Privacy Policy

1. Overview

Strong Technologies LLC d/b/a SLPFlow ("we," "our," or "us") is committed to protecting the privacy and security of your information, including Protected Health Information (PHI). This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our Service.

As a Business Associate under HIPAA, we are required by law to maintain the privacy and security of PHI and to provide you with this notice of our legal duties and privacy practices.

BY USING OUR SERVICE, YOU EXPLICITLY CONSENT TO ALL DATA COLLECTION, USE, AND DISCLOSURE PRACTICES DESCRIBED IN THIS PRIVACY POLICY. IF YOU DO NOT AGREE, DO NOT USE THE SERVICE.

BY USING OUR SERVICE, YOU ALSO:

ACKNOWLEDGE the inherent risks of electronic data processing and transmission
ACCEPT that no data transmission or storage method is 100% secure
WAIVE any claims exceeding the limitations set forth in our Terms of Service
AGREE to maintain your own independent backups of all critical data
UNDERSTAND that data breaches can occur despite security measures
ASSUME all risks associated with providing PHI for electronic processing

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

Name and professional credentials
Email address
Password (stored in encrypted form)
Professional license information
Billing information (processed by Stripe)

2.2 Protected Health Information (PHI)

In providing our Service, we process PHI that may include:

Patient names and identifiers
Patient demographics (age, condition)
Session recordings and transcriptions
Clinical notes and assessments
Treatment plans and progress notes
Any other health information you input into the Service

2.3 Usage Information

We automatically collect:

IP addresses
Browser type and version
Device information
Access times and dates
Pages viewed and features used

3. How We Use Your Information

3.1 To Provide Our Service

Process and store patient records
Generate AI-assisted clinical documentation
Transcribe therapy session recordings
Manage your account and subscriptions
Provide customer support

3.2 For Legal and Compliance Purposes

Comply with HIPAA and other healthcare regulations
Respond to legal requests and court orders
Maintain audit logs as required by HIPAA
Investigate and prevent security incidents
Enforce our Terms of Service

3.3 To Improve Our Service

Analyze usage patterns (using de-identified data only)
Develop new features and improvements
Monitor system performance and reliability

4. HIPAA Compliance

4.1 Our Obligations

As a Business Associate under HIPAA, we:

Use and disclose PHI only as permitted by our Business Associate Agreement and HIPAA
Implement administrative, physical, and technical safeguards to protect PHI
Report any breaches of unsecured PHI as required by law
Ensure our subcontractors agree to the same restrictions
Make PHI available to you as required by HIPAA
Maintain an accounting of certain disclosures of PHI

4.2 Minimum Necessary Standard

We adhere to the HIPAA Minimum Necessary Standard, accessing and using only the minimum amount of PHI necessary to accomplish the intended purpose.

5. Data Storage and Security

5.1 Technical Safeguards

We implement commercially reasonable security measures appropriate to the nature of the information we collect. While we strive to protect your information, NO SECURITY SYSTEM IS IMPENETRABLE AND WE CANNOT GUARANTEE THE ABSOLUTE SECURITY OF YOUR DATA. Our measures include:

Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
Access Controls: Role-based access control and secure authentication
Audit Logging: Comprehensive logging of all PHI access and modifications
Infrastructure: HIPAA-compliant AWS infrastructure with dedicated encryption keys
Monitoring: 24/7 security monitoring and intrusion detection

5.2 Physical and Administrative Safeguards

Regular security training for all personnel
Background checks for employees with PHI access
Secure data center facilities (AWS)
Incident response procedures
Regular security assessments and audits

5.3 Limitation of Liability

WE DO NOT ACCEPT LIABILITY FOR UNINTENTIONAL DISCLOSURE OF YOUR INFORMATION. Despite our security measures, no method of transmission over the Internet or electronic storage is 100% secure. We are not responsible for breaches caused by events beyond our reasonable control, including but not limited to acts of God, terrorism, equipment failures, or third-party criminal acts.

6. Information Sharing and Disclosure

6.1 We Do Not Sell Your Information

We never sell, rent, or trade your personal information or PHI to third parties for marketing purposes.

6.2 Service Providers

We may share information with trusted service providers who assist us in operating our Service:

Service Provider	Purpose	Data Shared
Amazon Web Services (AWS)	Cloud infrastructure and storage	All data (encrypted)
Stripe	Payment processing	Billing information only
AWS Bedrock (Claude AI)	AI-powered note generation	Session transcripts (de-identified when possible)

All service providers are required to sign Business Associate Agreements and maintain HIPAA compliance where applicable.

THIRD-PARTY DISCLAIMER: While we require Business Associate Agreements and contractual protections with our service providers, STRONG TECHNOLOGIES LLC IS NOT RESPONSIBLE FOR:

Third-party data breaches or security failures
Third-party compliance violations or regulatory breaches
Actions of subprocessors beyond our direct control
Government access to data at third-party facilities
Third-party service interruptions or failures
Changes in third-party privacy practices or terms
Data loss or corruption at third-party providers

You acknowledge that using cloud-based services involves accepting these third-party risks. We cannot guarantee third-party compliance and you agree to hold us harmless for any third-party actions or failures.

6.3 Legal Disclosures

We may disclose information when required by law, including:

In response to valid legal processes (subpoenas, court orders)
To comply with HIPAA-permitted disclosures
To protect the rights, property, or safety of SLPFlow, our users, or others
In connection with a merger, acquisition, or sale of assets (with notice to affected users)

7. Your Rights Under HIPAA

Under HIPAA, you have the right to:

7.1 Right to Access

You may request access to your PHI maintained in our designated record set by emailing james@slpflow.com. We will provide access within 30 days of your request.

7.2 Right to Amendment

You may request amendments to your PHI if you believe it is incorrect or incomplete by emailing james@slpflow.com. We will respond within 60 days.

7.3 Right to an Accounting of Disclosures

You may request an accounting of certain disclosures of your PHI made by us in the six years prior to your request by emailing james@slpflow.com.

7.4 Right to Restriction

You may request restrictions on certain uses and disclosures of your PHI by emailing james@slpflow.com. We are not required to agree to all requested restrictions.

7.5 Right to Confidential Communications

You may request that we communicate with you about your PHI in a certain way or at a certain location by emailing james@slpflow.com.

7.6 Right to Notice of Breach

Receive notification if there is a breach of your unsecured PHI.

How to Exercise Your Rights: To exercise any of these HIPAA rights, please submit a written request to our HIPAA Privacy Officer at james@slpflow.com. Include your name, account email, and a clear description of your request. We may require verification of your identity before processing your request.

8. Data Retention

We retain your information for as long as necessary to provide our Service and comply with legal obligations:

PHI: Retained for a minimum of 7 years as required by HIPAA and state regulations
Account Information: Retained for the duration of your account plus 7 years after closure
Audit Logs: Retained for 7 years as required by HIPAA
Billing Records: Retained for 7 years for tax and legal purposes

After the retention period, data is securely destroyed using industry-standard methods. Note: Complete deletion may not be immediately possible due to technical constraints, backup systems, legal holds, or ongoing investigations. Deleted data may persist in encrypted backups for up to 90 days.

Data Deletion Requests: To request deletion of your data before the standard retention period, email james@slpflow.com with "Data Deletion Request" in the subject line. Note that HIPAA may require us to retain certain records despite deletion requests.

Data Export Requests: To request a copy of your personal data, email james@slpflow.com with "Data Export Request" in the subject line. We will provide your data in a commonly used electronic format within 30 days.

YOU ACKNOWLEDGE THAT WE CANNOT GUARANTEE THE COMPLETE REMOVAL OF ALL COPIES OF YOUR DATA FROM ALL SYSTEMS.

9. Cookies and Tracking Technologies

We use minimal cookies and similar technologies solely for:

Authentication: To keep you logged in securely
Security: To detect and prevent fraudulent activity
Functionality: To remember your preferences
Performance: Session replay and error tracking (anonymized)

We may also use web beacons, pixel tags, and similar technologies to track Service usage. We do not use third-party advertising cookies. You can control cookies through your browser settings, but disabling them may limit Service functionality. By using the Service, you consent to our use of cookies and tracking technologies.

10. Children's Privacy

Our Service is intended for use by healthcare professionals and is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 18. While healthcare providers may store information about pediatric patients as part of their clinical records, the Service itself is only for use by adult healthcare professionals.

