Privacy Policy

1. Introduction

ARDodo ("we," "our," or "us") is committed to protecting your privacy and maintaining the security of your personal and protected health information (PHI). This Privacy Policy explains how we collect, use, disclose, and safeguard your information in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and other applicable privacy laws.

2. HIPAA Compliance

ARDodo is a HIPAA-compliant platform designed for healthcare funding companies and medical accounts receivable management. We implement comprehensive technical, administrative, and physical safeguards to protect all PHI processed through our system.

• 100/100 HIPAA Security Rule compliance
• AES-256-GCM encryption for data at rest
• TLS 1.3 encryption for data in transit
• Row-level security on all database tables
• Comprehensive audit logging of all PHI access
• Automatic account lockout and session management

3. Information We Collect

3.1 Protected Health Information (PHI)

We collect and process PHI necessary for medical accounts receivable management, including:

• Patient names, dates of birth, and contact information
• Medical record numbers and case identifiers
• Treatment information and medical procedures
• Healthcare provider and law firm information
• Insurance and billing information
• Medical lien and funding details

3.2 Account Information

When you create an account, we collect:

• Name, email address, and phone number
• Company name and role
• Login credentials (passwords are hashed and never stored in plain text)
• User preferences and settings

3.3 Usage Information

We automatically collect certain information about your use of the platform:

• IP addresses and device information
• Browser type and operating system
• Pages visited and features used
• Date and time of access
• Audit logs of PHI access (required by HIPAA)

4. How We Use Your Information

We use your information for the following purposes:

• Service Delivery: To provide accounts receivable management, case tracking, document generation, and reporting services
• Communication: To send service-related notifications, updates, and support responses
• Security: To detect, prevent, and respond to security incidents and unauthorized access
• Compliance: To maintain audit logs and comply with HIPAA and other legal requirements
• Improvement: To analyze usage patterns and improve our platform (using de-identified data only)

5. Information Sharing and Disclosure

We do not sell, rent, or trade your information. We only share information in the following limited circumstances:

• With Your Consent: When you explicitly authorize us to share information
• Service Providers: With HIPAA-compliant vendors who assist in providing our services (covered by Business Associate Agreements)
• Legal Requirements: When required by law, court order, or government regulation
• Business Transfers: In connection with a merger, acquisition, or sale of assets (with continued HIPAA compliance)
• Protection: To protect the rights, property, or safety of ARDodo, our users, or others

6. Data Security

We implement industry-leading security measures to protect your information:

• AES-256-GCM encryption for all data at rest
• TLS 1.3 encryption for all data in transit
• Multi-factor authentication options
• Role-based access controls and row-level security
• Automatic session timeout after 8 hours of inactivity
• Account lockout after failed login attempts
• Rate limiting to prevent brute force attacks
• Comprehensive audit logging of all PHI access
• Regular security assessments and penetration testing
• SOC 2 Type II certified infrastructure
• Automated encrypted backups with disaster recovery

7. Your Rights

Under HIPAA and applicable privacy laws, you have the right to:

• Access: Request access to your PHI and account information
• Amendment: Request corrections to inaccurate or incomplete information
• Accounting: Receive an accounting of PHI disclosures
• Restriction: Request restrictions on certain uses and disclosures
• Confidential Communications: Request communications through alternative means
• Breach Notification: Be notified of any breach of unsecured PHI
• Complaint: File a complaint if you believe your privacy rights have been violated

8. Data Retention

We retain your information for as long as necessary to provide our services and comply with legal obligations:

• PHI: Retained for 6 years after the last service date (HIPAA requirement)
• Audit Logs: Retained for 6 years (HIPAA requirement)
• Account Information: Retained while your account is active and for 90 days after closure
• Backups: Retained for 30 days with encrypted storage

9. Cookies and Tracking

We use essential cookies and similar technologies to:

• Maintain your login session
• Remember your preferences
• Ensure platform security
• Analyze usage patterns (using de-identified data)

You can control cookies through your browser settings, but disabling essential cookies may affect platform functionality.

10. Third-Party Services

We use the following HIPAA-compliant third-party services:

• Supabase: Database and authentication (covered by Business Associate Agreement)
• Vercel: Hosting and infrastructure (covered by Business Associate Agreement)

All third-party services are required to maintain HIPAA compliance and sign Business Associate Agreements.

11. Breach Notification

In the event of a breach of unsecured PHI, we will:

• Notify affected individuals within 60 days of discovery
• Notify the Secretary of Health and Human Services if required
• Notify prominent media outlets if the breach affects more than 500 individuals in a state
• Provide information about the breach, steps taken, and recommended actions

12. Children's Privacy

Our platform is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will delete it promptly.

13. International Users

Our services are provided from the United States. If you access our platform from outside the U.S., your information will be transferred to, stored, and processed in the United States in accordance with U.S. privacy laws and HIPAA regulations.

14. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify you of material changes by:

• Posting the updated policy on our website
• Updating the "Last Updated" date
• Sending email notifications for significant changes

Your continued use of the platform after changes constitutes acceptance of the updated policy.

15. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact: