Privacy Policy

1. Introduction

OptimalGap ("we," "our," or "us") operates the OptimalGap platform, which provides clinical triage and patient education tools for functional medicine practitioners. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our platform.

We are committed to protecting the privacy of healthcare practitioners ("Practitioners") and the patients ("End Users") who interact with Practitioner-branded instances of our tools.

2. Information We Collect

2.1 Practitioner Information

When you sign up as a Practitioner, we collect:

• Account Information: Practice name, doctor name, email address, website URL
• Clinical Configuration: Your custom optimal ranges, symptom preferences, and clinical language
• Branding Assets: Practice logo, colors, and customization preferences
• Billing Information: Payment details processed securely through our payment processor (Stripe)
• Integration Credentials: API keys or webhook URLs for your CRM/EHR integrations

2.2 End User (Patient) Information

When patients use your OptimalGap-powered tools, the following may be collected:

• Contact Information: Name, email address, phone number (as configured by Practitioner)
• Health Information: Lab values entered by the patient (e.g., TSH levels), symptom selections
• Engagement Data: Time spent on tool, completion status, report views

2.3 Automatically Collected Information

We automatically collect certain technical information:

• Device Information: Browser type, operating system, device type
• Usage Data: Pages visited, features used, error logs
• IP Address: For security and fraud prevention (anonymized for analytics)
• Cookies: Essential cookies for authentication and preferences (see Section 7)

3. How We Use Information

3.1 Practitioner Data

• To provide and maintain the OptimalGap platform
• To customize patient-facing tools with your clinical ranges and branding
• To process payments and manage your subscription
• To send service-related communications (setup updates, feature releases)
• To provide customer support
• To improve our platform based on usage patterns (aggregated, anonymized)

3.2 End User Data

• To generate personalized health gap reports
• To transmit lead data to Practitioner's CRM/EHR
• To display relevant calls-to-action configured by the Practitioner

4. HIPAA Compliance

OptimalGap is designed with healthcare privacy in mind. While we implement robust security measures, our primary compliance strategy is data minimization:

• Pass-Through Architecture: Patient health data flows directly from the intake form to your CRM/EHR via encrypted webhook. We do not store Protected Health Information (PHI) on our servers.
• Business Associate Agreement (BAA): We provide a signed BAA upon request for Practitioners who require one for their compliance programs.
• Encryption: All data in transit uses TLS 1.3. All data at rest uses AES-256 encryption.
• Access Controls: Role-based access with audit logging for all administrative actions.

To request a BAA, contact us at privacy@optimalgap.com.

5. Data Sharing & Third Parties

5.1 We Share Data With:

• Your CRM/EHR: Patient lead data is transmitted to your designated integration (Practice Better, HubSpot, etc.)
• Payment Processor: Stripe processes payments; we don't store full card numbers
• Infrastructure Providers: Cloud hosting (encrypted, US-based data centers)
• Analytics: Aggregated, anonymized usage data only (no PHI)

5.2 We Do NOT:

• Sell personal data to third parties
• Share patient data with advertisers
• Use patient data for our own marketing
• Provide data to other Practitioners

6. Data Retention

• Practitioner Accounts: Data retained while account is active, plus 30 days after cancellation for data export
• Patient Health Data: NOT retained (pass-through only)
• Patient Contact Data: Transmitted to your CRM immediately; deleted from our queue within 24 hours
• Analytics Data: Aggregated data retained for 2 years
• Billing Records: Retained for 7 years per tax requirements

7. Cookies & Tracking

We use minimal, essential cookies:

• Authentication Cookies: To keep you logged in
• Preference Cookies: To remember your settings
• Security Cookies: To prevent fraud and abuse

We do NOT use third-party advertising cookies or cross-site tracking pixels on patient-facing tools.

8. Your Rights

8.1 Practitioners

You have the right to:

• Access: Request a copy of all data we hold about your practice
• Correction: Update inaccurate information
• Deletion: Request deletion of your account and associated data
• Portability: Export your clinical configuration and lead data
• Restriction: Limit certain processing activities

8.2 End Users (Patients)

Patients should contact the Practitioner directly for data access or deletion requests, as patient data is stored in the Practitioner's CRM/EHR, not on OptimalGap servers.

9. Security Measures

• 256-bit AES encryption at rest
• TLS 1.3 encryption in transit
• SOC 2 Type II compliant infrastructure
• Regular penetration testing
• Role-based access controls
• Audit logging for all administrative actions
• 24/7 security monitoring

10. International Data Transfers

Our servers are located in the United States. If you access OptimalGap from outside the US, your data will be transferred to and processed in the US. We implement appropriate safeguards for international transfers as required by applicable law.

11. Children's Privacy

OptimalGap is designed for healthcare practitioners (B2B). We do not knowingly collect information from children under 18. Patient-facing tools are intended for adult patients only.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify Practitioners of material changes via email at least 30 days before they take effect. Continued use after changes constitutes acceptance.

13. Contact Us

For privacy-related inquiries:

• Email: privacy@optimalgap.com
• BAA Requests: privacy@optimalgap.com
• Data Deletion: privacy@optimalgap.com

We respond to all privacy inquiries within 5 business days.