Privacy Policy

Effective Date: 01/01/2025

Last Updated: 06/05/2025

BlackBag ("Company," "we," "our," or "us") is committed to respecting and protecting the privacy and security of all users ("you," "your," or "User") who access or utilize our software, mobile applications, websites, and services (collectively, the "Platform"). This Privacy Policy outlines how information is collected, processed, stored, disclosed, and safeguarded when engaging with the Platform, in accordance with applicable laws and regulations, including but not limited to the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and other relevant privacy frameworks.

By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by the terms set forth in this Privacy Policy.

1. Information We Collect

We may collect and process various categories of information, which may include, but are not limited to, the following:

a. Personally Identifiable Information (PII)

This includes any data that can reasonably be used to identify you, such as:

  • Full name
  • Email address
  • Telephone number
  • Job title and professional affiliation
  • Organization or clinic name
  • Billing and mailing address
  • Payment method and transaction details (processed securely by third-party providers)

b. Practice Information

This category covers operational details about your medical practice, which may include:

  • Practice size and specialty areas
  • Number of providers and staff
  • Preferred service configurations and workflow customizations
  • Submitted data necessary for platform optimization

c. Protected Health Information (PHI)

When utilizing BlackBag to store, transmit, or manage patient-related data, information that constitutes PHI under HIPAA may be collected, such as:

  • Patient names, identifiers, and contact information
  • Clinical documentation and encounter notes
  • Medical histories, prescriptions, and diagnostic results
  • Communication records between patients and providers

d. Technical and Usage Data

We may automatically collect data regarding your interactions with the Platform, such as:

  • Internet Protocol (IP) address
  • Browser type and version
  • Device identifiers
  • Date/time stamps of access
  • Pages viewed and features used
  • Session duration and clickstream data

2. Use of Information

Information collected through the Platform may be used for purposes including, but not limited to:

  • Creating and managing user accounts and provider profiles
  • Delivering core software functionality and associated services
  • Providing technical support, maintenance, and customer service
  • Enhancing platform performance, usability, and reliability
  • Sending communications related to account activity, system updates, or new features
  • Processing billing transactions and issuing invoices
  • Facilitating legal and regulatory compliance, including HIPAA, GDPR, and other applicable laws

3. Data Security and Protection

BlackBag employs a multi-layered approach to data security, including administrative, technical, and physical safeguards designed to protect your information from unauthorized access, loss, misuse, or alteration. Security practices include:

  • Encryption: All data is encrypted in transit (using TLS 1.2 or higher) and at rest using industry-standard protocols
  • Access Controls: Role-based access restrictions and authentication protocols are enforced
  • Audit Logging: Comprehensive activity logs are maintained to monitor access, detect anomalies, and investigate potential breaches
  • Secure Infrastructure: Hosted in HIPAA-compliant, SOC 2 Type II-certified cloud environments with disaster recovery protocols in place

Despite these measures, no system can guarantee absolute security. Users are encouraged to implement strong password practices and safeguard access credentials.

4. Disclosure and Sharing of Information

BlackBag does not sell, rent, or lease personal or protected information to third parties. Disclosure may occur under the following limited circumstances:

  • Service Providers: Third-party vendors engaged for cloud hosting, data analytics, customer support, payment processing, or similar functions may have access to data under strict contractual obligations, including Business Associate Agreements (BAAs) where required
  • Legal Compliance: Information may be disclosed in response to lawful requests by public authorities, including court orders, subpoenas, or regulatory obligations
  • User-Directed Actions: Information may be disclosed to third-party systems or integrations only with explicit user authorization or consent

5. Data Subject Rights and User Choices

Subject to applicable law, users have the right to:

  • Access personal and account-related data
  • Rectify inaccuracies or incomplete information
  • Request Deletion of data or account termination (where legally permissible)
  • Object to or restrict certain types of processing
  • Export or receive a copy of their data in a structured, machine-readable format
  • File a Complaint with a data protection authority or regulatory body

To initiate any such request, contact: support@myblackbag.com

6. HIPAA and Regulatory Compliance

BlackBag is engineered to support HIPAA-compliant workflows and the secure handling of PHI. A Business Associate Agreement (BAA) is available to covered entities and healthcare providers upon request. Compliance obligations may extend to other jurisdictions, including GDPR for users operating in the EU.

7. Data Retention

User data is retained only as long as necessary to fulfill the intended purpose or to comply with legal, regulatory, or contractual obligations. Upon account termination or user request, data will be securely deleted or anonymized, subject to applicable retention periods defined by law or professional ethics standards.

8. Children’s Privacy

The Platform is not intended for use by individuals under the age of 18. BlackBag does not knowingly collect or process data from children. If it is discovered that such information has been inadvertently collected, it will be deleted promptly.

9. Modifications to this Privacy Policy

This Privacy Policy may be revised periodically. Any material changes will be communicated to users through the Platform or via email. Continued use of the Platform after the revised policy becomes effective constitutes acceptance of the updated terms. The “Effective Date” at the top of this document will reflect the most recent version.

10. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or BlackBag’s data practices, contact:

BlackBag – Privacy Team

Email: legal@myblackbag.com

Website: www.myblackbag.com