Privacy Policy

1. Scope

This Policy explains how we collect, use, disclosure, and “protect Personal Information (PI)” and “Protected Health Information (PHI)” processed through Stitch's web app, mobile experience, and SMS integrations.

2. What we collect

Category	Examples	Purpose
Account data	Name, email, phone, password hash, MFA token	Account creation, login
Health data (PHI)	Diagnosis, surgery date, medication list, lab values, symptom check-ins	Care navigation, clinical triage
Device data	IP address, browser, OS, session timestamps	Security, analytics
Communication	Messages, call notes, support tickets	Customer support, quality assurance

3. How we collect

Information you or your care team enter directly.
Data transmitted automatically by EHR integrations (e.g., FHIR, HL7 feeds).
Patient-reported outcomes captured via SMS or in-app forms.
Cookies and similar technologies for session management (no third-party ad tracking).

4. Legal bases for processing

We process PHI under HIPAA Business Associate Agreements with your healthcare provider. For direct-to-consumer users, we process data with your explicit consent under 45 CFR §164.508 and comparable state laws.

5. Use of information

To deliver and improve the platform.
To train de-identified machine-learning models for symptom triage.
To communicate product updates or critical health alerts.
To comply with legal obligations (e.g., audit logs, breach notification).

6. Sharing & disclosures

We never sell PHI. We share data only with:

Authorized care-team members within the same treatment relationship.
Sub-processors who provide secure infrastructure (e.g., AWS, Twilio) under BAAs.
Regulators or law enforcement when legally compelled.

7. Data retention & deletion

Active PHI is retained for the duration of your treatment plus seven (7) years, or longer if required by state law.
De-identified datasets are stored indefinitely.
Upon verified request, we will delete or anonymize personal data not subject to legal retention requirements.

8. Security safeguards

Data encrypted in transit (TLS 1.2+) and at rest (AES-256).
Annual HIPAA and SOC 2 Type II audits.
Role-based access control with MFA.
Continuous intrusion detection and third-party penetration testing.

9. Your rights

Depending on your jurisdiction, you may have the right to:

Access or receive a copy of your data.
Correct inaccurate information.
Restrict or object to certain processing.
Lodge a complaint with a supervisory authority.
Submit requests to privacy@stitchcare.io. We'll respond within 30 days.

10. International users

Stitch is hosted in U.S. data centers. If you access the service from outside the U.S., you consent to the transfer of your information to the United States, which may have different different data-protection laws.

11. Children's privacy

Stitch does not knowingly collect PI from anyone under 13 without verified parental consent. If you believe a child has provided us PI without consent, Contact privacy@stitchcare.io.

12. Changes to this Policy

We'll post any Revisions on this page and update the “Effective Date”. Material changes will be highlighted in-app or via email at least 15 days before they take effect.

13. Contact

For privacy questions or complaints, email the Data Protection Officer: dpo@stitchcare.io.