Privacy Policy

Last Updated: January 6, 2026

This Privacy Policy is part of our legal framework, which includes:

1. Introduction

WISE IT LLC ("FluxPT," "we," "us," or "our") operates the FluxPT platform, a HIPAA-compliant clinical documentation and practice management solution for physical therapy clinics. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our services.

We are committed to protecting the privacy and security of your personal information, including Protected Health Information (PHI), in accordance with the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and other applicable laws.

2. Information We Collect

2.1 Information You Provide

  • Account registration information (name, email, phone number, clinic name)
  • Professional credentials and licensing information
  • Billing and payment information
  • Communications with our support team

2.2 Protected Health Information (PHI)

Through your use of FluxPT, we may process PHI on behalf of healthcare providers, including:

  • Patient names and contact information
  • Medical record numbers (MRN)
  • Dates of birth and demographic information
  • Clinical documentation (SOAP notes, assessments)
  • Diagnosis and treatment information
  • Insurance and billing information

2.3 Automatically Collected Information

  • Device and browser information
  • IP address and location data
  • Usage patterns and analytics
  • Cookies and similar tracking technologies

3. SMS/Text Messaging Communications

Important SMS Disclosure

FluxPT uses Twilio, a third-party telecommunications provider, to send SMS text messages for appointment reminders and important notifications. By providing your mobile phone number and consenting to receive text messages, you agree to the following:

  • You may receive automated appointment reminders, schedule confirmations, and practice notifications
  • Message frequency varies based on your appointment schedule and clinic communications
  • Message and data rates may apply depending on your mobile carrier plan
  • You can opt out at any time by replying STOP to any message
  • For help, reply HELP to any message or contact support@fluxpt.com

3.1 SMS Opt-In Consent

By providing your mobile phone number during registration or through your healthcare provider, you expressly consent to receive SMS text messages from FluxPT for:

  • Appointment reminders and confirmations
  • Schedule changes and cancellation notices
  • Important account notifications
  • Two-factor authentication codes

3.2 Mobile Information Protection

Your mobile phone number and SMS opt-in data will NEVER be shared with third parties or affiliates for marketing or promotional purposes.

Mobile information may only be shared with service providers (such as Twilio) who assist us in delivering SMS services, and such providers are contractually bound to maintain the confidentiality of your information.

4. How We Use Your Information

We use your information to:

  • Provide and maintain our clinical documentation platform
  • Process and complete transactions
  • Send administrative information, including appointment reminders via SMS
  • Respond to inquiries and provide customer support
  • Improve our services and develop new features
  • Ensure compliance with HIPAA and other regulatory requirements
  • Detect, prevent, and address technical issues or security breaches

5. HIPAA Compliance

FluxPT is designed to comply with HIPAA requirements for protecting PHI. Our compliance measures include:

  • Encryption of data in transit and at rest (AES-256)
  • Access controls and audit logging
  • Business Associate Agreements (BAA) with covered entities
  • Regular security assessments and vulnerability testing
  • Employee training on HIPAA requirements
  • Incident response and breach notification procedures

We will enter into a Business Associate Agreement (BAA) with healthcare providers who use our platform to process PHI, as required by HIPAA.

6. Information Sharing and Disclosure

We may share your information in the following circumstances:

  • Service Providers: With vendors who assist in providing our services, subject to Business Associate Agreements (BAAs) and confidentiality requirements
  • Legal Requirements: When required by law, regulation, or legal process
  • Business Transfers: In connection with a merger, acquisition, or sale of assets
  • With Consent: When you have provided explicit consent

6.1 Our Service Providers

We work with the following service providers who may process data on our behalf. All providers handling PHI have signed Business Associate Agreements:

  • Amazon Web Services (AWS) - Cloud infrastructure, database hosting, backups. BAA in place.
  • Stedi, Inc. - Healthcare clearinghouse for eligibility verification (270/271), claims submission (837P), claim status (276/277), and electronic remittance (835). BAA in place.
  • Twilio - SMS appointment reminders and notifications. Does not process PHI beyond phone numbers.

