Privacy Policy

Introduction

Vochella Technologies Inc. ("Vochella," "we," "us," or "our") operates a HIPAA-compliant platform for Speech-Language Pathologists (SLPs) and their clients. This Privacy Policy describes how we collect, use, disclose, and protect your information when you use our services. We comply with the Health Insurance Portability and Accountability Act (HIPAA) in the United States, the Personal Health Information Protection Act (PHIPA) in Ontario, and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.

Information We Collect

We collect information necessary to provide our services:

• Account information: Name, email address, and credentials you provide when creating an account.
• Protected Health Information (PHI): Client names, health conditions, treatment data, session notes, video submissions, and other clinical information you or your clients enter into the platform.
• Usage data: How you interact with the platform, including features used and session activity.
• Payment information: Processed securely by Stripe; we do not store full payment card details.

How We Use Your Information

We use your information to:

• Provide, maintain, and improve our SLP platform and services
• Process payments and send receipts
• Generate AI-assisted documentation (e.g., SOAP note drafts, session summaries, progress reports). Clinical data is processed through our AI provider under a Business Associate Agreement; we apply the minimum necessary standard and strip direct identifiers where technically feasible. You control whether AI features are enabled for your account.
• Send transactional communications (e.g., session reminders, magic links)
• Comply with legal obligations and enforce our terms
• Support you with technical assistance

Data Security

We implement industry-standard security measures to protect your data:

• Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
• Infrastructure: Our platform runs on Supabase, a HIPAA-eligible infrastructure provider with whom we maintain a Business Associate Agreement (BAA).
• Access controls: Row-level security ensures users only access their own data. PHI is never exposed to unauthorized parties.
• Audit logging: Access to sensitive data (e.g., receipts, reports) is logged before data is returned.

Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your data (subject to legal retention requirements)
• Object to or restrict certain processing
• Data portability
• Withdraw consent where processing is consent-based

To exercise these rights, contact us at support@vochella.com.

HIPAA, PHIPA & PIPEDA Compliance

Vochella is designed to meet the requirements of HIPAA (U.S.), PHIPA (Ontario), and PIPEDA (Canada). We enter into Business Associate Agreements (BAAs) with covered entities and ensure that all third-party service providers handling PHI are BAA-compliant. We apply the minimum necessary standard when sharing data and maintain administrative, physical, and technical safeguards as required by applicable regulations.

Third Parties

We work with the following categories of service providers:

• Supabase: Database, authentication, and storage. BAA in place.
• Stripe: Payment processing. BAA in place. We use generic descriptions (e.g., "Treatment Session") and never include diagnosis in payment metadata.
• OpenAI: AI features (e.g., SOAP note drafting, session summaries, progress reports). Clinical data processed under a BAA. We apply the minimum necessary standard, strip direct identifiers (such as client names) where technically feasible, and never transmit data beyond what is required for the specific feature. OpenAI does not use Vochella data to train its models.

We do not sell your personal information or PHI.

Children's Privacy

Our platform includes interactive home practice features designed for use by children under the supervision of their parent, guardian, or treating SLP. When a child uses these features, we may collect:

• Audio recordings of speech exercises (collected only with explicit parental or guardian consent through our in-app consent flow)
• Practice session activity, including responses to exercises and progress data
• A child-friendly display name and age tier selected by the parent or SLP (we do not collect a child's full name, email, or contact information directly)

Parental consent: Before any audio recording or AI-based speech analysis features are enabled for a child, we require verifiable parental or guardian consent through our in-app consent mechanism. A parent or guardian may review, request deletion of, or refuse further collection of their child's data at any time by contacting us at support@vochella.com or through the account settings.

COPPA compliance (United States): We comply with the Children's Online Privacy Protection Act. We do not knowingly collect personal information from children under 13 without verifiable parental consent. If we learn that we have collected personal information from a child under 13 without proper consent, we will delete that information promptly.

PIPEDA (Canada): For Canadian users, we obtain meaningful consent from a parent or guardian for any collection of personal information from minors, consistent with the Office of the Privacy Commissioner's guidance on consent for minors.

Data Retention

We retain your information for as long as necessary to provide the Service and comply with legal obligations:

• Clinical records (SOAP notes, progress reports, goal data): Retained for a minimum of 10 years from the date of last entry, or 10 years after a minor client reaches the age of majority, whichever is longer, consistent with Ontario regulatory requirements and HIPAA retention guidance.
• Account information: Retained for the duration of your account and for up to 30 days following account deletion to allow for reactivation, unless a longer period is required by law.
• Audio recordings and video submissions: Retained for the duration of the therapeutic relationship or until the supervising SLP or parent/guardian requests deletion, subject to the minimum clinical retention periods above.
• Payment records: Retained for 7 years as required by tax and financial regulations.
• Audit logs: Retained for a minimum of 6 years.

Upon request for data deletion, we will remove or de-identify personal information that is not subject to a legal retention requirement within 30 days.

Data Residency & Cross-Border Transfers

Our primary infrastructure is hosted by Supabase. Data may be stored and processed in Canada and/or the United States. If you are located in Canada and your data is processed in the United States, that transfer is governed by our BAA and the safeguards described in this policy. We apply the same security and privacy standards regardless of where data is stored.

If your organization requires data to remain within Canada, please contact us at support@vochella.com to discuss available options.

Breach Notification

In the event of a breach of security safeguards involving personal information or PHI, we will:

• Investigate and contain the breach as quickly as possible
• Notify affected individuals and applicable regulatory authorities as required by law, including within 60 days as required by HIPAA, without unreasonable delay as required by PHIPA, and as soon as feasible as required by PIPEDA
• Notify the Information and Privacy Commissioner of Ontario where required under PHIPA
• Provide a description of the breach, the types of information involved, and steps individuals can take to protect themselves
• Maintain records of all breaches and our response actions

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes affecting how we use PHI, we may provide additional notice via email or in-app notification.

Contact Us

For privacy-related questions, BAA requests, or to exercise your rights, contact us: