1. Information We Collect
Account Information: When you create a ShrinkDocs™ account, we collect your name, email address, professional credentials, practice name, and practice address.
Billing Information: Payment details (credit card number, billing address) are collected and processed securely by our payment processor, Stripe. ShrinkDocs™ does not store your full credit card number.
Patient Data: As a clinician, you enter patient records, session data, clinical notes, assessment results, and other Protected Health Information (PHI) into the platform. This data is governed by HIPAA and our Business Associate Agreement (BAA).
Usage Data: We collect information about how you interact with the platform, including login times, features used, and browser/device information, for the purpose of improving the service and ensuring security.
Communications: If you contact us for support, we retain the content of those communications to resolve your issue and improve our service.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the ShrinkDocs™ platform and its features
- Process your subscription payments and manage your account
- Send service-related communications (account confirmations, billing notices, security alerts)
- Provide AI-assisted clinical decision support through Doc Wizard™
- Deliver SMS and email notifications to patients on your behalf (via Twilio)
- Monitor and prevent fraud, unauthorized access, and security incidents
- Comply with legal obligations, including HIPAA requirements
3. HIPAA Compliance & Protected Health Information
ShrinkDocs™ is designed to support HIPAA-compliant workflows for healthcare providers:
- All patient data (PHI) is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption
- Access to PHI is restricted to authenticated, authorized clinicians only
- ShrinkDocs™ maintains a signed Business Associate Agreement (BAA) with subscribing clinicians
- Our infrastructure provider (Google Cloud/Firebase) maintains its own HIPAA BAA and SOC 2 Type II certification
- Audit logs track all access to and modifications of PHI
- AI features (Doc Wizard™) are processed via Anthropic's API under HIPAA-compliant configurations; PHI is not retained by the AI service after processing
4. Data Sharing & Third-Party Services
We do not sell your personal information or patient data. We share information only in the following circumstances:
- Service Providers: We use third-party services to operate the platform, including Google Cloud/Firebase (hosting and data storage), Stripe (payment processing), Twilio (SMS notifications), and Anthropic (AI features). Each provider processes data only as necessary to provide its service.
- Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
5. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Role-based access controls
- Regular security audits and monitoring
- Secure authentication with email verification
- Infrastructure hosted on Google Cloud Platform with HIPAA and SOC 2 compliance
While we take extensive measures to protect your data, no method of electronic storage or internet transmission is 100% secure. We cannot guarantee absolute security.
6. Data Retention
- Your account data and patient records are retained for the duration of your active subscription
- Upon cancellation, data is retained for 90 days to allow for reactivation or export
- After the 90-day retention period, data is permanently deleted
- You may request immediate data deletion in writing at any time
- You may export your data at any time using the built-in export tools
- Certain records may be retained as required by law or for legitimate business purposes (e.g., billing records, audit logs)
7. SMS & Email Communications
ShrinkDocs™ uses Twilio to send SMS messages and emails on behalf of clinicians to their patients. This includes:
- Appointment reminders and session feedback requests
- Assessment invitations and notifications
- Secure portal access links
Patients may opt out of SMS communications at any time by replying STOP. Clinicians are responsible for obtaining appropriate patient consent for communications. Message and data rates may apply. Message frequency varies based on clinical activity.
8. Cookies & Tracking
ShrinkDocs™ uses essential cookies to maintain your authenticated session and platform preferences. We do not use third-party advertising cookies or sell data to advertisers. We may use analytics to understand platform usage patterns in aggregate.
9. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your personal information
- Export your data in a portable format
- Opt out of non-essential communications
To exercise any of these rights, contact us at support@shrinkdocs.io.
10. Children's Privacy
ShrinkDocs™ is intended for use by licensed healthcare professionals. We do not knowingly collect personal information from children under 13. Patient records for minors are entered and managed by their treating clinician under applicable healthcare regulations.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated at least 30 days in advance via email to registered users. Continued use of the service after changes take effect constitutes acceptance of the updated policy.
12. Contact Information
For questions about this Privacy Policy or to exercise your privacy rights:
This document should be reviewed by qualified legal counsel. ShrinkDocs™ recommends that healthcare providers consult with a healthcare attorney to ensure compliance with all applicable federal, state, and professional requirements.