Privacy Policy

Last Updated: October 5, 2025

Document Version: 2.0.0

1. Introduction

Rainstorm Labs, Inc. ("Company," "we," "us," or "our") is committed to protecting the privacy and security of your information. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our electronic medical records/electronic health records platform and related services (the "Service").

This Privacy Policy applies to:

  • Healthcare providers and their staff who use our Service
  • Patients who access our patient portal
  • Visitors to our website
  • All users of our scheduling, billing, and communication features

HIPAA Notice: If you are a healthcare provider, we serve as your Business Associate under HIPAA. A separate Business Associate Agreement (BAA) governs our handling of Protected Health Information (PHI). This Privacy Policy addresses our broader privacy practices beyond HIPAA requirements.

2. Information We Collect

2.1 Protected Health Information (PHI)

When you use our Service as a healthcare provider, we may collect and process PHI on your behalf, including:

Patient Demographics:

  • Names, addresses, phone numbers, email addresses
  • Date of birth, gender, emergency contacts
  • Social Security numbers, insurance information
  • Employment and family information

Clinical Information:

  • Medical history and diagnoses
  • Treatment plans and clinical notes
  • Prescription and medication information
  • Laboratory and diagnostic results
  • Imaging and other medical records

Billing and Payment Information:

  • Insurance claims and payment data
  • Patient payment information and transaction records
  • Billing codes and financial records

2.2 Account and User Information

Provider Account Data:

  • Professional credentials and licensing information
  • Practice information and specialties
  • User roles and access permissions
  • Account settings and preferences

Authentication Information:

  • Login credentials (usernames, passwords)
  • Multi-factor authentication data
  • Session information and access logs

2.3 Technical and Usage Information

System Data:

  • IP addresses and device identifiers
  • Browser type and version
  • Operating system information
  • Access times and usage patterns

Service Analytics:

  • Feature usage and performance metrics
  • Error logs and diagnostic information
  • System optimization data

2.4 Communication Information

  • Messages sent through our platform
  • Appointment reminders and notifications
  • Support communications
  • Marketing communications (with consent)

3. How We Use Information

3.1 Primary Service Functions

We use collected information to:

  • Provide electronic health record management
  • Enable patient scheduling and calendar management
  • Process billing and payments through Stripe
  • Generate superbills and insurance claims
  • Send appointment reminders and notifications
  • Facilitate secure patient-provider communication
  • Maintain clinical documentation systems

3.2 Business Operations

  • User account management and authentication
  • Technical support and customer service
  • Service improvement and development
  • Security monitoring and incident response
  • Regulatory compliance and reporting
  • Quality assurance and training

3.3 Legal and Compliance

  • HIPAA compliance and Business Associate obligations
  • Legal proceedings and regulatory investigations
  • Audit requirements and documentation
  • Risk management and insurance purposes

3.4 With Your Consent

  • Marketing communications
  • Research and analytics (de-identified data)
  • Third-party integrations you authorize
  • Optional service enhancements

4. Information Sharing and Disclosure

4.1 HIPAA-Governed Disclosures

For PHI, we follow the minimum necessary standard and disclose information only as:

  • Required by our Business Associate Agreement
  • Authorized by appropriate patient consent
  • Permitted under HIPAA regulations
  • Required by law or legal process

4.2 Service Providers and Business Associates

We may share information with trusted third parties who assist in providing our Service:

Payment Processing:

  • Stripe, Inc. for credit card and ACH processing
  • Payment networks and financial institutions
  • Fraud prevention and security services

Technology Infrastructure:

  • Cloud hosting providers (SOC 2 Type II certified)
  • Database management services
  • Security and monitoring services
  • Backup and disaster recovery providers

Support Services:

  • Customer support platforms
  • Email and communication services
  • Analytics and performance monitoring tools

All third-party service providers are required to maintain appropriate security and privacy protections through written agreements.

4.3 Legal Requirements

We may disclose information when required by law, including:

  • Court orders and subpoenas
  • Law enforcement investigations
  • Public health reporting requirements
  • Regulatory investigations and audits
  • Protection of rights and safety

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, user information may be transferred as part of the transaction, subject to appropriate privacy protections.

5. Data Security and Protection

5.1 Technical Safeguards

Encryption:

  • AES-256 encryption for data at rest
  • TLS 1.3 for data in transit
  • End-to-end encryption for sensitive communications

Access Controls:

  • Multi-factor authentication requirements
  • Role-based access permissions
  • Regular access reviews and audits
  • Automatic session timeouts

Infrastructure Security:

  • SOC 2 Type II certified data centers
  • Redundant security systems
  • 24/7 security monitoring
  • Regular penetration testing

5.2 Administrative Safeguards

Personnel Security:

  • Background checks for all employees
  • Confidentiality agreements and training
  • Regular security awareness training
  • Incident response procedures

Policies and Procedures:

  • Comprehensive security policies
  • Regular policy updates and reviews
  • Documented procedures for data handling
  • Vendor management programs

5.3 Physical Safeguards

  • Secure data center facilities
  • Biometric access controls
  • Environmental monitoring
  • Asset tracking and disposal procedures

5.4 Incident Response

In the event of a security incident:

