Legal

Privacy Policy

RapidRef Platform · Issued by Whiteframe LLC · Gloucester, Virginia

Effective upon account creation or first use of the RapidRef Platform

This Privacy Policy explains how Whiteframe LLC collects, uses, stores, and protects information in connection with the RapidRef platform. It applies to organization administrators, individual providers, and any other users who access the platform.

1.

Overview

Whiteframe LLC ("Company," "we," "us," or "our") operates the RapidRef platform ("Platform"), a clinical reference and operations tool for emergency services organizations. This Privacy Policy describes our practices with respect to the collection, use, disclosure, and retention of personal information we receive from or about users of the Platform.

This Privacy Policy applies to all users of the Platform, including organization administrators and individual providers accessing the Platform through their organization's subscription. By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy.

This Privacy Policy does not apply to information collected by third-party websites, applications, or services that may be linked to or from the Platform.

2.

Information We Collect

2.1 Information You Provide Directly

When an organization creates an account or when an administrator adds a user to the Platform, the following information is collected:

  • Name
  • Email address
  • Password, which is stored in encrypted, hashed form and is never stored in plain text
  • Job title or role within the organization, where provided

This information is used to create and manage user accounts, authenticate access to the Platform, and allow organization administrators to manage their team.

2.2 Information Collected Automatically

When users access and use the Platform, we automatically collect certain information through the Platform's infrastructure and analytics systems, including:

  • Device identifiers: unique identifiers associated with the device on which the Platform is installed or accessed. Device identifiers are used to associate an account with a specific device for purposes of device management, including the ability for organization administrators to perform remote logout and revoke device access when a provider leaves an organization, a subscription lapses, or access is otherwise terminated by the organization.
  • Usage and activity data: information about how users interact with the Platform, including content sections accessed, features used, frequency and duration of use, checklist completions, and similar engagement data. This information is used for platform analytics, service improvement, and to provide organization administrators with visibility into platform adoption and usage patterns within their organization.
  • Technical data: device type, operating system version, app version, crash reports, error logs, and similar technical information used for performance monitoring and bug resolution.

2.3 Information We Do Not Collect

RapidRef does not collect, store, or process patient information of any kind. The Platform is a clinical reference tool and is not designed or intended for the entry, storage, or transmission of patient records, patient identifiers, or clinical documentation relating to specific individuals receiving care.

In the event that future functionality enables data transmission to third-party electronic patient care reporting systems, any such integration will be designed to exclude patient-identifying information, and this Privacy Policy will be updated accordingly prior to the release of such functionality.

3.

How We Use Information

We use the information we collect for the following purposes:

  • Account creation and authentication: to create and manage user accounts and to authenticate access to the Platform.
  • Platform operation and delivery: to provide the features and functionality of the Platform, including content synchronization, offline access, push notifications, and administrative controls.
  • Device management: to enable organization administrators to manage authorized devices, including the ability to remotely revoke access when a user's authorization is terminated by the organization.
  • Analytics and service improvement: to understand how the Platform is used, identify areas for improvement, develop new features, and monitor platform performance.
  • Communication: to send account-related communications, including onboarding information, service updates, billing notifications, and support responses.
  • Security and compliance: to detect and prevent unauthorized access, investigate suspected violations of this Privacy Policy or our Terms of Service, and comply with applicable legal obligations.
  • Aggregated analytics: to produce anonymized, aggregated data about Platform usage across our customer base. Aggregated data does not identify any individual user or organization and may be used for benchmarking, product development, and reporting purposes.
4.

How We Share Information

We do not sell personal information. We do not share personal information with third parties for their own marketing purposes. We share information only as described below.

RecipientPurpose and Scope
SupabaseOur primary database and authentication provider. Stores account data, user records, and platform content. Supabase processes data on our behalf as a service provider.
StripeOur payment processor. Processes subscription fees and billing information for organization accounts. Stripe receives billing and payment data necessary to process transactions. Stripe does not receive provider-level user data.
Expo / FirebaseOur push notification infrastructure. Device tokens are used to deliver push notifications from organization administrators to their team. No personal data beyond device tokens is transmitted for this purpose.
SentryError tracking and performance monitoring. Receives technical crash and error data to enable us to identify and resolve platform issues. Error data may include device type, app version, and technical stack traces.
Legal and regulatoryWe may disclose information when required to do so by law, regulation, court order, or legal process, or when we believe disclosure is necessary to protect the rights, property, or safety of Company, our users, or others.
Business transfersIn connection with a merger, acquisition, reorganization, or sale of all or substantially all of our assets, user information may be transferred as part of that transaction. We will notify affected users of any such transfer and any material changes to this Privacy Policy.
5.

Data Retention

We retain personal information for as long as the associated account is active and for a reasonable period thereafter to allow for account reinstatement, dispute resolution, and compliance with legal obligations. Specifically:

  • Account information is retained for the duration of the active subscription and for ninety (90) days following termination or expiration, during which time the organization may request an export of its data.
  • Device identifiers associated with departed users are purged from active device management records upon administrator removal of the user account.
  • Usage and activity data may be retained in anonymized or aggregated form beyond the period above for the purposes described in Section 3(g).
  • Billing records are retained as required by applicable law and for the period necessary to resolve any billing disputes.

Following the applicable retention period, we will delete or anonymize personal information in accordance with our data deletion practices.

6.

Data Security

We implement reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, or destruction. These safeguards include encrypted data transmission, hashed password storage, access controls, and monitoring for unauthorized activity.

No method of transmission over the internet or electronic storage is completely secure. While we take the protection of your information seriously, we cannot guarantee absolute security. Users are responsible for maintaining the confidentiality of their login credentials and for promptly notifying us of any suspected unauthorized access.

7.

Your Rights

Users and organizations may have rights with respect to their personal information depending on applicable law, including under the Virginia Consumer Data Protection Act (VCDPA). These rights may include the right to:

  • access the personal information we hold about you;
  • request correction of inaccurate personal information;
  • request deletion of your personal information, subject to applicable legal requirements and our data retention obligations;
  • obtain a copy of your personal information in a portable format; and
  • opt out of certain processing of personal information where applicable.

Organization administrators may manage user account information directly through the Platform dashboard. For requests that cannot be fulfilled through the dashboard, or to exercise any of the rights described above, please contact us using the information in Section 10.

We will respond to verifiable requests within the timeframes required by applicable law. We may need to verify your identity before processing a request. We will not discriminate against you for exercising your rights under applicable privacy law.

8.

Children

The Platform is designed and intended for use by adult professionals in emergency services roles. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have inadvertently collected personal information from a minor, we will take steps to delete that information promptly. If you believe we have collected information from a minor, please contact us using the information in Section 10.

9.

Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify organization administrators by email or through a notice in the Platform dashboard at least thirty (30) days prior to the effective date of the change. The updated Privacy Policy will be made available on our website. Your continued use of the Platform following the effective date of any change constitutes your acceptance of the updated Privacy Policy.

10.

Contact

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

CompanyWhiteframe LLC
PlatformRapidRef
AddressGloucester, Virginia
Websiterapidref.app
Emailsteven@whiteframe.dev
RapidRef Privacy Policy · Whiteframe LLC · Version 1.0Gloucester, Virginia