Privacy Policy
Facets Novum LLC d/b/a EMRFlow ("EMRFlow", "we", "us", or "our") provides the EMRFlow electronic health records and practice-management software platform (the "Service"). This Privacy Policy describes how we collect, use, share, and protect information when you use the Service or visit our website at https://emrflow.com (the "Site").
By using the Service or the Site, you agree to this Privacy Policy. If you do not agree, do not use the Service.
1. Who We Are and Whom This Policy Applies To
EMRFlow is a software-as-a-service platform sold to healthcare providers (each a "Practitioner" or "Therapist"). The Service stores and processes Protected Health Information ("PHI") of the Practitioner's patients on the Practitioner's behalf.
This Privacy Policy applies to:
- Practitioners who sign up for and use the Service ("you" or "Practitioner").
- Visitors to our Site (https://emrflow.com).
- Patients of Practitioners are not directly users of the Service. Patient PHI in EMRFlow is governed by (a) the Practitioner's own Notice of Privacy Practices and (b) the Business Associate Agreement between EMRFlow and the Practitioner. Patients with questions about their PHI should contact their Practitioner.
2. Information We Collect
Information you provide directly
- Account information — name, email, password (hashed via bcrypt), practice name, license type, NPI number.
- Practice and patient records — when you use the Service, you create patient records, appointments, session notes, intake forms, and similar clinical/administrative content. This is PHI; we are your business associate with respect to this information.
- Billing information — your payment method (handled by Stripe; we do not store your credit card number on our servers), your subscription plan and status.
- Voice recordings — when you use voice dictation, audio is sent to a HIPAA-aligned transcription provider, transcribed to text, and discarded by the provider after transcription. Audio is not stored on EMRFlow's servers.
- Support communications — when you contact us through Freshdesk or by email, we keep a record of the communication. A support ticket may optionally include diagnostic information you choose to attach (your app version, device model, operating system, role, and recent app log entries, with sensitive data automatically removed) to help us resolve your issue. PHI is out of scope for support tickets; please use the channel described in your Business Associate Agreement for patient-specific matters.
Information collected automatically
- Device and log information — IP address, browser/app version, OS, device identifiers, diagnostics, and pages or features used. Used for service operation, security monitoring, customer support, and aggregate analytics.
- Cookies — the Site uses cookies for session management and analytics. You can control cookies via your browser settings.
Information from third parties
- Authentication providers — if you sign in via SMART on FHIR, your EHR sends us a minimal authentication token (no PHI is shared by default during login).
- Stripe — payment status and subscription events.
3. How We Use Information
We use information to:
- Provide, operate, and improve the Service.
- Process payments and manage subscriptions.
- Send transactional notifications (account, billing, service announcements).
- Provide customer support.
- Detect, prevent, and respond to fraud, abuse, and security incidents.
- Comply with legal obligations.
PHI is used only as permitted by the Business Associate Agreement and HIPAA: to provide the Service, for proper management and administration of EMRFlow, and to carry out our legal responsibilities.
4. How We Share Information
We share information only as described below:
Service providers (sub-business associates)
We use third-party service providers ("sub-business associates") to operate the Service. Each is bound by a written agreement (a Business Associate Agreement where the provider handles PHI) that requires the same level of protection we provide. Current providers include:
| Provider | Purpose | BAA in place |
|---|---|---|
| Google Cloud (Firebase, Firestore, Cloud Functions, Cloud Storage, Auth, App Check) | Database, authentication, file storage, serverless compute, device attestation | Yes (Google Cloud BAA) |
| Liquid Web | HIPAA-aligned VPS hosting (PHP backend, PostgreSQL) | Yes |
| InMotion Hosting | Demo/test environment only (no production PHI) | Demo-only; out of scope |
| Stripe | Platform subscription billing; tokenized payments (no PHI) | Not required (no PHI); PCI-DSS Level 1 |
| Stripe Connect | Per-practitioner patient billing in the practitioner's own account (no PHI) | Not required |
| Vercel | Hosting for app.emrflow.com (no PHI processed) | Not required |
| Google Cloud Run + Firebase Hosting | Hosting for forms.emrflow.com patient intake | Yes (Firebase BAA) |
| ClaimMD | Insurance claims clearinghouse (claim submission, eligibility, ERA) | Yes |
| Daily.co | Telehealth video and audio transport (Solo Practice Pro; ephemeral session content) | Yes (Healthcare add-on BAA in place) |
| Deepgram | Voice dictation transcription (nova-2-medical model) | Yes (subcontractor BAA executed 2026-05-18) |
| AWS (Amazon Bedrock) | AI-assisted clinical-note generation (Claude models hosted on Bedrock) | Yes (AWS BAA) |
| AWS (Simple Email Service) | Transactional email (client portal links, balance reminders, cosign notifications, superbill delivery) | Yes (AWS BAA) |
| Cloudflare Turnstile | Bot protection on public submission forms (challenge token only, no PHI) | Not required |
| Freshdesk | Customer support ticketing and feature-request tracking | Not required (PHI is out of scope for support tickets by policy) |
We update this list as our infrastructure evolves. Significant changes will be reflected in this Privacy Policy.
