Privacy Policy

Last Updated: October 31, 2025

Introduction

SpaStream ("we," "our," or "us") is committed to protecting your privacy and maintaining the security of your protected health information (PHI). This Privacy Policy explains how we collect, use, disclose, and safeguard your information in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and other applicable privacy laws.

HIPAA Compliance

As a platform serving healthcare providers, we maintain strict HIPAA compliance standards:

  • All PHI is encrypted both in transit (TLS 1.3) and at rest (AES-256)
  • Access to PHI is restricted through authentication and role-based access controls
  • We maintain comprehensive audit logs of all PHI access and modifications
  • Our infrastructure partner (Supabase) is HIPAA-compliant and operates under a Business Associate Agreement (BAA)
  • We conduct regular security assessments and vulnerability scanning
  • We follow breach notification procedures as required by HIPAA

Information We Collect

Protected Health Information (PHI)

Healthcare providers using our platform may store the following PHI about their clients:

  • Name, date of birth, contact information
  • Medical history and treatment records
  • Appointment history and notes
  • Photos documenting treatment progress
  • Consent forms and medical documentation
  • Payment and billing information

Account Information

  • Email address and password (encrypted)
  • Practice information and business details
  • Usage data and application logs

How We Use Your Information

We use collected information for:

  • Treatment: To enable healthcare providers to deliver and coordinate care
  • Payment: To process payments and manage billing
  • Operations: To provide, maintain, and improve our services
  • Communication: To send appointment reminders and system notifications
  • Security: To protect against fraud, unauthorized access, and security threats
  • Compliance: To meet legal and regulatory requirements

Information Sharing and Disclosure

We do not sell your information. We may share information only in the following circumstances:

  • With Your Consent: When you explicitly authorize disclosure
  • Service Providers: With HIPAA-compliant vendors who assist in operating our platform (all operate under BAAs)
  • Legal Requirements: When required by law, court order, or government request
  • Emergency Situations: To prevent serious harm or threat to health or safety
  • Business Transfers: In connection with a merger or acquisition (with continued privacy protections)

Data Security

We implement comprehensive security measures:

  • End-to-end encryption for all data transmission
  • Encrypted database storage with AES-256
  • Multi-factor authentication options
  • Regular security audits and penetration testing
  • Automatic session timeouts and access controls
  • Employee training on HIPAA compliance
  • Incident response and breach notification procedures

Your Rights Under HIPAA

As a patient or client, you have the right to:

  • Access: Review and obtain copies of your health information
  • Amendment: Request corrections to inaccurate information
  • Accounting: Receive a list of disclosures of your information
  • Restriction: Request limits on use or disclosure of your information
  • Confidential Communication: Request communication through alternative means
  • Breach Notification: Be notified of any breach of your PHI

To exercise these rights, contact your healthcare provider directly.

Data Retention

We retain your information as long as your account is active or as needed to provide services. Healthcare providers are responsible for maintaining records according to applicable state and federal laws (typically 7-10 years for medical records). When data is deleted, it is securely destroyed from all systems including backups.

Children's Privacy

Our services are not directed to individuals under 18. We do not knowingly collect information from minors without parental consent as required by law.

International Data Transfers

Your information is stored on servers located in the United States. If you are accessing our services from outside the US, please be aware that your information may be transferred to, stored, and processed in the US where our servers are located.

Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by email or through the application. Your continued use of our services after changes take effect constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or our privacy practices:

Privacy Officer

Email: privacy@medspaflow.com

Address: [Your Business Address]

For HIPAA-related complaints, you may also contact the Office for Civil Rights at the U.S. Department of Health and Human Services.