Privacy Policy
FlowPod is committed to protecting your privacy and the security of your healthcare data. This policy explains how we collect, use, and safeguard your information.
FlowPod Incorporated ("FlowPod," "Company," "we," "us," or "our") was created to help healthcare providers improve patient care and spend less time on the administrative burden of modern healthcare operations. This Privacy Policy ("Policy") governs the personal information FlowPod collects, how we use and share that data, and your choices concerning our data practices.
We provide AI-powered healthcare workflow automation services through our website (the "Site") and our software platform, including our modular Pod system covering Intake, Authorization, Scheduling, RCM, and Sleep Therapy workflows (collectively, the "Services"). The Services are directed towards our healthcare provider customers. Before using the Services or submitting any personal information to us, please review this Privacy Policy carefully.
By using the Services, you agree to the practices described in this Privacy Policy. If you do not agree, please do not provide us with your personal information through the Site or otherwise use the Services.
1. Personal Information We Collect
Information You Provide
We collect personal information from you when you request a demo, use our Services, contact us, visit our Site, apply for jobs, or otherwise provide personal information to us. The information we collect may include:
- Your name, phone number, mailing address, and email address
- Job title, company name, and organization details
- Billing address and payment information
- Information you provide when submitting forms through our Pods (Intake, Authorization, Scheduling, RCM, Sleep Therapy)
- Communications you send to us, including support requests and feedback
Information Collected Automatically
When you visit, use, and interact with the Services, we may automatically receive certain information about your visit, use, or interactions, including:
- Log Data: Your Internet Protocol address, browser type and settings, the date and time of your request, and how you interacted with the Site.
- Device Data: Device name, operating system, and browser information. Information collected may depend on the type of device you use and its settings.
- Usage Data: Information about how you use our Services, such as the types of content you view or engage with, the features you use, the actions you take, and the time, frequency, and duration of your activities.
- Location Data: We derive a rough estimate of your location from your IP address.
- Cookies Data: Please see Section 5 below to learn more about how we use cookies.
2. How We Use Your Information
We use the personal information we collect for the following purposes:
- To provide the Services: Including operating our AI-powered Pods for intake processing, authorization management, scheduling, RCM, and sleep therapy workflow automation.
- To communicate with you: Responding to your inquiries, sending service-related notices, and providing customer support.
- To improve our Services: Analyzing usage patterns to enhance our platform, develop new features, and improve our AI models.
- To ensure security: Protecting against unauthorized access, fraud, and other security threats.
- To comply with legal obligations: Meeting our regulatory requirements, including HIPAA compliance.
- To send marketing communications: With your consent, we may send you information about new features, products, or services. You can opt out at any time.
3. Healthcare Data and HIPAA Compliance
FlowPod processes healthcare data on behalf of our healthcare provider customers. This includes patient intake forms, referral documents, insurance verification data, authorization requests, scheduling information, billing records, and sleep therapy compliance data processed through our Pods.
We process this healthcare data pursuant to Business Associate Agreements (BAAs) with our healthcare provider customers and apply HIPAA privacy and security standards to all protected health information (PHI) that we collect and process. Our key commitments include:
- HIPAA Compliance: We maintain full compliance with the Health Insurance Portability and Accountability Act, including the Privacy Rule, Security Rule, and Breach Notification Rule.
- Business Associate Agreements: We enter into BAAs with all healthcare provider customers before processing any PHI.
- Minimum Necessary Standard: We only access, use, and disclose the minimum amount of PHI necessary to perform our Services.
- Encryption: All PHI is encrypted both in transit (TLS 1.2+) and at rest (AES-256).
- Access Controls: We implement role-based access controls and maintain detailed audit logs of all access to PHI.
- SOC 2 Type II: We are SOC 2 Type II ready, demonstrating our commitment to security, availability, processing integrity, confidentiality, and privacy.
