Effective Date: January 12, 2026
Last Updated: January 12, 2026
2. Information We Collect
2.1 Information from Healthcare Organizations
When healthcare organizations use our Service to manage surgical cases, we process the following categories of patient information on their behalf:
Administrative Data:
- Patient names and demographic information
- Medical Record Numbers (MRN)
- Dates of birth
- Contact information
- Insurance information
- Appointment and surgery scheduling data
Clinical Data:
- Diagnosis codes (ICD-10)
- Procedure codes (CPT)
- Procedure types and descriptions
- Surgeon notes and case documentation
- Case status and workflow information
This patient information constitutes Protected Health Information (PHI) under HIPAA, and we process it solely as a Business Associate pursuant to Business Associate Agreements with healthcare organizations.
2.2 Information from Users
When you create an account or use our Service, we collect:
Account Information:
- Full name
- Email address
- Professional credentials and role
- Hospital or program affiliation
- Profile photograph (optional)
Authentication Data:
- Encrypted password credentials
- Biometric authentication enrollment status (Face ID/Touch ID)
- Note: Actual biometric data (facial geometry, fingerprints) is stored only on your device and is never transmitted to or stored by CaseFlo
Device Information:
- Device identifiers for push notifications
- Device type and operating system version
- App version
2.3 Information Collected Automatically
When you use our Service, we automatically collect:
Usage Data:
- Features accessed and actions taken
- Session duration and frequency
- Navigation patterns within the app
Audit Trail Data (Required for HIPAA Compliance):
- User identification for each action
- Timestamp of each action
- Type of action performed (view, create, edit, delete)
- Records accessed or modified
- IP address at time of access
Technical Data:
- Error logs and crash reports
- Performance metrics
- Network connection type
3. How We Use Information
3.1 Service Delivery
We use information to:
- Provide surgical case management functionality
- Enable case tracking, task assignments, and workflow management
- Deliver push notifications for task reminders, status changes, and updates
- Facilitate communication between care team members
- Store and organize case documentation
- Provide AI-assisted medical code suggestions using clinical context text (see Section 5.5)
3.2 Compliance and Security
We use information to:
- Maintain comprehensive audit logs as required by HIPAA
- Detect and prevent unauthorized access or security incidents
- Investigate potential violations of our Terms of Service
- Respond to legal requirements and law enforcement requests
- Fulfill our obligations under Business Associate Agreements
3.3 Service Improvement
We use de-identified and aggregated information to:
- Analyze usage patterns to improve features
- Identify and fix technical issues
- Develop new functionality
- Generate aggregate analytics for service optimization
3.4 Communications
We use contact information to:
- Send service-related announcements
- Provide customer support
- Notify users of policy changes
- Deliver security alerts
4. Legal Basis for Processing
4.1 Business Associate Agreement
Our primary legal basis for processing PHI is the Business Associate Agreement executed between CaseFlo and each healthcare organization (Covered Entity) using our Service. Under HIPAA, Business Associates may process PHI to perform functions on behalf of Covered Entities.
4.2 HIPAA Compliance
We process certain information to comply with our legal obligations under HIPAA, including:
- Maintaining audit logs of PHI access (45 CFR § 164.312(b))
- Implementing security safeguards (45 CFR § 164.312)
- Responding to individual rights requests (45 CFR § 164.524, 164.526)
4.3 Legitimate Business Interests
We process user account information and usage data based on our legitimate interests in:
- Providing and improving our Service
- Ensuring security and preventing fraud
- Communicating with users about the Service
4.4 User Consent
We rely on consent for:
- Biometric authentication enrollment (optional feature)
- Push notification delivery
- Optional profile information
5. Information Sharing and Disclosure
5.1 Healthcare Organizations
We share PHI with the healthcare organization (Covered Entity) that owns the data, in accordance with the Business Associate Agreement. Healthcare organizations may access all patient data and audit logs related to their program.
5.2 Service Providers (Sub-processors)
We engage service providers who process information on our behalf. These providers are bound by contractual obligations to maintain confidentiality and security of information.
