Privacy Policy
Effective date: 2026-04-21 · Version 1.0 (DRAFT — pending legal review)
Draft notice
This Privacy Policy is a comprehensive draft generated against a HIPAA-SaaS template for the SecliaConnect platform. It is intended as a working document for qualified legal counsel to review and finalize before public launch. Nothing on this page constitutes legal advice.
1. Who we are
SecliaConnect is a white-label telehealth software-as-a-service platform operated by 7Z Web Developers LLC, a Texas limited liability company (“SecliaConnect,” “we,” or “us”).
With respect to patient health information, we act as a Business Associate to the clinics that subscribe to our platform (each, a “Clinic”). The Clinic is the Covered Entity under HIPAA and is responsible for the direct relationship with its patients. Patients visiting a Clinic’s branded subdomain (for example, yourclinic.secliaconnect.com) should direct privacy questions, rights requests, and complaints to that Clinic in the first instance. We support the Clinic in fulfilling those requests.
2. Information we process
From the Clinic and its Authorized Users
- Account and billing information: clinic name, address, phone number, billing contact, subdomain, payment method details (payment card numbers are tokenized by Stripe and not stored on our infrastructure).
- Authorized User profile: full name, email address, role (provider, administrator, support), MFA secret, session tokens, audit-log attribution.
- Clinic-configured content: service catalog, pricing, availability schedules, brand assets (logo, color), welcome copy.
From patients, on behalf of the Clinic (PHI)
- Identity and contact: full name, email, phone, date of birth.
- Appointment records: service selected, provider, scheduled time, status (booked, cancelled, completed), cancellation tokens.
- Free-text visit notes submitted by the patient at booking (“What brings you in today?”).
- Clinical notes recorded by the provider during or after the visit (SOAP notes, once that feature is live).
- Self-pay transaction records (amount, timestamp, Stripe charge ID — card data itself is not stored by us).
We process PHI only as a Business Associate and strictly pursuant to the BAA between us and the Clinic. We do not sell PHI. We do not use PHI to train machine-learning models. We do not use PHI for marketing.
From visitors to our marketing site
- Standard server logs: IP address (truncated for rate-limit bucketing), user-agent, timestamp, requested URL.
- First-party analytics (aggregate, no cross-site tracking): page views, session duration, referrer. We do not deploy third-party ad-tech pixels on authenticated surfaces.
3. How we use information
- Operate the Service — authenticate users, schedule appointments, send confirmation emails, process payments.
- Support & incident response — investigate bugs, respond to Clinic support tickets, maintain availability.
- Billing & accounting — issue invoices, reconcile Stripe transactions, fulfill tax obligations.
- Product improvement — analyze aggregated, de-identified usage data to improve the Service. We do not use identifiable Clinic data or PHI for this purpose without the Clinic’s prior written authorization.
- Security & fraud prevention — audit logs, rate limiting, anomaly detection on authentication and booking endpoints.
- Compliance — respond to lawful legal process, preserve records when required by subpoena, preserve audit trails for HIPAA obligations.
4. Subprocessors
We rely on the following subprocessors to deliver the Service. Each subprocessor that touches PHI operates under a signed Business Associate Agreement with SecliaConnect.
| Subprocessor | Purpose | PHI? |
|---|---|---|
| Supabase (US-East) | Database hosting, authentication, audit logs | Yes — BAA signed |
| Resend | Transactional email (confirmations, cancellations) | Yes — BAA signed |
| Stripe | Self-pay payment processing | No (payment metadata only) |
| Daily.co | Video-visit rooms (Phase B, once live) | Yes — BAA on HIPAA tier |
| Vercel | Preview and marketing hosting (PHI-free environments) | No |
| Railway HIPAA | Production application hosting | Yes — BAA signed |
A current subprocessor list is maintained in our operational controls document and available to Clinics on request.
5. Security measures
- Encryption. All Customer Data and PHI are encrypted in transit using TLS 1.2 or higher and at rest using AES-256 at the storage layer.
- Tenant isolation. Every tenant-owned row in our database carries an `organizationId` column, and all application-layer queries are required to filter by that column through middleware enforcement. Cross-tenant access is structurally impossible.
- Access controls. Production database access is limited to a small on-call rotation of SecliaConnect engineers and is gated by single sign-on with hardware-key MFA. All access is logged.
- Audit logging. Every sensitive write — appointment create/cancel, patient record edit, consent capture, payment event — emits an immutable audit-log entry with the actor, tenant, resource, and timestamp. Audit logs are retained for at least 6 years consistent with HIPAA requirements.
- No PHI in application logs. Application logs are scrubbed of patient identifiers; audit logs record the fact of an event without embedding PHI in the log line.
- Vulnerability management. Dependencies are scanned weekly; critical patches are deployed within 7 days. A third-party penetration test is performed annually on the production surface.
6. Data retention & deletion
Customer Data (including PHI) is retained for the duration of the Clinic’s active subscription plus a 30-day grace period after cancellation, during which the Clinic may export a complete JSON bundle of its data. After the grace period, production copies of Customer Data are deleted within 30 days. Encrypted backups containing Customer Data are purged on a rolling 90-day schedule. Audit logs are retained for at least 6 years pursuant to HIPAA. A Clinic may request earlier deletion of non-audit data at any time, subject to the BAA and any legal hold.
7. Patient rights
Patients direct their rights requests (access, amendment, accounting of disclosures, restrictions, deletion) to the Clinic with which they booked. We act as a Business Associate supporting the Clinic’s fulfillment of those requests under HIPAA. Clinics access rights-fulfillment tooling through the SecliaConnect admin dashboard.
8. Cookies & similar technologies
On marketing surfaces we use first-party session cookies and a minimal first-party analytics cookie. On authenticated surfaces (clinic admin, provider, patient) we use only strictly-necessary session and CSRF cookies required to operate the Service. We do not deploy third-party advertising or cross-site tracking cookies on any surface.
9. Children
The Service is not directed at children under 13, nor do we knowingly collect PHI about children without their parent or guardian’s direction — Clinics that serve pediatric patients do so within their own HIPAA-compliant intake workflow, and the parent or legal guardian is responsible for booking and consenting on the child’s behalf.
10. International transfers
The Service is operated entirely within the United States. We do not currently transfer Customer Data or PHI outside of the United States. If that changes, we will update this Policy and notify Clinics in advance.
11. Breach notification
In the event of a breach or suspected breach of unsecured PHI, we will notify the affected Clinic without unreasonable delay and no later than 60 days after discovery, in accordance with 45 C.F.R. § 164.410 and the BAA. Notifications will include the facts of the incident, the identifiers affected, the mitigation steps taken, and recommendations for the Clinic’s patient-facing notifications.
12. Changes to this Policy
We may update this Policy from time to time. Material changes will be posted to this URL with a new Effective Date, and Clinics with an active subscription will receive email notification at least 30 days before the change takes effect. Continued use of the Service after the Effective Date constitutes acceptance of the updated Policy.
13. Contact
Questions about this Policy: privacy@secliaconnect.com. General questions: hello@secliaconnect.com.
Mailing address: 7Z Web Developers LLC, Waller, TX.