De-Identified Data
We may create de-identified data that cannot reasonably be used to identify an individual. We use de-identified data for research and development, to improve our AI models and Pod algorithms, and to generate aggregate insights. We may disclose such information publicly and to third parties, for example, in industry reports or benchmarking data we provide to our healthcare provider customers.
If you are a patient of one of our healthcare provider customers and have questions about the processing of your health data, please contact us using the information in Section 11 below.
4. Sharing and Disclosure
We do not sell your personal information. We may share your information in the following circumstances:
- Service Providers: We share information with third-party service providers who help us operate our business, such as cloud hosting providers, analytics services, and customer support tools. These providers are contractually bound to protect your information.
- Healthcare Provider Customers: We share processed data with our healthcare provider customers as part of delivering our Pod services (e.g., processed intake forms, authorization statuses, scheduling confirmations).
- Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
- With Your Consent: We may share information with your explicit consent or at your direction.
5. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to operate and administer our Site, gather usage data, and improve your experience.
A "cookie" is a piece of information sent to your browser by a website you visit. Cookies can be stored on your computer for different periods of time. Some cookies expire after a certain amount of time or upon logging out (session cookies), while others persist after your browser is closed until a defined expiration date (persistent cookies).
We use the following types of cookies:
- Essential Cookies: Required for the Site to function properly. These cannot be disabled.
- Analytics Cookies: Help us understand how visitors interact with our Site. We use Google Analytics and similar tools to collect this data.
- Functional Cookies: Remember your preferences and settings to enhance your experience.
- Marketing Cookies: Used to deliver relevant advertisements and track the effectiveness of our marketing campaigns.
You can manage cookie preferences through your browser settings. Please note that disabling certain cookies may affect your ability to use some features of our Site.
Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. We currently do not respond to DNT signals because there is no industry-standard approach to DNT. We will continue to review new technologies and may adopt a DNT standard in the future.
6. Data Security
We implement industry-standard security measures to protect your personal information and healthcare data. Our security program includes:
- Encryption: All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption.
- Access Controls: Role-based access controls with multi-factor authentication for all team members.
- Infrastructure Security: Our Services are hosted on SOC 2 certified cloud infrastructure with continuous monitoring and intrusion detection.
- Regular Audits: We conduct regular security assessments, penetration testing, and vulnerability scanning.
- Incident Response: We maintain a comprehensive incident response plan and will notify affected parties in accordance with applicable laws in the event of a data breach.
- Employee Training: All FlowPod team members undergo regular security awareness and HIPAA compliance training.
While we take reasonable measures to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
7. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically:
- Account Data: Retained for the duration of your account and for a reasonable period thereafter.
- Healthcare Data: Retained in accordance with HIPAA requirements and our agreements with healthcare provider customers, typically for a minimum of six (6) years.
- Usage Data: Retained for up to twenty-four (24) months for analytics purposes.
- Marketing Data: Retained until you opt out or withdraw consent.
When data is no longer needed, we securely delete or anonymize it in accordance with our data retention policies.
8. Your Rights and Choices
Depending on your location, you may have certain rights regarding your personal information:
- Access: You may request a copy of the personal information we hold about you.
- Correction: You may request that we correct inaccurate or incomplete personal information.
- Deletion: You may request that we delete your personal information, subject to certain exceptions.
- Portability: You may request a copy of your data in a structured, commonly used, machine-readable format.
- Opt-Out: You may opt out of marketing communications at any time by clicking the "unsubscribe" link in our emails or contacting us directly.
- Restriction: You may request that we restrict the processing of your personal information in certain circumstances.
To exercise any of these rights, please contact us at info@flowpod.com. We will respond to your request within thirty (30) days.
California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to delete, and the right to opt out of the sale of personal information. We do not sell personal information.
9. Children's Privacy
Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have collected information from a child under 18, please contact us at info@flowpod.com.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last Updated" date at the top of this page and, where required by law, by sending you a notification. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: