Privacy Policy

Last updated: March 24, 2026 · Effective: March 24, 2026

1. Who We Are

T.O.O.LS INC ("Org," the "Organization," "we," "us," or "our") operates CaseFlow Operations, a case management platform (the "Platform") developed by A MackProjekt. This Privacy Policy explains how we collect, use, store, and protect personal information and Protected Health Information (PHI) in connection with the Platform.

2. Information We Collect

Account Information

Name, email address, profile photo, and role — provided at sign-in via Google OAuth.

Program Data (PHI)

Case notes, demographics, housing status, employment status, insurance type, goals, and documents you or your case manager submit through the Platform.

Usage & Audit Data

IP addresses, session timestamps, pages visited, actions taken, document access, and sign-in events — automatically collected for security and compliance.

Communications

Messages sent through the Platform's integrated messaging features are stored and may be reviewed by authorized staff and administrators.

3. How We Use Your Information

  • To provide case management services and program support.
  • To authenticate and authorize access to the Platform.
  • To maintain HIPAA compliance, audit trails, and security monitoring.
  • To generate anonymized aggregate analytics for program reporting.
  • To communicate with you about your account, program status, and access requests.
  • To comply with legal obligations and regulatory requirements.

4. HIPAA Compliance

The Organization is a covered entity and/or business associate under HIPAA. PHI collected on this Platform is handled in accordance with the HIPAA Privacy Rule (45 CFR Part 164, Subpart E) and the HIPAA Security Rule (45 CFR Part 164, Subparts A and C). We maintain a Business Associate Agreement (BAA) with all third-party services that process PHI on our behalf, including our cloud infrastructure providers.

5. Data Sharing & Disclosure

We do not sell your personal information. We may share data only as follows:

  • Within the Organization: Staff and supervisors access client data only as required for their authorized role.
  • Service Providers: Vercel (hosting), Convex (database), Vercel KV (session storage), Google (authentication/chat), Resend (email) — all under appropriate data processing agreements.
  • Legal Requirements: If required by law, court order, or government authority.
  • Emergency Situations: To prevent imminent harm to you or others.

6. Data Retention

We retain personal data and PHI for as long as necessary to fulfill the purposes for which it was collected, comply with legal and regulatory obligations, and resolve disputes. Program data is typically retained for a minimum of 6 years from the date of last service in accordance with HIPAA requirements.

7. Security

We implement administrative, technical, and physical safeguards to protect your information, including:

  • AES-256 encryption at rest and TLS 1.3 in transit.
  • Two-factor authentication enforced for all staff and admin accounts.
  • Role-based access controls limiting data access to authorized users.
  • Complete audit logging of all data access and modification events.
  • Regular security assessments and compliance reviews.

8. Your Rights

Depending on your location and applicable law, you may have the right to:

  • Access, correct, or request deletion of your personal information.
  • Request an accounting of disclosures of your PHI (under HIPAA).
  • Restrict how your information is used or shared in certain circumstances.
  • File a complaint with the U.S. Department of Health & Human Services Office for Civil Rights.

To exercise these rights, contact: privacy@sdtoolsinc.org

9. Children's Privacy

The Platform is not directed to individuals under 18. We do not knowingly collect personal information from minors without verified parental or guardian consent as required by applicable law.

10. Changes to This Policy

We may update this Privacy Policy periodically. We will notify authorized users of material changes via the Platform or email. Continued use after the effective date of any changes constitutes acceptance.

11. Contact Us

For privacy-related questions or to submit a request:
privacy@sdtoolsinc.org
T.O.O.LS INC · San Diego, California

© 2026 T.O.O.LS INC