Privacy Policy
RelyCare ("RelyCare", "we", "us", or "our") provides clinical documentation, progress tracking, parent communication, and clinic workflow software for speech therapy and related therapy practices. This Privacy Policy explains how we collect, use, protect, share, retain, and export information processed through RelyCare.
This Policy is written for clinic owners, clinicians, administrators, and other authorised users. It is not a HIPAA Notice of Privacy Practices for patients. Clinics remain responsible for their own patient notices, consents, professional record-keeping obligations, and legal instructions to RelyCare.
HIPAA-regulated clinics
If your clinic is subject to HIPAA, do not submit protected health information to RelyCare until a Business Associate Agreement ("BAA") is signed. When a BAA is in place, RelyCare processes protected health information only as permitted by that BAA, this Policy, the service terms, and applicable law. If there is a conflict between this Policy and a signed BAA, the BAA controls for HIPAA-regulated data.
1. Who We Are and Our Role
RelyCare is operated by Adham Yasser, trading as RelyCare. You can contact us at adham@relycare.app.
For clinic-submitted patient, caregiver, session, and clinical documentation data, the clinic is the controller, responsible party, covered entity, or equivalent legal role under applicable law. RelyCare acts as a processor, operator, service provider, or business associate, depending on the legal framework and whether the required agreement is in place. For account, billing, security, and product administration data, RelyCare may act as an independent controller.
2. Information We Collect and Process
2.1 Account, Team, and Clinic Data
- Names, email addresses, roles, clinic membership, authentication identifiers, and user preferences.
- Clinic name, slug, location/timezone, subscription status, services, pricing, configuration, and onboarding information.
- Team invitations, access changes, and related audit events.
2.2 Patient, Caregiver, and Clinical Data
- Patient profile information, guardian/caregiver contact details, diagnoses or therapy concerns if entered by the clinic, therapy goals, services, appointment/session records, attendance, homework, progress trajectories, and reports.
- Clinical SOAP notes, target-level metrics, evidence quotes, transcripts, AI trace metadata, clinician edits, session flags, and verification evidence used to support documentation.
- Parent/caregiver requests and WhatsApp-style communication records when the clinic enables parent communication workflows.
2.3 Audio and Transcription Data
- Uploaded voice notes may be stored temporarily in Supabase Storage while they are transcribed, then removed after successful transcription or session finalization.
- Uploaded session audio, recorded session chunks, and merged final recordings may be stored temporarily in private AWS S3 while the transcript-backed clinical note is generated and reviewed.
- When a clinician finalizes the session, RelyCare deletes the raw audio objects and clears stored media pointers. S3 lifecycle rules remain a backstop for temporary processing objects.
- Transcripts, derived clinical notes, target metrics, and audit evidence may be retained as part of the clinic record unless deleted under your clinic's account lifecycle or an approved deletion request.
2.4 Technical, Security, and Usage Data
- IP address, device/browser information, user agent, authentication events, audit logs, feature usage, application errors, and diagnostic logs.
- AI usage metadata such as model name, token counts, pipeline stage, cost metadata, and processing status.
3. How We Use Information
- Provide, secure, maintain, and improve the RelyCare service.
- Generate transcript-backed SOAP notes, progress data, parent summaries, homework, reports, and clinical evidence artifacts.
- Support clinic administration, scheduling, team access, settings, billing, and support requests.
- Operate parent communication and request workflows where enabled by the clinic.
- Maintain audit logs, investigate security events, prevent abuse, and comply with legal obligations.
- Produce owner-requested data exports and support account deletion or retention workflows.
We do not sell patient data. We do not use identifiable patient data for advertising. We do not intentionally use identifiable patient data to train foundation models. If de-identified or aggregated data is used to improve RelyCare, it is handled so it is not intended to identify a patient, caregiver, clinician, or clinic.
4. Legal Bases and Customer Instructions
Depending on the jurisdiction and data type, we process data to perform our contract with the clinic, follow clinic instructions, maintain security, comply with law, support legitimate product operations, and, where required, rely on consents or authorisations obtained by the clinic.
Clinics are responsible for obtaining appropriate patient, parent, or caregiver consents and notices before entering clinical data, session audio, or parent communication data into RelyCare. Clinics are also responsible for determining whether HIPAA, POPIA, GDPR, state privacy law, professional record-keeping rules, school/education privacy rules, or payer requirements apply to their use of RelyCare.
5. Subprocessors and Third-Party Services
We use trusted infrastructure and service providers to operate RelyCare. Categories include:
- Database and application infrastructure: Supabase and Vercel.