11. International Users

Our Service is currently designed for use within the United States and complies with U.S. healthcare regulations. If you access the Service from outside the United States:

Your information will be transferred to and processed in the United States
You consent to such transfer and processing
You acknowledge that U.S. privacy laws may differ from those in your jurisdiction
YOU TRANSFER DATA AT YOUR OWN RISK AND WAIVE ANY CLAIMS RELATED TO YOUR JURISDICTION'S PRIVACY LAWS

We recommend that international users consult with local legal counsel regarding compliance with their jurisdiction's healthcare privacy laws. By using the Service from outside the U.S., you explicitly waive any rights under foreign data protection laws that exceed U.S. protections.

12. Data Breach Notification

In the event of a breach of unsecured PHI, we will:

Notify affected individuals within 60 days of discovery
Notify the U.S. Department of Health and Human Services as required
Notify prominent media outlets for breaches affecting 500+ individuals
Maintain a breach log and provide annual summaries to HHS
Conduct a risk assessment and implement remediation measures

Notifications will include the nature of the breach, types of information involved, steps individuals should take, and our response actions.

13. Changes to This Policy

We may update this Privacy Policy at any time in our sole discretion. We will attempt to notify you of material changes by:

Posting the new Privacy Policy on this page
Updating the "Effective Date" at the top
Sending an email notification for material changes (if possible)

YOUR CONTINUED USE OF THE SERVICE AFTER ANY CHANGES CONSTITUTES ACCEPTANCE OF THE UPDATED PRIVACY POLICY. If you do not agree with changes, you must stop using the Service immediately. Failure to receive notice does not invalidate any changes.

14. California Privacy Rights

California Consumer Privacy Act (CCPA) Notice:

If you are a California resident, you have additional rights under the CCPA. To exercise any of these rights, email james@slpflow.com with "California Privacy Request" in the subject line:

Right to know what personal information we collect, use, and disclose
Right to delete personal information (subject to exceptions)
Right to opt-out of the sale of personal information (we do not sell personal information)
Right to non-discrimination for exercising privacy rights

California "Do Not Sell" Notice: We do not sell personal information. However, we may share information with service providers in ways that could be considered a "sale" under California law. To opt-out, email james@slpflow.com with "Do Not Sell Request" in the subject line.

Nevada Privacy Rights: Nevada residents may opt-out of the sale of covered information by emailing james@slpflow.com with "Nevada Privacy Request" in the subject line. We do not currently sell covered information as defined under Nevada law.

15. Data Accuracy Disclaimer

WE DO NOT GUARANTEE THE ACCURACY, COMPLETENESS, OR RELIABILITY OF ANY DATA OR AI-GENERATED CONTENT. You are solely responsible for verifying all information, particularly AI-generated clinical documentation, before use in any professional context. We expressly disclaim liability for any errors, omissions, or inaccuracies in data or AI-generated content.

16. General Limitations and Disclaimers

USE OF THE SERVICE IS AT YOUR OWN RISK. To the maximum extent permitted by law:

We disclaim all warranties regarding data security and privacy
We are not liable for any unauthorized access to or use of your data
We are not responsible for the actions of any third parties who access your data
Our liability for any privacy breach is limited as set forth in our Terms of Service
You waive any claims exceeding the limitations in our Terms of Service

SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES OR THE LIMITATION OF LIABILITY, SO SOME OF THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU.

No security measure is perfect. By using the Service, you acknowledge and accept these inherent risks.

16.1 Force Majeure for Data Breaches

STRONG TECHNOLOGIES LLC IS NOT LIABLE FOR DATA BREACHES OR SECURITY INCIDENTS CAUSED BY:

Acts of God, war, terrorism, or civil unrest
Government actions, court orders, or law enforcement requests
Third-party criminal acts including hacking, ransomware, or cyberattacks
Infrastructure failures beyond our reasonable control
Zero-day vulnerabilities unknown to the security community at the time
Employee actions contrary to our policies and training
Social engineering attacks targeting authorized users
Physical security breaches at third-party data centers
Supply chain attacks or compromised software dependencies

You acknowledge that these events are beyond our reasonable control and agree to hold us harmless for any resulting damages or losses.

17. Contact Information

HIPAA Privacy Officer
SLPFlow
Email: james@slpflow.com

For Privacy Concerns or Complaints:
If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the U.S. Department of Health and Human Services. We will not retaliate against you for filing a complaint.

Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll-free: 1-877-696-6775
Website: www.hhs.gov/ocr/privacy/hipaa/complaints/