Privacy Policy

Our Commitment to Privacy

ChairFlow™ Solutions LLC ("ChairFlow," "we," "us," or "our") takes your privacy seriously. We're a healthcare SaaS provider built from the ground up to handle sensitive patient data responsibly. This Privacy Policy explains how we collect, use, protect, and share information when you use our platform.

If you're a healthcare practice using ChairFlow, your patients' information is covered by our Business Associate Agreement (BAA) and HIPAA compliance framework. If you're visiting our website, this policy applies to your personal information.

HIPAA & Healthcare Compliance

We Are HIPAA Compliant

ChairFlow processes Protected Health Information (PHI) on behalf of healthcare practices. We comply with the Health Insurance Portability and Accountability Act (HIPAA) and maintain:

• Business Associate Agreements: Signed with every healthcare practice customer
• End-to-end encryption: All PHI encrypted in transit (TLS 1.2+) and at rest (AES-256)
• Access controls: Role-based access, API authentication, and credential management
• Audit logging: Complete audit trails of all PHI access and modifications
• Data breach protocols: 60-day breach notification procedures compliant with HIPAA

What We Don't Do With Patient Data

• We don't sell or share patient data with third parties for marketing
• We don't use patient data to train AI models (without explicit consent)
• We don't store patient data longer than necessary to provide services
• We don't access patient information except to provide cancellation recovery services

What Information We Collect

From Healthcare Practices

• Practice information: Name, address, phone, specialties, hours of operation
• User accounts: Email, password (hashed with bcrypt), role/permissions
• Calendar data: Appointment types, provider names, time slots (from your EHR/PMS)
• Protected Health Information: Patient names, phone numbers, appointment history, cancellation status (to perform waitlist matching)

From Patients

• Phone numbers: Collected from your system to send SMS outreach
• Booking responses: Whether they accepted or declined the appointment offer
• Conversation metadata: Timestamps of SMS messages and responses (not content analysis)

From Website Visitors

• Contact form submissions: Name, email, practice name, phone, message (optional)
• Analytics: IP address (anonymized), browser type, pages visited, referrer source
• Cookies: Session tokens, user preferences (see Cookies section below)

How We Use Your Information

For Healthcare Practices

• Deliver cancellation detection and automated waitlist matching
• Send SMS outreach to waitlisted patients on your behalf
• Generate performance reports and ROI analytics
• Provide technical support and account management
• Comply with legal obligations and enforce agreements

For Patients

• Send SMS notifications about available appointment slots
• Track response status (accepted/declined)
• Provide booking confirmation and reminders

For Website Visitors

• Respond to demo requests and sales inquiries
• Send product updates and feature announcements (if you opt in)
• Improve website functionality and user experience
• Analyze usage patterns to optimize our site

Data Protection & Security

How We Protect Your Data

• Encryption: AES-256 encryption for data at rest; TLS 1.2+ for data in transit
• Access controls: Role-based permissions; employees access PHI only as needed
• Authentication: Multi-factor authentication (MFA) for all admin accounts
• Firewalls & monitoring: AWS VPC security groups, application load balancer, continuous CloudWatch logging, rate limiting on all endpoints
• Infrastructure: Hosted on AWS (a HIPAA-eligible cloud provider) with automatic daily database backups
• Security controls aligned with SOC 2 Trust Services Criteria (access control, encryption, logging, change management)

Third-Party Services

Partners We Use

• Twilio: SMS delivery partner (covered by our Twilio BAA for HIPAA)
• AWS: Cloud infrastructure provider (HIPAA-compliant hosting)
• EHR/PMS integrations: Dentrix, Open Dental, Epic FHIR, DrChrono, athenahealth, etc. (direct encrypted connections; we don't store credentials)
• Analytics: Anonymized usage data only; no PHI shared with analytics providers

What We Don't Do

We do not sell, rent, or share patient data with marketing companies, data brokers, or any third party without explicit consent. All subprocessors handling PHI are covered by data processing agreements and HIPAA compliance requirements.

Your Rights & Choices

If You're a Patient

• Opt out of SMS: Reply STOP to any ChairFlow text message
• Access your data: Contact the healthcare practice to request your information
• Correction: Ask your practice to correct any inaccurate information

If You're a Healthcare Practice

• Data access: View all data we hold about your practice and patients via your dashboard
• Data portability: Export your data in standard formats (CSV, JSON)
• Deletion: Request deletion of your practice data at any time; we'll securely erase it within 30 days
• Consent management: Choose which patient data ChairFlow accesses from your EHR/PMS

If You're a Website Visitor

• Email preferences: Unsubscribe from marketing emails via the link in any email
• Cookie control: Manage cookies in your browser settings
• Do Not Track: We honor Do Not Track (DNT) browser signals and do not use tracking pixels

Data Retention

• Active accounts: Data retained as long as your account is active
• PHI: Deleted within 30 days of account termination (unless longer retention is legally required)
• Audit logs: Retained for 7 years for compliance purposes
• Website analytics: Anonymized data retained for 12 months
• Backups: Encrypted backups may exist for 90 days before final deletion

Contact Us

Questions about this Privacy Policy or how we handle your information? Reach out anytime:

For HIPAA-specific privacy concerns, contact our Privacy Officer at the email above.