Privacy Policy

Last Updated: October 1, 2025

1. Introduction

Strand Automation Works ("we," "our," or "us") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our automation services, particularly in healthcare contexts where we handle Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA).

2. Information We Collect

2.1 Healthcare Information

When providing automation services to healthcare clients, we may process:

  • Protected Health Information (PHI) as necessary for service delivery
  • Patient demographic information
  • Medical records and clinical data
  • Insurance and billing information
  • Healthcare provider credentials and certifications

2.2 Technical Information

  • System logs and performance metrics
  • API access patterns and usage data
  • Authentication and authorization records
  • Network and device information

2.3 Business Information

  • Contact details for client representatives
  • Service agreements and contracts
  • Billing and payment information
  • Communication records

3. HIPAA Compliance

As a Business Associate under HIPAA, we:

  • Execute Business Associate Agreements (BAAs) with all covered entities
  • Implement administrative, physical, and technical safeguards to protect PHI
  • Limit use and disclosure of PHI to the minimum necessary
  • Report breaches of unsecured PHI as required by law
  • Ensure subcontractors comply with HIPAA requirements
  • Make PHI available for amendment and provide accountings of disclosures

4. How We Use Your Information

We use collected information for:

  • Service Delivery: Providing automation, integration, and workflow optimization services
  • Quality Improvement: Monitoring and improving service performance and reliability
  • Compliance: Meeting legal, regulatory, and contractual obligations
  • Security: Detecting, preventing, and responding to security incidents
  • Communication: Responding to inquiries and providing support
  • Analytics: Generating de-identified, aggregated analytics (no PHI)

5. Data Security

We implement industry-standard security measures including:

  • End-to-end encryption for data in transit (TLS 1.3)
  • AES-256 encryption for data at rest
  • Multi-factor authentication and role-based access controls
  • Regular security audits and penetration testing
  • Intrusion detection and prevention systems
  • Secure data centers with physical access controls
  • Regular staff security training and background checks
  • Incident response and disaster recovery plans

6. Data Sharing and Disclosure

We do not sell your information. We may share information only:

  • With Your Consent: When you explicitly authorize disclosure
  • Service Providers: With vetted subcontractors under BAAs (e.g., cloud hosting, security services)
  • Legal Requirements: When required by law, court order, or government regulation
  • Business Transfers: In connection with mergers or acquisitions (with continued privacy protections)
  • Emergency Situations: To prevent harm to health or safety

7. Data Retention

We retain information only as long as necessary for service delivery and legal compliance. Healthcare data retention periods comply with HIPAA requirements (typically 6 years from creation or last use). Upon contract termination, we securely delete or return all PHI as specified in our Business Associate Agreement.

8. Your Rights

Under HIPAA and applicable privacy laws, you have the right to:

  • Access your PHI and request copies
  • Request amendments to inaccurate information
  • Receive an accounting of PHI disclosures
  • Request restrictions on use and disclosure
  • Request confidential communications
  • File a complaint with us or the HHS Office for Civil Rights

To exercise these rights, contact your healthcare provider (the covered entity) or reach out to us directly using the contact information below.

9. International Data Transfers

Our services are primarily provided within the United States. If data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses and compliance with applicable data protection regulations.

10. Children's Privacy

Our services are not directed to individuals under 18. While we may process pediatric healthcare information as part of our services, we do not knowingly collect personal information directly from children.

11. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or prominent notice on our website. Continued use of our services after changes constitutes acceptance of the updated policy.

12. Contact Information

For privacy-related inquiries, requests, or complaints:

Strand Automation Works

Privacy Officer

Email: privacy@strandautomationworks.com

Phone: Available upon request

Mailing Address: Available upon request

You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights regarding HIPAA compliance matters.

This Privacy Policy is designed to comply with HIPAA, the HITECH Act, state privacy laws, and general data protection principles. It does not create contractual obligations beyond those specified in executed Business Associate Agreements and service contracts.