Privacy Policy

Effective date: April 21, 2026

Who we are

PHIGuard is operated by Ventora Labs, a Wyoming corporation, d/b/a PHIGuard. This Privacy Policy describes how PHIGuard collects, uses, and discloses information about visitors to the public marketing site and administrators or staff who use the PHIGuard product.

Questions about this policy can be sent to angel.campa@phiguard.app.

Scope

This policy applies to personal information PHIGuard processes for the public website and product administration. PHI processed by PHIGuard for a customer is governed by the customer's Business Associate Agreement and the applicable HIPAA rules, not by this policy alone.

Information we collect

Account and organization information

When a customer creates or manages a PHIGuard workspace, PHIGuard may collect organization name, customer legal entity name, administrator and user names, email addresses, titles, and account setup details needed to provide the service.

Billing and subscription information

PHIGuard processes subscription billing through Stripe. PHIGuard stores organization-level billing metadata and billing state needed to manage subscriptions, but does not store full payment card numbers.

Legal acceptance records

When an authorized organization administrator accepts the current Terms and BAA, PHIGuard stores the signer name, title, email, customer legal entity name, acceptance timestamp, and associated document snapshot and execution artifacts.

Product usage and security data

PHIGuard processes authentication events, audit events, and other operational metadata needed to secure the product, troubleshoot issues, and provide product functionality. Error monitoring data is sanitized before transmission to PHIGuard's monitoring vendor.

Marketing-site analytics

The public marketing site uses PostHog for analytics only after visitor consent. PHIGuard does not load PostHog on authenticated app routes. The marketing site does not use session replay or third-party advertising pixels inside the authenticated product.

Communications

If you email PHIGuard or submit a form, PHIGuard may retain the message and related metadata to respond, provide support, or maintain legal and operational records.

How we use information

• Provide, secure, and support the PHIGuard service.
• Process onboarding, legal acceptance, subscription management, and billing.
• Send transactional and administrative communications.
• Respond to support, legal, privacy, and security inquiries.
• Monitor reliability, investigate incidents, and improve the product.
• Comply with legal obligations and enforce PHIGuard's agreements.

PHI handling boundary

When a customer uses PHIGuard to create, receive, maintain, or transmit PHI, PHIGuard handles that information under the applicable BAA. PHIGuard does not use PHI for marketing. PHI must not be included in marketing emails, nurture emails, or public-site analytics.

Service providers and subprocessors

PHIGuard uses a limited set of third-party service providers to operate the marketing site and product. The current public list is available on the Subprocessors page.

As of this policy date, PHIGuard publicly discloses Cloudflare, Managed database provider, Sentry, Resend, Stripe, PostHog as relevant service providers or subprocessors depending on the data path and scope involved. Google Workspace and Microsoft 365 calendar sync connections operate in the customer's tenant boundary.

Data retention

PHIGuard retains information for as long as needed to provide the service, maintain required records, support customers, and comply with law. Audit evidence is designed for long-term retention, and audit records are retained for at least six years where required by PHIGuard's HIPAA documentation posture.

After account termination, PHIGuard follows its then-current export and deletion handling. Some backup, legal, security, and accounting records may be retained for a longer period where required or permitted.

Security practices

PHIGuard uses HTTPS, encryption at rest provided through managed infrastructure, append-only audit controls for audit events, scoped application access controls, and sanitized telemetry handling. A fuller public summary is available on the Security page.

Your choices and rights

Depending on your jurisdiction, you may have rights to request access to, correction of, or deletion of certain personal information. Privacy requests can be sent to angel.campa@phiguard.app.

Requests concerning PHI generally must be handled through the relevant covered entity or customer organization, subject to HIPAA and the BAA.

Changes to this policy

PHIGuard may update this Privacy Policy from time to time. Material updates will be reflected by changing the effective date on this page and, when appropriate, through additional notice.

Contact

Ventora Labs, a Wyoming corporation, d/b/a PHIGuard
30 N Gould St Ste N, Sheridan, WY 82801
angel.campa@phiguard.app