Privacy Policy

Last Updated: April 1, 2026

EasyDocForms ("we", "our", or "us") is committed to protecting your privacy and the privacy of your patients. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use easydocforms.com, hosted patient intake forms, the EasyDocForms web application, related support services, and the EasyDocForms Practitioner App for iOS (collectively, the "Services").

When a healthcare practice, clinic, or other organization uses EasyDocForms to collect or manage patient information, we generally process that information on the organization's behalf. If you are a patient and have questions about a form, record, or privacy request related to a provider using EasyDocForms, please contact that provider first.

As of April 1, 2026, EasyDocForms primarily supports customer organizations in the United States and selected customer organizations in New Zealand and Singapore. Our core application infrastructure is operated from the United States.

1. Information We Collect

We collect information you provide directly to us, information generated while you use the Services, and limited technical data needed to operate and secure the platform, including:

• Account and Organization Information: Name, email address, practice or organization name, role, onboarding details, and related account settings.
• Practitioner App Authentication Data: Sign-in provider, practitioner email address, organization-linked access status, authentication identifiers, and related session data used to sign authorized practitioners in to the EasyDocForms Practitioner App.
• Patient and Clinical Data: Information submitted through intake forms, schedules, documents, notes, messages, questionnaires, and related workflows, including Protected Health Information (PHI) as defined by HIPAA where applicable.
• Billing and Transaction Information: Subscription, invoicing, and payment-related records needed to manage paid accounts. Payment card details are generally processed by our payment processor and are not stored in full by EasyDocForms.
• Support and Communications: Information you provide when contacting support, requesting a demo, responding to operational messages, or working with us on implementation or security questions.
• Usage, Device, and Security Data: Technical information such as IP address, request metadata, timestamps, logs, browser type, app or device environment, and related security or diagnostic events needed to operate, secure, and troubleshoot the Services.
• Temporary Mobile Session State: The Practitioner App may hold limited authentication/session state in app memory during active use. It is not designed to keep practitioner sessions persistently stored between launches.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, secure, and improve the Services.
• Authenticate users, provision organization-managed practitioner access, and enforce account permissions.
• Process intake, documentation, scheduling, and related workflow data, including secure AI-assisted processing where enabled.
• Process subscriptions, invoices, receipts, and related billing operations.
• Send technical notices, security alerts, support messages, and service-related communications.
• Detect, investigate, and prevent fraud, abuse, unauthorized access, and service misuse.
• Comply with legal obligations and enforce our agreements.

3. Sharing of Information

We do not sell personal information. We do not use patient or practitioner data for targeted advertising, data brokerage, or cross-context behavioral tracking. We share information only as needed to operate the Services, at a customer's direction, or as required by law.

• Google Cloud Platform and Related Google Cloud Services: We use Google Cloud infrastructure and services, including Firebase Authentication and Google Cloud-hosted processing services such as Vertex AI and related Google Cloud tools where enabled, to host, authenticate, store, secure, and process data.
• Apple and Google Identity Services: If a practitioner chooses Sign in with Apple or Google sign-in, Apple or Google will process the information necessary to complete that authentication flow under their own terms and privacy policies.
• Stripe: We use Stripe for subscription billing, payment processing, and related billing-portal workflows.
• Customer-Authorized Delivery and Integration Providers: We may use email, SMS, scheduling, payment, or other integration providers when enabled by EasyDocForms or the customer organization to deliver operational messages or connect authorized systems.
• Professional Advisors and Legal Requirements: We may disclose information to auditors, attorneys, regulators, law enforcement, or other third parties when reasonably necessary to comply with law, protect safety, investigate fraud, or enforce our agreements.

Where service providers process data for us, they do so under contractual confidentiality and security obligations and, where applicable, HIPAA-related commitments. No mobile information will be shared with third parties or affiliates for their own marketing or promotional purposes. Text messaging opt-in data and consent will not be sold or shared for third-party marketing.

4. Cookies, Local Storage, and Tracking Technologies

We do not use advertising cookies or cross-site tracking technologies for marketing purposes. We use only the limited storage technologies needed to operate and secure the Services, such as:

• Authentication and Session Management: To keep authorized users signed in and protect secure workflows.
• Security Controls: To support CSRF protections, fraud prevention, and similar security features.
• Temporary Mobile Session State: To maintain an authenticated session during active app use without persistently storing practitioner sessions between launches.

Because we do not use non-essential marketing cookies for the Services covered by this policy, we do not currently use a cookie banner for advertising consent. The Practitioner App does not include third-party advertising SDKs and we do not track users across third-party apps or websites for advertising purposes.

5. Artificial Intelligence and Automated Processing

We may use enterprise Google Cloud AI services, including Vertex AI and related Google Cloud processing tools, to assist with secure document processing, structured extraction, and documentation workflows when enabled by a customer.

