Privacy Policy
Last updated: May 11, 2026
1. Introduction
Timber Health, Inc., a Delaware C corporation and developer of the Captrix platform ("Captrix," "we," "our," or "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our practice-management and patient-engagement platform and related services (the "Service").
Captrix is a provider-facing application intended for use by healthcare practices and their authorized staff. It is not intended as a direct-to-patient application; patient-facing surfaces (forms, booking pages, chat) are operated on behalf of the provider and governed by the provider's own notice of privacy practices.
By using Captrix, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Information You Provide
- Account information (name, email address, phone number, practice name)
- Billing information (payment card details, billing address)
- Practice information (specialty, location, EHR system)
- Patient data you upload or integrate with our platform
- Communications with our support team
2.2 Information Collected Automatically
- Device information (IP address, browser type, operating system)
- Usage data (features accessed, actions taken, time spent)
- Cookies and similar tracking technologies
- Log data and analytics information
2.3 Information from Third Parties
- Data from integrated EHR systems (only with the provider's explicit OAuth authorization; see Section 6)
- Information from marketing platforms you connect
- Data from analytics and advertising partners
3. How We Use Your Information
We use collected information to:
- Provide, maintain, and improve our services
- Process transactions and send related information
- Send marketing communications (with your consent)
- Respond to your comments, questions, and support requests
- Analyze usage patterns to enhance user experience
- Detect, prevent, and address technical issues and fraud
- Comply with legal obligations
Information retrieved from an EHR via SMART on FHIR or a similar integration is used only to provide the requested feature to the authenticated provider (e.g., displaying an appointment, populating a scheduling field). It is not used to train models, is not sold, and is not shared with third parties beyond the limited service-provider scope described in Section 4.
4. Data Sharing and Disclosure
We may share your information with:
- Service providers: Third parties who perform services on our behalf (hosting, analytics, payment processing) and who are bound by confidentiality and HIPAA Business Associate obligations where applicable.
- Business partners: EHR systems and marketing platforms you choose to integrate.
- Legal requirements: When required by law or to protect our rights.
- Business transfers: In connection with a merger, acquisition, or sale of assets.
We do not sell your personal information to third parties. We do not use protected health information (PHI) obtained through EHR integrations for advertising or model training.
5. HIPAA Compliance
As a service provider to healthcare practices, we understand the importance of protecting patient health information. Captrix:
- Enters into Business Associate Agreements (BAAs) with covered entities
- Implements administrative, physical, and technical safeguards
- Maintains audit trails and access controls
- Provides breach notification as required by law
- Trains employees on HIPAA requirements
6. EHR Integration & SMART on FHIR
Captrix connects to electronic health record (EHR) systems using the SMART on FHIR authorization framework. Connections are initiated by an authenticated provider and use OAuth 2.0; Captrix never receives or stores end-user EHR passwords.
6.1 Scopes Requested
The specific FHIR scopes Captrix requests depend on the features you enable. Typical scopes include, but are not limited to:
- launch, openid, fhirUser, profile: standard SMART app launch
- offline_access: refresh tokens so the integration survives session expiry
- user/Patient.read, user/Appointment.read, user/Appointment.write, user/Practitioner.read, user/Schedule.read, user/Slot.read: operational scopes for scheduling and patient lookup
- user/Encounter.read, user/Observation.read, user/Condition.read: read-only clinical context where the practice has opted in
- Equivalent patient/* scopes where the integration is launched from a patient-context EHR session
Captrix requests the minimum scopes necessary for the features the provider has enabled. Providers can review or revoke connections from their Captrix Settings → Integrations page at any time; revocation immediately invalidates the access and refresh tokens Captrix holds for that connection.
6.2 Confidential Client
Captrix registers with EHR vendors as a confidential client. Client secrets are stored encrypted at rest in AWS Secrets Manager and are never embedded in browser-delivered code, mobile binaries, or any client-side artifact. Captrix attests that it is capable of, and does, securely store client secrets.
