← Back to Home

Privacy Policy

Last Updated: February 20, 2025

This Privacy Policy explains how Tailwind, LLC ("we," "us," or "our") collects, uses, and protects your information when you use ShiftWhisper.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Email address (for authentication and communication)
• Password (encrypted and stored by Firebase Authentication)
• Name (optional, for personalization)
• User ID (generated automatically by Firebase)

If you sign up via Google Sign-In, we receive your name, email, and profile picture from Google.

1.2 Patient Data (NOT Stored in Cloud)

Important: All patient data you enter — voice notes, transcriptions, patient identifiers (room numbers, initials), and handoff reports — is stored locally on your device only using browser localStorage.

Patient data is:

• Never stored on our servers except during temporary processing (see Section 2)
• Automatically deleted when you end your shift
• Not backed up to the cloud
• Not accessible to us or other users

1.3 Usage Data

We collect anonymized usage data to improve the Service:

• Device type and operating system
• Browser type and version
• IP address (for security and analytics)
• Pages visited and features used
• Error logs and crash reports

This data does not include patient information or clinical content.

1.4 Payment Information

Payment processing is handled by third-party payment processors (e.g., Stripe). We do not store your credit card numbers or payment details. We receive only:

• Payment confirmation status
• Subscription plan and billing cycle
• Last four digits of your card (for display purposes)

2. How We Use Your Information

2.1 Account Information

We use your account information to:

• Authenticate your identity and provide access to the Service
• Send important updates about your account or the Service
• Provide customer support
• Process payments and manage subscriptions
• Detect and prevent fraud or abuse

2.2 Patient Data Processing (Temporary)

When you use voice capture or generate handoff reports, your data is processed momentarily through HIPAA-compliant infrastructure:

• Voice Transcription: Audio recordings are sent to Google Cloud AI (Gemini Flash) for transcription. Audio is processed in real-time and not stored.
• Handoff Generation: Transcribed notes are sent to AWS Bedrock (Claude Sonnet) for AI-powered handoff generation. AWS Bedrock operates under a signed Business Associate Agreement (BAA) for HIPAA compliance. Data is processed and not stored.
• QR Handoff Transfer: When you generate a QR code to transfer a handoff to another nurse, the handoff data is temporarily stored in server RAM for a maximum of 5 minutes, then automatically deleted. Data is never written to disk.

All communication is encrypted using SSL/HTTPS.

2.3 Usage Data

We use anonymized usage data to:

• Monitor and improve Service performance
• Understand how users interact with the Service
• Identify and fix bugs
• Develop new features

3. Data Sharing and Disclosure

3.1 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

3.2 Service Providers

We share data with trusted third-party service providers who assist us in operating the Service:

• Firebase (Google): Authentication and user management
• Google Cloud AI: Voice transcription (Gemini Flash)
• AWS Bedrock: AI handoff generation (Claude Sonnet) — HIPAA BAA signed
• Payment processors (e.g., Stripe): Payment processing
• Hosting providers: Server infrastructure

These providers are contractually obligated to protect your data and use it only for the purposes we specify.

3.3 Legal Requirements

We may disclose your information if required by law or in response to:

• Subpoenas, court orders, or legal processes
• Requests from government authorities
• Protection of our rights, property, or safety
• Prevention of fraud or security threats

3.4 Business Transfers

If Tailwind, LLC is acquired, merged, or sells assets, your information may be transferred to the new owner. We will notify you before your information is transferred and becomes subject to a different privacy policy.

4. HIPAA Compliance

4.1 Our Commitment

ShiftWhisper is designed to support HIPAA-compliant workflows. We have implemented safeguards to protect patient data:

• No PHI storage: Patient data is never stored on our servers
• Encrypted transmission: All data is transmitted over SSL/HTTPS
• HIPAA-compliant partners: AWS Bedrock operates under a signed BAA
• Automatic deletion: All data auto-deletes after shift completion
• Access controls: Only you can access your patient data on your device

4.2 Your Responsibility

You are solely responsible for ensuring compliance with HIPAA and other privacy regulations. This includes:

• Not entering full patient names, MRNs, or other identifiable information
• Using room numbers and initials only (e.g., "Room 202, JM")
• Securing your device and account credentials
• Ensuring your organization has appropriate BAAs in place if required

5. Data Security

We implement industry-standard security measures to protect your data:

• Encryption in transit: All data is transmitted over SSL/HTTPS
• Encryption at rest: Account data is encrypted in Firebase
• Access controls: Restricted access to production systems
• Regular security audits: Ongoing monitoring and testing
• Automatic session timeouts: Sessions expire after inactivity

No system is 100% secure. While we take reasonable precautions, we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential.

6. Data Retention

6.1 Patient Data

Patient data stored locally on your device is automatically deleted when you end your shift. You can also manually clear data at any time by ending your shift or clearing browser storage.

6.2 Account Data

We retain your account information (email, name, subscription details) for as long as your account is active. If you delete your account, we will delete your account data within 30 days, except where we are required to retain it for legal or regulatory purposes.

6.3 Usage Data

Anonymized usage data may be retained indefinitely for analytics and improvement purposes.

7. Your Rights

7.1 Access and Correction

You can access and update your account information at any time through your account settings.

7.2 Data Deletion

You can delete your account and all associated data by contacting us at privacy@shiftwhisper.com. Patient data is automatically deleted after every shift.

7.3 Opt-Out

You can opt out of non-essential emails by clicking "unsubscribe" in any email we send. You cannot opt out of essential account-related communications (e.g., password resets, billing notices).

7.4 California Residents

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information we collect
• Right to request deletion of your personal information
• Right to opt out of the sale of personal information (we do not sell data)
• Right to non-discrimination for exercising your privacy rights

To exercise these rights, contact us at privacy@shiftwhisper.com.

8. Cookies and Tracking

We use cookies and similar tracking technologies to:

• Keep you logged in
• Remember your preferences
• Analyze usage patterns (via Google Analytics or similar tools)

You can disable cookies in your browser settings, but some features of the Service may not function properly.

9. Children's Privacy

ShiftWhisper is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we discover that we have collected data from a child, we will delete it immediately.

10. International Users

ShiftWhisper is operated in the United States. If you access the Service from outside the U.S., your data may be transferred to and processed in the U.S., which may have different data protection laws than your country. By using the Service, you consent to this transfer.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service. The "Last Updated" date at the top of this page will reflect the most recent changes. Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your data, please contact us:

Tailwind, LLC
Email: privacy@shiftwhisper.com
Website: shiftwhisper.com

13. Summary