Current Service Providers:
- Supabase, Inc. — Database hosting, authentication services, and real-time functionality (US data centers)
- OpenAI, Inc. — AI-assisted medical code suggestion and semantic search services (US data centers). See Section 5.5 for details on data shared with OpenAI.
We will update this list as we engage additional service providers. All service providers processing PHI are required to enter into Business Associate Agreements or equivalent data protection agreements.
5.3 Legal Requirements
We may disclose information when required by law, including:
- In response to lawful requests by public authorities
- To comply with a subpoena, court order, or legal process
- To protect the rights, property, or safety of CaseFlo, our users, or others
- In connection with a merger, acquisition, or sale of assets
5.5 AI-Assisted Code Suggestion Services
CaseFlo offers an optional AI-assisted medical code lookup feature to help clinicians identify appropriate CPT and ICD-10 codes for surgical cases. When you use this feature:
Data Shared with OpenAI:
- Clinical context text you provide (e.g., diagnosis descriptions, procedure descriptions)
- Normalized medical phrases for semantic search and code suggestion purposes
Data NOT Shared with OpenAI:
- Patient names, dates of birth, or Medical Record Numbers (MRN)
- Direct patient identifiers or demographic information
- Insurance or billing information
OpenAI processes this data solely to generate code suggestions and is contractually prohibited from using it to train or improve its models. CaseFlo maintains a Business Associate Agreement with OpenAI covering this data processing. For more information about OpenAI's data handling practices, see OpenAI's Enterprise Privacy Policy.
Important: AI-generated code suggestions are informational only and must be verified by a qualified healthcare professional before use. CaseFlo does not guarantee the accuracy of AI-suggested codes.
5.6 Commitments We Make
We Do Not:
- Sell personal information or PHI to third parties
- Use PHI for marketing purposes
- Share PHI with third parties for their own purposes
- Use PHI to create de-identified data sets for sale
- Engage in targeted advertising based on health information
6. Data Security Measures
We implement comprehensive administrative, physical, and technical safeguards to protect information in accordance with HIPAA Security Rule requirements (45 CFR Part 164, Subpart C).
6.1 Encryption
- Data at Rest: All data is encrypted using AES-256 encryption
- Data in Transit: All data transmission uses TLS 1.3 encryption
- Database Encryption: Database-level encryption for all stored information
6.2 Access Controls
- Unique User Identification: Each user has unique credentials
- Role-Based Access: Access permissions based on user role and organizational affiliation
- Multi-Factor Authentication: Biometric authentication (Face ID/Touch ID) available
- Automatic Session Termination: Sessions time out after 15 minutes of inactivity
6.3 Audit Controls
- Comprehensive Logging: All PHI access and modifications are logged
- Tamper-Evident Logs: Audit logs are protected against modification
- Retention: Audit logs are retained for a minimum of 6 years per HIPAA requirements
6.4 Mobile Security
- Secure Storage: Authentication tokens are stored in the device Keychain with the strongest protection level (accessible only when the device is unlocked)
- Local Biometric Storage: Biometric data never leaves your device
- App Transport Security: Only secure HTTPS connections permitted
6.5 Infrastructure Security
- Secure Cloud Hosting: Data hosted in SOC 2 Type II certified infrastructure
- Network Security: Firewalls, intrusion detection, and monitoring
- Regular Security Assessments: Periodic vulnerability assessments and penetration testing
7. Data Retention
7.1 PHI Retention
PHI is retained in accordance with:
- Healthcare organization's retention policies
- Applicable state and federal law
- Minimum 6-year retention period per HIPAA requirements (45 CFR § 164.530(j))
Upon termination of a Business Associate Agreement, we will return or destroy PHI as directed by the healthcare organization, unless retention is required by law.
7.2 Audit Log Retention
Audit logs documenting PHI access are retained for a minimum of 6 years from the date of creation, as required by HIPAA.
7.3 User Account Data
User account data is retained while the account is active. Upon account termination:
- User credentials are immediately deactivated
- Personal profile information is deleted within 30 days
- User activity within audit logs is retained per HIPAA requirements
7.4 De-identified Data
De-identified data used for analytics may be retained indefinitely, as it does not constitute PHI or personal information.
