Privacy Policy
Last updated: April 24, 2026 · Effective: April 24, 2026
This Privacy Policy explains how [LEGAL ENTITY NAME] (“LittleClouds,” “we,” “us,” or “our”) collects, uses, shares, and protects information in connection with our website, marketing materials, and the LittleClouds practice management platform (together, the “Services”). By using the Services, you agree to this Privacy Policy.
LittleClouds is used by lactation consultants (“Providers”) to manage their clinical practices. When a Provider uses LittleClouds to document care for a family, the information about that family, including the patient, is Protected Health Information (“PHI”) under the U.S. Health Insurance Portability and Accountability Act (“HIPAA”). The Provider is the Covered Entity and owns that PHI. LittleClouds acts as the Provider's Business Associate and handles PHI only as permitted by our Business Associate Agreement with the Provider. If you are a family receiving care from a LittleClouds Provider, please first contact your Provider for questions about your health record; they are the party responsible for your PHI.
- Scope & roles
- Information we collect
- How we use information
- How we share information
- Subprocessors
- PHI handled on behalf of Providers
- Security practices
- Retention and deletion
- Your rights and choices
- Children's information
- US state privacy rights
- International users
- Cookies and similar technologies
- Changes to this policy
- Contact us
1. Scope & roles
This policy covers three distinct relationships. Your rights and our obligations depend on which one applies to you.
- Website visitors and prospective Providers. When you browse our marketing site, fill out a contact form, or sign up for a trial, we act as a data controller for the personal information you give us.
- Providers with LittleClouds accounts. When a Provider uses the platform to run their practice, we act as a data controller for their own account and billing information, and as a data processor (and HIPAA Business Associate) for PHI they store in the platform about the families they serve.
- Families and patients of a Provider. If you interact with LittleClouds because your Provider uses it, the Provider controls what happens to your information. LittleClouds stores and secures that information on their behalf under a Business Associate Agreement. For access requests, corrections, or complaints about your own record, please contact your Provider first.
2. Information we collect
2.1 Information you provide
- Account information. Name, email address, phone number, business name, professional credentials (e.g., IBCLC, NPI), password, and profile details.
- Billing information. Billing address and tax details. Payment card numbers are collected and processed by our payment processor (Stripe) and are not stored on our servers.
- Support and communications. Messages you send us, content of support tickets, and survey responses.
- Practice content. Information Providers enter into the platform, which may include PHI. See Section 6.
2.2 Information we collect automatically
- Device and log data. IP address, browser type, operating system, device identifiers, referring URL, time stamps, and pages viewed.
- Usage data. Actions you take inside the Services, approximate feature usage, and performance telemetry.
- Cookies and similar technologies. See Section 13.
2.3 Information from third parties
We receive limited information from service providers that help us run the Services (for example, authentication events from our identity provider, payment status from Stripe, and deliverability data from email providers).
3. How we use information
- To provide, operate, maintain, and improve the Services.
- To authenticate users, prevent fraud and abuse, and keep the Services secure.
- To process payments and administer accounts.
- To respond to your requests, provide customer support, and send service-related communications (for example, security alerts, billing notices, and material changes to these terms).
- To comply with applicable law, respond to lawful requests, and enforce our agreements.
- With your consent, to send product updates, educational content, and marketing emails. You can unsubscribe at any time using the link in any marketing message.
- In aggregated or de-identified form (not reasonably linkable to any individual) to understand usage, improve the product, and publish general research or benchmarks.
We do not sell personal information. We do not share personal information with third parties for their own independent marketing. We do not use PHI to train generalized artificial intelligence models or for advertising.
4. How we share information
We share information only in the limited ways below.
- With subprocessors. Vetted service providers that help us deliver the Services (hosting, database, authentication, payments, email delivery, error monitoring). Each subprocessor is bound by contract to protect your information and, where they handle PHI, to sign a Business Associate Agreement with us. See Section 5.
- With the Provider (for families and patients). Information in a Provider's practice account is accessible to that Provider and any staff members they authorize. LittleClouds does not share your record with other Providers or families.
- For legal reasons. To comply with a valid legal process, respond to lawful requests, protect our rights and property, enforce our agreements, or respond to emergencies involving risk to life or physical safety. We will attempt to notify affected users when we are legally permitted to do so.
- In a corporate transaction. If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction, subject to the receiving party's honoring this Privacy Policy or providing reasonable notice and the ability to opt out.
- With your consent. For any other sharing you direct or approve.
5. Subprocessors
We use a small number of carefully selected subprocessors. The current list, which we may update from time to time, is:
| Subprocessor | Purpose | Processing location | PHI? |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, and file storage | United States | Yes (BAA) |
| Stripe, Inc. | Payment processing and subscription billing | United States | Limited (BAA) |
| Vercel, Inc. | Website and application hosting | United States | No (marketing site only) |
When we handle PHI, we only engage subprocessors that will sign a Business Associate Agreement with us. We publish material changes to this list in this policy and, for Provider accounts, with advance notice so Providers can object.
6. PHI handled on behalf of Providers
When a Provider stores information about a family or patient in LittleClouds, we handle that information as a HIPAA Business Associate. In practical terms:
- The Provider controls what is entered and who, on their team, may access it.
- LittleClouds staff access PHI only when strictly necessary to operate, troubleshoot, or secure the Services, or at the written direction of the Provider.
- We do not sell PHI. We do not disclose PHI to advertisers. We do not use PHI to train generalized artificial intelligence models.
