Legal
Privacy & HIPAA
Notice version 2026-05-01
I acknowledge that I have received and reviewed the Diadara Notice of Privacy Practices describing how my protected health information may be used and disclosed, and my rights with respect to that information, including the right to access and request deletion of my records.
We treat every byte of your health information as protected health information (PHI). It is encrypted at rest and in transit, access is role-restricted, and every access is recorded in an immutable audit log. We never place PHI in URLs and never use your health information to advertise to you.
Your rights
You may access your records and request deletion at any time from your patient portal. Deletion is handled via soft delete followed by a scheduled purge, consistent with our retention obligations.
Subprocessors
The following service providers may process PHI on our behalf under Business Associate Agreements that we require before any real patient data is processed:
- Neon — PostgreSQL database (PHI at rest)
- OpenAI — Sage conversations and embeddings
- Vercel — Application hosting
- Resend — Transactional email
- Stripe — Payments (card data handled by Stripe; PHI minimized)
- Vercel Blob / AWS S3 — Encrypted document storage (COAs, consent PDFs)
This notice is a structural draft pending review by a licensed healthcare attorney. BAAs must be executed with every subprocessor before any real patient data is processed.
