Privacy Policy

Last Updated: 2026-06-27

BxConnect, LLC ("BxConnect," "we," "us") operates the BxConnect platform — our web application, mobile applications, and related services (the "Service"). This policy explains what information we process, why, who we share it with, and the rights available to you. Because BxConnect serves three very different audiences, which rules protect your data depends on how you use BxConnect — Section 1 tells you which sections apply to you.

1. Who this policy covers — and which rules apply to you

  • Clinic users (CLINIC organizations). Patient data your clinic records is protected health information (PHI) under HIPAA. BxConnect processes it as a Business Associate under the Business Associate Agreement your organization executed; that agreement and HIPAA govern, and they control over this policy if they conflict. Your clinic — not BxConnect — decides how patient data is used. Patients: direct privacy questions and rights requests (access, amendment, accounting of disclosures) to your provider; we support your provider in fulfilling them.
  • School users (SCHOOL organizations). Student data your school records consists of education records governed by FERPA, processed under the Student Data Privacy Agreement, with BxConnect acting as a "school official" under the school's direct control. We do not sell student data, use it for targeted advertising, or build student profiles beyond the contracted purpose. Parents and eligible students: direct inspection, review, and correction requests to the school; we support the school in fulfilling them.
  • Family/individual users (HOME organizations). The data you record is consumer health data — not HIPAA PHI — protected by this policy, by the separate Privacy & Health Data Consent you accepted, and by state consumer-health-privacy laws (e.g., Washington's My Health My Data Act). You exercise your rights directly with us (Section 7).
  • BxConnect staff (ADMIN organizations). Internal use, governed by BxConnect's internal policies and the Terms.

2. Data we collect

  1. Account and identity data — name, email address, role and permissions, and authentication records (credentials are held by our identity provider, Okta/Auth0; we never see your password).
  2. Organization data — organization name, type, contact details, and address.
  3. Health, behavioral, and educational data entered by users — patients'/students'/family members' behavioral observations, data points, sessions, goals, behaviors, ABC charts, incidents, and notes. This is the sensitive core of the Service; the rules of Section 1 govern it.
  4. Billing data — subscription and payment records processed by Stripe. Payment card details go directly to Stripe; we keep patient, student, and family health data out of Stripe by design.
  5. Technical and usage data — IP addresses, device/browser information, and security and audit logs.
  6. Agreement-acceptance evidence — the exact text and version of each legal agreement accepted, who accepted it, when, and from where (IP/user agent), retained at least six (6) years and surviving account deletion, as legal evidence of execution.

3. How we use data

We use data to: provide and operate the Service; enforce security, tenant isolation, and auditing; provide support; administer subscriptions and billing; meet legal obligations; and communicate service notices. We do not: sell health or student data; use it for advertising; or use identifiable health or student data to train artificial-intelligence models. We may use de-identified or aggregated data that does not identify any person or organization to analyze and improve the Service, subject to the stricter limits of the BAA and Student Data Privacy Agreement where they apply, and we do not attempt to re-identify it.

4. How data is shared

  1. Subprocessors. Amazon Web Services, Inc. (cloud hosting and storage) and Okta, Inc. (Auth0) (authentication) process data for us under contracts restricting their use of it; for clinic PHI, these subprocessors operate under business associate agreements. Stripe, Inc. processes payments — billing data only, never health data.
  2. At your organization's (or your) direction. Cross-organization access happens only through the Service's assigned-user model, controlled by the data-owning organization (or by you, for HOME accounts).
  3. Legal process. We disclose data when required by law (e.g., a valid subpoena or court order) and will notify the affected customer unless legally prohibited.
  4. Business transfers. In a merger, acquisition, or asset sale, data remains protected by this policy and the governing agreements; we will provide notice of any change in control.

We have no third-party advertising, ad-tech, or data-broker relationships, and we do not use third-party analytics on pages or screens that handle health or student data.