- If a Provider authorizes an integration (for example, a third-party tool), information flows to that integration only at the Provider's direction, and the Provider is responsible for that integration's handling of PHI.
- Our specific obligations are set out in our Business Associate Agreement, which is accepted by Providers at account creation.
If you are a family member and wish to exercise HIPAA rights (such as access, amendment, or an accounting of disclosures), please contact your Provider. The Provider is the Covered Entity that owns your record and is responsible for responding. We will support the Provider in fulfilling those requests.
7. Security practices
We take a layered approach to security. We are transparent about what we do and where we are still maturing.
What we do today
- Encryption in transit. All traffic to and from the Services is encrypted using TLS (HTTPS).
- Encryption at rest. Production databases and file storage are encrypted at rest by our infrastructure providers.
- Access isolation. Row-level security policies, enforced in the database rather than only in application code, ensure that each Provider sees only their own practice's records and each family sees only their own records.
- Audit logging. Access to records is recorded in an immutable audit log.
- Authentication. Passwords are never stored in plaintext; our identity provider stores them only in hashed form and manages credential handling. Sessions use modern token-based authentication.
- Subprocessor posture. Our hosting, database, and payment subprocessors maintain their own industry certifications (for example, SOC 2) and will sign a Business Associate Agreement with us where PHI is involved.
- Least privilege. Employee and contractor access to production data is limited to the minimum necessary and is revoked promptly at offboarding.
What we do not claim
LittleClouds is an early-stage product. We do not currently hold SOC 2, HITRUST, or ISO 27001 certifications in our own name, and we do not claim to. HIPAA itself has no official certification body; any vendor that calls itself “HIPAA certified” is overstating. Instead, we design and operate the Services to align with the HIPAA Security and Privacy Rules, and we publish our roadmap honestly. If a formal certification is a hard requirement for your practice, please contact us before signing up.
No security program can be perfect, and no service can promise absolute security. In the event of a security incident affecting your information, we will notify affected Providers without unreasonable delay so they can meet their own notification obligations to individuals and regulators, and we will notify regulators ourselves where applicable law requires us to, in each case in accordance with applicable law and our Business Associate Agreement.
8. Retention and deletion
- Practice records and PHI. We retain practice records for as long as the Provider's account is active. On termination, we will, as directed by the Provider and in accordance with our Business Associate Agreement, return or destroy PHI within a reasonable period. Providers may be independently required by state law to retain records for specified minimum periods (often 6–10 years for adult records, longer for minors); the Provider is responsible for that retention.
- Account and billing records. Retained for as long as needed to provide the Services and for a reasonable period afterward to meet tax, accounting, and legal obligations.
- Support communications. Retained for up to 24 months to improve support quality, unless law requires longer.
- Server logs. Security and performance logs are retained for up to 12 months.
- Backups. Backups are rotated on a regular schedule; deleted data may remain in encrypted backups for a limited period before being overwritten.
9. Your rights and choices
Depending on your relationship with LittleClouds and where you live, you may have some or all of the following rights:
- Access, correct, or delete personal information we hold about you as a controller.
- Port a copy of your account information in a portable format.
- Object to or restrict certain processing, including direct marketing.
- Withdraw consent where processing relies on consent.
- Appeal a denial of a rights request.
- Lodge a complaint with a supervisory authority.
To exercise these rights, email privacy@littleclouds.app. We may need to verify your identity before acting on a request. For requests concerning PHI that a Provider controls, please contact your Provider.
10. Children's information
The marketing website is not directed to children under 13, and we do not knowingly collect personal information from children on the marketing site. The LittleClouds platform is used by Providers to document pediatric care, which by its nature involves information about infants and children. That information is provided by the parent or guardian to the Provider, and the Provider is responsible for obtaining any consents required by law. Where the Children's Online Privacy Protection Act (“COPPA”) applies, we rely on the Provider's and parent's consent.
11. US state privacy rights
Residents of California, Colorado, Connecticut, Virginia, Utah, and other states with comprehensive privacy laws may have additional rights (such as the right to opt out of “sale” or “sharing” for targeted advertising, and the right to appeal). LittleClouds does not sell personal information and does not share personal information for cross-context behavioral advertising. Information processed on behalf of a Provider as a HIPAA Business Associate is generally exempt from these state privacy laws. To submit a state-law rights request, email privacy@littleclouds.app.
12. International users
LittleClouds is operated from, and information is stored in, the United States. If you access the Services from outside the United States, you understand that your information will be transferred to, stored in, and processed in the United States. We have not designed the Services for users in the European Economic Area, the United Kingdom, or Switzerland, and we do not currently offer Services to Providers regulated under those regimes. If you believe you have received Services from us in those regions, please contact us.
13. Cookies and similar technologies
We use a small number of cookies and similar technologies to keep the site functioning (for example, to remember that you are logged in), to measure basic traffic to our marketing pages, and to understand how Providers use the platform so we can improve it. We do not use cookies for cross-site advertising.
You can control cookies through your browser settings. Blocking strictly necessary cookies may prevent parts of the Services from working.
14. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify Providers by email or through the Services and update the “Last updated” date above. Continued use of the Services after a change means you accept the updated policy.
15. Contact us
If you have questions about this Privacy Policy, contact:
[LEGAL ENTITY NAME]
Attn: Privacy
[BUSINESS ADDRESS]
Email: privacy@littleclouds.app