  • Immediate containment and assessment
  • Notification to affected parties as required
  • Forensic investigation and remediation
  • Post-incident analysis and improvements

6. Data Retention and Disposal

6.1 Retention Periods

PHI and Clinical Data:

  • Retained according to applicable medical record retention requirements
  • Typically 7-10 years after last patient encounter
  • Longer periods for pediatric records as required by law

Account and Business Data:

  • Active account data retained during service term
  • Deleted within 30 days of account termination
  • Backup copies deleted within 90 days

Technical and Log Data:

  • System logs retained for up to 12 months
  • Security logs retained for up to 24 months
  • Analytics data retained for up to 36 months

6.2 Secure Disposal

All data disposal follows NIST 800-88 guidelines:

  • Cryptographic erasure for encrypted data
  • Multiple-pass overwriting for unencrypted data
  • Physical destruction of storage media when necessary
  • Documented certificate of destruction

7. Your Rights and Choices

7.1 Access Rights

You have the right to:

  • Access your account information and settings
  • Request copies of your data in portable formats
  • Review audit logs of access to your information
  • Update incorrect or incomplete information

7.2 Control Over Communications

  • Opt out of marketing communications
  • Choose notification preferences
  • Update contact information
  • Request communication via secure methods only

7.3 Data Portability

  • Export data in standard formats (HL7 FHIR, CSV, PDF)
  • Transfer data to other HIPAA-compliant systems
  • Receive assistance with data migration

7.4 Patient Rights

If you are a patient accessing our patient portal:

  • Right to access your medical records
  • Right to request amendments to your records
  • Right to receive accounting of disclosures
  • Right to request restrictions on information use
  • Right to file complaints regarding privacy practices

8. Cookies and Tracking Technologies

8.1 Types of Cookies

We use the following types of cookies:

  • Essential Cookies: Required for service functionality
  • Security Cookies: Authentication and fraud prevention
  • Performance Cookies: Service optimization and analytics
  • Preference Cookies: User settings and customization

8.2 Cookie Management

You can manage cookie preferences through:

  • Browser settings and controls
  • Our cookie preference center
  • Account settings within the Service
  • Third-party opt-out tools

8.3 Analytics and Tracking

We use analytics tools to improve our Service:

  • Google Analytics (with IP anonymization)
  • Internal usage analytics
  • Performance monitoring tools
  • Security event tracking

All analytics use de-identified data when possible and comply with applicable privacy requirements.

9. International Data Transfers

9.1 Data Location

  • Primary data storage within the United States
  • Backup systems located in secure U.S. facilities
  • Limited international processing for support functions

9.2 International Users

If you access our Service from outside the United States:

  • Data will be transferred to and processed in the U.S.
  • We provide appropriate safeguards for international transfers
  • You consent to such transfers by using our Service

9.3 EU General Data Protection Regulation (GDPR)

For EU users, we provide additional protections under GDPR:

  • Lawful basis for processing personal data
  • Data subject rights including deletion and portability
  • Data Protection Officer contact information
  • Privacy impact assessments for high-risk processing

10. Children's Privacy

Our Service is not intended for individuals under 18 years of age, except:

  • Patient portal access with parental consent
  • Pediatric medical records with appropriate authorization
  • Emergency situations involving minors

We do not knowingly collect personal information from children without appropriate parental consent or legal authorization.

11. State Privacy Laws

11.1 California Consumer Privacy Act (CCPA)

For California residents, we provide additional rights:

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt-out of sale of personal information
  • Right to non-discrimination for exercising rights

Note: We do not sell personal information to third parties.

11.2 Other State Laws

We comply with applicable state privacy laws including:

  • Illinois Genetic Information Privacy Act
  • Texas Identity Theft Enforcement and Protection Act
  • New York SHIELD Act
  • Virginia Consumer Data Protection Act

12. Changes to This Privacy Policy

12.1 Policy Updates

We may update this Privacy Policy to reflect:

  • Changes in our information practices
  • Updates to applicable laws and regulations
  • New service features or functionality
  • Feedback from users and stakeholders

12.2 Notification of Changes

We will provide notice of material changes through:

  • Email notifications to account holders
  • Prominent notices on our website
  • In-app notifications within the Service
  • Updates to the "Last Updated" date above

12.3 Continued Use

Continued use of our Service after policy changes constitutes acceptance of the updated Privacy Policy.

13. Contact Information and Complaints

13.1 Privacy Contact

For privacy-related questions or concerns:
Email: hello@almondconnect.com

13.2 HIPAA Complaints

For HIPAA-related complaints, you may also contact:
U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Phone: 1-877-696-6775
Website: www.hhs.gov/ocr/privacy/

14. Definitions

  • Business Associate: A person or entity that performs functions or activities on behalf of a covered entity that involve the use or disclosure of protected health information.
  • Covered Entity: Health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically.
  • De-identified Information: Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.
  • Minimum Necessary: The HIPAA requirement that covered entities make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
  • Protected Health Information (PHI): Individually identifiable health information that is transmitted or maintained in any form or medium by a covered entity or business associate.

This Privacy Policy is effective as of the "Last Updated" date above. By using our Service, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your information as described herein.