Privacy Policy

Last Updated: January 13, 2026

1. Introduction

OVS Intelligence LLC ("Company," "we," "us," or "our") operates the Patient Recall Dashboard ("Service"). This Privacy Policy describes how we collect, use, and protect information when you use our Service.

Our Service is designed to help healthcare practices manage patient recall and outreach. We are committed to protecting the privacy and security of all information processed through our platform, including Protected Health Information (PHI) as defined by HIPAA.

2. Information We Collect

2.1 Patient Information (PHI)

The Service processes patient information uploaded by authorized healthcare practice staff, including:

  • Patient names and contact information (phone, email)
  • Date of birth
  • Visit history and appointment counts
  • Treatment notes and clinical information (when uploaded)
  • ICD-10 diagnostic codes

2.2 What We Do NOT Collect

We do not collect or request:

  • Social Security numbers
  • Financial account numbers or credit card information (payment processing is handled by Stripe)
  • Biometric data
  • Genetic information
  • Patient photographs or images

2.3 Usage Information

We collect information about how the Service is used, including:

  • Login timestamps and IP addresses
  • Actions taken within the application (audit logs)
  • Outreach attempts and outcomes

3. How We Use Information

We use the information collected to:

  • Provide and maintain the patient recall Service
  • Prioritize patient outreach based on visit history and conditions
  • Generate reports and analytics for practice management
  • Maintain audit trails for HIPAA compliance
  • Improve and optimize the Service
  • Communicate with you about your account and Service updates

We do NOT use PHI for: Marketing, advertising, sale to third parties, de-identification for research, or any purpose not directly related to providing the Service.

4. Data Protection & Security

4.1 Technical Safeguards

We implement appropriate technical measures to protect data, including:

  • Encryption in Transit: All data transmitted via TLS 1.2+ (HTTPS)
  • Encryption at Rest: AES-256 encryption for stored data
  • Password Security: PBKDF2-SHA256 with 600,000 iterations
  • Session Management: Secure, HTTP-only, same-site cookies with 8-hour timeout
  • Rate Limiting: Protection against brute force attacks
  • Account Lockout: Automatic lockout after 5 failed login attempts
  • Comprehensive Audit Logging: All access and modifications logged

4.2 Infrastructure

Our Service is hosted on Railway infrastructure located in the United States. Railway maintains SOC 2 Type II certification and provides:

  • Physical access controls and 24/7 security
  • Encrypted storage volumes
  • Automated backups with encryption
  • Network isolation and firewalls

4.3 Data Retention

Patient Data: Retained for the duration of the service agreement. Upon termination, you have 30 days to export your data, after which it will be securely deleted.

Audit Logs: Retained for 6 years per HIPAA requirements (45 CFR § 164.530(j)).

Backups: Encrypted backups retained for 30 days for disaster recovery.

5. Our Role as Business Associate

OVS Intelligence LLC operates as a Business Associate under HIPAA when processing PHI on behalf of healthcare practices (Covered Entities). This means:

  • We only use PHI as permitted by our Terms of Service and applicable law
  • We implement required administrative, physical, and technical safeguards
  • We report any Security Incident or Breach within 60 days of discovery
  • We ensure our subcontractors maintain equivalent protections
  • We support your patients' rights to access, amend, and receive an accounting of disclosures

By accepting our Terms of Service, you execute the Business Associate Agreement (BAA) governing our relationship.

6. Data Sharing & Sub-Processors

We do not sell, rent, or share patient information with third parties except as follows:

6.1 Sub-Processors

We use the following third-party services to operate our platform:

Provider  | Purpose                | Data Processed                             | Certification
Railway   | Infrastructure/Hosting | All Service data                           | SOC 2 Type II
Stripe    | Payment Processing     | Payment info only (no PHI)                 | PCI DSS Level 1
SendGrid  | Transactional Email    | Email addresses for notifications (no PHI) | SOC 2 Type II

We will not add sub-processors that handle PHI without updating this policy and providing notice to affected users.

6.2 Legal Requirements

We may disclose information if required by law, subpoena, court order, or to:

  • Comply with legal obligations
  • Protect the rights, property, or safety of OVS Intelligence LLC, our users, or others
  • Respond to lawful government requests

Where permitted by law, we will notify you of such requests before disclosure.

7. Your Rights

7.1 HIPAA Rights (All Users)

Under HIPAA, patients whose PHI is processed through our Service have the right to:

  • Access: Request copies of their PHI
  • Amendment: Request corrections to inaccurate PHI
  • Accounting of Disclosures: Request a list of disclosures made
  • Restrictions: Request restrictions on certain uses

These requests should be directed to your healthcare provider (the Covered Entity), who will coordinate with us as needed.

7.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: What personal information we collect, use, and disclose
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of the sale of personal information (we do not sell personal information)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

Note: CCPA exempts information covered by HIPAA from its scope. These rights apply to non-PHI personal information only.

7.3 Virginia Residents (VCDPA)

If you are a Virginia resident, the Virginia Consumer Data Protection Act (VCDPA) provides:

  • Right to access, correct, and delete personal data
  • Right to data portability
  • Right to opt out of targeted advertising (we do not engage in targeted advertising)

7.4 Colorado Residents (CPA)

If you are a Colorado resident, the Colorado Privacy Act (CPA) provides similar rights to access, correct, delete, and port your personal data.

7.5 Exercising Your Rights

To exercise any of these rights, contact us at privacy@ovsintelligence.com. We will respond to verified requests within 45 days. We may request additional information to verify your identity before processing your request.

8. Cookies & Tracking

Session Cookies: We use strictly necessary session cookies to maintain your login session. These cookies are:

  • HTTP-only (not accessible to JavaScript)
  • Secure (transmitted only over HTTPS)
  • Same-site (not sent with cross-site requests)
  • Automatically deleted when your session ends or after 8 hours of inactivity

No Tracking: We do not use third-party analytics, advertising cookies, tracking pixels, or similar technologies. We do not track your activity across other websites.

9. Data Breach Notification

In the event of a breach of unsecured PHI, we will:

  • Notify affected Covered Entities within 60 days of discovery
  • Provide details of the breach, types of information involved, and steps taken
  • Cooperate with your breach notification obligations to affected individuals and HHS
  • Document the breach and our response in accordance with HIPAA requirements

10. International Users

This Service is intended for use within the United States and is designed to comply with U.S. healthcare regulations including HIPAA. If you access the Service from outside the United States, you acknowledge that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 30 days before they take effect. The "Last Updated" date at the top of this page indicates when this policy was last revised.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

OVS Intelligence LLC
Privacy Inquiries: privacy@ovsintelligence.com
General Support: support@ovsintelligence.com
Legal Matters: legal@ovsintelligence.com

For HIPAA-related concerns or to report a potential security incident, please contact privacy@ovsintelligence.com immediately.

© 2025-2026 OVS Intelligence LLC. All rights reserved.