Privacy Policy

Last updated: [DATE] — placeholder pending legal review.

1. What we collect

  • Account data — name, email, phone, and organization details you provide.
  • Client and care data — information doulas and clients choose to enter: due dates, birth preferences, appointments, messages, contraction timing, and labor status updates. This is sensitive information and we treat it that way.
  • Operational data — logs needed to run and secure the service.

2. What we do NOT do

  • We do not sell personal data, and we never sell health-related information.
  • We do not use advertising trackers or third-party ad networks anywhere in the product.
  • We do not use client or labor data to train advertising or profiling systems.

3. How we use data

We use data only to operate HiDoula: showing your data back to you and the people you share it with, sending notifications you ask for, billing, support, and keeping the service secure and reliable.

4. Sharing and processors

Data is shared only with the people you connect (your doula, your clients, invited support people) and with the infrastructure providers needed to run the service: Supabase (database and authentication), Stripe (payments — they never see care data), Vercel (hosting), and Resend (transactional email). [TODO: legal review — confirm final processor list and add DPA links.]

5. A note on HIPAA

HiDoula is built with health-information sensitivity in mind — encryption in transit and at rest, role-based access controls, and audit logging. However, HiDoula is not a covered entity, and we do not currently claim HIPAA compliance or sign Business Associate Agreements. Doulas are generally not covered entities under HIPAA, but you are responsible for your own professional and legal obligations. [TODO: legal review — HIPAA posture and BAA roadmap.]

6. Retention and deletion

You can archive or delete client records, and you can request full account deletion at [SUPPORT EMAIL]. We delete or anonymize data within [N] days of a verified request, except records we must keep for legal or billing reasons. [TODO: legal review — retention schedule.]

7. Your rights

Depending on where you live (e.g., GDPR, CCPA, state health-privacy laws such as Washington’s My Health My Data Act), you may have rights to access, correct, export, or delete your data. Contact [SUPPORT EMAIL] to exercise them. [TODO: legal review — jurisdiction-specific rights sections and consent flows.]

8. Changes and contact

We will notify you of material changes to this policy. Privacy questions: [SUPPORT EMAIL]. [TODO: add company legal name, address, and data protection contact.]