Harpy.
Experience IntelligencePrivacy

Legal

Privacy Policy

This draft describes the categories of information Harpy collects, the service providers involved, and the boundaries around feedback links, AI, public listing data, and future PHI-capable workflows.

Draft updated June 30, 2026 · Not final until counsel-approved

Counsel review draft. This page is a practical starting point for legal review, not legal advice. Counsel should compare it against Harpy’s actual launch posture, contracts, vendors, and state-law obligations before it is treated as final.

1. Who we are

Provider CARE Consulting LLC, doing business as Harpy (“Harpy,” “we,” “us,” or “our”), provides patient-experience and practice intelligence tools for independent healthcare, dental, and allied-health practices.

This Privacy Policy describes how we collect, use, disclose, and protect information when people visit our websites, join our waitlist, create or use a Harpy account, contact us, connect a third-party service, or use a feedback link connected to a practice.

2. Scope and practice responsibility

This Policy covers information about practice owners, administrators, team members, website visitors, waitlist contacts, support contacts, and people who submit feedback through Harpy links. A practice may have its own privacy obligations to patients, staff, and visitors.

When Harpy processes information for a practice, the practice generally remains responsible for its relationship with the people whose information it asks Harpy to process. Harpy supports those obligations as described in our agreements, this Policy, and applicable law.

3. Information you provide directly

We collect information people provide directly to us, including account details, name, work email, role, practice name, practice address, phone number, website, waitlist submissions, support messages, legal or security inquiries, and administrative contact details.

If paid subscriptions, pilots, or invoices are enabled, we or our payment and billing providers may process billing contact details, tax information, payment method tokens, transaction records, and invoice history. Harpy does not need full payment-card numbers to provide the Service.

4. Website, device, and analytics information

When people visit Harpy websites or use the Service, we collect technical information such as IP address, device and browser type, pages viewed, referring pages, approximate location inferred from network data, timestamps, event data, diagnostics, and other information needed to understand whether the website or Service is working.

Harpy currently uses Google Analytics and Vercel Web Analytics on the marketing website. Google Analytics may use cookies, tags, or similar technologies and may collect information directly from a visitor’s browser according to Google’s own privacy terms. Vercel Web Analytics provides aggregate website-usage and performance signals.

5. Authentication and OAuth information

Harpy uses authentication providers to create accounts, manage sessions, and enforce practice-user roles. If a practice user signs in with Google or Microsoft, that provider may process the sign-in request, device information, account identifiers, profile information, email address, and consent screen interactions under its own terms and privacy notices.

Harpy may receive and store provider identifiers, email address, display name, avatar URL, organization membership, role information, OAuth scopes, authorization metadata, and tokens or token references needed to maintain a connected account. We use that information to authenticate the user, maintain the connection, secure access, and provide the requested integration.

6. Google Maps, Places, and Business Profile data

Harpy may use Google Maps Platform, Places, or Google Business Profile-related services to help a practice find or verify its business listing, understand public reputation signals, or connect an authorized business profile. Those workflows may involve Google receiving search queries, map or place interactions, IP address, device information, location-derived signals, and other information described in Google’s privacy terms.

Depending on the feature enabled and the practice’s permissions, Harpy may process public or connected business information such as place IDs, business names, addresses, phone numbers, websites, categories, hours, photos, ratings, review counts, public review text, reviewer display names, owner responses, account IDs, profile IDs, authorization status, and related platform metadata.

Public listing and review data can still be sensitive in context. Harpy treats it as practice and reputation data, not as permission to disclose protected health information or to use review content in a way that violates platform rules, professional duties, or applicable law.

7. Feedback-link data and data minimization

Harpy is designed to collect less data where less data is enough. The current Starter feedback flow does not ask patients for a name, email, phone number, login, appointment time, or free-text narrative. Feedback links use opaque tokens and structured selections rather than direct patient identifiers.

