
Privacy

Last updated: 2026-05-09. This is a plain-language summary of how Mand handles data, written by the founder. We'll publish a formal counsel-reviewed policy with the first paying customer.

What we collect

When you sign up: your email, name, organization name, and a hashed password. When you use Mand: client demographics, treatment plans, assessments, and pre-authorization narratives — all entered or uploaded by you.

What we do with it

We process the data only to operate the application: drafting narratives, matching payer templates, evaluating compliance rules, generating service authorizations. We do NOT sell, share, or analyze customer data outside the scope of running Mand for you.

When the AI drafts a narrative, the prompt and the response go to the model provider (Groq or Anthropic). Both have stateless APIs with no training on customer data. Their data-retention policies apply only to in-flight requests.

Where it lives

Customer data is stored in a single-tenant Postgres database on a dedicated VPS in US-East. Daily encrypted backups go to Cloudflare R2. Sessions are HMAC-signed cookies with a 12-hour TTL.

Who can see it

Within Mand: the founder (Pat) for support and incident response. Future hires will be on a least-privilege basis. Within your org: the workers and BCBAs you grant access to. Across orgs: nobody — row-level security ensures one org cannot see another's data.

HIPAA + BAAs

We sign BAAs before any real PHI enters Mand. The signup flow asks whether you intend to enter real client data, and if you do, no account is created until we have a signed BAA on file. If you only want to evaluate the product, you can create a demo-mode account immediately — the database itself refuses to accept real-PHI inserts for those orgs (defense-in-depth, in case someone fat-fingers a real client name into the demo). Email [email protected] to start a BAA. We do not display "HIPAA-compliant" badges because HIPAA compliance is a posture, not a certification — we describe our controls plainly and let your compliance officer evaluate.
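An added illustration of the two database controls this page describes (the per-org row-level security under "Who can see it" and the demo-mode refusal above), written as Postgres DDL. It is not Mand's schema: the table names, the `app.org_id` session setting, the `is_demo` flag and the `record_class` column are all assumptions.

```sql
-- Added example, not Mand's schema. Assumed names: orgs, clients,
-- app.org_id (session setting), is_demo, record_class.
CREATE TABLE orgs (
    id      bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    name    text NOT NULL,
    is_demo boolean NOT NULL DEFAULT false
);

CREATE TABLE clients (
    id           bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    org_id       bigint NOT NULL REFERENCES orgs(id),
    full_name    text NOT NULL,
    -- 'real' rows are PHI; 'synthetic' rows are demo fixtures
    record_class text NOT NULL CHECK (record_class IN ('real', 'synthetic'))
);

-- 1. Tenant isolation. Each request runs inside a transaction that sets
--    the caller's org (e.g. SET LOCAL app.org_id = '42'); the policy limits
--    reads and writes to that org. If the setting is absent, the
--    comparison is NULL and no rows are visible (fails closed).
ALTER TABLE clients ENABLE ROW LEVEL SECURITY;
ALTER TABLE clients FORCE ROW LEVEL SECURITY;  -- applies to the owner too

CREATE POLICY clients_org_isolation ON clients
    USING      (org_id = current_setting('app.org_id', true)::bigint)
    WITH CHECK (org_id = current_setting('app.org_id', true)::bigint);

-- 2. Demo-mode guard. A demo org cannot insert, or reclassify a row as,
--    a 'real' record, whatever the application layer does.
CREATE FUNCTION reject_phi_in_demo_org() RETURNS trigger AS $$
BEGIN
    IF NEW.record_class = 'real'
       AND EXISTS (SELECT 1 FROM orgs WHERE id = NEW.org_id AND is_demo) THEN
        RAISE EXCEPTION 'org % is in demo mode; real client records are not accepted',
            NEW.org_id USING ERRCODE = 'check_violation';
    END IF;
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER clients_demo_guard
    BEFORE INSERT OR UPDATE ON clients
    FOR EACH ROW EXECUTE FUNCTION reject_phi_in_demo_org();

-- Check: with app.org_id pointing at a demo org, inserting a 'real' row
-- raises; the same insert for a BAA-signed org succeeds.
```

The trigger enforces the label the application attaches, not the content of the name itself, so it is a backstop for the BAA gate rather than a PHI detector.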

Your rights

You can export all your org's data as JSON at any time (request via email; this becomes a self-serve button when we have multiple customers). You can delete your org and have its rows hard-deleted within 30 days. Audit-event logs are retained for 7 years per standard healthcare-records practice and cannot be deleted, but they reference no PHI directly — just IDs, timestamps, and actor context.

Contact

Questions? Email [email protected]. The founder reads every message.