We do NOT sell, rent, or share your personal data with third parties for marketing purposes.
1. Information We Collect
Information You Provide to Us
- Account Information: Email address, name, password
- Log User Profiles: Names, birthdates, diagnosis information (formal and suspected), profile summaries
- Health Data: Daily logs including:
- Medication information (names, dosages, timing, adherence)
- Sleep patterns and quality
- Food and nutrition logs
- Activity logs
- Behavioral observations and reflections
- Menstrual cycle data (if tracked)
- Out-of-norm events (both positive and negative)
- Care provider information
- Care visit records
Information Collected Automatically
- Device Information: Device type, operating system, unique device identifiers
- Usage Data: Features used, time spent in app, error logs
- Authentication Data: Session tokens, login timestamps
Information We Do NOT Collect
- We do NOT track your location
- We do NOT access your contacts
- We do NOT collect data from other apps on your device
- We do NOT use cookies for tracking or advertising
2. How We Use Your Information
We use your information only for the following purposes:
To Provide Our Services
- Display your family's health data and logs
- Generate AI-powered insights and analyses
- Create reports for teachers and healthcare providers
- Provide personalized research article recommendations
- Enable AI Coach (Sage) conversations
- Send medication refill reminders (if you enable them)
To Improve Our Services
- Identify and fix technical issues
- Analyze app performance and usage patterns (aggregated, anonymized)
- Improve AI analysis accuracy
To Communicate With You
- Send important service updates
- Respond to your support requests
- Send account security notifications
3. How We Protect Your Information
HIPAA Compliance
ThrivingFam is built with HIPAA (Health Insurance Portability and Accountability Act) compliance as a foundational requirement:
- Encryption at Rest: All data stored in our database is encrypted using AES-256 encryption
- Encryption in Transit: All data transmitted between your device and our servers uses TLS 1.2+ encryption
- Secure Authentication: Passwords are hashed using bcrypt; we never store plain-text passwords
- Session Management: Encrypted session tokens with automatic expiration
- Audit Logging: All access to protected health information is logged for security monitoring
- Access Controls: Strict role-based access controls limit who can view your data
Data Storage
- Database: AWS RDS PostgreSQL with encryption enabled
- File Storage: AWS S3 with KMS encryption and private bucket access
- Backups: Automated encrypted backups with point-in-time recovery
- Region: All data is stored in the US (AWS us-east-2 region)
Mobile App Security
- Local Storage: All sensitive data on your device is encrypted using iOS Keychain or Android Keystore
- Biometric Authentication: Optional Face ID/Touch ID support
- Automatic Timeout: Sessions expire after 15 minutes of inactivity
- Secure Deletion: Data is securely cleared when you log out
4. Information Sharing and Disclosure
We Do NOT Sell Your Data
Your personal health information is NEVER sold, rented, or shared for advertising or marketing purposes.
We Do NOT Share Your Data Except:
With Your Explicit Permission
- When you choose to share reports with teachers or care providers
- When you invite collaborators to view specific log user data
Service Providers (Limited, Necessary)
- AWS (Amazon Web Services): Cloud infrastructure hosting (HIPAA-compliant)
- Anthropic: AI analysis via Claude 3.5 Sonnet (we send anonymized behavioral data only, not personally identifiable information)
- Stripe: Payment processing for subscriptions (they receive billing information only, not health data)
- SendGrid/AWS SES: Email delivery for system notifications
All service providers are bound by strict confidentiality agreements and HIPAA Business Associate Agreements where applicable.
Legal Requirements
- To comply with valid legal process (subpoena, court order)
- To protect the rights, property, or safety of ThrivingFam, our users, or others
- In connection with suspected fraud, security, or technical issues
Business Transfers
- If ThrivingFam is acquired or merged, your information may be transferred to the new owner, subject to this Privacy Policy
5. Your Data Rights
Access and Control
- View Your Data: Access all your data through the app at any time
- Update Your Data: Edit or correct your information
- Delete Specific Entries: Remove individual log entries or entire log users
- Export Your Data: Request a copy of your data in portable format
- Delete Your Account: Permanently delete your account and all associated data
Data Retention
- Active Accounts: Data is retained as long as your account is active
- Deleted Accounts: Data is permanently deleted within 30 days of account deletion
- Backup Retention: Encrypted backups are retained for 90 days for disaster recovery
Collaborator Access
- You control who can view your log user data by managing collaborator invitations
- Collaborators can only view data for log users you've explicitly shared with them
- Collaborators do NOT have access to your AI Coach (Sage) conversations or AI Analysis results
- You can revoke collaborator access at any time
6. Children's Privacy
ThrivingFam is designed for families to log data about children and adults with neurodevelopmental differences. However:
- Our service is intended for use by adults (18+) who create accounts
- Parents/guardians create log user profiles for their children
- We do not knowingly collect information directly from children under 13
- Parents/guardians have full control over their children's log user data
7. Third-Party Services
AI Analysis (Anthropic Claude)
- We send anonymized behavioral data to Anthropic for AI analysis
- We do NOT send personally identifiable information (names, email, birthdates)
- Anthropic is HIPAA-compliant and bound by confidentiality agreements
- Data sent: Behavior scores, medication patterns (anonymized), sleep patterns, food logs, activity logs
- Data NOT sent: Names, contact information, specific addresses, photos
Payment Processing (Stripe)
- Stripe handles all payment information (credit cards, billing addresses)
- We do NOT store credit card numbers
- Stripe receives billing information only, NOT health data
- Stripe is PCI-DSS compliant
Research Articles (PubMed)
- We query the public PubMed database for research articles
- We do NOT share your personal information with PubMed
- Search queries are based on diagnosis information you provide
8. International Users
ThrivingFam is based in the United States. If you access our services from outside the US:
- Your data will be transferred to and stored in the US
- By using our services, you consent to this transfer
- We comply with applicable international data protection laws
9. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by:
- Sending an email to your registered email address
- Displaying a prominent notice in the app
- Updating the "Last Updated" date at the top of this policy
Your continued use of ThrivingFam after changes indicates acceptance of the updated policy.
10. Contact Us
If you have questions about this Privacy Policy or our privacy practices:
For data access, correction, or deletion requests, please email us with "Privacy Request" in the subject line.
11. Your Consent
By using ThrivingFam, you consent to this Privacy Policy and our collection, use, and protection of your information as described herein.
Summary: We take your privacy seriously. We do NOT sell your data. We use HIPAA-compliant encryption and security practices. You control your data and can delete it at any time. We only share data when absolutely necessary to provide our services, and never for marketing purposes.