• No Consumer AI APIs for PHI: We do not intentionally route PHI through consumer-facing AI services such as OpenAI or Anthropic.
• No General Model Training on Customer Data: Customer-submitted patient data is not used by EasyDocForms to train general-purpose models, and where we use Google Cloud enterprise AI services we configure them for customer-serving processing rather than public model training.
• Workflow Assistance Only: AI-assisted outputs are intended to support authorized workflows and should be reviewed by the healthcare organization before clinical reliance.

6. HIPAA and the Role of Healthcare Customers

When we process PHI on behalf of healthcare practices or other covered entities, we act as a service provider/business associate as applicable and will enter into a Business Associate Agreement (BAA) where required by law.

Healthcare organizations that use EasyDocForms remain responsible for their own Notice of Privacy Practices, consent flows, minimum-necessary decisions, retention policies, and responses to patient requests where required by law.

7. Data Security

We use administrative, technical, and physical safeguards designed to protect the data entrusted to us. These measures include:

• Encryption in Transit: Data is transmitted over HTTPS using modern TLS protections.
• Encryption at Rest: Data stored in our systems is protected using encryption at rest.
• Access Controls: We restrict access to authorized users and services and use role-based and authenticated access controls.
• Security Monitoring: We maintain logging, monitoring, and related safeguards designed to detect misuse and maintain service reliability.
• Minimal Mobile Session Persistence: Practitioner App sessions are designed for minimal local persistence and may require practitioners to sign in again after a full app relaunch.

No system can be guaranteed to be 100% secure, but we work to maintain safeguards appropriate to the sensitivity of the data we process.

8. Data Retention

We retain information for as long as needed to provide the Services, satisfy contractual obligations, maintain security, resolve disputes, and comply with applicable law.

• Account and Billing Records: Retained while the customer relationship is active and thereafter as needed for billing, accounting, support, security, and legal compliance.
• Patient and Clinical Data: Retained according to customer instructions, applicable contracts or BAAs, legal requirements, and normal backup/disaster-recovery cycles.
• Security and Authentication Records: Retained as needed for incident response, fraud prevention, audit, and compliance purposes.
• Deletion Timing: When deletion is approved and legally permitted, we delete or de-identify data within a commercially reasonable period, but backup copies may persist temporarily until overwritten in the normal course.

9. Your Choices, Access Requests, and Account Deletion

The Practitioner App is designed for organization-managed practitioner access. If you are a practitioner and want your mobile access disabled or your practitioner account data deleted, contact your organization administrator first or email [email protected]. Deleting a practitioner login does not automatically require deletion of patient records that the healthcare organization is legally or operationally required to retain.

If you are a healthcare organization customer and want to request export or deletion of organizational data, contact [email protected]. Requests are handled subject to applicable contracts, BAAs, legal obligations, and security requirements.

If you are a patient who submitted information to a provider through EasyDocForms, please contact that provider for access, correction, or deletion requests. We will work with the provider in accordance with our contractual and legal obligations.

10. International Access and Cross-Border Processing

EasyDocForms is operated from the United States. If you access or use the Services from New Zealand, Singapore, or another jurisdiction outside the United States, your information may be collected, transferred to, stored in, and processed in the United States and in other countries where our service providers operate on our behalf.

Where we rely on service providers to process data across borders, we require them to process data under contractual confidentiality, security, and data-protection obligations appropriate to the Services. We do not currently offer customer-selectable local data residency for New Zealand or Singapore deployments.

If your organization is subject to jurisdiction-specific requirements for cross-border transfers, health-data handling, or contractual terms, contact [email protected] before using the Services so we can determine whether EasyDocForms is a fit for your organization.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date above and post the updated version on this page. Material changes may also be communicated through other appropriate channels.

12. Contact Us

If you have questions about this Privacy Policy or want to submit a privacy-related request, contact us at [email protected] or visit /support/.

13. SMS/Text Messaging

When you or your patients opt in to receive SMS messages from EasyDocForms or from healthcare organizations using EasyDocForms, we collect mobile phone numbers and related consent records needed to deliver those messages.

Message Frequency: Message frequency varies based on appointment activity or workflow events. In many cases, recipients receive one or more messages tied to a specific intake form or appointment-related action.

Opt-Out: Recipients can opt out at any time by replying STOP to any message. Opt-out requests are processed as soon as reasonably practical.

Carrier Costs: Message and data rates may apply depending on the recipient's mobile carrier plan.

Data Sharing: Mobile phone numbers and text messaging opt-in data are not sold and are not shared for third-party marketing or promotional purposes. Messaging providers may process this data solely to deliver authorized operational messages on behalf of EasyDocForms or the healthcare organization using the platform.

For help with SMS messages, reply HELP to any message or contact [email protected].