Privacy Policy

Effective date: April 25, 2026

Overview

ProviderAlly is a practice management platform operated by Attenti LLC (“ProviderAlly,” “we,” “us”) for behavioral-health clinics and the clinicians they employ. This Privacy Policy describes the information we collect, how we use it, how we protect it, and the choices you have. It applies to providerally.care, app.providerally.care, and any feature that links to this policy.

ProviderAlly is designed for use by HIPAA-covered entities. When a clinic uses ProviderAlly to handle Protected Health Information (PHI), Attenti LLC operates as a Business Associate of that clinic under a signed Business Associate Agreement (BAA). The clinic is the Covered Entity and remains the controller of its patients’ PHI; ProviderAlly processes PHI only under the BAA and only as instructed by the clinic.

Information we collect

Account information

When you or your clinic create an account, we collect your name, email address, role, and the clinic or organization name. If you sign in via a third-party identity provider (such as Google), we receive the basic profile fields that provider returns and the unique identifier we use to keep you signed in.

OAuth tokens we store on your behalf

  • Lead Connector OAuth tokens — used to access the Lead Connector resources your clinic has authorized us to read or write (contacts, calendars, and similar) on the clinic’s behalf. Stored encrypted at rest.
  • Google Calendar OAuth tokens — used solely to create and manage Google Meet links for telehealth sessions you schedule in ProviderAlly. Stored encrypted at rest. See “Google API Services User Data” below for the strict limits on this access.

Telehealth session metadata

For telehealth appointments, we store the appointment time, participants, the Google Meet conference link we created on the clinician’s calendar, and the success or failure of the link generation. We do not record, transcribe, store, or process the audio or video content of any telehealth session.

Audit logs

For every access to a clinical record, every administrative action, and every authentication event, we store a timestamped audit record. Audit logs are required by HIPAA and are retained on the schedule described under “Retention.”

Customer-imported PHI

When a clinic uses ProviderAlly to collect intake forms, store clinical notes, or run reports, the clinic uploads or generates PHI within the system. This may include patient names, contact information, demographic information, clinical notes, assessment responses, billing information, and similar records that the clinic is responsible for under HIPAA. We process PHI strictly as a Business Associate under the BAA executed with that clinic.

Operational telemetry

We collect server logs (IP address, request path, user agent, response status, timestamp) and application error reports for the purpose of operating, securing, and debugging the service. Operational telemetry is retained on a shorter schedule than audit logs and is not used for advertising.

How we use information

  • To provide, secure, and improve the service.
  • To authenticate you, authorize access to clinic resources, and honor the access controls your clinic configures.
  • To produce the audit logs HIPAA requires of a Business Associate.
  • To respond to your support requests and to communicate service-related notices (security alerts, scheduled maintenance, policy changes).
  • To meet legal obligations and to enforce our Terms of Service.

We do not sell personal information. We do not share personal information with advertisers, ad networks, or data brokers. We do not use PHI to train machine-learning models, and we do not allow our subprocessors to do so on our behalf.

Google API Services User Data

ProviderAlly’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Scopes we request

We request the minimum Google Calendar scopes necessary to create, update, and delete the calendar events and Google Meet conference links that correspond to telehealth appointments scheduled in ProviderAlly. We do not request any Gmail, Drive, Contacts, or other non-Calendar Google scopes for this feature.

How we use Google user data

  • We use Google Calendar API access only to create and manage the calendar events and Meet links associated with telehealth appointments scheduled in ProviderAlly.
  • We do not read, store, or display events on the connected Google Calendar that ProviderAlly did not create.
  • We do not transfer Google user data to third parties except as necessary to provide or improve the user-facing feature, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
  • We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
  • We do not allow humans to read Google user data unless we have the user’s affirmative agreement for specific messages, the access is necessary for security purposes (such as investigating abuse), the access is necessary to comply with applicable law, or the data is aggregated and used for internal operations in accordance with applicable privacy laws.
  • We do not use Google user data to develop, improve, or train generalized or non-personalized AI and/or machine-learning models.

Disconnecting Google access

You may disconnect ProviderAlly’s access to your Google account at any time from inside the application or from your Google Account’s third-party connections page. When you disconnect, the OAuth refresh token we hold for your Google account is deleted from our systems.

Subprocessors

We rely on a small set of subprocessors to operate the service. All subprocessors that may handle PHI on our behalf are bound by an executed BAA.

  • Google Cloud Platform — primary hosting, database, and storage. United States region. Bound by Google’s Cloud BAA.
  • Lead Connector — we proxy requests to your clinic’s Lead Connector sub-account on the clinic’s behalf. The clinic is responsible for its direct relationship and BAA with Lead Connector.
  • Stripe, Inc. — billing and payment processing. PCI-DSS Level 1 service provider. We do not store full card numbers; Stripe is the system of record for payment instruments.
  • Sentry — application error monitoring, configured to scrub PHI from error payloads.

We do not send PHI to Anthropic, OpenAI, or any other third-party model provider. Where the product offers AI-assisted features, those features are gated and only run against PHI when the model provider is named on your BAA and the feature is explicitly enabled by your clinic.

Retention

  • Account data is retained for the duration of the contract and for ninety (90) days after termination, after which it is deleted unless a longer retention period is required by law.
  • Customer-imported PHI is retained for the duration of the contract and made available for export for thirty (30) days after termination, then deleted in accordance with the BAA and applicable state retention requirements.
  • Audit logs are retained for seven (7) years consistent with HIPAA recordkeeping requirements.
  • Operational telemetry (server logs, error reports) is retained for up to ninety (90) days.
  • OAuth tokens (Google, Lead Connector) are deleted immediately when you disconnect the integration or close your account.

Security

  • All traffic to ProviderAlly is encrypted in transit using TLS 1.2 or higher.
  • Customer data and OAuth tokens are encrypted at rest using provider-managed envelope encryption (Cloud SQL, Cloud Storage, and KMS).
  • Access to production systems is restricted on a least-privilege basis, requires multi-factor authentication, and is logged.
  • We operate ProviderAlly under HIPAA Security Rule administrative, physical, and technical safeguards. A current BAA is available on signup.
  • We maintain an incident response process and will notify affected customers of a security incident in accordance with the BAA and applicable law.

Your rights

Subject to applicable law, you may request to access, correct, export, or delete the personal information we hold about you. Where ProviderAlly processes PHI as a Business Associate, requests from patients should be directed to the Covered Entity (your clinic), which controls that data; we will support the clinic in fulfilling those requests.

To exercise rights with respect to your own account, email privacy@providerally.care. We will respond within the timelines required by the laws that apply to you.

Children

ProviderAlly is intended for use by licensed clinicians and the staff of behavioral-health clinics. We do not knowingly create accounts for individuals under the age of eighteen (18). Clinics that treat minor patients may store records about those patients in ProviderAlly under the clinic’s custodial responsibility and the BAA between the clinic and ProviderAlly; in that case the clinic, not the minor patient, is our customer.

International users

ProviderAlly is operated from the United States and processes data in the United States. If you access the service from outside the United States, you understand that your information will be transferred to and processed in the United States.

Changes to this policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days’ advance notice by email to the address associated with your account and by updating the Effective date above. Continued use of ProviderAlly after the new policy takes effect constitutes acceptance of the change.

Contact

For privacy questions or requests, contact us at privacy@providerally.care.

Attenti LLC
PO Box 1069
Langhorne, PA 19047