Privacy Policy

How we handle your data.

Effective date: July 5, 2026

This policy explains how Atodoc LLC ("Atodoc", "we") collects, uses, protects, and shares information across three surfaces: this website, the dashboard that medical practices use to run their patient programs, and the Atodoc patient app that practices offer to their patients.

Our role with health information

Atodoc builds software for medical practices. The records we process through the platform — patient names, contact details, membership, rewards, and visit history — belong to the practice that treats you, and we process them on that practice's behalf as its service provider. We operate under a Business Associate Agreement (BAA) with every practice we work with, consistent with our obligations under HIPAA. If you are a patient, your practice is the steward of your health records; this policy describes how we handle data as its vendor, and your practice's own notice of privacy practices governs your care relationship.

What we collect

From patients using the app: your phone number or email address, used to verify it's you when you sign in (we send a one-time code each time you request one); your name and profile details if you or your practice add them; and the program records your practice keeps for you — memberships, rewards activity, check-ins, and visit history.

From practice staff: account details (name, work email, role) and the actions you take in the dashboard, which are logged for security and auditing.

From website visitors: whatever you submit through our contact and demo forms (name, email, practice name, message). We use essential cookies to keep signed-in sessions working. We do not run third-party advertising trackers on any of our surfaces.

Automatically: standard technical logs — device type, app version, IP address, timestamps, and error reports — used to keep the service working and secure.

How we use it

To provide the service: signing you in, showing your practice's programs, recording rewards and check-ins, and sending the one-time codes you request. To keep the platform secure: fraud prevention, rate limiting, audit trails. To support practices and patients when something goes wrong. And to meet legal obligations. We do not sell personal information, and we do not use patient data for advertising — ours or anyone else's.

SMS and mobile information

Phone numbers collected for sign-in codes are used solely to deliver those codes. No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Text messaging originator opt-in data and consent are not shared with any third parties, except with service providers acting on our behalf solely to deliver the messages, or as required by law. See the SMS section of our terms for message frequency and opt-out instructions.

Who we share with

Your practice — that's the point of the platform. Beyond that, only the infrastructure providers we build on, each bound by contract to process data solely on our instructions: Supabase (database, authentication, and hosting), Twilio (SMS delivery), Vercel (web hosting), and Resend (transactional email). We may also disclose information if the law requires it, or as part of a merger or acquisition — in which case this policy continues to apply to data collected under it.

How we protect it

All traffic is encrypted in transit (TLS). Data is encrypted at rest, and particularly sensitive patient fields carry an additional layer of field-level encryption with per-practice keys. Each practice's data is segregated per-tenant and enforced at the database layer, access to health information is logged in an audit trail, and staff access follows least privilege. No system is perfectly secure, but if a breach affects your information we will notify your practice and, where required, you, within the timelines the law sets.

Retention and deletion

We keep your information while your account or your practice's relationship with us is active. Practice-owned patient records are retained or deleted per that practice's instructions and its own legal obligations for medical records. When a practice leaves Atodoc, it receives an export of its data and we delete our copies on a defined schedule. To correct or delete your contact information, ask your practice or contact us directly.

Your choices and rights

You can stop SMS at any time by replying STOP (email sign-in keeps working). You can request access to, correction of, or deletion of the information we hold about you — for practice-owned health records we will route the request to your practice, since those records are theirs to control; for everything else we handle it ourselves. Depending on where you live, state law may give you additional rights; contact us and we will honor what applies. We respond within one business day.

Children

Our website and app are not directed at children under 13, and we do not knowingly collect information from them outside of records a practice maintains for its own patients under its policies and applicable law.

Changes

If we change this policy in a way that matters, we will update the date above and give practices notice before the change takes effect. Continued use after that means the updated policy applies.

Contact

Atodoc LLC · Miami, FL
info@atodoc.com
(786) 384-5158