Privacy Policy

1. Introduction

Trustora Healthcare ("Trustora," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use the Trustora platform, including our web application, APIs, and related services.

Trustora is a HIPAA-compliant healthcare compliance platform. We adhere to the Health Insurance Portability and Accountability Act (HIPAA) and all applicable federal and state privacy regulations.

2. Information We Collect

Account Information: Name, email address, phone number, role, and agency affiliation provided during registration.

Authentication Data: Password hashes (never stored in plain text), OTP delivery preferences, session tokens, and device fingerprints.

Clinical Data: Protected Health Information (PHI) including client records, assessments, treatment plans, and progress notes entered by authorized staff.

Usage Data: Login timestamps, IP addresses, browser information, and audit trail events for security and compliance monitoring.

3. How We Use Your Information

We use collected information to: provide and maintain the Trustora platform; authenticate users and protect account security; deliver OTP verification codes; generate compliance reports and audit trails; send system notifications and alerts; and comply with legal and regulatory requirements.

4. HIPAA Compliance

Trustora operates as a Business Associate under HIPAA. All Protected Health Information is encrypted at rest (AES-256) and in transit (TLS 1.3). We maintain Business Associate Agreements (BAAs) with all covered entities. Access to PHI is controlled through role-based access controls (RBAC) and logged in immutable audit trails retained for 7 years.

5. Data Retention

Clinical records and audit logs are retained for a minimum of 7 years per HIPAA and Minnesota DHS requirements. Account data is retained for the duration of the agency's subscription plus 30 days. You may request account deletion at any time — see our Account Deletion page.

6. Data Security

We implement industry-standard security measures including: AES-256 encryption at rest; TLS 1.3 encryption in transit; AWS infrastructure with SOC 2, HIPAA, and HITRUST compliance; scrypt password hashing with per-user salts; multi-factor authentication (OTP); session management with idle timeout and concurrent session limits; and IP-based anomaly detection.

7. Your Rights

You have the right to: access your personal data; correct inaccurate information; request account deletion; receive a copy of your data; and opt out of non-essential communications. To exercise these rights, contact your agency administrator or email privacy@trustora.com.

8. Contact

For privacy inquiries: privacy@trustora.com

Trustora Healthcare, Minneapolis, MN