8. Your Rights
8.1 HIPAA Rights (For PHI)
If you are a patient whose information is processed through our Service, you have rights under HIPAA, including:
- Right to Access: Request copies of your PHI
- Right to Amendment: Request correction of inaccurate PHI
- Right to Accounting of Disclosures: Request a list of certain disclosures of your PHI
- Right to Request Restrictions: Request limitations on certain uses and disclosures
- Right to Confidential Communications: Request communications through alternative means
Important: These rights must be exercised through the healthcare organization (Covered Entity) that maintains your records. CaseFlo, as a Business Associate, will assist healthcare organizations in responding to these requests.
8.2 User Rights (For Account Information)
As a user of our Service, you may:
- Access: Request access to your account information
- Correction: Update or correct your profile information
- Deletion: Request deletion of your account (subject to audit log retention requirements)
- Data Portability: Request export of your account data
To exercise these rights, contact us at support@caseflo.tech.
8.3 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request information about data collection practices
- Right to Delete: Request deletion of personal information
- Right to Opt-Out: We do not sell personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
Note: CCPA/CPRA exemptions may apply to certain information processed under HIPAA.
To exercise California privacy rights, contact us at support@caseflo.tech or submit a request through our Service.
9. Children's Privacy
CaseFlo is designed for use by healthcare professionals and is not intended for individuals under 18 years of age. We do not knowingly collect personal information from individuals under 18.
Patient records processed through our Service may include information about minor patients. This information is managed by healthcare organizations in accordance with HIPAA, state law, and organizational policies regarding minor patients' health information.
10. Third-Party Links and Services
Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access.
Future integrations with Electronic Health Record (EHR) systems or other healthcare applications will be governed by separate data sharing agreements and disclosed to healthcare organizations prior to implementation.
11. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors.
For Material Changes:
- We will notify users via email or prominent notice within the Service
- We will notify healthcare organizations per the terms of our Business Associate Agreements
- We will update the "Last Updated" date at the top of this policy
Continued Use: Your continued use of the Service after the effective date of changes constitutes acceptance of the updated Privacy Policy.
Review Recommendations: We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
12. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Privacy Inquiries: Email: support@caseflo.tech
General Support: Email: support@caseflo.tech
Mailing Address: CaseFlo LLC, Minneapolis, MN
HIPAA-Related Requests: If your request relates to PHI, please contact your healthcare organization directly. Healthcare organizations may contact us at support@caseflo.tech for assistance with HIPAA-related requests.
Response Time: We will respond to privacy inquiries within 30 days. Requests related to HIPAA rights will be handled in accordance with HIPAA's required timeframes.
13. State-Specific Disclosures
13.1 California
Categories of Personal Information Collected:
- Identifiers (name, email, device identifiers)
- Professional information (credentials, role, affiliation)
- Internet activity (usage data, session information)
- Geolocation (IP-based location only)
Business Purpose for Collection:
- Providing the Service
- Security and fraud prevention
- Service improvement
- Legal compliance
Sale of Personal Information: We do not sell personal information as defined under CCPA/CPRA.
Sensitive Personal Information: We process health information as a Business Associate under HIPAA, which is exempt from certain CCPA/CPRA requirements.
13.2 Other States
We comply with applicable state privacy laws, including:
- Virginia Consumer Data Protection Act (VCDPA)
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- Utah Consumer Privacy Act (UCPA)
Healthcare data processed under HIPAA may be exempt from certain state privacy law requirements.
13.3 Illinois (BIPA)
Our biometric authentication feature (Face ID/Touch ID) uses Apple's biometric authentication framework. CaseFlo does not collect, store, or process biometric identifiers or biometric information. All biometric data is processed locally on your device by Apple's Secure Enclave and is never transmitted to CaseFlo.
14. Additional Information
14.1 International Users
CaseFlo is designed for use within the United States. All data is processed and stored in the United States. If you access the Service from outside the United States, you consent to the transfer of your information to the United States.
14.2 Do Not Track
Our Service does not currently respond to "Do Not Track" browser signals because there is no consistent industry standard for compliance.
14.3 Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on individuals.
This Privacy Policy is effective as of the date listed above and supersedes all prior privacy policies.
CaseFlo LLC