Privacy Policy
Version 2026-06-02-v1 · Last updated: June 2, 2026
Simplest Healthcare Inc. ("CoralEHR," "we," "us," or "our") operates the CoralEHR website at coralehr.com, the CoralEHR electronic health record application (the "EHR App"), and the CoralEHR patient portal (the "Patient Portal"). This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have. It is the canonical privacy notice for all three surfaces.
1 Scope & How To Read This
CoralEHR serves three distinct audiences. Different sections of this policy apply to each:
A note on Protected Health Information (PHI)
Protected Health Information that clinicians or patients enter into the EHR App or Patient Portal is governed by our Business Associate Agreement with the healthcare practice and by that practice's Notice of Privacy Practices, not by this Privacy Policy alone. This Privacy Policy covers account data, usage data, and the integrations described below.
2 Marketing Website (coralehr.com)
Information You Provide
- Mailing List: If you subscribe to our newsletter, we collect your email address and optionally your name.
- Demo Requests: If you schedule a demo through our Calendly integration, that information is collected and processed by Calendly under their privacy policy.
- Contact Submissions: If you email us or use a contact form, we receive the content and metadata of that message.
Automatic Collection
- Analytics: Google Analytics and PostHog collect aggregate, pseudonymized usage data — pages viewed, time on page, device and browser, country-level location.
- Section & Feature Engagement: Which sections of our pages you view and which interactive elements you click, to improve our content.
- Tool & Assessment Usage: When you use our free tools (HIPAA Checklist, Ideal Client Profile, NPP Builder) or clinical assessments (PHQ-9, GAD-7, ASRS, CY-BOCS, Mini-Cog), we record that you started and completed them. We never see your inputs, answers, or results — all of that is processed in your browser and never leaves your device.
- Local Storage: Browser local storage holds preferences (cookie consent, dismissed popups) and never leaves your device.
Clinical Assessment Data — 100% in Your Browser
- ✓ All assessment processing happens entirely in your browser.
- ✓ Your responses are never transmitted to our servers.
- ✓ PDF results are generated locally on your device.
- ✓ When you close the page, your responses are automatically cleared.
On the marketing website only, we do not collect Protected Health Information, payment information, government IDs, or precise location data. The sections that follow describe what we do collect inside the EHR App and Patient Portal.
3 EHR App for Clinicians
This section covers data we collect when a licensed healthcare professional uses the CoralEHR EHR App. PHI entered into the EHR App about patients is governed by our Business Associate Agreement with the practice — see the note at the top of this page.
3.1 Account & Authentication Data
- Name, email, NPI (if provided), credentials, practice affiliation
- AWS Cognito-managed credentials and MFA factors
- Session tokens (encrypted, session-scoped, cleared on logout)
3.2 Usage & Audit Data
- Login events, IP address, user agent
- Access logs for PHI (which records were viewed, by whom, when) — required under 45 CFR § 164.312(b)
- Feature usage telemetry (which pages clinicians visit; never the contents of clinical notes). This telemetry is forwarded to PostHog using a pseudonymous, one-way-hashed clinician identifier — no name, email, or other directly identifying information is sent. See §8 for PostHog's role as a subprocessor.
3.3 Billing & Payment Data
Subscription billing is processed by Stripe, Inc. Card data is collected and stored exclusively by Stripe under PCI-DSS — it never touches CoralEHR servers. We receive only a Stripe customer ID, a subscription status, and de-identified transaction metadata. No PHI is shared with Stripe.
3.4 Support & Communications
When you contact our support team, we collect the content and metadata of your message. If your message contains PHI, we handle it under the BAA terms and the safeguards described in §9.
3.5 Integrations
The EHR App optionally connects to third-party services on the clinician's behalf. Two of those integrations have dedicated sections because of how the data is regulated:
4 Patient Portal
The Patient Portal is software you use directly. We are the operator of that software. When you use the Patient Portal, this Privacy Policy applies to you. Your clinical record itself — diagnoses, notes, assessments — is also governed by your treating practice's Notice of Privacy Practices and by HIPAA. This section explains what data the Patient Portal software collects and how we handle it.
4.1 What We Collect
- Account information you provide when you accept your practice's invitation (name, email, phone, date of birth, address)
- Login credentials and authentication factors (managed by AWS Cognito)
- Messages you send to your clinician through the portal
- Documents you upload (consent forms, intake responses, photos of insurance cards, etc.)