6.3 Data Handling
- PHI retrieved via FHIR is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- FHIR resources are cached only as needed to serve the active session; long-term storage is limited to identifiers and references required to re-resolve the resource on subsequent reads.
- Every PHI read or write is recorded in an immutable audit log including actor, timestamp, resource type, and resource identifier (HIPAA Security Rule audit controls, 45 CFR §164.312(b)).
- Access tokens, refresh tokens, and any cached PHI are deleted within 30 days of the provider revoking the connection or terminating their Captrix account.
- PHI from EHR integrations is never used to train machine-learning models, never sold, and never shared with advertising or analytics partners.
7. Data Security
We implement industry-standard security measures including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Regular security assessments and penetration testing
- Access controls, multi-factor authentication, and least-privilege principles
- Secure cloud infrastructure with documented physical security (AWS data centers)
- Employee security training and background checks
8. Data Retention
We retain your information for as long as your account is active or as needed to provide services. We may retain certain information as required by law or for legitimate business purposes, such as resolving disputes and enforcing agreements. PHI retrieved via EHR integrations is deleted within 30 days of connection revocation or account termination, as described in Section 6.3.
9. Your Rights and Choices
Depending on your location, you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete information
- Delete your personal information
- Object to or restrict certain processing
- Data portability
- Withdraw consent where processing is based on consent
- Opt out of marketing communications
- Revoke EHR integrations at any time from your Captrix Settings page
To exercise these rights, please contact us at jack@captrix.ai. Patients whose information is processed by Captrix on behalf of a healthcare provider should direct access, correction, or deletion requests to that provider, who is the data controller.
10. Cookies and Tracking
We use cookies and similar technologies to:
- Keep you logged in
- Remember your preferences
- Understand how you use our services
- Improve and personalize your experience
You can control cookies through your browser settings. Note that disabling cookies may affect functionality. We do not place advertising or cross-site tracking cookies on pages that surface PHI.
11. Children's Privacy
Captrix is intended for use by adult healthcare professionals. We do not knowingly collect personal information directly from children. Pediatric patient information processed on behalf of a provider is treated as PHI and governed by the provider's notice of privacy practices and applicable law.
12. International Data Transfers
Captrix processes data in the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S. We ensure appropriate safeguards are in place to protect your information in accordance with this Privacy Policy and applicable law.
13. ONC Model Privacy Notice
Captrix's data practices align with the Office of the National Coordinator for Health Information Technology (ONC) Model Privacy Notice. The following summarizes the standard ONC categories as applied to Captrix:
- How this app accesses, uses, and discloses your data: Captrix accesses data via SMART on FHIR OAuth scopes a provider has authorized; uses data to power scheduling, patient engagement, and workflow features the provider has enabled; and discloses data only to subprocessors bound by HIPAA Business Associate agreements (Section 4).
- Data the app collects: See Section 2. EHR-sourced PHI is enumerated in Section 6.1.
- Whether data is shared with third parties: Only with service providers under BAA, never with advertisers or data brokers (Section 4).
- Whether data is sold: No (Section 4).
- Whether data is de-identified or aggregated for any purpose: Captrix may produce de-identified, aggregated usage statistics for product improvement; PHI is never used to train ML models.
- Security practices: See Sections 5 and 7.
- How to revoke access: Providers may revoke EHR connections from Settings → Integrations at any time; Captrix deletes associated tokens and cached PHI within 30 days (Section 6.3).
- How to contact the app developer: jack@captrix.ai (Section 15).
- Whether data is encrypted in transit and at rest: Yes: TLS 1.2+ in transit, AES-256 at rest.
- App developer's breach-notification practices: Captrix follows the HIPAA Breach Notification Rule timing for business associates (notice to the covered entity without unreasonable delay and no later than 60 calendar days after discovery).
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date. Continued use of our services after changes constitutes acceptance of the updated policy.
15. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
Timber Health, Inc.
c/o Legalinc Corporate Services Inc. (Registered Agent)
131 Continental Dr, Suite 305, Newark, DE 19713
Email: jack@captrix.ai
Web: https://captrix.ai