Privacy Policy
Last updated: May 2026
1. What we collect
We collect four categories of data:
Account data. When you or a staff member creates an account: email address, full name, organization name, and a hashed password. We never store your password in plaintext.
PHI entered by your organization. Client demographics, diagnoses, treatment plans, assessment summaries, and pre-authorization narratives — all entered or uploaded by you, your BCBAs, or your RBTs. This data is processed only under a signed Business Associate Agreement (BAA). See Section 7 (HIPAA) for details.
Usage and log data. Session identifiers, request timestamps, feature interaction events, and error traces. These logs are used for debugging and security monitoring. We design our logging pipeline so that PHI does not appear in log records — only internal IDs, timestamps, and actor context.
Billing data. Billing is handled by Stripe. We receive a payment method token and subscription status from Stripe. We do not store your credit card number, CVC, or full card details on our servers.
2. How we use it
We use the data we collect to:
- Run the application: authenticate sessions, render the schedule of authorizations, and evaluate compliance rules;
- Draft pre-authorization narratives using our AI inference pipeline (see Section 3 on AI sub-processors);
- Send transactional emails: session expiration alerts, trial reminders, password reset links, and billing receipts — we do not send marketing email without your explicit opt-in;
- Respond to support requests you initiate;
- Detect fraud, abuse, and security incidents, and maintain the integrity of the audit log.
We do not sell your data. We do not use your data to train AI models. We do not run analytics on aggregate patient populations for any purpose outside running the service for you.
3. AI sub-processors
When Mand drafts a narrative, the prompt — which includes PHI you have entered — is sent to a third-party AI inference provider. We use these providers because they offer stateless APIs: they process your request and return a response, and they do not retain the data or use it to train their models.
We do not name specific AI vendors in this policy, because doing so would tie the policy text to vendors we are still evaluating for security and compliance fit. What we commit to:
- Every AI inference provider we use operates a stateless, no-training API;
- We execute Data Processing Agreements (DPAs) with each AI provider before sending any PHI to them;
- The current list of AI inference providers is maintained in our sub-processor inventory at usemand.com/legal/subprocessors;
- We will notify you at least 30 days before adding a new AI sub-processor that will receive PHI.
4. Where your data lives
Primary database. Your organization's data is stored in a dedicated single-tenant Postgres database hosted in US-East. Your data is not commingled with other customers at the storage layer.
Backups. Daily backups are written to Cloudflare R2 object storage. Backup files are encrypted on our servers before they are uploaded, so they are stored in R2 only in encrypted form.
Data residency. In normal operation, your data does not leave the United States. AI inference requests travel to US-based inference endpoints. If we add non-US infrastructure, we will update this policy with 30 days' notice.
Encryption. All data is encrypted in transit (TLS 1.2+) and at rest. Sessions use HMAC-signed, httpOnly, Secure cookies with a 12-hour TTL.
5. Who can access your data
Within Mand. The founder has access for support and incident response. Any future Mand employees or contractors will receive access only on a least-privilege basis, scoped to what their role requires, and will be subject to confidentiality agreements.
Within your organization. Only the seats you have provisioned in the admin panel can access your organization's data. Role-based permissions determine what each seat can see and do.
Across organizations. Zero. Row-level security (RLS) is enforced at the database layer. No query run by one organization can return rows belonging to another, regardless of application-layer permissions.
Third parties. We share data only with the sub-processors listed in Section 3 and Section 10, and only to the extent necessary to provide the service. We do not share data with payers, insurers, or government agencies except as required by law or compelled by lawful process. We will notify you of any compelled disclosure unless prohibited from doing so.
6. Cookies and tracking
We use exactly one cookie:
- A session cookie that authenticates your browser session. It is httpOnly (not readable by JavaScript), Secure (HTTPS only), and SameSite=Strict. It expires after 12 hours of inactivity.
We do not use analytics cookies. We do not use advertising cookies. We do not embed third-party trackers (pixels, beacons, or SDKs) that would share your browsing behavior with anyone outside Mand. Compliance officers: there is nothing to configure here.
7. HIPAA and PHI controls
BAA first. PHI may not enter Mand until your organization has executed a signed Business Associate Agreement with us. Email [email protected] to start this process.
Demo-mode protection. Organizations without a signed BAA are flagged as demo-mode at the database layer. The database itself enforces a hard block on real-PHI inserts for those organizations. This is a defense-in-depth control — the restriction lives below the application layer.
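Section 5 and the demo-mode paragraph above describe two controls that live in the database rather than the application: row-level security that keeps one organization's rows invisible to another, and a hard block on real-PHI inserts for organizations without a signed BAA. The following is an added illustration of how such controls are typically expressed in Postgres. It is not Mand's schema or code; the table names, the app.current_org session setting, the baa_signed flag and the is_real_phi column are all assumptions made for this example.

```sql
-- Illustrative Postgres schema (assumed for this example; not Mand's actual schema).
CREATE TABLE organizations (
    id         bigint PRIMARY KEY,
    name       text NOT NULL,
    baa_signed boolean NOT NULL DEFAULT false   -- false = demo mode
);

CREATE TABLE clients (
    id              bigint PRIMARY KEY,
    organization_id bigint NOT NULL REFERENCES organizations(id),
    demographics    jsonb NOT NULL,
    is_real_phi     boolean NOT NULL DEFAULT true  -- false only for synthetic demo data
);

-- 1. Tenant isolation. The policy is keyed on a per-request session setting
--    (assumed name: app.current_org) that the application sets before running
--    any query. FORCE makes the policy apply even to the table owner.
ALTER TABLE clients ENABLE ROW LEVEL SECURITY;
ALTER TABLE clients FORCE ROW LEVEL SECURITY;

CREATE POLICY clients_tenant_isolation ON clients
    USING (organization_id =
           NULLIF(current_setting('app.current_org', true), '')::bigint)
    WITH CHECK (organization_id =
           NULLIF(current_setting('app.current_org', true), '')::bigint);

-- 2. Demo-mode block. A BEFORE trigger rejects any real-PHI row whose
--    organization has no signed BAA, regardless of what the application does.
CREATE FUNCTION block_phi_without_baa() RETURNS trigger AS $$
BEGIN
    IF NEW.is_real_phi AND NOT EXISTS (
        SELECT 1 FROM organizations
        WHERE id = NEW.organization_id AND baa_signed
    ) THEN
        RAISE EXCEPTION 'organization % is in demo mode: real PHI rejected',
            NEW.organization_id
            USING ERRCODE = 'check_violation';
    END IF;
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER clients_block_phi_without_baa
    BEFORE INSERT OR UPDATE ON clients
    FOR EACH ROW EXECUTE FUNCTION block_phi_without_baa();

-- Walk-through with constructed sample data.
INSERT INTO organizations VALUES (1, 'Org A (BAA signed)', true),
                                 (2, 'Org B (demo mode)',  false);

-- Request context for org 1: its insert passes both controls.
SET app.current_org = '1';
INSERT INTO clients VALUES (10, 1, '{"name": "sample"}', true);
SELECT count(*) FROM clients;   -- only org 1's own rows are visible here

-- Request context for org 2: org 1's row is not visible, synthetic demo
-- data is accepted, and a real-PHI row is rejected by the trigger.
SET app.current_org = '2';
SELECT count(*) FROM clients;
INSERT INTO clients VALUES (20, 2, '{"name": "demo"}', false);
INSERT INTO clients VALUES (21, 2, '{"name": "real"}', true);   -- raises check_violation

-- No request context at all: the NULL comparison matches nothing, so a
-- request that forgot to set its organization sees no rows instead of all rows.
RESET app.current_org;
SELECT count(*) FROM clients;
```

Two caveats a compliance reviewer should ask about when evaluating a control like this. RLS binds to the database role: FORCE ROW LEVEL SECURITY covers the table owner, but superusers and roles with BYPASSRLS still bypass every policy, so the application must connect as an ordinary role. And the policy is only as good as the session setting it reads, so the setting must be applied per request (for example with set_config inside the request's transaction) and never left over from a pooled connection's previous tenant.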
Controls summary. Our current HIPAA-relevant controls include:
- Encryption at rest and in transit;
- Row-level security enforced at the database layer, preventing cross-org data access;
- HMAC-signed sessions with a 12-hour TTL;
- Audit logging of all PHI access events, retained for 7 years;
- Daily encrypted backups with point-in-time recovery capability;
- DPAs with all sub-processors that receive PHI.
No "HIPAA-certified" claim. HIPAA is a compliance posture, not a certification. There is no official HIPAA certification body. We describe our controls plainly and let your compliance officer evaluate them. If you need a completed security questionnaire, email [email protected].
8. Your rights
Export. You can request a full export of your organization's data as JSON at any time by emailing [email protected]. We will fulfill the request within 5 business days. Self-serve export will be available as the platform matures.
Deletion. You can request deletion of your organization and all its data rows by emailing us. Deletion is completed within 30 days. This includes PHI, account data, and all backups containing your data.
Audit log exception. Audit logs are retained for 7 years per standard healthcare-records obligations. These logs contain no PHI — only internal IDs, timestamps, and actor context. Individual audit log records cannot be deleted; this is a legal compliance requirement, not a policy choice.
Right to know. You may email [email protected] at any time to ask what data we hold about your organization. We will respond within 10 business days.
9. Breach notification
In the event of a breach affecting your organization's data, we will notify you within 72 hours of discovering the breach. The notification will describe: what happened, what data was involved, what we have done or are doing to contain it, and what steps we recommend you take.
We will follow HHS breach notification guidelines and assist you in fulfilling your own notification obligations to affected individuals and relevant authorities.
10. Sub-processor inventory
A current list of all sub-processors — including AI inference providers, infrastructure providers, and billing — is maintained at usemand.com/legal/subprocessors. We update this page when we add or remove a sub-processor and send advance notice per Section 3.
11. Changes to this policy
We will provide at least 30 days' email notice before making material changes to this policy. Material changes include changes to what data we collect, how we use it, who we share it with, or your rights under it.
Non-material changes (typos, formatting, clarifications that do not alter your rights or our obligations) may be made without notice. The "Last updated" date at the top of this page reflects the most recent change of any kind.
12. Contact
General questions: [email protected]. Legal and compliance questions: [email protected]. The founder reads every message.