Privacy Policy

Effective Date: May 6, 2026 · Version v2

UPStandards LLC ("UPStandards," "we," "us," or "our") provides a business-to-business software platform for behavioral health accreditation, audit, facility-rounds, policy, safety-observation, restraint/seclusion documentation workflow support, and compliance-readiness workflows. This Privacy Policy explains how we collect, use, disclose, retain, and protect information in connection with our website, platform, and related services.

HIPAA notice: When we process Protected Health Information ("PHI") on behalf of a covered-entity customer, we do so as a business associate under a Business Associate Agreement. This Privacy Policy does not replace the covered-entity customer's Notice of Privacy Practices and does not create a direct provider/patient relationship between UPStandards and patients or clients of our customers.

1. Scope

This Policy applies to business contact information, website information, account information, platform usage information, support information, billing/subscription metadata, and Customer Data processed by UPStandards. It is intended for organizational customers, prospective customers, authorized users, and website visitors. It is not a patient-facing HIPAA Notice of Privacy Practices.

2. Information We Collect

We may collect the following categories of information depending on how the Services are used:

Business contact information: name, job title, organization, email, phone number, mailing address, and communication preferences.

Account information: login credentials, role, permissions, site affiliation, authentication data, account settings, and account activity.

Subscription and billing information: subscription tier, Site count, billing cycle, invoices, payment status, renewal status, and transaction metadata. Payment card data is expected to be processed by Stripe or another payment processor, not stored by UPStandards.

Platform content and Customer Data: compliance rounds, chart-audit workflow data, accreditation-standard findings, risk scores, timestamps, reviewer notes, clinician names/credentials, environment-of-care findings, policy library content, Q15 patient safety observation workflow data, restraint and seclusion documentation workflow data, and related reports.

Limited PHI where submitted by covered entity customers: case numbers, initials, names or other patient identifiers where required for specific compliance workflows, admission/discharge or program enrollment dates, audit findings tied to an individual, Q15 logs, restraint/seclusion documentation fields, and reviewer notes.

Technical and usage data: IP address, device type, browser, operating system, pages viewed, features used, logs, diagnostic data, security events, and similar telemetry.

Support communications and feedback: emails, messages, uploaded materials, issue reports, screenshots, product requests, and other communications with us.

3. Information We Are Not Designed to Collect

UPStandards is designed to avoid storing full clinical records. Unless expressly agreed in writing or supported by a specific workflow, users should not enter diagnoses, SUD diagnoses, treatment plan content, goals, interventions, modalities, progress notes, psychotherapy notes, SUD counseling notes, complete medical records, lab results, imaging, prescriptions, billing PHI, financial PHI, or other non-required clinical data. The Services may contain named-patient identifiers in specific compliance workflows such as Q15 logs, restraint/seclusion documentation, and chart-audit fields, but that does not make UPStandards an EHR or full clinical record repository.

4. How We Use Information

We may use information to provide, host, operate, maintain, secure, troubleshoot, and improve the Services; administer accounts; authenticate users; process subscriptions; provide support; generate reports and audit outputs; maintain security logs; communicate with customers; comply with legal obligations; enforce agreements; create de-identified or aggregated information where permitted; and support customer-requested workflows.

5. PHI and Business Associate Role

When we process PHI for a covered entity, our use and disclosure of PHI is governed by the applicable BAA. Customer covered entities remain responsible for patient notices, consents, authorizations, Part 2 determinations, patient-rights responses, designated record sets, medical-record retention, and clinical/provider obligations. If there is a conflict between this Policy and a BAA regarding PHI, the BAA controls.

6. 42 CFR Part 2

Some customers may operate substance use disorder programs or submit information that is subject to 42 CFR Part 2. Customers are responsible for identifying Part 2 Records, obtaining and managing consents or other legal permissions, and controlling which users may access such records. UPStandards handles Part 2 Records only as described in the applicable BAA, Part 2 schedule, customer instructions, and law.

7. California CMIA and State Medical Privacy Laws

California customers may be subject to the California Confidentiality of Medical Information Act (CMIA) or other state medical privacy laws. UPStandards is drafted and operated with CMIA-aware language for California medical information where applicable. HIPAA is not the only relevant privacy framework, and more protective state medical-privacy requirements may apply depending on the customer and data.

8. AI-Assisted Features

UPStandards may use Anthropic or similar AI tools for policy drafting, report refinement, summaries, or administrative assistance. The current product position is that PHI, Part 2 Records, named-patient logs, identifiable audit findings, and other identifiable patient information should not be transmitted to Anthropic. AI inputs should be aggregate, de-identified, or otherwise non-PHI. Users remain responsible for reviewing AI-assisted outputs before relying on them.

9. Transactional Email; No-PHI Email Content

UPStandards may use Postmark to deliver transactional emails such as account notices, authentication messages, administrative notices, billing notices, support communications, and security alerts. UPStandards is using a no-PHI email-content architecture. Transactional emails should not contain PHI, Part 2 Records, patient names, patient identifiers, Q15 log content, restraint/seclusion content, chart-audit findings, or clinical details. Users should not request or configure email notifications to include PHI unless UPStandards has expressly approved a compliant workflow in writing.