- Payment method tokens (held by Stripe, never by CoralEHR)
- Portal usage logs (login times, pages visited, IP address, device type)
4.2 How We Use It
- To operate the Patient Portal and surface your clinical record from your practice
- To route messages and documents between you and your clinician
- To process payments you make to your practice (via Stripe)
- To maintain access logs required under HIPAA and other applicable laws
- To respond to support requests you send us directly
4.3 What We Do Not Do
- We do not sell your information.
- We do not use Patient Portal data to train AI models for any other customer or purpose.
- We do not target you with advertising or share data with ad networks.
- We do not contact you for marketing purposes without your explicit consent.
If you have a mental health emergency
The Patient Portal is not for emergencies. If you are in crisis, call or text 988 (Suicide & Crisis Lifeline) or go to your nearest emergency room.
5 Google API Services User Data
When a clinician connects their Google Calendar to the EHR App, CoralEHR accesses, uses, and stores certain Google user data. This section comprehensively discloses how that data is handled, in accordance with the Google API Services User Data Policy, including the Limited Use requirements.
5.1 Limited Use Compliance
CoralEHR's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
5.2 Scopes We Request
CoralEHR requests the Google OAuth scopes required to operate the calendar sync feature:
| Scope | Why We Need It |
|---|---|
| https://www.googleapis.com/auth/calendar Google's description: "See, edit, share and permanently delete all the calendars you can access using Google Calendar." | CoralEHR uses this scope for clinician-controlled two-way Google Calendar sync. After a clinician connects Google Calendar, CoralEHR lists accessible calendars so the clinician can select which calendars to sync. It reads selected calendar events and imports them into CoralEHR as blocked availability to prevent scheduling conflicts. CoralEHR also creates, updates, and deletes Google Calendar events that correspond to CoralEHR appointments or custom blocked-time events when those sync settings are enabled. When an EHR appointment is rescheduled, canceled, or deleted, CoralEHR updates or deletes only the mapped Google event. More limited scopes are not sufficient because the integration requires calendar event read, watch, create, update, and delete operations. |
| https://www.googleapis.com/auth/userinfo.email | Identify which Google account was connected so we can attribute synced events to the correct clinician. |
We do not request Gmail access, Drive access, Contacts access, or any other Google API scope. Although the calendar scope grants broad capabilities by design, CoralEHR's actual use of that access is strictly limited to the clinician-controlled appointment-sync purpose described above and to the Limited Use requirements in §5.1.
5.3 What Google User Data We Access
- The list of the clinician's calendars (calendar IDs, names, time zones, and access roles), used so the clinician can select which calendars to sync
- Events on the calendars the clinician has chosen to sync — start and end times, titles, locations, attendee email addresses, descriptions, recurrence rules, and free/busy status
- The clinician's primary email address (from userinfo.email)
- OAuth refresh and access tokens (held only to maintain the sync)
5.4 How We Use Google User Data
Google user data is used solely to operate the clinician-controlled calendar sync feature:
- List the clinician's calendars so the clinician can select which calendars to sync (no calendars are synced by default)
- Read events from the selected calendars and import them into CoralEHR as blocked availability so the clinician avoids double-booking
- Create, update, and delete Google Calendar events that correspond to CoralEHR appointments or custom blocked-time entries, when the clinician has enabled write-back sync
- When a CoralEHR appointment is rescheduled, canceled, or deleted, update or delete only the mapped Google event — never any unrelated events
- Mark CoralEHR-managed Google events with a stable identifier so subsequent updates are reconciled correctly
Safe Mode (default for new practices)
When the clinician enables Safe Mode, CoralEHR writes only generic event titles (for example, "CoralEHR appointment") to Google Calendar, with no patient name, no diagnosis, and no other potentially identifying clinical detail. Safe Mode is the recommended default and can be toggled inside the EHR App at Settings → Integrations → Google Calendar.
5.5 How We Store Google User Data
- All storage is in AWS infrastructure in the US-East-2 (Ohio) region, encrypted at rest with AES-256 and in transit with TLS 1.2+.
- OAuth tokens are encrypted and stored in AWS Secrets Manager or DynamoDB with per-tenant encryption keys.
