Privacy Policy
Last updated May 29, 2026. This page summarizes PHI Uploader's privacy posture for website, application, and customer onboarding use. It is not a healthcare provider Notice of Privacy Practices.
1. Scope
This Privacy Policy explains how PHI Uploader collects, uses, discloses, and protects information in connection with the website, application, and customer onboarding process. When PHI Uploader handles Protected Health Information for a covered entity or business associate customer, that handling is governed by the applicable Business Associate Agreement.
2. Information We Collect
- Account information, such as name, email address, organization, role, and authentication identifiers.
- Customer configuration, including request templates, folder destinations, and organization settings.
- Request information, including recipient contact details, access status, submission state, and metadata.
- Uploaded files and answers submitted through a customer request workflow.
- Security and audit information, such as login state, user actions, processing events, timestamps, and IP-derived data.
- Technical information, such as browser type, device data, error diagnostics, and service logs.
3. How We Use Information
- Provide protected document request, upload, scanning, and delivery workflows.
- Authenticate users, enforce organization permissions, and support account administration.
- Process uploads, generate submission artifacts, and deliver approved files to customer destinations.
- Maintain security, monitor service health, investigate issues, and keep audit records.
- Support customers, manage onboarding, and communicate about the service.
- Comply with legal, contractual, security, and regulatory obligations.
4. PHI Handling
PHI Uploader is designed to process PHI only for authorized customer workflows and only after required onboarding steps are complete. For the MVP, uploaded files are staged in private storage, scanned, and delivered to the customer-approved destination. The app is designed to retain operational metadata and avoid long-term storage of raw answers after the generated submission artifact is uploaded.
Customers are responsible for determining what information they request, providing required patient notices, responding to individual rights requests, and managing downstream records after delivery.
5. Sharing
PHI Uploader may share information only as needed to provide and protect the service, including with:
- Customer-authorized administrators and destination systems.
- Approved infrastructure providers and subprocessors that support hosting, storage, security, and authentication.
- Legal, compliance, or security recipients when required by law or necessary to protect rights and safety.
- Successor entities in a merger, acquisition, financing, or asset transfer, subject to applicable obligations.
6. Cookies and Authentication
PHI Uploader uses cookies, tokens, and similar technologies for authentication, session management, security, and basic service operation. Third-party analytics should not be used in production PHI paths unless that vendor is approved and covered by appropriate agreements.
7. Retention
Retention depends on the type of information, customer configuration, legal requirements, security needs, and the applicable BAA. Short-lived staging and quarantine storage should follow configured lifecycle policies. Customer-delivered files remain under the customer's destination controls.
8. Security
PHI Uploader uses safeguards designed for sensitive healthcare workflows, including encryption, private staging storage, access controls, malware scanning, audit events, least-privilege service accounts, and PHI-safe logging practices. Customer must also secure its own users, devices, Google Workspace, Drive permissions, and internal procedures.
9. Individual Requests
Patients and other individuals should contact the healthcare provider or organization that requested their documents for access, amendment, deletion, accounting, or restriction requests. PHI Uploader will support the customer as required by the BAA and applicable law.
10. Contact
For privacy or security questions, contact PHI Uploader through the public support page without sending PHI. Customers should also review the Terms of Service and Business Associate Agreement.