- Temporary audio processing infrastructure: AWS services including S3/SQS/compute used by the audio pipeline.
- AI processing: Google Gemini models for transcription, clinical note generation, verification, and related AI workflows.
- Analytics and product telemetry: PostHog. We configure analytics to avoid intentional capture of patient/session clinical content.
- Error monitoring: Sentry, with application-level scrubbing intended to avoid clinical content in error logs.
- Communication: WhatsApp gateway infrastructure, Meta/WhatsApp delivery systems where applicable, and Resend for email.
- Calendar and integrations: Google Calendar only when an authorised clinic user connects it.
- Billing: third-party billing/payment providers. RelyCare does not store full payment card details.
We require service providers to process data only for the services they provide to RelyCare and to maintain appropriate safeguards. For HIPAA-regulated customers, required business associate/subcontractor terms must be in place before PHI is processed.
6. Security Measures
RelyCare uses administrative, technical, and organisational safeguards designed to protect clinical information, including:
- Role-based access controls for clinic owners, admins, clinicians, and team members.
- Per-clinic data isolation and server-side ownership checks for sensitive actions.
- Encryption in transit using HTTPS/TLS.
- Encryption at rest through infrastructure providers, plus application-level encryption for retained clinical SOAP notes, evidence artifacts, and AI traces.
- Owner-only compliance exports and audit logging for key clinic actions.
- Temporary audio processing workflows with raw audio deletion after session finalization.
- Security logging, error monitoring, and incident response procedures.
No system is perfectly secure. Clinics must also maintain appropriate local safeguards, user access reviews, staff training, consent processes, device security, and professional record retention procedures.
7. HIPAA, POPIA, and Health Privacy
HIPAA may apply when RelyCare is used by a HIPAA covered entity and RelyCare creates, receives, maintains, or transmits PHI on that customer's behalf. In that case, RelyCare must be treated as a business associate and a signed BAA is required before PHI is submitted.
POPIA may apply to South African clinics and patients. Clinics remain responsible for their role as responsible party, including lawful processing conditions, information officer duties where applicable, patient/caregiver notices, security safeguards, operator agreements, and data subject request handling.
Health professional record-keeping rules may require clinics to retain accurate clinical records for specified periods. RelyCare helps create and export records but does not replace the clinic's responsibility to maintain legally sufficient records.
8. Data Retention, Export, and Deletion
- Clinic records remain available while the subscription or authorised access is active, unless deleted by the clinic or under an approved deletion workflow.
- Raw session audio is a temporary processing artifact and is deleted when the clinician finalizes the session. Transcripts, SOAP notes, target metrics, evidence, reports, and audit logs remain as part of the clinic record.
- Cancelled clinic accounts may be retained for a limited post-cancellation period to allow export, account recovery, legal compliance, or dispute handling, after which deletion workflows may remove associated records.
- Owner users can request a machine-readable JSON archive from the Compliance Center. The archive action is logged in the audit trail.
- Billing, audit, security, and legal records may be retained longer where required for accounting, compliance, fraud prevention, dispute resolution, or legal obligations.
9. Privacy Rights and Requests
Depending on applicable law, individuals may have rights to access, correction, deletion, portability, objection, restriction, withdrawal of consent, or complaint. Because clinics control patient records in RelyCare, patient or caregiver requests should normally be directed to the clinic first.
Clinic users can contact us at adham@relycare.app for account, export, deletion, or security requests. We may need to verify identity and authority before acting on a request.
10. Cookies, Analytics, and Tracking
RelyCare uses essential cookies for authentication and security. We use product analytics to understand usage and improve the platform. We do not use advertising cookies inside the clinical application, and analytics should not be used to intentionally collect patient clinical content.
HIPAA-regulated customers should not use tracking technologies in ways that disclose PHI to vendors without a valid permission and required agreement.
11. International Transfers
RelyCare is operated internationally and uses infrastructure and service providers that may process data in multiple jurisdictions. Where required, we rely on appropriate contractual and organisational safeguards for cross-border processing. Clinics are responsible for assessing whether their jurisdiction requires additional patient notices, contractual terms, or transfer safeguards.
12. Changes to This Policy
We may update this Privacy Policy as the product, law, or subprocessors change. Material updates will be communicated to registered clinic users where practical. The latest version will remain available on this page.
13. Contact
RelyCare Privacy Contact
Adham Yasser, trading as RelyCare
Email: adham@relycare.app
Website: relycare.app
South African users may also contact or complain to the Information Regulator of South Africa. HIPAA-regulated customers should follow their internal HIPAA/privacy process and signed BAA terms for PHI-related incidents or requests.