Privacy Policy
This Privacy Policy describes how The Headache Vault, LLC (“The Headache Vault,” “we,” “us,” or “our”) collects, uses, and protects information when you use our website at headachevault.com and our clinical platform (collectively, the “Services”). We are committed to protecting your privacy and handling your information with care.
This policy covers non-PHI data collected through our website and platform. For information about how we handle Protected Health Information (PHI) as a HIPAA Business Associate, see our HIPAA Privacy & Security Statement at headachevault.com/hipaa.
1. Information We Collect
We collect two categories of information:
1a. Information you provide directly
When you create a provider account, we collect: name, email address, professional credentials, state of practice, and specialty. When you enroll as a patient (or are enrolled by a provider), we collect: name, email address, and contact information. When you contact us, we collect the contents of your message and your email address.
1b. Information collected automatically
We use Vercel Analytics to collect aggregated, non-identifiable information about how visitors use our website, including page views and navigation patterns. Vercel Analytics does not use cookies, does not collect personally identifiable information, and does not transmit data to third-party advertising networks. We also collect standard server logs (IP addresses, browser type, referring URLs) for security and operational purposes. These logs are retained for 30 days.
We do not use Google Analytics, Facebook Pixel, or any other third-party advertising or tracking technology.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and improve the Services
- Send transactional communications (account setup, enrollment invitations, check-in reminders)
- Respond to your questions and support requests
- Ensure the security and integrity of the platform
- Comply with legal obligations
We do not sell your personal information. We do not use your information for advertising purposes. We do not share your information with third parties except as described in this policy.
3. Protected Health Information
The Headache Vault is a HIPAA Business Associate. When our Services are used by healthcare providers (Covered Entities) to manage patient health information, that information constitutes Protected Health Information (PHI) under HIPAA. We handle PHI only under the terms of executed Business Associate Agreements with provider customers.
Patient health data — including check-in entries, medication records, disability scores, and clinical notes — is PHI and is governed by our HIPAA Privacy & Security Statement, not this Privacy Policy. See headachevault.com/hipaa for details.
4. Data Storage and Security
Provider and patient account data is stored in Supabase (PostgreSQL), hosted on AWS infrastructure with encryption at rest and in transit. Our platform is deployed on Vercel with TLS encryption for all connections. We implement role-based access controls, row-level security policies, and audit logging.
We have executed Business Associate Agreements with Anthropic (AI processing) and Vercel (hosting). Our Supabase BAA is pending execution.
No system is perfectly secure. If you believe your account has been compromised, contact us immediately at alex@headachevault.com.
5. Data Retention
Provider account data is retained for the duration of the account plus 90 days after account deletion, unless a longer retention period is required by law. Patient health data retention is governed by our HIPAA Privacy & Security Statement and applicable state law. Server logs are retained for 30 days. Aggregated analytics data (Vercel Analytics) is retained per Vercel's standard retention policy and contains no personally identifiable information.
6. Your Rights
Depending on your location, you may have rights regarding your personal information, including the right to access, correct, or delete your account data. To exercise these rights, contact us at alex@headachevault.com. Patient rights regarding PHI are described in our HIPAA Privacy & Security Statement.
California residents: Under the California Consumer Privacy Act (CCPA), you have the right to know what personal information we collect, request deletion of your personal information, and opt out of the sale of your personal information. We do not sell personal information.
7. Cookies
Our marketing website does not use cookies for analytics or tracking. Vercel Analytics operates without cookies. Our authenticated application uses session cookies strictly for authentication purposes (Supabase Auth). No third-party cookies are set on any page of our Services.
8. Children's Privacy
Our Services are not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us at alex@headachevault.com.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email. The “Last Updated” date at the top of this page reflects the most recent revision. Continued use of the Services after changes are posted constitutes acceptance of the updated policy.
10. Contact
The Headache Vault, LLC
Privacy inquiries: alex@headachevault.com
General: headachevault.com/about
This document is a draft pending attorney review. Not legal advice.