Privacy Policy

A plain-language privacy policy for the ContactFollowUp service. Tuned for the healthcare-CRM context — PHI handled as a data processor under a Business Associate Agreement.

Last updated: May 15, 2026

1. Who we are

ContactFollowUp is a product of Northern Software Consulting, LLC, a Delaware limited liability company with its principal place of business in the United States. In this policy, “ContactFollowUp,” “we,” “our,” and “us” refer to Northern Software Consulting, LLC operating the ContactFollowUp service.

2. The two kinds of data we handle

We handle two kinds of data with two very different postures:

  • Account data — information about you as a paying customer or signed-up trial user (name, email, billing address, login activity). We are the data controller for this category.
  • Protected Health Information (PHI) — information about your patients that you (the covered entity) store in ContactFollowUp. We are a data processor for this category, acting on your behalf under a signed Business Associate Agreement. We do not use PHI for our own purposes, ever.

3. Account data we collect

  • Email address and name (account creation, login, support).
  • Practice name and size (provisioning and pricing).
  • Billing address and payment method (handled by Stripe; we receive a token, not card numbers).
  • Login metadata: IP address, user-agent, login timestamps (security + audit).
  • Product usage telemetry: feature events, error rates, performance traces. Never includes PHI.

4. How we use account data

  • To provide and maintain the Service.
  • To bill you and to recover non-payment.
  • To detect, prevent, and respond to abuse and security incidents.
  • To send product updates and release notes (you may unsubscribe from non-transactional email at any time).
  • To improve the Service — aggregated and anonymized only.

5. PHI: our posture as a Business Associate

When your account stores PHI, you are the covered entity (or another business associate) and we are your business associate. We:

  • Sign a Business Associate Agreement with you before any PHI lands in our system.
  • Encrypt PHI at the field level using AES-256-GCM, with customer-managed keys stored in your secrets store.
  • Record every PHI write in an immutable audit log retained for 7 years.
  • Never use PHI for marketing, training AI models we sell, or any purpose other than providing the Service to you.
  • Restrict access to PHI to the minimum personnel needed to operate the Service, under a confidentiality agreement.

6. Subprocessors

We use a small set of subprocessors to operate the Service. The full list is published on the Security page and inside the product (BAA management UI). We require each subprocessor that touches PHI to sign a BAA with us; we surface a tenant-side UI so you can track the BAAs you are responsible for under HIPAA's Business Associate provisions.

7. Cookies and similar technologies

  • hn_session — first-party server-side staff session cookie. HttpOnly, Secure, SameSite=Lax.
  • hn_portal_session — first-party server-side patient-portal session cookie, separated from the staff cookie so a staff compromise can never impersonate a patient.
  • hn-theme — first-party theme preference (light / dark), stored in localStorage; not sent to the server.
  • We do not use third-party advertising cookies or cross-site tracking pixels on the marketing site or in the product.

8. Data retention

  • Account data: for the life of the account plus 90 days after termination.
  • PHI: per the customer's configuration; the Service supports patient data export and deletion at any time.
  • Audit log: 7 years.
  • Backups: 35 days, encrypted at rest, region-isolated.

9. Your rights

Under various privacy laws (GDPR, CCPA, state privacy laws), you may have the right to access, correct, port, or delete your personal information. To exercise any of these rights, email privacy@contactfollowup.com. Patient rights with respect to PHI are governed by HIPAA and exercised through the covered entity (your provider), not directly with ContactFollowUp.

10. International transfers

By default we store data in the United States. Enterprise customers may request deployment in a specific AWS or Azure region. If you access the Service from outside the United States, your data is transferred to and processed in the United States; we rely on Standard Contractual Clauses where required by EU law.

11. Security

Our full security posture is documented at /security. Briefly: AES-256-GCM at rest; TLS 1.2+ in transit; immutable audit log; MFA + OIDC SSO; field-level permissions on Enterprise; service-account model for automation; documented incident response with 24-hour notification on confirmed PHI-impacting incidents.

12. Children

The Service is not intended for direct use by individuals under 13. Where the Service stores PHI about a minor patient, that storage happens at the direction of the covered entity (your provider) and is subject to the same protections as any other PHI.

13. Changes to this policy

We will post material changes at this URL and notify account administrators by email at least 30 days before the change takes effect. The “Last updated” date at the top of the page reflects the most recent revision.

14. Contact

Privacy questions: privacy@contactfollowup.com. Security questions: security@contactfollowup.com. Postal address available on request.