Privacy Policy
Version 1.0 · Effective [set at launch]
[Company legal name] (“we,” “us”) provides the Range of Motion Tracker, used by healthcare practices (“Providers”) to capture and track patients’ range of motion, exercise programs, and related clinical records.
1. Our role
For patient health information, we act as a HIPAA Business Associate and process that information on behalf of, and on the instructions of, the Provider, who is the Covered Entity. The Provider’s Notice of Privacy Practices and our Business Associate Agreement with the Provider govern how that information is used and disclosed. For our website, account, and business-contact data, we act as the controller of that limited information.
2. Information we collect
- Provider/account data: name, email, role, organization, and authentication identifiers.
- Patient data (PHI), entered or captured by Providers: name and email; range-of-motion measurements and capture metadata; therapist notes, exercise programs, and pain/difficulty ratings; and still images (“snapshots”) captured to measure movement.
- Telehealth session data: for remote video sessions, session metadata and media processed during the live session.
- Technical/usage data: IP address, device/browser data, and security audit logs (we maintain a PHI access audit trail).
We do not intentionally collect health information from general website visitors or non-patients.
3. How we use information
To provide, secure, and support the Service; to process PHI only as permitted by the BAA and on the Provider’s instructions; to authenticate users and maintain security and audit logs; to communicate about the account and (for Providers) billing; and to improve the Service using de-identified or aggregated data only. We do not sell personal information or PHI, and we do not use PHI for marketing.
4. How we share information (subprocessors)
We share information only as needed to run the Service, under contract and — where PHI is involved — under a Business Associate Agreement:
- Amazon Web Services (DynamoDB, S3, Chime SDK, [Bedrock]) — database, image storage, telehealth video, [AI summaries]. PHI, under the AWS BAA.
- Clerk — authentication and user identity (names, emails). [PHI — confirm BAA status.]
- Svix — delivery of authentication webhooks. [Confirm scope/BAA.]
- [Payment processor] — Provider billing only; no patient PHI.
We flow down HIPAA obligations to subprocessors via BAAs, may disclose information when required by law, and may transfer information in a business transaction subject to the BAA.
5. Security, location, and retention
Data is encrypted at rest (AWS KMS) and in transit (TLS), with access controls, least-privilege permissions, an append-only PHI audit log, and the administrative, physical, and technical safeguards required by the HIPAA Security Rule. Data is stored in the United States. We retain PHI as needed to provide the Service and as the Provider instructs, retain HIPAA compliance records for at least 6 years as required by law, and on termination or request return or securely destroy PHI, except where retention is legally required.
6. Patient rights
Because we process patient PHI on behalf of Providers, patients should direct requests to access, amend, restrict, or obtain an accounting of disclosures of their health information to their Provider, who is the Covered Entity. We support Providers in fulfilling these HIPAA rights and will assist or redirect requests we receive directly.
7. State privacy rights
California (CCPA/CPRA): PHI handled under HIPAA, and medical information under the CMIA, are exempt from the CCPA. For any non-exempt personal information we control (e.g., website or business-contact data), California residents may have rights to know, delete, correct, and opt out of sale/sharing — we do not sell or share such data. Washington (MHMDA): PHI we maintain as a Business Associate is exempt. To exercise any applicable right, contact [privacy@DOMAIN].
8. Children’s information
Providers may treat minor patients. Where a patient is a minor, the parent/guardian acts as the patient’s personal representative under HIPAA, and the Provider is responsible for obtaining guardian consent/authorization. We do not knowingly collect data directly from children through our website.
9. Breach notification
If we discover a breach of unsecured PHI, we will notify the affected Provider without unreasonable delay and within 60 days, as required by the HIPAA Breach Notification Rule and the BAA.
10. Contact
Privacy questions: [privacy@DOMAIN] · [mailing address] · [privacy officer name/title].