Website & App Privacy Policy

Effective date:

This policy explains how SecurePractice collects, uses, and safeguards information when you use the Services.

This Privacy Policy explains how SecurePractice.app (“we,” “our,” or “us”) collects, uses, discloses, and safeguards information when you use the Services. This policy is separate from the HIPAA Notice of Privacy Practices (NPP) that practices provide to patients.

Where a customer uploads content that contains protected health information (PHI), we process that content solely on behalf of the customer as their Business Associate under applicable agreements.

Who We Are

SecurePractice (also known as HIPAA Assistant) is a software-as-a-service platform that helps healthcare practices, clinics, and similar organizations manage HIPAA compliance tasks, policies, and related documentation. Our services are provided through the websites securepractice.app and securepractice.health, as well as any related applications, tools, and content we operate.

1) Information We Collect

  • Account & Profile Data: name, business/practice name, role/title, address, phone, avatar, office type, display name, time zone, years in practice; credentials for sign-in (email/password); TOTP MFA secret/verification (Premium).
  • Customer-Uploaded Content: files uploaded via the Document Uploader (e.g., policies, logs, BAAs, incident forms, evidence). These files may contain personal information and, depending on customer use, PHI; we do not use upload contents for advertising.
  • Usage/Device Data: device/browser info, IP address, pages viewed; used to operate the Services.
  • Analytics: Google Analytics 4 (GA4) on the marketing site only; we do not send PHI to analytics.
  • Communications & Support: emails/SMS and our correspondence (reminders, product updates, support).
  • Payments: processed by Paddle. We do not store full payment card numbers; we may receive limited billing metadata (e.g., payer email, transaction IDs).

2) How We Use Information

Provide, secure, and maintain the Services (including authentication and TOTP MFA for Premium); operate features (Document Uploader, templates, reports); send reminders and product communications (marketing preferences can be managed in profile settings); monitor performance, troubleshoot, and improve reliability; comply with law and enforce agreements.

We do not sell personal information or share it for cross-context behavioral advertising.

3) Cookies & Similar Technologies

Essential cookies (e.g., auth/session) are required to run the app. Non-essential cookies (e.g., analytics on the marketing site) help us understand site usage. We display a cookie banner with granular controls on the marketing site.

You can adjust your browser to block non-essential cookies.

4) When We Disclose Information

We disclose information to service providers who help us operate the Services, under contracts that limit their use to our instructions: Firebase (Google) for Auth/Firestore/Storage/Cloud Functions; Paddle for payments; SendGrid for email; Twilio for SMS; Google Cloud Logging and Firebase Performance Monitoring for operational telemetry (no PHI).

We may disclose information to comply with law, protect rights or safety, or in a corporate transaction. We do not grant vendor “support-only” access to customer data.

5) PHI, HIPAA, and Customer-Uploaded Content

Customers control whether uploads include PHI. Where uploads include PHI, we act as a Business Associate and process such data solely on behalf of the customer under applicable agreements, with TLS in transit, encryption at rest, role-based access, and customer-controlled retention.

PHI is not sent to analytics or error trackers. For patient rights and permitted uses/disclosures of PHI, see the practice’s Notice of Privacy Practices (NPP).

6) Access Controls, Roles & Sessions

Roles (per customer): Practice Admin/Compliance Officer (designated privacy lead) manages users/roles; may view/upload/download/edit content (including PHI as permitted), run/export reports, manage subscription/billing, change org settings (e.g., retention, IP allowlists), and access audit logs. Practice User can be granted Document Uploader access; when granted, may view/upload/download/edit permitted content.

  • MFA: TOTP required for all Premium users.
  • SSO/SAML: Not used.
  • Idle timeout: 30 minutes.
  • Max session age: 12 hours (contact us if you need a different value).
  • Re-auth for sensitive actions: Not required.
  • Auditing: We log logins, role changes, uploads/downloads, exports (retained 2 years).
  • Tenant isolation: Users are restricted to their own practice; no cross-tenant features.

7) Data Retention

  • Account data: active + 24 months after last activity.
  • Uploaded evidence/docs: 6 months after Premium account cancellation/expiration.
  • Logs/analytics: active + 24 months after last activity.

8) Security

We use administrative, technical, and physical safeguards, including TLS in transit and encryption at rest (Firestore/Storage), role-based access controls, least-privilege practices, audit logging, and regular reviews. No method is 100% secure; customers must protect credentials and MFA.

9) Children’s Privacy

The Services are intended for organizations and their authorized adult users. We do not knowingly collect personal information directly from children under 13 (or under 16 where applicable). Customer-uploaded content may include information about minors when processed by authorized adult users; we handle such content solely on behalf of the customer.

10) California Notice (CPRA)

We do not sell personal information and do not share it for cross-context behavioral advertising. California residents may contact us regarding personal information as required by law.

11) Your Choices

  • Marketing emails: manage in profile or use the unsubscribe link.
  • Access/Deletion requests: privacy@securepractice.app.
  • Cookies: manage via the cookie banner and your browser settings.

12) International Users

We operate in the United States (Florida) and currently do not target EU/UK users.

13) Changes to This Policy

We may update this Policy from time to time. We will post the updated version with a new Effective date. If changes materially affect your rights, we will provide additional notice where required.

14) Contact Us

If you have questions about this Privacy Policy or our privacy practices, you can contact us at: