Privacy Policy
Effective Date: February 19, 2026
ePCR Solutions LLC ("we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our electronic patient care reporting application and related services (the "Service").
1. Information We Collect
1.1 Account Information
When your organization creates accounts for users, we collect:
- Full name and email address
- Role assignment (admin, supervisor, responder)
- Phone number and badge number (optional)
- Authentication credentials (passwords are hashed and never stored in plain text)
1.2 Protected Health Information (PHI)
When documenting patient care incidents, the Service processes PHI including:
- Patient name, date of birth, and sex
- Patient address and emergency contact information
- Chief complaint, medical history, allergies, and medications
- Vital signs and clinical observations
- Body diagram findings and photo attachments
- Patient signatures
- GPS location data captured during incidents
All PHI is encrypted using AES-256-GCM both at rest (locally on the device and in our database) and in transit (via TLS 1.2+). Encryption keys are derived using PBKDF2 with 100,000 iterations.
1.3 Usage and Device Information
We automatically collect:
- Device identifiers for enrolled devices
- Browser type and version
- Login timestamps and session activity
- Sync status and metadata
1.4 Contact Form Submissions
When you submit our contact form, we collect the information you provide: name, email, organization, industry, team size, and message content.
2. How We Use Your Information
We use collected information to:
- Provide the Service - Enable incident documentation, offline data storage, and cloud synchronization
- Maintain security - Authenticate users, manage device enrollments, enforce access controls, and detect unauthorized access
- HIPAA compliance - Maintain audit trails, enforce data retention policies, and support emergency access review
- Improve the Service - Analyze aggregate usage patterns to improve performance and features
- Communicate - Respond to inquiries, send service notifications, and provide technical support
3. Data Storage and Security
3.1 Local Storage
ePCR Software is an offline-first application. Data is stored locally on your device using encrypted IndexedDB storage. PHI fields are individually encrypted before being written to the local database.
3.2 Cloud Storage
When online, data is synchronized to our cloud infrastructure hosted on Supabase (built on PostgreSQL). Data remains encrypted during transit and at rest. Photo attachments are stored as encrypted blobs in private storage buckets with a 5MB per-file limit.
3.3 Security Measures
- AES-256-GCM encryption for all PHI
- PBKDF2 key derivation (100,000 iterations, SHA-256)
- Role-based access control (RBAC)
- Automatic session timeout with PIN lock
- Account lockout after failed login attempts
- Enforced password strength policies
- Complete audit trail of all PHI access
- Emergency break-glass access with mandatory supervisor review
4. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information or PHI. We may share information only in the following circumstances:
- With your organization - Authorized users within your organization can access data according to their role permissions
- Service providers - We use Supabase for cloud infrastructure. All service providers are bound by data processing agreements.
- Legal requirements - When required by law, subpoena, or other legal process
- Safety - When necessary to protect the safety of individuals or the public
5. Data Retention
Your organization's administrator can configure data retention policies through the Service. Administrators can set auto-deletion periods for compliance with applicable regulations. When data is deleted, it is permanently removed from both local storage and cloud databases.
6. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (subject to legal retention requirements)
- Receive a copy of your data in a portable format
- Object to or restrict certain processing activities
For PHI-related requests, please contact your organization's administrator or our privacy team.
7. Cookies and Analytics
The ePCR Software application does not use tracking cookies. Our marketing website (epcrsoftware.com) uses Google Analytics (GA4) to understand visitor behavior.
7.1 What We Collect via Analytics
When you consent to analytics cookies, Google Analytics collects:
- Pages visited and time spent on each page
- Session duration and bounce rate
- Device type, browser, and operating system
- Approximate geographic location (country/region level)
- Referral source (how you found our website)
This data is used in aggregate to improve our website and is not linked to any patient data or PHI.
7.2 Cookie Consent
Analytics cookies are only set after you explicitly accept them via the cookie consent banner displayed at the bottom of our website. If you reject cookies or do not make a choice, no analytics cookies are set and no tracking data is collected.
You can change your cookie preference at any time by clicking the "Cookie Settings" link in the website footer. You can also opt out of Google Analytics across all websites by installing the Google Analytics Opt-out Browser Add-on.
7.3 Essential Storage
We use localStorage (not cookies) to remember your cookie consent preference and theme selection. These do not track you and are required for the website to function as expected.
8. Children's Privacy
ePCR Software is not directed at children under 13. We do not knowingly collect personal information from children. The Service may process PHI of minors as part of patient care documentation, which is handled in accordance with HIPAA regulations and at the direction of the treating organization.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via the Service or email. The "Effective Date" at the top of this page indicates the date of the most recent revision.
10. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Email: hello@epcrsoftware.com
- Phone: (248) 341-8808
- Web: epcrsoftware.com/contact