PatientFlo Privacy Policy

1. Who we are

PatientFlo ("PatientFlo," "we," "us," or "our") is operated by PatientFlo.com LLC, a Texas limited liability company. PatientFlo is a HIPAA-compliant platform that helps medical, medical-adjacent, and legal organizations ("Provider Organizations") send and receive patient referrals, securely message one another, and communicate with patients. This Privacy Policy explains how we handle information collected through our website at https://patientflo.com and through the email and SMS notifications we send on behalf of Provider Organizations. By using our website or services, you agree to this Policy.

2. Our role, and how this Policy fits with HIPAA

Most health information in PatientFlo belongs to and is controlled by the Provider Organizations that use the platform. With respect to that protected health information ("PHI"), we act as a Business Associate under the Health Insurance Portability and Accountability Act ("HIPAA"), and we use and disclose PHI only as permitted by our Business Associate Agreements (BAAs) with those Provider Organizations and by applicable law.

  • If you are a patient, the Provider Organization that referred or treated you is the custodian of your medical records. Requests to access, amend, or restrict your clinical records should go to that organization. This Policy governs the website and notification data described below, not the clinical records held under HIPAA, which are governed by HIPAA and your provider's Notice of Privacy Practices.

  • If you are a Provider Organization user, your organization's agreement with us (including the BAA) governs PHI; this Policy governs your use of the public website and your account information.

3. Information we collect

a. Information Provider Organizations give us. To route referrals and notifications, a Provider Organization may enter information about patients, for example a patient's name, date of birth, and mobile phone number, and the existence of a referral, message, records request, or authorization. Provider Organizations also provide account details for their own staff (name, work email, role).
b. Information patients provide. If you open a secure link we send you, you may provide your date of birth (to verify your identity), messages you send to your care team, and documents you choose to upload (for example an insurance card or photo ID).
c. Information we collect automatically. When you visit our website, we and our service providers may collect standard technical data such as IP address, browser and device type, pages viewed, and timestamps, using cookies and similar technologies, for security and to operate and understand use of the site.

We do not use this information to build advertising profiles. We do not sell personal information, and we do not use the content of your secure messages, uploaded documents, or clinical data for advertising.

4. How we use information

We use information to:

  • provide, operate, secure, and improve the PatientFlo platform and website;

  • deliver notifications (email and SMS) telling you a referral, message, records request, or authorization is waiting in the secure platform;

  • verify identity (such as the date-of-birth check that gates a patient's secure link);

  • provide customer support and respond to requests;

  • maintain security, prevent fraud and abuse, and keep the audit logs required for HIPAA and platform integrity; and

  • comply with law and enforce our Terms of Service.

5. SMS / text messaging program

This section describes our text-messaging practices for the transactional care notifications PatientFlo sends to patients by SMS.

How we obtain your mobile number and consent. PatientFlo does not collect mobile numbers through a public web form. Your healthcare or legal provider enters your mobile number into PatientFlo as part of your care or case relationship, and you consent to receive these messages when you provide your number to that provider for this purpose. We send a message only in response to an actual event in your care.

Types of messages. Messages are transactional and care-related only, never marketing or promotional. Examples:

  • "Your provider sent you a secure referral update on PatientFlo. View it: [link]"

  • "Your care team is requesting documents on PatientFlo. View the request and upload: [link]"

  • "Your care team needs your authorization to release records on PatientFlo. Review and sign: [link]"

  • "Your records were shared with your care team's authorized recipient on PatientFlo. View details: [link]"

  • "You have a new secure message from your care team on PatientFlo. View it: [link]"

Each message contains only a short notice and a secure, single-use link that expires and is protected by a date-of-birth check. Our text messages never contain medical details or other PHI.

Message frequency. Frequency varies and depends on activity in your care; you receive a message only when there is a new event for you. There is no fixed or recurring schedule.

Cost. Message and data rates may apply based on your mobile carrier and plan. PatientFlo does not charge you for these messages.

Opting out and getting help. You can opt out at any time by replying STOP to any message; you will then stop receiving SMS notifications. Reply HELP for assistance, or contact us at [email protected]. If you opt out of SMS, your provider may still contact you about your care by other means.

No sharing of your mobile data for marketing. We will not sell, rent, or share your mobile phone number or your SMS opt-in/consent with third parties or affiliates for their marketing or promotional purposes. We share your mobile number only with the messaging service provider that delivers these messages on our behalf (see Section 6). Text-messaging originator opt-in data and consent are not shared with any third parties.

6. How we share information

We share information only as needed to operate the service:

  • With the Provider Organizations involved in your care or case. The platform exists to connect the providers and patients party to a referral, message, records request, or authorization; information is shared with those parties, under HIPAA where applicable.

  • With service providers (subprocessors) who process information on our behalf, under contract and only to provide the service. These currently include Twilio (SMS delivery), Resend (email delivery), Supabase (cloud database, file storage, and authentication), and Vercel (application hosting).

  • For legal and safety reasons: to comply with law, respond to lawful requests, enforce our terms, or protect the rights, safety, and security of users, the public, or PatientFlo.

  • In a business transfer, in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy and applicable law. We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

7. Data retention

We retain information for as long as needed to provide the service, comply with our legal and contractual obligations (including BAAs and Provider Organization instructions), resolve disputes, and enforce our agreements. Because Provider Organizations control their records, we may be unable to delete certain information except on their instruction or as required by law. Secure access links are short-lived and single-use.

8. How we protect information

We use administrative, technical, and physical safeguards designed to protect information, including encryption in transit and at rest, strict tenant isolation and row-level access controls, identity verification for patient access, least-privilege access for our systems, and audit logging. Notifications are deliberately PHI-free — the secure in-app thread, not the SMS or email, is the system of record for any sensitive content. No method of transmission or storage is 100% secure, but we work to protect your information consistent with HIPAA and industry practice.

9. Your choices and rights

  • SMS: opt out anytime by replying STOP; reply HELP for help.

  • Cookies: you can control cookies through your browser settings; some site features may not function without them.

  • Clinical records: to access, correct, or restrict your medical records, contact the Provider Organization that holds them; we will support their lawful instructions as their Business Associate.

  • Website/account data: to ask about the information we hold as a controller of website and account data, contact us at [email protected].

10. State privacy rights

Depending on where you live (for example, Texas, California, and other states with comprehensive privacy laws), you may have rights to access, correct, delete, or obtain a copy of certain personal information, and to appeal a decision. Many of these laws exempt PHI handled under HIPAA, so for clinical records those rights run through HIPAA and your Provider Organization. To exercise rights in the website/account data we control, contact [email protected]; we will verify and respond as required by law. We do not sell personal information or share it for targeted advertising.

11. Children's privacy

Our website and account registration are intended for adults (Provider Organization staff). We do not knowingly collect personal information directly from children through the website. Where a Provider Organization provides information about a minor patient, that information is handled under HIPAA and the provider's authority.

12. Third-party links

Our website or messages may link to third-party sites or services we do not control. Their privacy practices are governed by their own policies.

13. Changes to this Policy

We may update this Policy from time to time. We will post the updated version here with a new effective date and, where required, provide additional notice.

14. Contact us

PatientFlo.com LLC
6021 Fairmont Pkwy, Suite 250, Pasadena, TX 77505
Email: [email protected]

© 2026 PatientFlo.com. All rights reserved.