- Calendar event metadata is cached only as needed to render the schedule and to reconcile changes. We do not retain a long-term mirror of the clinician's calendar.
5.6 How We Share Google User Data
We do not share Google user data with any third party other than the cloud infrastructure subprocessor (AWS) that operates the underlying storage and compute. Specifically:
- We do not transfer Google user data to other apps or services.
- We do not sell Google user data.
- We do not use Google user data for advertising or to serve ads.
- We do not use Google user data to train, develop, or improve generalized AI or machine learning models.
- Humans do not read Google user data, except (a) with the user's affirmative agreement to debug a specific support issue, (b) where required by law, or (c) for security purposes, such as investigating abuse.
5.7 Retention & Deletion
- When a clinician disconnects Google Calendar from inside the EHR App, we revoke our OAuth tokens with Google and delete cached Google user data within seven (7) days.
- When a clinician's account is deactivated, all associated Google user data is deleted within thirty (30) days.
- Backups containing residual Google user data follow standard rolling expiry and are not retained beyond ninety (90) days.
5.8 How To Disconnect
- Inside the EHR App, go to Settings → Integrations → Google Calendar and click Disconnect.
- You can also revoke CoralEHR's access at myaccount.google.com/permissions.
- Either action triggers token revocation and deletion of cached Google user data on our side within the timeframes in §5.7.
6 AI-Assisted Features
CoralEHR offers optional AI-assisted features (such as note drafting, summarization, and clinical decision support). These features are disabled by default and are enabled only at the explicit direction of the practice.
6.1 Subprocessor
AI features are powered by Anthropic, PBC. Before any AI feature processes PHI for a given practice, we have an executed Business Associate Agreement with Anthropic for that workload, and the workload is configured with Zero Data Retention so that prompts and responses are not retained by Anthropic after the immediate request is fulfilled.
6.2 What We Send
- Only the clinical context required for the requested feature is sent (for example, a session transcript or a note draft).
- Where the feature permits, identifying details are minimized or replaced with stable identifiers before transmission.
- Patient Portal content is not sent to AI subprocessors unless a clinician initiates a feature on their patient record and the practice has enabled it.
6.3 What We Do Not Do
- We do not use your data to train Anthropic's or any other vendor's general-purpose models.
- We do not aggregate PHI across practices for any model improvement.
- We do not allow AI output to take clinical action automatically — a clinician reviews and approves every AI-generated artifact before it is incorporated into the record.
8 Data Sharing & Subprocessors
We do not sell, rent, or trade personal information. We share information only with subprocessors who help us operate the service, and only as required to deliver it. The canonical, version-controlled subprocessor list lives in our Business Associate Agreement §3.7. A summary as of the date of this policy:
| Subprocessor | Purpose | PHI? |
|---|---|---|
| Amazon Web Services | Hosting, storage, compute (HealthLake, Lambda, API Gateway, Cognito, DynamoDB, S3, SES) | Yes (under AWS BAA) |
| Google LLC | Google Calendar sync (clinician-initiated only) | No (calendar metadata only) |
| Stripe, Inc. | Payment processing | No (de-identified IDs only) |
| Anthropic, PBC | AI-assisted clinical features (opt-in per practice) | Configurable; BAA + ZDR required before enablement |
| Google Analytics & Google Ads | Marketing website analytics and ad conversion measurement (consent-gated) | No (marketing site only) |
| PostHog | Marketing website analytics (consent-gated) and EHR App de-identified feature usage telemetry (pseudonymous hashed identifier; no patient data) | No |
| Calendly | Demo scheduling on the marketing website | No |
We may also disclose information:
- When required by law, court order, or government regulation
- To enforce our agreements or protect rights, safety, and property
- In connection with a merger, acquisition, or sale of assets, subject to continuation of the protections in this policy
9 Security & Retention
9.1 Security Safeguards
- AES-256 encryption at rest, TLS 1.2+ in transit
- AWS Cognito-managed authentication with mandatory multi-factor authentication for clinician accounts
- Role-based access control and per-tenant data isolation
- Audit logging of ePHI access per 45 CFR § 164.312(b)
- HIPAA-eligible AWS services with an active AWS BAA
9.2 Retention
- Marketing mailing list: Retained until you unsubscribe or request deletion.
- Website analytics: Retained per Google Analytics defaults (typically 14 months).