Legal requirements
We may disclose information when required by law, subpoena, court order, or governmental authority, or when necessary to protect the rights, property, or safety of EMRFlow, our users, or others.
Business transfers
If EMRFlow is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify Practitioners (and where required, individuals whose PHI is involved) before any such transfer.
With your consent
We may share information with third parties when you direct us to.
5. Data Security
We use administrative, physical, and technical safeguards to protect information, including:
- TLS encryption for data in transit (HTTPS, TLS 1.2+)
- AES-256 encryption for data at rest
- Role-based access controls and Firestore security rules scoped per practitioner
- Multi-factor authentication for administrative access
- Regular backups (cPanel daily 2:00 a.m. UTC) and key rotation
- Audit logs for client CRUD, session note creation, and form edits
- Liquid Web HIPAA-aligned VPS with disk encryption, fail2ban, and key-only SSH
Despite these measures, no system is completely secure. If we discover a breach of unsecured PHI, we will notify affected Practitioners as required by HIPAA and applicable state law.
6. Data Retention
We retain Practitioner account information and PHI for the duration of the Practitioner's subscription and for any period required by law. Upon termination:
- Practitioner accounts are scheduled for deletion 30 days after termination unless the Practitioner requests immediate deletion.
- PHI is deleted, returned to the Practitioner, or extended under the Business Associate Agreement's retention provisions, depending on the Practitioner's instructions.
- Audit logs are retained for at least six (6) years per HIPAA's accounting-of-disclosures requirement.
Practitioners may request deletion of their account at any time via the in-app deletion flow or by emailing privacy@emrflow.com.
7. Your Rights
Depending on your jurisdiction, you may have rights regarding your information:
- HIPAA (PHI in the Service) — patients should contact their Practitioner; their rights are described in the Practitioner's Notice of Privacy Practices.
- California (CCPA/CPRA) — California residents may request access to, correction of, or deletion of personal information we hold about them, and may opt out of "sale" or "sharing" (we do not sell or share personal information for cross-context behavioral advertising).
- Other US state privacy laws — Virginia (VCDPA), Connecticut (CTDPA), Colorado (CPA), and others provide similar rights.
- GDPR (if EU/EEA users) — access, rectification, erasure, portability, restriction, objection. Lawful basis: contract performance and legitimate interest.
To exercise any right, email privacy@emrflow.com with your request. We will respond within the timeframe required by applicable law.
8. Children's Privacy
The Service is sold to healthcare professionals. We do not knowingly collect personal information directly from children under 13. PHI of pediatric patients of Practitioners is governed by HIPAA and applicable state law.
9. International Users
EMRFlow is operated from the United States. If you access the Service from outside the US, your information will be transferred to and processed in the US. We do not currently offer the Service in regions where it would conflict with applicable privacy law.
10. Cookies and Similar Technologies
The Site uses cookies for:
- Strictly necessary cookies — session management, authentication.
- Analytics cookies — aggregate usage analytics. We do not use cross-site advertising trackers.
You can control cookies via your browser settings. Disabling strictly necessary cookies will impair the Site.
11. Third-Party Links
The Site and Service may contain links to third-party websites. This Privacy Policy does not apply to those sites. We encourage you to read the privacy policies of any third party you visit.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The "Effective Date" and "Last Updated" dates at the top reflect the current version. If we make material changes, we will notify Practitioners by email and/or post a prominent notice in the Service.
13. Contact Us
If you have questions about this Privacy Policy or our privacy practices, contact us at:
Email: privacy@emrflow.com