Last updated: April 9, 2026 · Effective: April 9, 2026
Privacy Policy
WellCub (“we,” “us,” or “our”) operates a secure pediatric patient portal designed with healthcare data protection in mind. This document describes our privacy practices and how we handle your information.
🚨 Not an Emergency Service
WellCub is not a substitute for emergency care. For medical emergencies, call 911 immediately.
1. Information We Collect
Account & Identity Information
- Full name, email address, phone number, preferred language
- Account credentials (passwords are hashed — we never store plaintext passwords)
- Consent records with timestamps (required by HIPAA)
Protected Health Information (PHI) — 45 CFR § 160.103
PHI is any information that can identify an individual and relates to their health condition, care, or payment:
- Child health data: Date of birth, gender, blood type, allergies, height, weight, head circumference, BMI, diagnoses, medications, treatment notes, vaccine records, growth measurements
- Appointment data: Visit type, provider, date/time, chief complaint, parent notes
- Messages: Content of secure messages between parents and care team
- Check-in records: Arrival time, copay status, insurance verification
- Between-visit check-ins: Post-visit symptom scores and follow-up responses
Technical & Operational Data
- IP address, browser type, and session data — used solely for security and HIPAA audit logging
- Audit logs of every PHI access event (required by the HIPAA Security Rule, 45 CFR § 164.312)
We do not use cookies for advertising or tracking. See our Cookie Policy for details.
2. How We Use Your Information
We use your information exclusively for the following purposes (Treatment, Payment, and Healthcare Operations as defined in 45 CFR § 164.501):
- Treatment: Scheduling appointments, enabling provider-parent communication, displaying health records and vaccine history
- Healthcare Operations: Appointment reminders, 48-hour check-in follow-ups, audit logging, platform reliability and security
- Legal Compliance: Maintaining records as required by HIPAA, HITECH, and Florida law
We do not use PHI for advertising, AI model training, sale to data brokers, or any purpose beyond direct care coordination.
3. Who Has Access to Your Data
Within the Practice
- Treating providers (physicians, nurses): full access to their patients' records
- Administrative staff (reception, billing): access to scheduling and check-in data; limited access to clinical notes as needed for care coordination
- Access is role-based and enforced at the database level (Row-Level Security)
Subprocessors
The application is currently operating in a beta / pilot phase. The landing page displays a beta banner instructing users not to enter real patient health information during this period. The following third-party services support the app:
- Supabase, Inc. — Database storage and authentication. A HIPAA Business Associate Agreement will be required with Supabase (Pro plan or higher) before the app processes real PHI.
- Vercel, Inc. — Application hosting and edge compute. A BAA will be required before the app processes real PHI.
- Resend, Inc. — Transactional email for appointment confirmations and reminders. A BAA with Resend is required before sending any message containing PHI.
- Twilio Inc. — SMS notifications (optional; providers may enable/disable). Twilio offers HIPAA-eligible messaging on their Programmable Messaging API with an executed BAA. Notification copy in the app deliberately excludes all PHI — texts read as "You have a new message, open the app to view."
No live data will be sent to any of these processors until the corresponding BAA is executed. Until then, the app is intended for internal testing only.
Required by Law
- Court orders, subpoenas, or lawfully authorized law enforcement requests
- Mandatory public health reporting (e.g., communicable disease notification to Florida DOH)
- Mandatory child abuse reporting to Florida DCF under F.S. § 39.201
- Imminent threat to health or safety (45 CFR § 164.512(j))
We never sell PHI. We never share PHI with advertisers or data brokers.
4. How We Protect Your Information
Technical Safeguards (45 CFR § 164.312)
- AES-256 encryption at rest; TLS 1.3 in transit
- Row-Level Security (RLS) on all database tables — each user can only access their own data
- Automatic session timeout after 15 minutes of inactivity (HIPAA Addressable Safeguard)
- Comprehensive audit logging of every PHI read, write, update, and delete event
- Unique user identification — no shared accounts permitted
- Multi-factor authentication available for provider and admin accounts
Administrative Safeguards (45 CFR § 164.308)
- Designated Privacy & Security Officer responsible for HIPAA compliance
- Role-based access controls — staff see only what their role requires
- Workforce training on HIPAA requirements
- Regular risk analysis and risk management per 45 CFR § 164.308(a)(1)
Physical Safeguards (45 CFR § 164.310)
- All data stored in SOC 2 Type II certified data centers (via Supabase/AWS)
- No PHI stored on local devices — all data is server-side
5. Your Rights Under HIPAA (45 CFR §§ 164.522–164.528)
As a parent or guardian of a minor patient, you have the following rights:
Right to Access (45 CFR § 164.524)
Request a copy of your child's health records within 30 days. We may charge a reasonable cost-based fee for copies. Contact: hello@wellcub.com
Right to Amend (45 CFR § 164.526)
Request corrections to inaccurate or incomplete records. We will respond within 60 days. We may deny requests if the record is accurate, complete, or not created by us.
