HippoHandover

Privacy Policy

Version 2026.05.02 · Effective 2026

1. Who we are

HippoHandover (“we”, “us”) is a clinical workspace operated by Hippo for surgical residents and hospital teams. This Privacy Policy explains what information we collect, how we use it, and how we protect it. It is written to align with PHIA (Manitoba), PIPEDA (Canada), and equivalent professional confidentiality obligations.

2. Categories of data we process

3. Where data lives

Account and clinical records are stored in a managed PostgreSQL database (Supabase) with TLS in transit and provider-managed encryption at rest. Application servers run on Vercel. Optional AI features (handover drafts, list extraction) run OCR on-device; remote LLM calls occur only when an institution has explicitly configured an approved provider, and they carry only the structured patient context already on the user's authorised list.

4. Lawful basis & clinical use

You may use HippoHandover only for legitimate clinical care of patients you are authorised to access. Membership in a service is gated by leader approval. Access is audit-logged.

5. Retention

Audit logs are retained for at least seven (7) years to satisfy professional record obligations. Patient records are retained for as long as the responsible team requires them for active care, plus the period set by institutional retention policy. Account records persist until you request closure. Push subscriptions are deleted immediately when you unsubscribe or when the push provider returns 410 Gone for the subscription.

6. Your rights

You may request access to your account data, correction of inaccuracies, deletion of your account, or a copy of your policy-attestation history. Patient data is governed by your institution's health-records custodian, not by us; please contact the institutional privacy office for patient-data requests.

7. Sharing

We do not sell data, do not embed advertising trackers, and do not share patient data with third parties for marketing. Service sub-processors are listed in our Data Processing Notes and are bound by data-processing agreements where applicable.

8. Security controls

We hash passwords with bcrypt (cost 12), rate-limit authentication endpoints, scope every patient query to the user's service membership, set HSTS / X-Frame-Options / Referrer-Policy / Permissions-Policy headers, reject PHI from URLs/page titles/notifications/analytics, and audit-log every patient view and write. Full controls list: see the Compliance Statement.
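The membership-scoping and audit-logging controls above are easiest to see in code. The following is an added illustration written for this page, not HippoHandover's own implementation: an in-memory model in which every patient lookup is filtered by the caller's leader-approved service memberships before any row is touched, and every view, write and refused attempt produces an audit row that carries identifiers only. The table and field names, user and service identifiers, and all rows are constructed sample data.

```javascript
// Added example, not HippoHandover's code. All rows below are constructed.
// Memberships gate access: only 'approved' (leader-approved) rows grant anything.
const memberships = [
  { userId: 'u-alice', serviceId: 'gen-surg', status: 'approved' },
  { userId: 'u-bob',   serviceId: 'ortho',    status: 'approved' },
  { userId: 'u-carol', serviceId: 'gen-surg', status: 'pending' }, // awaiting leader approval
];

// Patient rows belong to exactly one service; clinical fields are sample text.
const patients = [
  { id: 'pt-1', serviceId: 'gen-surg', bed: '4A-12', plan: 'post-op day 1' },
  { id: 'pt-2', serviceId: 'gen-surg', bed: '4A-14', plan: 'awaiting imaging' },
  { id: 'pt-3', serviceId: 'ortho',    bed: '6B-03', plan: 'mobilise with physio' },
];

// Append-only audit trail. Rows hold identifiers and an outcome, never clinical
// content, so the log itself cannot become an uncontrolled copy of PHI.
const auditLog = [];

function audit(userId, action, patientId, outcome) {
  auditLog.push({ ts: new Date().toISOString(), userId, action, patientId, outcome });
}

// Set of services the user may see. Pending or absent memberships yield nothing.
function approvedServices(userId) {
  return new Set(
    memberships
      .filter((m) => m.userId === userId && m.status === 'approved')
      .map((m) => m.serviceId),
  );
}

// The scope filter is applied inside the query, so no code path can return a
// patient outside the caller's services and then forget to check it afterwards.
function listPatients(userId) {
  const scope = approvedServices(userId);
  const rows = patients.filter((p) => scope.has(p.serviceId));
  audit(userId, 'list', null, `ok:${rows.length}`);
  return rows;
}

// Out-of-scope and nonexistent both resolve to null, so the id space cannot be
// probed to learn which patients exist on another team's list.
function findInScope(userId, patientId) {
  const scope = approvedServices(userId);
  return patients.find((p) => p.id === patientId && scope.has(p.serviceId)) ?? null;
}

function getPatient(userId, patientId) {
  const row = findInScope(userId, patientId);
  audit(userId, 'view', patientId, row ? 'ok' : 'denied');
  return row;
}

function updatePlan(userId, patientId, plan) {
  const row = findInScope(userId, patientId);
  audit(userId, 'write', patientId, row ? 'ok' : 'denied');
  if (!row) return false;
  row.plan = plan;
  return true;
}

// Denied attempts are the rows a reviewer would pull first when investigating
// whether someone tried to reach patients outside their service.
function deniedAttempts() {
  return auditLog.filter((e) => e.outcome === 'denied');
}
```

Calling `listPatients('u-carol')` returns an empty list because her membership is still pending, and `getPatient('u-bob', 'pt-1')` returns null and leaves a `denied` audit row, which is the shape of record that the seven-year retention in section 5 is meant to preserve.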

9. International transfers

Database hosting is regional; the deployment is configured for Canada Central. Vendor sub-processors may operate in other regions strictly to deliver platform features (e.g. CDN edge nodes). Patient row data is never sent to non-approved AI providers.

10. Contact

Privacy questions: privacy@hippomedicine.com. For institutional data requests, please contact your institution's privacy officer first; we will cooperate as required.

This document is informational and does not replace your institution's privacy policy or your professional obligations.