Privacy Policy
Privacy policy for Profound Health’s integrated care platform.
Last updated: November 5, 2025
1. Overview
This Privacy Policy explains how Profound Health Institute LLC (“Profound Health,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards information in connection with our integrated care platform, portals, APIs, and websites (the “Services”).
When we handle protected health information (“PHI”) on behalf of a healthcare provider or health plan (each a “Partner”), we do so as a Business Associate under HIPAA and our Business Associate Agreement (“BAA”). For PHI, the BAA controls to the extent of any conflict with this Policy.
2. Who We Are and Scope
Profound Health provides partner‑facing tools for Collaborative Care (CoCM) and related programs, including communications, EHR interoperability, analytics, and provider workflows.
Scope: This Policy covers (a) our processing of Partner data in the platform and (b) information collected from visitors to our websites. It does not apply to a Partner’s independent privacy notices or to third‑party sites/services we do not control.
3. Information We Collect
The categories of information we process depend on your role and use of the Services.
- Account and profile information: name, email, role, organization, and user preferences.
- Operational and clinical program data: enrollment context, encounters, tasks, measurement scores (e.g., PHQ‑9/GAD‑7), warm handoffs, and related metadata, as directed by Partners (PHI where applicable).
- Communications metadata: timestamps and routing details for SMS, email, voice, and push (we avoid PHI in message bodies).
- Payment and billing information: organizational billing contact details, and invoice and payment status processed via Stripe (we do not store card numbers/PANs).
- Technical information: device/browser type, IP address, device and session identifiers, and diagnostic and performance logs designed to exclude PHI.
- Support and audit records: support tickets, audit events (actor, action, resource, result, minimal metadata).
4. Sources of Information
- You and your organization (enrollment, configuration, user management).
- Connected EHR systems and interoperability partners (e.g., Particle Health, direct FHIR, or SFTP bundles).
- Communications and payment providers (Twilio, SendGrid, Stripe).
- Your device and browser (cookies or similar technologies, as described below).
5. How We Use Information
- Provide, secure, and maintain the Services (access control, row‑level security (RLS) scoped to each tenant, audit logging, troubleshooting).
- Support care program operations (time tracking, measurement‑based care, consult workflows).
- Facilitate EHR data exchange and write‑backs as configured by Partners.
- Send operational notifications (SMS/email/voice/push) without PHI in message bodies.
- Improve the Services (quality, reliability, fraud/security monitoring) using de‑identified or aggregated data where feasible.
- Comply with law, enforce terms, and protect rights, safety, and property.
6. Legal Bases (EEA/UK)
Where GDPR/UK GDPR applies, we rely on: (a) performance of a contract (to provide the Services to your organization); (b) our legitimate interests (to secure, maintain, and improve the Services); (c) compliance with legal obligations; and, where applicable, (d) consent. For PHI, HIPAA and the BAA govern our processing.
7. Sharing and Disclosure
We disclose information as needed to provide the Services and as required by law.
- Service providers/subprocessors: Supabase (managed Postgres/Edge Functions), Particle Health (EHR), Stripe (payments), Twilio (SMS/voice), SendGrid (email), LiveKit (video), Infisical (secrets management), Honeycomb (observability), and others providing infrastructure or support.
- EHR and healthcare partners: data exchange to and from a Partner’s EHR or related systems per configuration and instructions.
- Legal compliance and safety: to comply with law, legal process, or enforceable government requests; to enforce terms; or to protect rights, safety, or property.
- Corporate transactions: in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate safeguards.
For PHI, disclosures are made as permitted by HIPAA and the BAA with the Partner.
8. Cookies and Analytics
We use cookies or similar technologies to operate the Services (e.g., session authentication) and to understand usage in a privacy‑protective manner. We avoid PHI in analytics and logs.
- Strictly necessary cookies are required for core functionality and cannot be disabled.
- Analytics/diagnostic tools (e.g., privacy‑minded product analytics) help us understand performance; where a cookie banner is implemented you may manage these choices there, and you may also control cookies through your browser settings.
9. Data Retention
We retain information for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. For PHI, retention and deletion are governed by HIPAA, the BAA, and applicable law or Partner instructions.
10. Security
We implement safeguards appropriate to the nature of the data, including tenant‑scoped access controls, encryption, secrets management, and audit logging. No method of transmission or storage is 100% secure.
11. Data Location and Transfers
We generally process data in the United States using reputable cloud providers. If data is transferred across borders, we take steps to implement appropriate safeguards (e.g., contractual protections) consistent with applicable law.
12. Your Privacy Rights
Your rights depend on your role and location. For PHI we handle on behalf of a Partner, requests to access, amend, or receive an accounting of disclosures should be directed to your healthcare provider or plan, who manages patient rights under HIPAA.
- HIPAA (U.S.): Contact your provider/plan to exercise patient rights relating to PHI.
- CCPA/CPRA (California): For website visitors or other non‑PHI data we control, you may have rights to access, correct, delete, or opt‑out of certain sharing; requests may be submitted to [email protected].
- GDPR/UK GDPR (EEA/UK): Where we act as a controller for non‑PHI data, you may have rights to access, rectification, erasure, restriction, portability, and objection; contact us to exercise these rights. When we act as a processor for your organization, we will direct you to your organization as controller.
13. Children’s Privacy
The Services are intended for use by authorized personnel of healthcare organizations. They are not directed to children under 13, and we do not knowingly collect personal information from children on public‑facing sites. Patient information managed under a Partner’s program is handled under HIPAA and the BAA.
14. SMS, Email, and Voice Communications
If you provide a phone number or email, we may send operational messages (e.g., reminders). Message and data rates may apply. We avoid PHI in message content. You may opt out of SMS by following the instructions in the message.
15. Changes to This Policy
We may update this Policy from time to time. Material changes will be posted to this page with an updated effective date.
16. Contact Information
Profound Health Institute LLC
3608 East 29th Street, Suite 204, Bryan, TX 77802
+1‑512‑270‑7078
Privacy: [email protected] | Security: [email protected]