Privacy Policy
Last updated: [DATE — DRAFT ONLY]
1. Who we are
PHIGuard, Inc. ("PHIGuard," "we," "us," or "our") operates the PHIGuard platform available at phiguard.app. PHIGuard provides HIPAA-native task management and compliance software for medical clinics and other covered entities under HIPAA.
For questions about this Privacy Policy, contact us at: privacy@phiguard.app
2. Scope of this policy
This Privacy Policy describes how PHIGuard collects, uses, and discloses information about:
- Visitors to our public marketing website (phiguard.app)
- Clinic administrators and staff who create or use PHIGuard accounts
This policy does not apply to Protected Health Information (PHI) that your clinic enters into the PHIGuard application. PHI submitted by your clinic is governed by our Business Associate Agreement with your clinic, not by this Privacy Policy. Your clinic (as a covered entity) remains responsible for its PHI under HIPAA.
3. Information we collect
3.1 Account and contact information
When you create a PHIGuard account, we collect: name, email address, clinic name, and billing information (processed by our payment processor — we do not store full card numbers). We use this information to provide the service, send administrative communications, and fulfill our contractual obligations.
3.2 Usage data
We collect usage data about how administrators and staff use the PHIGuard application, including: feature usage, login timestamps, and error logs. This data is used to improve the product, troubleshoot issues, and maintain security. Usage data does not include the content of tasks or records containing PHI.
3.3 Marketing site analytics
Our public marketing website (phiguard.app) uses PostHog analytics to understand visitor behavior. PostHog analytics are present only on the public marketing site — never inside the PHIGuard application (behind authentication). We do not use session replay, third-party advertising pixels, or tracking technologies inside the authenticated application.
3.4 Communications
If you contact us by email, we retain your correspondence for customer service and legal purposes.
4. How we use your information
We use information we collect to:
- Provide, operate, and maintain the PHIGuard service
- Process payments and fulfill subscriptions
- Send transactional and administrative communications (account creation, billing, security alerts)
- Respond to support requests
- Improve and develop the product
- Comply with legal obligations
- Enforce our Terms of Service
We do not sell, rent, or share your personal information with third parties for their marketing purposes.
5. PHI handling
PHIGuard is a Business Associate under HIPAA. When your clinic uses PHIGuard to create or manage tasks that contain Protected Health Information, that PHI is governed by our Business Associate Agreement with your clinic. Key points:
- We use PHI only as permitted by our BAA and as necessary to provide the service.
- We do not use PHI for marketing, analytics, or any purpose beyond service delivery.
- PHI is encrypted at rest (AES-256) and in transit (TLS 1.2+).
- PHI is never included in email notifications sent by the system.
- We do not subcontract PHI processing to any third party without a signed sub-BAA.
6. Third parties
PHIGuard uses the following categories of third-party service providers for the application. All providers who may process PHI have signed Business Associate Agreements with PHIGuard:
- Cloud infrastructure: Cloudflare and Neon — hosting, edge delivery, storage, and database
- Payment processing: [PROCESSOR — TO BE DETERMINED] — billing and subscription management
- Transactional email: Resend — account notifications (no PHI in email content)
No third-party JavaScript, analytics, session replay, or advertising technology is present inside the authenticated PHIGuard application. PostHog analytics are present only on the public marketing site.
7. Data retention
Account data is retained for the duration of your active subscription. Upon account termination, account data and task records are retained for 30 days before secure deletion, giving you time to export your records.
Audit log records are retained for a minimum of six years in compliance with HIPAA records retention requirements (45 CFR §164.530(j)). Audit logs cannot be deleted by customers or PHIGuard staff during the retention period.
Backup copies of data may be retained for up to [PERIOD — TO BE DETERMINED] following deletion of the primary copy, after which backups are securely destroyed.
8. Your rights
Depending on your jurisdiction, you may have rights regarding your personal information, including rights to access, correct, delete, or export your account data. To exercise these rights, contact privacy@phiguard.app.
Note: rights regarding PHI are governed by HIPAA and are exercised through your clinic (as the covered entity), not directly through PHIGuard.
9. Security
We implement technical and organizational measures to protect your information. See our Security page for details. To report a security concern, contact security@phiguard.app.
10. Changes to this policy
We will post material changes to this Privacy Policy on this page with an updated effective date. For significant changes affecting PHI handling, we will notify clinic administrators directly.
11. Contact
PHIGuard, Inc.
privacy@phiguard.app