Privacy policy

Effective Date: June 17, 2025

1. Scope

This Policy explains how we collect, use, disclose, and protect Personal Information (“PI”) and Protected Health Information (“PHI”) processed through Stitch’s web app, mobile experience, and SMS integrations.

2. What we collect
3. How we collect

● Information you or your care team enter directly.
● Data transmitted automatically by EHR integrations (e.g., FHIR, HL7 feeds).
● Patient-reported outcomes captured via SMS or in-app forms.
● Cookies and similar technologies for session management (no third-party ad tracking).

4. Legal bases for processing

We process PHI under HIPAA Business Associate Agreements with your healthcare provider. For direct-to-consumer users, we process data with your explicit consent under 45 CFR §164.508 and comparable state laws.

5. Use of information

● Deliver and improve the platform.
● Train de-identified machine-learning models for symptom triage.
● Communicate product updates or critical health alerts.
● Comply with legal obligations (e.g., audit logs, breach notification).

6. Sharing & disclosures

We never sell PHI. We share data only with:

1. Authorized care-team members within the same treatment relationship.
2. Sub-processors who provide secure infrastructure (e.g., AWS, Twilio) under BAAs.
3. Regulators or law enforcement when legally compelled.

7. Data retention & deletion

● Active PHI is retained for the duration of your treatment plus seven (7) years, or longer if required by state law.
● De-identified datasets are stored indefinitely.
● Upon verified request, we will delete or anonymize personal data not subject to legal retention requirements.

8. Security safeguards

● Data encrypted in transit (TLS 1.2+) and at rest (AES-256).
● Annual HIPAA and SOC 2 Type II audits.
● Role-based access control with MFA.
● Continuous intrusion detection and third-party penetration testing.

9. Your rights

Depending on your jurisdiction, you may have the right to:

● Access or receive a copy of your data.
● Correct inaccurate information.
● Restrict or object to certain processing.
● Lodge a complaint with a supervisory authority.

Submit requests to privacy@stitchcare.io. We’ll respond within 30 days.

10. International users

Stitch is hosted in U.S. data centers. If you access the service from outside the U.S., you consent to the transfer of your information to the United States, which may have different data-protection laws.

11. Children’s privacy

Stitch does not knowingly collect PI from anyone under 13 without verified parental consent. If you believe a child has provided us PI without consent, contact privacy@stitchcare.io.

12. Changes to this Policy

We’ll post any revisions on this page and update the “Effective Date.” Material changes will be highlighted in-app or via email at least 15 days before they take effect.

13. Contact

For privacy questions or complaints, email the Data Protection Officer: dpo@stitchcare.io.