Our Commitment to Privacy
ChairFlow™ Solutions LLC ("ChairFlow," "we," "us," or "our") takes your privacy seriously. We're a healthcare SaaS provider built from the ground up to handle sensitive patient data responsibly. This Privacy Policy explains how we collect, use, protect, and share information when you use our platform.
If you're a healthcare practice using ChairFlow, your patients' information is covered by our Business Associate Agreement (BAA) and HIPAA compliance framework. If you're visiting our website, this policy applies to your personal information.
HIPAA & Healthcare Compliance
We Are HIPAA Compliant
ChairFlow processes Protected Health Information (PHI) on behalf of healthcare practices. We comply with the Health Insurance Portability and Accountability Act (HIPAA) and maintain:
- Business Associate Agreements: Signed with every healthcare practice customer
- End-to-end encryption: All PHI encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access controls: Role-based access, API authentication, and credential management
- Audit logging: Complete audit trails of all PHI access and modifications
- Data breach protocols: 60-day breach notification procedures compliant with HIPAA
What We Don't Do With Patient Data
- We don't sell or share patient data with third parties for marketing
- We don't use patient data to train AI models (without explicit consent)
- We don't store patient data longer than necessary to provide services
- We don't access patient information except to provide cancellation recovery services
What Information We Collect
From Healthcare Practices
- Practice information: Name, address, phone, specialties, hours of operation
- User accounts: Email, password (hashed with bcrypt), role/permissions
- Calendar data: Appointment types, provider names, time slots (from your EHR/PMS)
- Protected Health Information: Patient names, phone numbers, appointment history, cancellation status (to perform waitlist matching)
From Patients
- Phone numbers: Collected from your system to send SMS outreach
- Booking responses: Whether they accepted or declined the appointment offer
- Conversation metadata: Timestamps of SMS messages and responses (not content analysis)
From Website Visitors
- Contact form submissions: Name, email, practice name, phone, message (optional)
- Analytics: IP address (anonymized), browser type, pages visited, referrer source
- Cookies: Session tokens, user preferences (see Cookies section below)
How We Use Your Information
For Healthcare Practices
- Deliver cancellation detection and automated waitlist matching
- Send SMS outreach to waitlisted patients on your behalf
- Generate performance reports and ROI analytics
- Provide technical support and account management
- Comply with legal obligations and enforce agreements
For Patients
- Send SMS notifications about available appointment slots
- Track response status (accepted/declined)
- Provide booking confirmation and reminders
For Website Visitors
- Respond to demo requests and sales inquiries
- Send product updates and feature announcements (if you opt in)
- Improve website functionality and user experience
- Analyze usage patterns to optimize our site
Data Protection & Security
How We Protect Your Data
- Encryption: AES-256 encryption for data at rest; TLS 1.2+ for data in transit
- Access controls: Role-based permissions; employees access PHI only as needed
- Authentication: Multi-factor authentication (MFA) for all admin accounts
- Firewalls & monitoring: AWS VPC security groups, application load balancer, continuous CloudWatch logging, rate limiting on all endpoints
- Infrastructure: Hosted on AWS (a HIPAA-eligible cloud provider) with automatic daily database backups
- Security controls aligned with SOC 2 Trust Services Criteria (access control, encryption, logging, change management)
Data Breach Notification
If we discover a breach of unsecured PHI, we will notify affected practices without unreasonable delay and in no case later than 60 days after discovery, as required by HIPAA, and will cooperate with required regulatory notifications.
Third-Party Services
Partners We Use
- Twilio: SMS delivery partner (covered by our Twilio BAA for HIPAA)
- AWS: Cloud infrastructure provider (HIPAA-compliant hosting)
- EHR/PMS integrations: Dentrix, Open Dental, Epic FHIR, DrChrono, athenahealth, etc. (direct encrypted connections; we don't store credentials)
- Analytics: Anonymized usage data only; no PHI shared with analytics providers
What We Don't Do
We do not sell, rent, or share patient data with marketing companies, data brokers, or any third party without explicit consent. All subprocessors handling PHI are covered by data processing agreements and HIPAA compliance requirements.
Your Rights & Choices
If You're a Patient
- Opt out of SMS: Reply STOP to any ChairFlow text message
- Access your data: Contact the healthcare practice to request your information
- Correction: Ask your practice to correct any inaccurate information
If You're a Healthcare Practice
- Data access: View all data we hold about your practice and patients via your dashboard
- Data portability: Export your data in standard formats (CSV, JSON)
- Deletion: Request deletion of your practice data at any time; we'll securely erase it within 30 days
- Consent management: Choose which patient data ChairFlow accesses from your EHR/PMS
If You're a Website Visitor
- Email preferences: Unsubscribe from marketing emails via the link in any email
- Cookie control: Manage cookies in your browser settings
- Do Not Track: We honor Do Not Track (DNT) browser signals and do not use tracking pixels
Data Retention
- Active accounts: Data retained as long as your account is active
- PHI: Deleted within 30 days of account termination (unless longer retention is legally required)
- Audit logs: Retained for 7 years for compliance purposes
- Website analytics: Anonymized data retained for 12 months
- Backups: Encrypted backups may exist for 90 days before final deletion
Hattie SMS Program
ChairFlow Solutions LLC also operates the Hattie AI receptionist and SMS service under the assumed name "Hattie" (Texas SOS File Number 806516481). The Hattie SMS program is separate from the ChairFlow healthcare platform described above and sends low-volume customer-care SMS to opted-in business owners/operators or designated staff. Messages confirm Hattie demos, callbacks, setup requests, and owner/operator lead or call summary alerts after Hattie handles a routed call or setup request.
Opt-in: the primary method is a Hattie web or setup form with an unchecked SMS consent checkbox the business owner/operator or designated staff member affirmatively checks before submitting; every opt-in is recorded (timestamp, IP, user agent, consent version). Verbal opt-in is a limited scripted, recorded fallback only during an inbound or returned call. Consent is not a condition of any purchase.
HELP / STOP: reply HELP for help or STOP to opt out at any time. Message frequency varies. Message and data rates may apply.
Data: we do not sell your personal information. No mobile information — including SMS opt-in data and consent — is shared with third parties or affiliates for marketing or promotional purposes; SMS data is used only to operate the Hattie program you opted in to.
This Hattie SMS program is not used for cold outreach, marketing, billing, or customer-facing SMS sent on behalf of unrelated businesses. Full opt-in details, exact consent language, and sample messages: callhattie.com/sms-consent. Hattie SMS questions: outreach@chairflowsolutions.com.
Contact Us
Questions about this Privacy Policy or how we handle your information? Reach out anytime:
ChairFlow™ Solutions LLC
710 Reuben St
Fredericksburg, TX 78624
Email: ChristopherHoward@chairflowsolutions.com
Phone: (830) 733-0985
For HIPAA-specific privacy concerns, contact our Privacy Officer at the email above.
Policy Updates: We may update this Privacy Policy occasionally. Continued use of ChairFlow after changes means you accept the updated policy. We'll email practices about material changes affecting their data.