- EHR clinician account data: Retained for the duration of the subscription and for a limited wind-down period after termination, per the BAA.
- Audit logs: Retained for at least six (6) years from the date of creation or last effective date, per HIPAA.
- Google Calendar data: See §5.7.
- Patient Portal account data: Retained while the practice maintains your account; deleted on practice instruction.
- Clinical assessment responses (marketing website): Not collected; nothing to retain.
10 Your Rights
The rights below apply to information CoralEHR holds directly. For Protected Health Information held in the EHR on behalf of a practice, exercise rights through your treating practice (which is the HIPAA Covered Entity), and we will support the practice's response.
- Access: Request a copy of the personal information we hold about you.
- Correction: Request that inaccurate or outdated information be corrected.
- Deletion: Request that we delete your information, subject to legal and HIPAA retention obligations.
- Portability: Receive a copy of your information in a portable, commonly used format.
- Unsubscribe: Click the unsubscribe link in any marketing email.
- Withdraw Consent: Where processing is based on consent (such as opt-in AI features or analytics cookies), withdraw it at any time.
- Complaint: Lodge a complaint with the U.S. Department of Health and Human Services Office for Civil Rights or your state attorney general.
To exercise any of these rights, email support@coralehr.com. We respond within thirty (30) days, or sooner where required by applicable law.
11 California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA") gives you the following rights:
- Right to Know what personal information we collect, use, disclose, and sell or share.
- Right to Delete personal information we hold, subject to permitted exceptions.
- Right to Correct inaccurate personal information.
- Right to Opt Out of Sale or Sharing of personal information. We do not sell or share your personal information for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information. Health information is sensitive personal information; we use it only for the purposes described in this policy and not for advertising or profiling.
- Right to Non-Discrimination for exercising any of these rights.
Categories of personal information collected in the last 12 months: identifiers (name, email, login), commercial information (subscription status), internet activity (usage logs, IP address), professional information (credentials, practice affiliation), and inferences drawn from product usage. For the EHR App and Patient Portal, we also handle sensitive personal information as defined under CPRA (health and account credentials).
To exercise these rights, email support@coralehr.com. We verify the request before responding and do not require you to create an account to submit one.
12 Washington My Health My Data Act
Washington State's My Health My Data Act ("MHMDA") applies to "consumer health data" of Washington residents, even when collected by entities outside Washington. Where MHMDA applies to your data and is not preempted by HIPAA, you have the following rights:
- Right to Confirm whether we collect, share, or sell your consumer health data and to access that data.
- Right to Withdraw Consent for collection and sharing of consumer health data.
- Right to Deletion of consumer health data we hold.
- Right to Appeal a denial of any of the above requests.
We do not sell consumer health data. "Selling" under MHMDA means the exchange of consumer health data for monetary or other valuable consideration. We do not engage in such exchanges.
Geofencing prohibition. CoralEHR does not implement a geofence around any in-person healthcare facility for the purpose of identifying, tracking, or sending advertisements to consumers based on their consumer health data.
HIPAA interaction. Most data in the EHR App and Patient Portal that relates to a clinical encounter is Protected Health Information governed by HIPAA. MHMDA exempts HIPAA-covered information from its consumer-health-data definition. Consumer health data not covered by HIPAA (for example, marketing-website wellness-related interactions, if applicable) is treated under MHMDA.
To exercise MHMDA rights, email support@coralehr.com with "MHMDA request" in the subject line. We respond within forty-five (45) days.
13 Children's Privacy
- Marketing website: Not directed to children under 13. We do not knowingly collect information from children under 13 on the marketing website.
- Patient Portal: Minor patients may have a record at a practice. Access for minors is managed through the practice's consent and authorization workflow under HIPAA and applicable state law; a parent or guardian typically holds the portal credentials for a minor under 13.
- If you believe a child has provided information to us improperly, contact support@coralehr.com and we will delete it.
14 Changes to This Policy
We may update this Privacy Policy from time to time. We will update the "Version" and "Last updated" date at the top, and for material changes we will notify clinicians by email and prompt re-acknowledgment on next login. Continued use of the EHR App, Patient Portal, or marketing website after a change becomes effective constitutes acceptance.
Contact Us
For privacy questions, requests, or complaints:
Simplest Healthcare Inc.
2261 Market Street STE 85566
San Francisco, CA 94114
Email: support@coralehr.com