Privacy Policy

1. What We Collect

Account and Contact Data

When your administrator provisions an account, we collect your name, work email address, and optionally your mobile phone number (used for case alert SMS and voice notifications).

Case Data

Flow coordinators enter case scheduling records that include: procedure type, vendor and device manufacturer, attending physician name, room assignment, scheduled date, and case status. We do not collect patient names, medical record numbers, or any other protected health information. See our Terms of Service for the full PHI policy.

Usage and Activity Data

We log actions taken within the Service (case creation, status changes, alerts sent) along with timestamps and the user account that performed the action. This is used for audit, support, and service improvement.

Technical Data

We collect standard web server logs including IP addresses, browser type, and pages visited, used for security monitoring and performance optimization.

2. How We Use Your Information

We use the information we collect to:

• Operate and maintain the Service, including real-time board updates and case alert delivery;
• Analyze and aggregate usage data to improve the Service and develop derived data products;
• Send operational notifications via email, SMS, and voice to users who have provided contact information;
• Comply with applicable legal obligations and enforce our Terms of Service.

3. How We Share Information

We may share information in the following circumstances:

• Derived data products — aggregated and derived reports developed from submitted case data may be licensed to healthcare industry participants including device manufacturers, distributors, and analysts. Raw submitted records are not sold.
• Service providers — sub-processors that help us operate the platform (see list below).
• Legal compliance — in response to valid legal process or to protect user safety.
• Business transfers — in connection with a merger, acquisition, or sale of assets.

Service Providers (Data Processors)

We use the following sub-processors to operate the Service. Each is bound by data processing agreements consistent with this Policy:

• Supabase — database hosting and authentication
• Vercel — application hosting and content delivery
• Resend — transactional email delivery
• Twilio — SMS and voice notification delivery
• Google (Gemini) — optical character recognition for whiteboard photo imports (images are processed transiently and not stored)

4. Data Retention

We retain case data and account records for the duration of your subscription and for two years following account termination, after which they are deleted. Aggregated Analytics derived from your data may be retained indefinitely as they do not constitute raw personal or organizational records.

Activity and audit logs are retained for 90 days for operational purposes and up to one year for security investigations.

5. HIPAA and PHI

The Board is not a HIPAA covered entity. The Service is designed to operate exclusively with non-PHI scheduling data. Do not submit protected health information. If PHI is inadvertently submitted, contact us immediately at privacy@theboard.app and we will delete it promptly.

6. Security

We implement industry-standard security measures including: database-level row security policies that restrict each organization's access to its own data, TLS encryption in transit, and access controls on all administrative systems. No system is completely secure; if you believe your account has been compromised, contact us immediately.

7. Your Rights

As an Organization administrator, you may request:

• Data export— a copy of your Organization's raw case data in a standard format.
• Account deletion— deletion of your Organization's account and all associated raw data (subject to the retention periods in Section 4). Aggregated Analytics derived from your data prior to deletion may be retained.
• Correction — correction of inaccurate account or contact information.

Individual users (not administrators) may update their own name and phone number at any time from their account settings page.

To exercise organizational rights, email privacy@theboard.app.

8. SMS and Voice Communications

For our full SMS and voice messaging consent policy — including how to opt out — see our SMS & Voice Messaging Policy. Phone numbers are never sold or shared with third parties and are used only for operational case alerts.

9. Children

The Service is not directed to individuals under 18. We do not knowingly collect information from minors.

10. Changes to This Policy

We may update this Policy periodically. We will notify administrators by email at least 14 days before material changes take effect. Continued use after the effective date constitutes acceptance of the updated Policy.

11. Contact

Privacy questions: privacy@theboard.app
Legal / Terms questions: legal@theboard.app