We do NOT sell, rent, or trade your personal information or PHI to third parties for marketing purposes.

7. Data Security

We implement appropriate technical and organizational security measures to protect your information, including:

  • SSL/TLS encryption for data transmission
  • AES-256 encryption for data at rest
  • Multi-factor authentication (MFA)
  • Regular security audits and penetration testing
  • SOC 2 Type II certified infrastructure
  • Role-based access controls

8. Data Retention

We retain your information for as long as necessary to provide our services and comply with legal obligations. For PHI, we follow HIPAA retention requirements and the policies established by the healthcare provider. Upon termination of services, we will securely delete or return PHI as directed by the covered entity.

9. Your Rights

You have the right to:

  • Access your personal information
  • Correct inaccurate information
  • Request deletion of your information (subject to legal requirements)
  • Opt out of marketing communications
  • Opt out of SMS communications by replying STOP
  • Request a copy of your data in a portable format

For PHI-related requests, patients should contact their healthcare provider directly.

10. Cookies and Tracking

We use cookies and similar technologies to enhance your experience, analyze usage patterns, and improve our services. You can manage cookie preferences through your browser settings.

11. Children's Privacy

Our services are not directed to individuals under 18. We do not knowingly collect personal information from children. Healthcare providers using our platform are responsible for ensuring appropriate consent for minors in accordance with applicable law.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on our website and updating the "Last Updated" date. Your continued use of our services after such changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

WISE IT LLC

Duiliu Zamfirescu nr.4, Oradea, Romania, Europe

European VAT: RO29931473

Email: adrian@fluxpt.com

Phone: +40 741 574 243

Website: https://fluxpt.com

14. GDPR Compliance (European Users)

For Users in the European Economic Area (EEA)

If you are located in the European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR). WISE IT LLC, located in Romania (an EU member state), serves as the data controller for your personal data.

14.1 Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide our services to you
  • Legitimate Interests: Processing for fraud prevention, security, and service improvement
  • Legal Obligation: Processing required to comply with applicable laws
  • Consent: Processing based on your explicit consent (e.g., marketing communications, SMS notifications)

14.2 Your GDPR Rights

Under GDPR, you have the following rights:

  • Right of Access: Request a copy of your personal data we hold
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data
  • Right to Restriction: Request limitation of processing of your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests or direct marketing
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
  • Right to Lodge a Complaint: File a complaint with a supervisory authority

14.3 International Data Transfers

Your data may be transferred to and processed in countries outside the EEA, including the United States (for AWS hosting). We ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with all third-party processors
  • AWS participates in the EU-US Data Privacy Framework

14.4 Data Protection Officer

For GDPR-related inquiries or to exercise your rights, contact our Data Protection Officer:

Email: dpo@fluxpt.com

Address: Duiliu Zamfirescu nr.4, Oradea, Romania

14.5 Supervisory Authority

You have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) or your local data protection authority:

ANSPDCP

B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania

Website: www.dataprotection.ro

15. Data Storage and Infrastructure

FluxPT uses HIPAA-compliant cloud infrastructure to store and process your data:

  • Cloud Provider: Amazon Web Services (AWS) with signed Business Associate Agreement
  • Data Centers: US-based AWS regions with SOC 2 Type II certification
  • Database: PostgreSQL with encryption at rest (AES-256)
  • Backups: Automated daily backups with 30-day retention, encrypted and stored in separate availability zones
  • Network Security: VPC isolation, WAF protection, and DDoS mitigation

16. SMS Program Terms Summary

  • Program: FluxPT Appointment Reminders & Notifications
  • Message Frequency: Varies based on appointments (typically 1-3 messages per scheduled visit)
  • Message & Data Rates: May apply
  • Opt-Out: Reply STOP to cancel
  • Help: Reply HELP for assistance
  • Carriers: Compatible with all major US carriers
  • Privacy: No mobile information shared for marketing purposes