Effective date: 2026-05-02. Last reviewed: 2026-05-02.
1. Scope
This policy describes how HealthDash collects, uses, and protects information about users of HealthDash itself — primarily the staff at our Customer organizations who log in to manage their store, clinic, or platform configuration.
For information about how Protected Health Information (PHI) is handled when our Customers (the Covered Entities) use the platform to treat patients, see our HIPAA Notice of Privacy Practices and the Business Associate Agreement.
2. What we collect
- Account information: name, email, phone, role, organization affiliation, password hash, two-factor enrollment status.
- Usage data: API requests, page views, audit log entries (every authenticated dashboard action), failed login attempts, session IPs, user agents.
- Device information: browser type, OS, screen size, IP at sign-in.
- Billing information: card metadata (last four, expiration) — full PAN handled by our payment processor (Authorize.net), not by us.
- Communications: support tickets, sales inquiries.
3. How we use it
- Provide, maintain, and secure the platform.
- Authenticate sessions and enforce role-based access.
- Generate audit logs required for HIPAA technical safeguards (§164.312(b)).
- Send transactional email (password resets, security alerts, receipts).
- Detect fraud, abuse, and security incidents.
- Bill subscriptions and reconcile usage charges.
- Respond to legal process where required by law.
We do not sell your personal information. We do not use your data to train AI models without your explicit, separate consent.
4. Subprocessors
HealthDash uses the following subprocessors to deliver the platform. Each is bound by a Business Associate Agreement where they touch PHI, and by a Data Processing Addendum otherwise:
- DigitalOcean — managed Postgres, managed Redis/Valkey, Spaces (object storage), App Platform (compute). BAA on file.
- Mailgun — transactional email delivery. BAA on file (effective 2026-05-01).
- Stripe / Authorize.net — payment processing. PCI scope.
- Cloudflare — TLS termination + edge protection.
- Medplum (self-hosted by us) — FHIR-native clinical data store. No external Medplum dependency at runtime.
The current list of subprocessors is maintained at /legal/subprocessors. We notify Customers at least 30 days before adding a subprocessor that touches PHI.
5. Data residency
HealthDash data is stored in DigitalOcean's NYC region by default. Customers under a contract requiring a different region may request that region at provisioning time.
6. Security
We implement HIPAA Security Rule (45 CFR §164.308–§164.318) safeguards including:
- Encryption at rest (AES-256, keys managed by DigitalOcean) and in transit (TLS 1.2+).
- Tamper-evident audit logging with hash-chained AuditLog rows.
- Role-based access control (RBAC) with workforce clearance, termination, and quarterly access reviews per our Access Provisioning Policy.
- Annual risk analysis (§164.308(a)(1)(ii)(A)).
- Documented incident response and breach notification procedures.
7. Retention
Account records: retained as long as the account is active, plus 6 years after deactivation (HIPAA §164.530(j)).
Audit logs: 6 years.
Marketing emails: until you unsubscribe.
Support tickets: 3 years from last activity.
8. Your rights
You may:
- Access, correct, or delete your account information at any time via the Account Settings page.
- Export your data in machine-readable form.
- Object to processing for marketing purposes.
- If you are an EU/UK resident: exercise GDPR rights of access, rectification, erasure, restriction, portability, and objection. Contact [email protected].
- If you are a California resident: exercise CCPA/CPRA rights to know, delete, correct, and limit use of sensitive personal information.
For PHI access (your own or someone else's), the request must go to the applicable Covered Entity (your healthcare provider or clinic), not to HealthDash directly. We process those requests on behalf of the Covered Entity per our BAA.
9. Children
The platform is not directed at children under 13. Patient records for minors are handled per the Covered Entity's Notice of Privacy Practices and applicable parental-consent law.
10. Changes
Material changes will be announced by email and an in-product banner at least 30 days before they take effect.
11. Contact
Privacy Officer: [email protected]
Mail: CodeCraft Studios, Attn: Privacy Officer.