1. Introduction
This Privacy Policy describes how TripFlow, Inc. ("we," "us," or "our") collects, uses, and discloses information through our SaaS platform and mobile application. We operate as a service provider to Non-Emergency Medical Transportation (NEMT) companies ("Customers") and as a Business Associate under HIPAA regulations.
2. Information We Collect
- Account Data: We collect names, email addresses, and phone numbers provided by your employer to create and manage your account.
- Location Data: We collect precise real-time and background geographic location data. This tracking is active only while the User is marked "On Duty" within the Application to verify NEMT trip compliance.
- Protected Health Information (PHI): We process passenger names and pickup/drop-off locations solely to facilitate medical transportation at the direction of our Customers.
- Device Information: We collect device IDs, IP addresses, and operating system versions to maintain security audit logs and troubleshoot technical issues.
3. How We Use Information
- Service Delivery: To facilitate routing, dispatching, and trip logging for NEMT providers.
- Compliance and Billing: To provide the "at-scene" and "drop-off" timestamps required by transportation brokers and healthcare payers.
- Platform Improvement: We may use de-identified, aggregated data to analyze and improve our routing algorithms and system performance.
- Security: To monitor for unauthorized access and maintain a HIPAA-compliant audit trail.
4. Data Sharing and Disclosure
- With Your Employer: All driver location and trip activity recorded during "On Duty" sessions is shared directly with the NEMT provider managing your account.
- Service Providers: We share data with trusted vendors who assist in our operations, specifically Amazon Web Services (AWS) for secure cloud hosting, Stripe for payment processing, and Telnyx for automated voice and SMS notifications.
- Brokers: Trip data is exchanged with third-party brokers (e.g., ModivCare, MTM, EcoLane, TransLink) via file import/export or API integration as authorized by your employer.
- No Sale of Data: We do not sell personal data or PHI to third parties for marketing or any other purposes.
5. Data Security
We implement industry-standard security measures to protect your information, including AES-256 encryption for data at rest and TLS encryption for data in transit. Access is restricted to authorized personnel based on the principle of least privilege.
6. Your Rights and Data Retention
- Purge Policy: We retain data for the duration of the Customer's subscription plus 30 days, after which all personal data and location logs are purged from our active systems.
- Deletion Requests: Users may request the deletion of their personal data by contacting support@tripflow.com. Note that HIPAA-regulated trip logs may be retained as required by law.
- State Privacy Rights: We comply with applicable state privacy laws, including the California Consumer Privacy Act (CCPA) and the Minnesota Consumer Data Privacy Act (MCDPA). Residents may have specific rights regarding data portability, access, and deletion.
7. Miscellaneous Disclosures
- Children's Data: We do not knowingly collect or solicit personal information from individuals under the age of 18.
- Cookies: Our web platform uses essential cookies and tracking technologies solely to maintain user sessions and security.
- Breach Notification: In the event of a data breach involving PHI, we will notify affected Customers within 72 hours of discovery. TripFlow will coordinate with the Customer to ensure that affected individuals are notified in a reasonable timeframe as required by applicable state and federal laws.
8. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify users of material changes by posting the updated policy on our website and, where required, through the Application or via email.