Right to an Accounting of Disclosures (45 CFR § 164.528)
Request a list of disclosures of your child's PHI made in the past 6 years, excluding disclosures for treatment, payment, and healthcare operations. Contact: hello@wellcub.com
Right to Request Restrictions (45 CFR § 164.522(a))
Request restrictions on how we use or disclose your child's PHI. We are required to accommodate requests to restrict disclosure to health plans when you pay out-of-pocket in full.
Right to Confidential Communications (45 CFR § 164.522(b))
Request that we communicate with you only by email, phone, or at a specific address. We will accommodate all reasonable requests.
Right to a Paper Copy of This Notice
Request a printed copy at any time by emailing hello@wellcub.com.
6. HITECH Act Protections
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 strengthened HIPAA enforcement and extended requirements to business associates. Under HITECH:
- Business associates are directly liable for HIPAA violations (not just covered entities)
- Civil penalties range from $137 to $2,067,813 per violation category per year (2024 adjusted)
- Criminal penalties apply for intentional misuse of PHI
- You have the right to receive a copy of your records electronically if they are maintained electronically
- We must notify you of any breach of unsecured PHI within 60 days of discovery (see Section 7)
7. Breach Notification (45 CFR §§ 164.400–414)
In the event of a breach of unsecured PHI, we will:
- Notify affected individuals within 60 days of discovering the breach
- Notify the U.S. Department of Health & Human Services (HHS) within 60 days
- For breaches affecting 500+ individuals in Florida: notify prominent media outlets within 60 days
- For breaches affecting fewer than 500 individuals: report to HHS annually
Florida's Identity Protection Act (F.S. § 501.171) requires breach notification within 30 days for breaches of Florida residents' personal information. We comply with the stricter state requirement.
Notification will include: what happened, what information was involved, what we are doing, what you can do, and our contact information.
8. Data Retention
Per the Florida Medical Records Act (F.S. § 456.057):
- Medical records: 7 years from the date of the last entry
- Minor patient records: retained until the child turns 18, plus 7 years (until age 25, whichever is later)
- HIPAA-required audit logs: 6 years from creation or last effective date
Non-medical account data is deleted within 90 days of account closure, unless retention is required by law.
9. Florida-Specific Disclosures
- Medical record copies (F.S. § 395.3025): You may request copies within 30 days; we may charge up to $1/page for paper copies.
- Minor records: Florida law (F.S. § 456.057(7)) grants certain minors (12+) confidential access to records related to substance abuse, STDs, mental health, and reproductive health without parental consent.
- Data breach notification (F.S. § 501.171): We will notify Florida residents of breaches within 30 days — stricter than the federal 60-day requirement.
- Florida Digital Bill of Rights (SB 262): Florida residents have additional rights regarding their personal data. We honor opt-out requests for profiling and targeted advertising (though we conduct neither).
10. Business Associate Agreements
Covered entities (medical practices) using WellCub must execute a Business Associate Agreement (BAA) with WellCub, Inc. before onboarding. WellCub serves as a Business Associate under HIPAA (45 CFR § 160.103) and is directly liable for safeguarding PHI. To request a BAA, email hello@wellcub.com.
11. How to File a HIPAA Complaint
If you believe your privacy rights have been violated, you may file a complaint with:
- WellCub Privacy Officer: hello@wellcub.com
We will acknowledge receipt within 5 business days and respond within 30 days. You will not face retaliation for filing a complaint.
- U.S. Department of Health & Human Services, Office for Civil Rights:
Online: hhs.gov/hipaa/filing-a-complaint
Phone: 1-800-368-1019 · TDD: 1-800-537-7697
Complaints must be filed within 180 days of the alleged violation.
- Florida Agency for Health Care Administration (AHCA):
For Florida-specific complaints about covered entities.
Phone: 1-888-419-3456 · ahca.myflorida.com
12. Changes to This Notice
We reserve the right to change this Notice at any time. We will post the revised Notice with a new effective date. If material changes are made, we will notify affected users by email at least 30 days in advance and require re-consent for material changes. The most current version is always available at wellcub.com/privacy.
13. Contact Our Privacy Officer
Privacy Officer · WellCub, Inc.
Email: hello@wellcub.com
For urgent HIPAA compliance matters, include “URGENT HIPAA” in the subject line.
State of incorporation: Florida, United States