre-signed S3 URLs or mutual TLS.
We follow reasonable security practices including access controls, audit logging, and operational monitoring. No system can guarantee absolute security; we implement controls appropriate to the sensitivity of the data processed.
California residents (CCPA/CPRA): We do not sell or share personal information. The aggregate analytics described above are the only site-level information collected. You have the right to know, delete, and correct personal information, and to opt out of sale/sharing. Contact us at the address below to exercise these rights.
EEA, UK, and Switzerland residents (GDPR/UK GDPR): You have the rights of access, rectification, erasure, restriction, data portability, and objection as applicable. Contact us to exercise these rights.
Other jurisdictions: Residents of states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, Texas, and others) may have additional rights under those laws.
The Site is not directed at children under 13. We do not knowingly collect information from children under 13. The Protocol is intended for healthcare data partners operating under HIPAA.
We may update this Privacy Policy from time to time. Changes will be posted at squyr.com/privacy with an updated effective date. Material changes will be noted at the top of the policy. Continued use of the Site or Protocol after a change indicates acceptance of the updated policy.
Questions about this Privacy Policy:
Silver Mountain Ventures, LLC
4925 S. Holladay Blvd.
Holladay, UT 84117