1) Who we are & how this policy applies
Popweave is a healthcare engagement platform for members, providers, employers, and payers. This policy applies to popweave.com, our apps, and services. Depending on your relationship with us and our customers, we may act as a HIPAA Business Associate (supporting covered entities) or as a non-HIPAA consumer app. When HIPAA applies, we process Protected Health Information (PHI) under Business Associate Agreements (BAAs). When HIPAA does not apply, we handle your information under consumer privacy laws (e.g., FTC Act §5, CPRA, GDPR).
2) What we collect
- Account & contact: name, email, phone, organization.
- Health & benefits (PHI/PII): conditions, medications, providers, claims/EOBs, coverage, care plans (when connected with your consent or under a customer BAA).
- App & device: IP, device/browser type, security telemetry, and cookie IDs for secure sessions.
- Support content: messages you send us (avoid sending sensitive data to general inboxes).
3) How we use information (minimum necessary)
- Provide and secure the service (authentication, session management, fraud prevention).
- Show your clinical/claims data when you connect a payer or provider (with consent or under a BAA).
- Member engagement features (reminders, programs, care coordination).
- Improve quality and reliability (de-identified/aggregated analytics).
- Comply with law, standards, and contracts.
No selling of personal data or PHI. We do not sell your data and we do not share it for cross-context behavioral advertising.
4) Legal bases & consent
For U.S. users, we rely on your consent and our legitimate interests to provide the service, except when HIPAA/BAA governs PHI. For EEA/UK users (if applicable), we rely on consent (Art. 6(1)(a)), contract (Art. 6(1)(b)), or legitimate interests (Art. 6(1)(f)), and apply additional protections for special category data (Art. 9) when relevant.
5) Who we share with
- Your direction: providers, payers, caregivers, or employers (only with appropriate permissions/contractual safeguards).
- Service providers (sub-processors): hosting, email, logging, security scanning—under contracts that restrict use to our instructions.
- Legal: when required by law, to protect safety, or to respond to lawful requests.
We maintain a current list of sub-processors and will notify you of material changes. Contact privacy@popweave.com to request the list.
6) Security
- Encryption in transit and at rest; modern TLS only.
- Role-based access, least privilege, MFA for staff, audit logging.
- Network isolation, patching, vulnerability scanning, and backups.
- Security reviews for vendors handling PHI or personal data.
- Responsible disclosure: report bugs to security@popweave.com.
7) Breach & incident notifications
If we discover an incident affecting your data, we will investigate, mitigate, and notify affected parties and regulators as required by applicable law (for HIPAA, typically without unreasonable delay and no later than 60 days; for GDPR, notification to the supervisory authority within 72 hours when required).
8) Your privacy choices & rights
- Access & portability of your data.
- Correction of inaccurate data.
- Deletion (when legally permitted or after contract ends).
- Opt-out of marketing emails.
- Do Not Sell or Share (CPRA): we do not sell or share personal information for cross-context ads.
Submit requests at privacy@popweave.com. We will verify your identity before fulfilling requests.
9) Retention
We keep data only as long as needed to deliver the service and meet legal/contractual obligations (e.g., HIPAA records). When no longer needed, we delete or de-identify it according to our retention schedule.
10) Children
The service isn’t directed to children under 13. For pediatric use, a parent/guardian or authorized entity must consent as required by law.
11) Cookies & similar tech
We primarily use essential session cookies to keep you signed in and protect the service. We may later add analytics or preference cookies with notice and, where required, consent. You can manage cookies in your browser and via our banner.
12) International transfers
Data may be processed in the U.S. and other countries with appropriate safeguards (e.g., SCCs for EEA/UK where applicable).
13) Changes to this policy
We’ll post updates here and adjust the effective date. If changes are material, we’ll provide additional notice.
14) Contact
Privacy questions or requests: privacy@popweave.com
Security issues: security@popweave.com