Privacy Policy
Last Updated: April 8, 2026
1. Scope & Definitions
This Privacy Policy describes how Willow Compliance ("Willow," "we," "us," or "our") collects, uses, discloses, and safeguards information when you use our compliance management platform for Intellectual and Developmental Disability (IDD) care providers.
Protected Health Information (PHI) refers to individually identifiable health information as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including consumer names, dates of birth, Medicaid IDs, diagnoses, service notes, and goal descriptions entered into the platform.
Covered Entity refers to healthcare providers, health plans, or healthcare clearinghouses subject to HIPAA. Business Associate refers to a person or entity that performs functions involving the use or disclosure of PHI on behalf of a Covered Entity.
2. Information We Collect
Account Information
Name, email address, organization name, and role when you create an account or are invited by an administrator.
Protected Health Information
Consumer profiles (names, dates of birth, Medicaid IDs, diagnoses), provider service notes, goal descriptions, progress notes, and related clinical documentation entered by authorized users.
Employment Information
Staff profiles including names, roles, certifications, hire dates, and optionally Social Security Numbers (encrypted at rest).
Payment Information
Billing details processed securely through Stripe. We do not store credit card numbers on our servers.
Usage Data
Log data including IP addresses, browser type, pages visited, and feature usage for service improvement and security monitoring.
3. How We Use Information
- Provide, operate, and maintain the platform
- Process and store clinical documentation on behalf of your organization
- Generate AI-powered note suggestions and compliance reviews (PHI is sent to OpenAI for processing; see Section 5)
- Send transactional notifications (e.g., certification expirations, authorization alerts)
- Process payments and manage subscriptions
- Monitor for security threats and unauthorized access
- Maintain audit logs for HIPAA accounting of disclosures
4. How We Disclose Information
We do not sell, rent, or share your information or PHI with third parties for marketing purposes. We disclose information only as follows:
- At your direction: When you export data or share information with authorized staff within your organization.
- Service providers: To third-party processors who assist in operating our platform (see Section 5).
- Legal requirements: When required by law, regulation, subpoena, or court order.
- Business transfers: In connection with a merger, acquisition, or sale of assets, with equivalent privacy protections.
5. Third-Party Service Providers
We use the following processors to operate the platform. Each processes data only as necessary to provide their service:
- Supabase — Database hosting, user authentication, and file storage. Data is encrypted at rest and in transit.
- Stripe — Payment processing. Stripe is PCI DSS Level 1 certified. We do not store card details.
- OpenAI — AI-powered note generation and compliance review features. PHI may be sent to OpenAI's API when you use AI features. OpenAI does not use API data for training.
- SMTP2GO — Transactional email delivery for notifications and invitations.
- Netlify — Application hosting and content delivery.
6. Data Security Measures
We implement technical and organizational safeguards designed to protect your information:
- Encryption at rest: Column-level AES-256 encryption (pgcrypto) for sensitive PHI fields including Medicaid IDs, diagnoses, note content, goal text, and SSNs.
- Encryption in transit: All data transmitted via TLS 1.2 or higher.
- Access controls: Role-based access with Row Level Security (RLS) enforcing organization-level data isolation.
- Multi-factor authentication: WebAuthn passkey support for additional account security.
- Session management: Automatic session timeout after 15 minutes of inactivity, enforced across authenticated application workflows.
- Audit logging: Access to PHI through application reveal, document retrieval, and export workflows is logged with user identity, timestamp, action type, and record identifiers.
- Rate limiting: Sensitive API endpoints are rate-limited to prevent abuse.
7. Data Retention
- Clinical records: Soft-deleted records are retained for 7 years from the date of deletion, after which they are permanently purged, consistent with healthcare record retention requirements.
- Audit logs: PHI access logs and audit trails are retained for 7 years, then automatically purged.
- Account data: Retained for the duration of your subscription. Upon termination, data is available for export for 30 days before deletion.
8. Your Rights Under HIPAA
If you are a consumer whose PHI is stored in the platform, you may have the following rights through your care provider:
- Right of Access: Request a copy of your PHI held in the platform.
- Right to Amend: Request corrections to inaccurate PHI.
- Right to an Accounting of Disclosures: Request a record of when and to whom your PHI was disclosed.
- Right to Restrict: Request restrictions on certain uses and disclosures of your PHI.
These rights are exercised through your care provider (the Covered Entity), who is responsible for fulfilling such requests. Willow provides data export and audit log tools to assist care providers in responding to these requests.
9. Breach Notification
In the event of a breach of unsecured PHI, we will notify affected organizations (Covered Entities) without unreasonable delay and no later than 60 calendar days after discovery of the breach, consistent with the HITECH Act breach notification requirements. We will provide sufficient information for the Covered Entity to fulfill its own breach notification obligations to affected individuals and the U.S. Department of Health and Human Services.
10. Children's Privacy
Willow is designed for use by care provider organizations and their authorized staff. We do not knowingly collect information directly from individuals under 13. PHI of minors may be entered by authorized care providers in the course of service delivery.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or an in-app notification at least 30 days before the changes take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
Willow Compliance
Email: privacy@willowcompliance.com
For HIPAA-related inquiries, please reference "HIPAA Privacy Request" in your subject line.