5. Data retention & deletion

  1. Active accounts. We retain data while the account or organization is active. If a subscription is canceled without a deletion request, the account and data are retained so you can reactivate by resubscribing; to remove your data, use the account-deletion process below.
  2. Requesting deletion. You can delete individual records in the app at any time. To delete your whole account, either (a) in the web app, go to Settings → Delete account, or (b) use our account-deletion page or email support@bxconnect.net from the email registered to your account (do not include patient information in the email).
  3. What happens when you request deletion. Your account access ends immediately and you are signed out everywhere. A 30-day grace period follows, during which the deletion can still be canceled — contact support from your registered email before the cancellation deadline (5 days before the scheduled deletion date), quoting the request ID shown when you submitted it. After the grace period, your data is deleted from production systems (typically within one day), and backup copies are removed from our backup systems within 7 days after that.
  4. What is deleted, and what is retained.
    • Personal and HOME accounts: the account, all patients, and all data are permanently deleted.
    • Clinic and school accounts: your login, contact details, and profile are deleted; clinical or education records you authored — including your name as their author — are retained by your organization as part of its records, as healthcare and education record-keeping require. Return/destruction of clinic PHI and school student data otherwise follows the BAA and Student Data Privacy Agreement respectively.
    • Always retained: routine encrypted backups (which expire in the ordinary course); records we are legally required to keep; and agreement-acceptance evidence (Section 2.6), kept at least six (6) years.
  5. Organization data export. Export is available before termination and for thirty (30) days after, after which data is deleted in the ordinary course.

6. Security

Safeguards include: encryption of data in transit (TLS) and at rest, with column-level encryption of designated sensitive fields; tenant isolation enforced by PostgreSQL row-level security; authentication through a dedicated identity provider; tiered, role- and permission-based access controls (including per-patient assignment); audit logging; and least-privilege internal access. No system is perfectly secure; we describe our safeguards, and we do not promise that breach is impossible. If a breach occurs, we will notify affected parties as required by applicable law — HIPAA's Breach Notification Rule (through the affected clinic) for PHI, state law and contract for student data, and state law plus the FTC Health Breach Notification Rule for consumer (HOME) health data.

7. Your rights

  • Clinic patients: exercise HIPAA rights (access §164.524, amendment §164.526, accounting of disclosures §164.528) through your provider; we support your provider under the BAA.
  • School parents/eligible students: exercise FERPA inspection, review, and correction rights through your school; we support the school under the Student Data Privacy Agreement, including its disclosure-log and export commitments.
  • HOME users: you may access, export, correct, and delete your data, and withdraw consent, directly with us — in the app or via support@bxconnect.net — as described in the Privacy & Health Data Consent. We respond within the time your state's law requires (and in any case within 45 days), we do not discriminate against you for exercising rights, and you may appeal a denial by replying to our response.

8. Children's privacy

BxConnect accounts are held by adults (18+). We do not knowingly collect information directly from children. Information about children is entered and controlled by the responsible adults: by clinics (under HIPAA and parental/guardian consent obtained by the provider), by schools (which may consent on parents' behalf for the educational context under COPPA's school-consent framework), and by parents/guardians themselves for HOME accounts (whose consent under the Privacy & Health Data Consent is the verifiable parental consent where COPPA applies).

9. State-specific notices

  • Washington (My Health My Data Act): HOME-user health data is "consumer health data"; our collection and sharing practices, your rights, and how to exercise them are described in Sections 2–7 and the Privacy & Health Data Consent. We do not sell consumer health data and do not process it for advertising; we will not collect or share it for purposes beyond those consented to without a new, separate consent.
  • California: we do not "sell" or "share" (for cross-context behavioral advertising) personal information as the CCPA/CPRA defines those terms. California users may exercise access, correction, deletion, and portability rights per Section 7. Student data is additionally protected by SOPIPA: no targeted advertising, no profiling beyond the educational purpose, no sale.
  • New York (Education Law §2-d): for New York schools, the rider mechanics of the Student Data Privacy Agreement supply the required Parents' Bill of Rights and Data Privacy & Security Plan supplements before onboarding.
  • Other states: where another state grants you privacy rights in health or student data, we honor them per Section 7's mechanics.

10. Changes to this policy

This policy is versioned and published through BxConnect's agreement-document system; each version is immutable and the full history is retained. For material changes we provide email and in-app notice before the new version takes effect. Because this policy is a notice, changes to it do not trigger the acceptance gate — but material changes to the agreements that incorporate it (Terms, consent, BAA, SDPA) do require re-acceptance through the gate.

11. Contact

BxConnect, LLCsupport@bxconnect.net. We respond to privacy inquiries within ten (10) business days.