10. Current Expected Vendors and Subprocessors

The current expected vendor/subprocessor structure is as follows and should be updated as the product stack changes:

Supabase
Role: Managed Postgres database, authentication, storage, and backend infrastructure.
Privacy / HIPAA position: HIPAA-tier infrastructure; BAA required/in progress before production PHI use; expected to host the platform PHI database and related access/authentication components.

Postmark
Role: Transactional email delivery only.
Privacy / HIPAA position: No PHI in email content. No BAA expected or relied on under Path A architecture. Product and operational controls should prevent patient identifiers, chart/audit details, Part 2 information, or other PHI from being placed in transactional emails.

Stripe
Role: Payments, invoices, and subscription billing.
Privacy / HIPAA position: No PHI in payment flow. Should receive billing/account metadata only, not patient, clinical, audit, or accreditation-record details.

Netlify
Role: Frontend hosting/CDN for static HTML/JS assets.
Privacy / HIPAA position: No PHI stored on frontend servers. Avoid embedding PHI in URLs, query strings, static files, logs, or client-side telemetry.

Anthropic
Role: AI-assisted policy drafting and report refinement.
Privacy / HIPAA position: Aggregate/de-identified inputs only. No PHI, patient identifiers, Part 2 Records, named-patient logs, or identifiable audit findings should be transmitted.

11. How We Disclose Information

We may disclose information to vendors/subprocessors, customer administrators, authorized users, payment processors, infrastructure providers, security/support providers, professional advisors, legal/regulatory authorities where required, successors in a corporate transaction, and others as directed or authorized by the customer. We do not sell PHI and do not use PHI for third-party advertising.

12. De-Identified and Aggregated Information

We may create and use de-identified or aggregated information to improve the Services, develop benchmarks, analyze feature usage, support security, and generate non-identifiable insights. Where HIPAA applies, de-identification should follow HIPAA requirements. We do not attempt to re-identify de-identified information except to test de-identification effectiveness or as permitted by law.

13. Cookies and Website Data

Our website may use cookies, logs, analytics, or similar technologies for security, performance, site functionality, usage analysis, and user experience. The website is not intended to collect PHI. Users should not submit PHI through general website forms, non-secure channels, or marketing/contact forms unless instructed through an approved workflow.

14. Data Retention

We retain information for as long as needed to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, maintain security, and support legitimate business purposes. Customer Data export and deletion after termination are handled under the applicable customer agreement, BAA, DPA, and retention practices. Standard self-serve accounts generally receive a 30-day post-termination export window; enterprise Order Forms may provide 60-90 days. Backup copies may persist temporarily according to backup cycles.

15. Security

We use commercially reasonable administrative, physical, and technical safeguards designed to protect information, including access controls, role-based permissions, authentication, encryption in transit, encryption at rest where supported, logging, backup/recovery processes, vendor review, and incident response. No method of transmission, storage, or security is perfect, and we cannot guarantee absolute security.

16. Customer Administrator Access

Customer administrators may be able to view, export, restrict, or delete certain account or Customer Data; manage Authorized Users; assign roles; and configure workflows. Customers are responsible for administrator selections, user permissions, workforce training, and compliance with the minimum necessary standard.

17. Individual Rights and Requests

If we receive a request from an individual relating to PHI or Customer Data controlled by a covered entity customer, we may direct the requester to the customer. Customers are responsible for responding to patient and individual rights requests unless a written agreement assigns specific support obligations to UPStandards. For business contact or website information that we control, individuals may contact us using the contact information below.

18. California Privacy Rights

California residents may have rights under California privacy laws depending on context and applicable exemptions. Many records processed by UPStandards for covered entity customers may be governed by HIPAA, CMIA, customer BAAs, or other health privacy rules rather than ordinary consumer privacy rules. To submit a privacy request concerning information UPStandards controls, contact us using the information below. Requests relating to patient records or customer-controlled PHI should be directed to the applicable healthcare organization.

19. International Use

UPStandards is intended for U.S. customers at launch. We do not currently target EU or UK customers. If international processing becomes applicable, UPStandards may require a Data Processing Addendum, updated privacy disclosures, transfer mechanism, cookie/consent review, and subprocessor review before processing begins.

20. Children

The Services are not directed to children for personal use. Customers may process information relating to minors in their capacity as healthcare organizations, subject to the customer's legal obligations, consents, clinical responsibilities, and privacy requirements.

21. Changes to this Policy

We may update this Policy from time to time. The updated version will be posted with a new effective date. If changes materially affect how we process PHI or Customer Data, we will provide notice as required by the applicable customer agreement, BAA, DPA, or law.

22. Contact

Questions about this Privacy Policy may be sent to UPStandards LLC, PO Box 1554, Cobb, CA 95426, or privacy@upstandards.net. General inquiries may be sent to bbrody@upstandards.net.