We may collect the structured selections submitted through the feedback link, the token or link context needed to route the feedback to the correct practice, timestamps, device and browser diagnostics, abuse-prevention signals, and limited operational logs. We do not sell patient feedback, use it to build advertising profiles, or use it to decide who is invited to leave a public review.

8. Protected health information

Harpy does not currently ask for direct patient identifiers in the Starter feedback flow. Features that process protected health information (“PHI”) may be activated only under a plan and agreement that supports that use, including a Business Associate Agreement where required.

Unless your plan and agreement expressly permit PHI, you should not submit PHI to Harpy. If a Business Associate Agreement applies and conflicts with this Policy, the Business Associate Agreement controls for PHI.

9. AI processing

Harpy may use AI providers to support features such as classification, summarization, coaching, or drafting. Before a Zero Data Retention path is approved and enabled for sensitive workflows, Harpy limits AI inputs to non-PHI use cases and treats store=false as the required implementation standard for eligible OpenAI API calls where supported.

That setting is a no-store minimization control. It is not the same thing as contracted Zero Data Retention, and we do not describe it as one.

10. How we use information

We use information to provide, maintain, secure, and improve Harpy; create and administer accounts; authenticate users; configure practice settings; process billing; support users; send service, legal, and security notices; analyze aggregate usage; debug and prevent abuse; comply with law; and enforce agreements.

We may use aggregated or de-identified information to understand product quality, website performance, and practice-level trends, provided that this information does not identify a specific person or practice unless permitted by our agreement with that practice.

11. How we disclose information

We disclose information to service providers that help us operate Harpy, including hosting, database, authentication, analytics, payment, uptime monitoring, support, email, maps, business-profile, reputation, and AI infrastructure providers. These providers may process information only to provide services to Harpy or as otherwise permitted by law and contract.

We may also disclose information when required by law, to protect the security or integrity of the Service, to prevent fraud or abuse, in connection with a business transaction, or with your direction or consent. We do not sell personal information or share it for cross-context behavioral advertising.

12. Cookies, tags, and third-party choices

Harpy websites may use cookies, scripts, tags, local storage, or similar technologies for analytics, security, session management, preference storage, and performance measurement. You can control cookies through your browser settings, though disabling some technologies may affect website or Service functionality.

Google and Microsoft may offer their own account, advertising, and privacy controls. Those controls apply to the information they process as independent providers, including Google Analytics, Google Maps Platform, Google sign-in, Google Business Profile, and Microsoft sign-in interactions.

13. Retention

We retain information for as long as reasonably needed to provide and secure the Service, comply with legal obligations, resolve disputes, enforce agreements, maintain security and audit records, and support ordinary business operations. Where a separate agreement specifies retention or deletion obligations, that agreement controls for the covered information.

This Policy does not claim that event-level TTL deletion, rollups, dissolve behavior, durable co-occurrence matrices, or snapshot substitution are live controls unless those controls are separately implemented and evidenced.

14. Security

We use administrative, technical, and organizational safeguards designed to protect information, including access controls, encrypted transport, least-privilege patterns, vendor review, operational monitoring, and separation between practice-user identity, patient feedback links, and public listing data where appropriate.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. We keep public security claims tied to implemented controls and available evidence.

15. Your choices and rights

Depending on your location, you may have rights to access, correct, delete, or port personal information, or to object to or restrict certain processing. Practice users can contact us using the details below. Requests about patient information connected to a practice should generally be directed to that practice first.

Practice users can also use the relevant Google or Microsoft account controls to manage connected-account permissions, subject to Harpy’s ability to continue providing the requested integration.

16. Children’s privacy

Harpy is intended for use by practices and their workforce and is not directed to children. We do not knowingly collect personal information directly from children through the Service.

17. International visitors

Harpy is operated from the United States. If you access the Service from outside the United States, information may be processed in the United States or other locations where Harpy and its service providers operate.

18. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will provide notice as required by law and update the “last updated” date above.

19. Contact

Questions about this Policy or your information can be sent to legal@harpy.rocks.