Praxo

Praxo Privacy Policy

Last updated: March 2026

1. Information We Collect

Information from Subscribers: When you create an Account or use our Platform, we collect information you provide directly, including: full name, email address, phone number, practice name and address, professional credentials and licensure information (e.g., NPI number, discipline), billing and payment information (processed through Stripe), team member information (for Team Plans), and practice configuration preferences.

Patient Data Entered by Subscribers: In the course of using the Platform, Subscribers and their Authorized Users enter Patient Data, including: patient demographics (name, date of birth, contact information, address), clinical records and notes (including SOAP notes, assessments, and treatment plans), appointment history and scheduling data, billing and insurance information, documents (uploaded files, signed forms, compliance documents), and communications (SMS messages, emails, portal messages).

Information Collected Automatically: When you access the Platform, we automatically collect certain technical information, including: device information (browser type, operating system, device type), IP address, log data (pages visited, features used, timestamps, referral URLs), usage analytics (feature adoption, session duration, interaction patterns), and cookies and similar technologies as described in Section 7.

Information from Third Parties: We may receive information from third-party services integrated with the Platform, including: payment confirmation and billing details from Stripe, message delivery status from Twilio, AI model responses from Anthropic (note: Anthropic does not store or train on data sent through their API), and authentication data from OAuth providers (e.g., Google).

2. How We Use Information

We use the information we collect for the following purposes: (a) to provide, maintain, operate, and improve the Platform and Services; (b) to process payments and manage Subscription Plans through Stripe; (c) to provide customer support and respond to inquiries; (d) to power AI features, including clinical note generation, scheduling intelligence, and follow-up recommendations (Patient Data sent to AI models is processed in real-time and is not stored by or used to train third-party AI models); (e) to improve and develop new features using de-identified and aggregated data that cannot be used to identify any individual; (f) to communicate with Subscribers about service updates, maintenance, security alerts, and administrative notices; (g) to detect, prevent, and address technical issues, fraud, and security threats; and (h) to comply with applicable laws, regulations, and legal processes.

3. How We Share Information

We do not sell, rent, or lease personal information or Patient Data to third parties. We will never sell your data.

We share information with third-party service providers solely as necessary to operate the Platform, and only under contractual obligations that require these providers to protect the confidentiality and security of the data. Our service providers include: Supabase (database hosting and authentication), Stripe (payment processing), Twilio (SMS and communication delivery), email service providers (transactional email delivery), and Anthropic (AI model processing for clinical features).

We may disclose information when required to do so by law, regulation, subpoena, court order, or other valid legal process, or when we believe in good faith that disclosure is necessary to: protect the rights, property, or safety of Praxo, our users, or the public; enforce our Terms of Service; or respond to an emergency involving danger to the life, health, or safety of any person.

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of our assets, Subscriber Data may be transferred to the acquiring entity, provided that the acquiring entity agrees to be bound by the terms of this Privacy Policy. We shall provide at least thirty (30) days' notice to affected Subscribers before any such transfer.

4. Data Security

We implement and maintain administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of all data processed through the Platform. These measures include: encryption of data in transit using TLS 1.2 or higher, encryption of data at rest using AES-256, role-based access controls with granular, configurable permissions for each team member role, comprehensive audit logging of all data access, modifications, and administrative actions, support for multi-factor authentication, regular security assessments and vulnerability testing, employee security training and background checks, and incident response procedures.

While we implement commercially reasonable security measures, no method of electronic transmission or data storage is completely secure. We cannot guarantee the absolute security of your data. In the event of a security breach, we shall comply with all applicable breach notification laws and the terms of any executed Business Associate Agreement.

5. Data Retention

Subscriber Data, including Patient Data, shall be retained for a minimum of seven (7) years after Account cancellation in accordance with applicable healthcare record retention standards and regulatory requirements.

System logs, usage analytics, and similar operational data shall be retained for up to twenty-four (24) months from the date of collection.

Subscribers may request early deletion of their data in writing. Any such request shall be subject to applicable legal and regulatory data retention requirements. Where early deletion is not permitted by law, we shall restrict access to the data rather than delete it.

6. Your Rights

Subscriber Rights: As a Subscriber, you have the right to: access and review your Subscriber Data at any time through the Platform; export your Subscriber Data in standard machine-readable formats (CSV, PDF); correct or update inaccurate Subscriber Data; request deletion of your Subscriber Data, subject to applicable retention requirements; and receive notification of any data breach affecting your Account.

Patient Rights: Patients who wish to exercise rights regarding their data should direct their requests to their healthcare provider (the Subscriber). As a data processor acting on behalf of Subscribers, Praxo shall cooperate with Subscribers in responding to Patient data requests in accordance with HIPAA and other applicable laws.

California Residents (CCPA/CPRA): If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including: the right to know what personal information is collected, used, and shared; the right to request deletion of personal information; the right to opt out of the sale of personal information (note: we do not sell personal information); the right to non-discrimination for exercising your privacy rights; and the right to correct inaccurate personal information. To exercise these rights, contact us at [email protected].

7. Cookies

The Platform uses only essential cookies that are strictly necessary for the operation of the Platform, including authentication cookies to maintain your session and security cookies to prevent cross-site request forgery.

We do not use advertising cookies, marketing cookies, or cross-site tracking technologies. We do not participate in third-party advertising networks or sell cookie data.

8. SMS/Text Messaging

When you opt in to receive text messages from a healthcare practice using the Praxo platform, we collect your mobile phone number and record your consent to receive messages.

What We Send: Appointment reminders, scheduling confirmations, practice updates, intake form links, and follow-up communications.

What We Never Send: We will never send diagnosis information, treatment details, medication names, insurance information, or any protected health information (PHI) via text message. SMS messages are limited to: your first name, appointment date and time, practice name, and general action prompts.

Data Sharing: Your mobile phone number and SMS opt-in data will not be shared with or sold to third parties or affiliates for marketing or promotional purposes. No mobile information will be shared with third parties for purposes unrelated to providing the messaging services you consented to.

Opt-Out: You may opt out of SMS at any time by replying STOP to any message or by contacting your practice. Your opt-out will be processed immediately.

Data Retention: We retain your phone number and consent status for as long as you are an active patient at the practice. If you opt out, we retain a record of your opt-out to ensure we do not message you again.

For full SMS program details, view our SMS Terms & Conditions.

9. Children's Privacy

The Platform is not directed to and is not intended for use by individuals under the age of thirteen (13). We do not knowingly collect personal information from children under thirteen.

Patient Data of minors may be entered into the Platform by Subscribers in the course of providing healthcare services. The management of minor patient data is the responsibility of the Subscriber in accordance with HIPAA, COPPA, and other applicable laws governing the privacy of children's health information.

10. International Users

The Platform is hosted in the United States and is intended primarily for use by healthcare practices operating within the United States. If you access the Platform from outside the United States, you consent to the transfer, processing, and storage of your data in the United States, which may have different data protection laws than your jurisdiction.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. For material changes, we shall provide at least thirty (30) days' prior notice via email or a prominent notice on the Platform.

Your continued use of the Platform after the effective date of any modifications constitutes acceptance of the updated Privacy Policy.

12. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at: MisFit Innovations LLC, d/b/a Praxo, [ADDRESS], Email: [email protected].