Privacy Policy
Version 2026-07-01 · How BedFlows handles your information
Bedflows, Inc ("BedFlows," "we," "us," or "our") operates the BedFlowsplatform for California Assisted Living Waiver (ALW) bed availability coordination. This Privacy Policy explains what information we collect, how we use it, and the choices available to you.
Draft notice: This policy should be reviewed by qualified legal counsel and your designated Privacy Officer before production use with real patient data.
1. Scope
This policy applies to information collected through the BedFlows web application, invite and account registration flows, and related support communications. It does not cover third-party websites or services you access independently (for example, a facility's own website).
2. Information we collect
Account and profile information
- Name, email address, role, and organization affiliation
- Authentication data (password hashes managed by our auth provider; we do not store plaintext passwords)
- Terms and HIPAA acceptance timestamps
Operational and facility data
- Facility and SNF profiles (name, location, contact details, care capabilities)
- Bed availability counts, notes, and update timestamps
- SNF discharge pipeline entries, which may include patient first and last names (PHI)
- Coordinator search activity metadata (filters used, not patient identifiers in search results)
Technical and security data
- IP address, browser type, device information, and session identifiers
- Audit logs of significant actions (who changed what, and when)
- Error and performance diagnostics needed to operate the Service
3. How we use information
We use collected information to:
- Provide, secure, and maintain the Service
- Enforce role-based access controls and HIPAA gates
- Display bed availability and pipeline data to authorized users
- Send transactional emails (invites, password resets, account notices)
- Investigate abuse, troubleshoot issues, and comply with legal obligations
- Improve reliability and usability (using aggregated or de-identified data where possible)
We do not sell personal information. We do not use patient names for advertising.
4. Protected health information (PHI)
BedFlows stores limited PHI (patient names in the SNF pipeline). PHI is visible only to authorized SNF staff and BedFlows administrators — not to care coordinators or unrelated facilities. Access is enforced at the database layer, not only in the user interface.
Facilities and SNFs must execute our HIPAA Business Associate Agreement before accessing PHI features. BedFlows acts as a business associate with respect to PHI processed on behalf of covered entities using the Service.
5. How we share information
We share information only as described below:
- Within your organization: Data you submit is visible to other authorized users in your facility, SNF, or care coordination agency according to role-based permissions.
- Service providers: We use vetted subprocessors to host and operate the Service, including cloud infrastructure, authentication, email delivery, and payment processing. These providers process data on our instructions and under contractual confidentiality and security obligations.
- Legal requirements: We may disclose information if required by law, regulation, legal process, or to protect the rights, safety, and security of BedFlows, our users, or the public.
- Business transfers: Information may transfer in connection with a merger, acquisition, or asset sale, subject to continued protection consistent with this policy.
6. Subprocessors
Primary infrastructure and communications providers include:
- Supabase — database hosting, authentication, and row-level security
- Vercel — application hosting and delivery
- Resend — transactional email (invite and account messages; no patient data in current templates)
- Stripe — subscription billing (billing contact and payment metadata only)
When PHI is stored in production, BedFlows maintains Business Associate Agreements with subprocessors that handle PHI, as required by HIPAA.
7. Security
We implement administrative, technical, and organizational safeguards appropriate to the data we process, including encryption in transit, access controls, audit logging, rate limiting, and session protections. No method of transmission or storage is completely secure; we cannot guarantee absolute security.
8. Retention
We retain account and operational data for as long as your organization uses the Service and as needed to comply with legal, contractual, and audit obligations. PHI retention follows your organization's policies and applicable law. You may request deletion of your user account subject to organizational and legal constraints.
9. Your rights and choices
Depending on your location and role, you may have rights to access, correct, delete, or export personal information, or to object to certain processing. Workforce users should contact their organization's administrator first; organizations may contact BedFlows at privacy@bedflows.com.
California residents may have additional rights under the CCPA/CPRA. BedFlows does not sell personal information. To exercise California privacy rights, email privacy@bedflows.com with "California Privacy Request" in the subject line.
10. Children
The Service is not directed to individuals under 18 and is not intended for use by minors. We do not knowingly collect information from children.
11. International users
The Service is operated from the United States and intended for California ALW coordination. If you access the Service from outside the U.S., you understand that information may be processed in the U.S.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised policy on this page and update the "Last updated" date. Material changes affecting PHI practices will be communicated through the Service or to organization administrators where appropriate.
13. Contact
Privacy Officer / privacy inquiries: privacy@bedflows.com
General support: hello@bedflows.com
See also our Terms of Use.
Last updated: July 1, 2026