This document is a working draft. Final version pending HIPAA compliance review (PR #48).

Privacy Policy

1. BAA requirement

AFC Home Automation processes Protected Health Information (PHI) on behalf of Adult Foster Care home operators. We sign a Business Associate Agreement with every paid customer before any PHI is written to that customer's tenant.

2. Data retention

We retain audit logs and PHI in accordance with the 6-year HIPAA retention rule. Tenant-level data deletion at customer request follows our published Data Retention Policy.

3. Encryption

PHI fields, including SSN, are encrypted at rest using AES-256-GCM with keys held in GCP KMS. Connections use TLS 1.2+. Backend database connections are mutual-TLS where supported.

4. Audit logging

Every read and write to PHI is recorded in an append-only audit log. Audit log entries cannot be modified or deleted by any application role.

5. Subprocessors

We use the following subprocessors, each under signed BAA where PHI is involved: Supabase (database + storage), GCP Cloud Run (backend), Vercel (frontend), Postmark (transactional email), Twilio (SMS portal-link notifications), DocuSeal (e-signature), Anthropic (RAG AI — field names only; no PHI transmitted), Sentry (error monitoring with PHI scrubbing), Stripe (payments — no PHI in payment metadata).

6. Cookies

The marketing site sets no tracking cookies. Vercel Analytics is cookieless. Authenticated dashboard sessions use session cookies (httpOnly, SameSite=Lax) for sign-in.

We also use Plausible Analytics (plausible.io), a privacy-respecting alternative that does not set cookies, does not track users across sites, and stores no personal data. See plausible.io/privacy for their full policy.

7. Contact

For questions about this policy, email privacy@yourafchome.com.