Privacy policy

Last updated: November 2025

1. Who we are and scope

Brievi (“Brievi”, “we”, “us”, or “our”) is a software-as-a-service platform that helps clinics create, send, and manage visit summary reports for their patients.

This Privacy Policy explains how we process personal information when clinics use Brievi. It is written to be conservative and protective for a new product, but it is not legal advice. Clinics are responsible for making sure their use of Brievi complies with all laws that apply to them.


2. Our role: processor / service provider

For most data processed by Brievi, the clinic (or other healthcare provider) is the data controller / covered entity, and Brievi acts as a service provider / processor / business associate.

This means:

• The clinic decides what patient information to enter into Brievi.

• We process that information only on the clinic’s instructions and for the purposes described in this Policy and in our agreement with the clinic.

Patients with questions about how their information is used should first contact their clinic.


3. Information we collect

We process the following categories of information on behalf of clinics:

a. Patient report data

Clinics may enter and store information about their patients, including:

• Patient name

• Contact information (such as email address and mobile number)

• Visit date and appointment details

• Diagnosis, clinical findings, treatments, and home-care instructions

• Other notes the clinic chooses to include in a report

This information may be “Protected Health Information” (“PHI”) under HIPAA.

b. Clinic and user account data

To set up and manage clinic accounts, we may collect:

• Clinic name and contact details

• Staff names and work email addresses

• Login credentials and security settings (for example, PINs and roles)

c. Technical and usage data

To operate and secure the platform, we may automatically collect:

• Log data such as IP address, browser type, and access times

• Device information

• Usage information about how the application is accessed (for example, which screens are viewed)

We use this information only to provide, secure, and improve the service.


4. How we use information

We use the information described above only for the following purposes:

1) To provide the service

• Generating visit reports based on clinic input

• Delivering reports to patients via secure links, email, or SMS

• Maintaining clinic configurations and templates

2) To operate, maintain, and improve Brievi

• Monitoring performance and fixing bugs

• Developing new features and usability improvements

3) To protect the service and users

• Detecting and preventing abuse, spam, or security incidents

• Enforcing our Terms of Service

4) To comply with law

• Responding to lawful requests from authorities

• Meeting audit, accounting, and regulatory requirements

We do not sell personal information or use patient data for advertising.


5. Data storage and retention

• Patient report data is stored in Amazon Web Services (AWS) in the United States.

• Data at rest is encrypted using server-side encryption and is accessed only over HTTPS.

Retention schedule:

• Visit reports and related PHI are generally kept for 90 days from the date of creation, after which they are automatically deleted or irreversibly anonymized, unless a clinic requests a different retention period in writing and applicable law allows it.

• System logs and backup copies may be kept for a longer period for security and audit purposes, but are subject to access controls and automatic lifecycle policies.

Clinics are responsible for exporting any reports they need to retain for their own medical records before the retention period ends.


6. Data sharing and third parties

We do not share patient data with third parties for their own marketing or independent use. We may share information only in the following limited situations:

1) Email and SMS providers

We use trusted third-party providers (for example, email delivery and SMS gateways) solely to send report notifications and related messages on behalf of clinics.

2) Infrastructure service providers

We use cloud hosting, monitoring, and logging providers (such as AWS) to operate the service. These providers are contractually restricted from using personal information for their own purposes.

3) Legal and safety reasons

We may disclose information if we believe in good faith that it is necessary to comply with the law, respond to legal process, or protect the rights, property, or safety of Brievi, our users, or others.

Whenever possible, we share only the minimum amount of information needed for these purposes.


7. HIPAA and health information

Brievi is designed to support HIPAA-aligned handling of PHI when used by covered entities and their business associates in the United States. We implement administrative, technical, and physical safeguards intended to meet the core requirements of HIPAA’s Privacy and Security Rules, including:

• Encryption in transit and at rest

• Access controls and authentication

• Audit logging and data minimization

However:

• Brievi is not a medical provider and does not give medical advice.

• This Privacy Policy is not a Business Associate Agreement (“BAA”). If a BAA is required, clinics should contact us at ops@brievi.com so we can discuss appropriate terms before using Brievi with PHI.

• Clinics remain responsible for configuring and using Brievi in a HIPAA-compliant manner and for meeting all legal and professional obligations to their patients.


8. Patient rights and choices

Because we process PHI on behalf of clinics, most patient rights are exercised through the clinic, not directly with Brievi.

Patients may have rights under HIPAA or other laws to:

• Access or receive a copy of their report

• Request corrections to inaccurate information

• Request deletion or restriction of certain data, where permitted by law

If you are a patient and wish to exercise these rights, please contact your clinic directly. If you contact Brievi, we may:

• Ask you to contact your clinic, or

• Forward your request to the clinic and assist them in responding, consistent with our role as a processor or business associate.


9. Cookies and similar technologies

Brievi uses a limited number of cookies and similar technologies, primarily to keep users securely logged in and to protect the platform.

• Session cookies – used to maintain authenticated sessions for clinic staff and to protect against unauthorized access.

• Security cookies – used to detect and prevent abuse or unusual activity.

We do not use third-party advertising cookies or cross-site tracking pixels on the Brievi application.

Clinics and users can usually control cookies in their browser settings, but disabling required cookies may prevent normal use of the service.


10. Data security

We use reasonable administrative, technical, and physical safeguards to protect personal information, including:

• HTTPS/TLS for all network traffic

• Encryption of data at rest

• Access controls, authentication, and role-based permissions

• Audit logs and rate limiting to detect suspicious activity

• Regular backups and disaster-recovery procedures

No system can be guaranteed 100% secure, but we work to keep Brievi aligned with current industry practices and to respond promptly to any incident. Clinics agree to keep their login credentials and PINs confidential and to notify us immediately of any suspected unauthorized access.


11. Children’s privacy

Brievi processes information about children only as instructed by clinics as part of providing visit reports. We do not offer services directly to children and we do not knowingly allow children to create their own accounts on Brievi.

If you believe a child has provided information directly to Brievi without clinic involvement, please contact us at ops@brievi.com so we can investigate and take appropriate action.


12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time as our service or legal requirements change. When we do, we will update the “Last updated” date at the top of the page.

If we make material changes, we will take reasonable steps to notify clinics (for example, by email or in-app notice). Continued use of Brievi after an update means you agree to the revised Policy.

13. Contact us

If you have any questions about this Privacy Policy, our data practices, or how we handle PHI, you can contact us at:

Email: ops@brievi.com

We will do our best to respond promptly and work with clinics to address privacy and security concerns.