Legal

Privacy Policy

Last updated: May 26, 2026

BrightPath-IQ, LLC ("BrightPath-IQ," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our practice management platform ("Service"). Please read this policy carefully. If you disagree with its terms, please discontinue use of the Service.

1. Information We Collect

Information you provide directly:

  • Account registration information (name, email address, practice name).
  • Billing and payment information (processed by Stripe — we do not store full card numbers).
  • Clinical data you enter into the Service, including client records, session notes, goal data, and documents.
  • Team member profiles you create when inviting staff.
  • Communications you send to us (support emails, feedback).

Information collected automatically:

  • Log data including IP address, browser type, pages visited, and timestamps.
  • Cookies and similar tracking technologies used to maintain session state and improve performance.
  • Audit log entries recording every action taken within the Service (who, what, when).

2. Protected Health Information (PHI)

The Service is designed to handle Protected Health Information as defined by HIPAA. PHI entered into the Service (client names, session notes, clinical assessments, diagnoses) is treated with the highest level of care:

  • PHI is stored in encrypted databases and private cloud storage buckets.
  • Access to PHI is restricted by role-based permissions — staff members only see the data their role permits.
  • PHI is never sold, rented, or shared with third parties for marketing purposes.
  • PHI is disclosed only as permitted or required by HIPAA (e.g., for treatment, payment, operations, or when required by law).
  • A Business Associate Agreement (BAA) governs our handling of PHI for all covered entities using the Service. The BAA is accepted electronically during account setup and is included with all paid plans.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service.
  • Process payments and send billing communications.
  • Send transactional emails (account confirmations, password resets, subscription notices).
  • Respond to support requests and troubleshoot issues.
  • Monitor and analyze usage patterns to improve the Service.
  • Comply with legal obligations, including HIPAA audit retention requirements.
  • Detect, prevent, and address fraud, security incidents, or technical issues.

We do not use your clinical data to train machine learning models or for any purpose other than providing the Service to you.

4. Information Sharing and Disclosure

We do not sell your personal information. We may share information only in the following circumstances:

  • Service Providers. We share data with trusted third-party vendors (listed in Section 7) who assist in operating the Service under confidentiality obligations.
  • Legal Requirements. We may disclose information when required by law, subpoena, court order, or to protect the rights, property, or safety of BrightPath-IQ, our users, or the public.
  • Business Transfers. In the event of a merger, acquisition, or asset sale, your information may be transferred. We will provide notice before your personal information becomes subject to a different privacy policy.
  • With Your Consent. We may share information for any other purpose with your explicit consent.

5. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption at rest and in transit. All data is encrypted using AES-256 at rest and TLS 1.2+ in transit.
  • Private cloud storage. Client documents and provider files are stored in private, non-public cloud buckets with expiring signed download URLs (5-minute expiry).
  • Role-based access control. Strict permission tiers limit who can view, edit, or delete each type of data.
  • Append-only audit logs. All actions are logged and cannot be modified or deleted through the application.
  • Multi-factor authentication. Supported via our authentication provider (Clerk).

No method of transmission over the internet is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

6. Data Retention

  • Active accounts. Data is retained for as long as your account is active.
  • Audit logs. Retained for a minimum of six (6) years per HIPAA § 164.530(j).
  • After cancellation. Account data is retained for 90 days after cancellation to allow data export, then permanently deleted from production systems.
  • Backups. Encrypted backups may retain data for up to an additional 30 days beyond production deletion as part of disaster recovery procedures.

7. Third-Party Service Providers

We use the following third-party services to operate BrightPath-IQ:

ProviderPurposePrivacy Policy
ClerkAuthentication & user managementclerk.com/legal/privacy
SupabaseDatabase & file storagesupabase.com/privacy
StripePayment processingstripe.com/privacy
VercelHosting & CDNvercel.com/legal/privacy-policy

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access. Request a copy of the personal information we hold about you.
  • Correction. Request correction of inaccurate personal information.
  • Deletion. Request deletion of your personal information, subject to legal retention requirements.
  • Portability. Request export of your data in a machine-readable format.
  • Objection. Object to certain types of processing.

To exercise any of these rights, contact us here. We will respond within 30 days.

9. Children's Privacy

The Service is intended for use by healthcare providers, not by children directly. While providers use the Service to manage records for minor clients, we do not knowingly collect personal information directly from children under 13. Providers are responsible for obtaining appropriate consent to store minor client records in accordance with applicable law.

10. Cookies

We use session cookies to maintain your authenticated state while using the Service. We do not use third-party advertising cookies. You can instruct your browser to refuse cookies, but doing so may prevent certain features of the Service from functioning properly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice within the Service at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

12. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:

BrightPath-IQ, LLC

Send us a message →