Privacy Policy

Effective Date: April 11, 2026  |  Last Updated: April 11, 2026

1. Introduction

Simple Functional AI ("SFAI," "we," "us," or "our") operates the clinician portal at simplefunctionalai.com (the "Platform"), the patient-facing portal, and related services (collectively, the "Services"). This Privacy Policy explains how we collect, use, store, share, and protect your information when you interact with our Services.

SFAI is a multi-tenant SaaS platform that provides functional medicine practitioners with tools to manage patient intake, lab analysis, care plan generation, and patient education. By using our Services, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use our Services.

We are committed to protecting your privacy and the security of your personal health information. We never sell your data. We never show you ads. Your health information is protected with encryption, HIPAA-compliant practices, and strict access controls.


2. Information We Collect

2a. Information You Provide Directly

When you create an account or use our Services, you may provide:

  • Name, email address, and login credentials
  • Clinic name, address, phone number, and provider information
  • Payment and billing information (processed by Stripe; we do not store full credit card numbers)
  • Messages sent through the platform, including coach chat and clinic messaging
  • Intake form responses
  • Scheduling preferences and appointment information

2b. Protected Health Information (PHI)

As part of the clinical workflow, our platform processes the following types of PHI on behalf of the practitioner:

  • Patient demographics (name, date of birth, contact information)
  • Laboratory test results and biomarker data
  • Health scores and functional medicine assessments
  • Clinical observations, diagnoses, and medical history
  • Supplement plans, nutrition plans, and exercise protocols
  • Check-in responses, symptom tracking, and progress reports
  • Body composition data
  • Documents uploaded by the practitioner (e.g., lab result PDFs)

2c. Information Collected Automatically

When you access our Services, we may automatically collect:

  • Browser type, operating system, and device information
  • IP address and approximate geographic location
  • Pages visited, features used, and interaction patterns within the platform
  • Authentication tokens and session identifiers (stored as secure cookies)
  • Error logs and performance metrics

We do not collect precise geolocation data or biometric information.


3. How We Use Your Information

3a. Account and Platform Operations

We use your information to:

  • Create and manage your account
  • Authenticate your identity and maintain session security
  • Provide the core functionality of the platform, including patient management, lab analysis, care plan generation, and the patient portal
  • Process payments and manage subscriptions via Stripe
  • Send transactional communications, including intake notifications, retest reminders, and system alerts
  • Provide customer support and respond to inquiries
  • Improve, maintain, and monitor the performance and security of our Services

3b. PHI Processing

PHI is processed solely to provide clinical functionality on behalf of the practitioner, including:

  • Generating AI-assisted clinical packets (doctor and client packets)
  • Extracting and analyzing laboratory results from uploaded documents
  • Calculating functional health scores and biomarker trends
  • Powering the AI coaching feature with de-identified protocol data
  • Generating progress reports and case review summaries
  • Delivering personalized content through the patient portal

All PHI processing follows the data handling practices described in Section 6 (AI Processing and PHI Redaction).

3c. Marketing

We do not use your personal health information for marketing purposes. We do not sell, rent, or trade your personal information to third parties for their marketing use. We may send you occasional product updates or service announcements to the email address associated with your account. You can opt out of non-essential communications at any time.


4. How We Share Your Information

We do not sell your information. We share your information only in the following limited circumstances:

4a. Sub-Processors

We use the following third-party service providers ("sub-processors") to operate our platform:

Provider  |  Purpose  |  Data Accessed
Amazon Web Services (AWS)  |  Cloud hosting, database  |  All Platform data including PHI
Stripe  |  Payment processing  |  Billing info only
Vercel  |  Website hosting  |  No PHI
Twilio  |  SMS messaging  |  Phone numbers + messages (PHI)
OpenAI  |  AI content generation  |  De-identified data only
Sentry  |  Error monitoring  |  No PHI
Calendly / Cal.com  |  Scheduling  |  Name + email only

Each sub-processor is contractually required to protect the data it processes on our behalf. Where PHI is involved, we maintain Business Associate Agreements (BAAs) as required by HIPAA.

4b. Legal Requirements

We may disclose your information if required to do so by law, or in the good-faith belief that such action is necessary to:

  • Comply with a legal obligation, subpoena, or court order
  • Protect and defend the rights, property, or safety of SFAI, our users, or the public
  • Enforce our Terms of Service or investigate potential violations

4c. Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on our platform before your information becomes subject to a different privacy policy.


5. Data Storage and Security

5a. Where Your Data Is Stored

All platform data, including PHI, is stored on Amazon Web Services (AWS) infrastructure in the US-East-2 (Ohio) region. Data at rest is stored in DynamoDB (database) and S3 (file storage). Authentication credentials are managed through AWS Cognito. The web application is hosted on Vercel, which does not store PHI.

5b. Security Measures

We implement the following security measures to protect your data:

  • Encryption of data at rest and in transit (TLS/SSL)
  • Secure authentication via AWS Cognito with hashed passwords and token-based session management
  • Role-based access controls ensuring each clinic can only access its own data (multi-tenant isolation via clinic_id)
  • httpOnly, secure cookies for session tokens to limit token theft through cross-site scripting attacks
  • PHI redaction pipeline that strips identifiable information before AI processing (see Section 6)
  • Automated lab document redaction using AWS Textract and Comprehend Medical
  • Regular security reviews and updates to dependencies

While we implement strong safeguards, no system can guarantee absolute security. We continuously review and improve our security practices.

5c. Breach Notification

In the unlikely event of a data breach involving your personal information or PHI, we will notify affected users and relevant regulatory authorities as required by applicable law, including HIPAA breach notification requirements. Notification will occur without unreasonable delay and no later than 60 days after discovery of the breach.


6. AI Processing and PHI Redaction

SFAI uses artificial intelligence to assist practitioners with clinical content generation, including case reviews, doctor packets, client packets, and the patient-facing AI coaching feature. We take the following steps to protect your PHI during AI processing:

  1. PHI Stripping: Before any data is sent to an external AI provider, our platform runs a mandatory PHI stripping function (stripIntakePHI) that removes all personally identifiable information, including names, dates of birth, Social Security numbers, addresses, phone numbers, email addresses, and insurance information.
  2. De-Identification: Only anonymized clinical data is transmitted to AI services. This includes protocol names, supplement names, biomarker names and ranges, exercise plan details, and nutrition plan information -- but never data that could identify the patient.
  3. Document Redaction: Uploaded lab PDFs are processed through AWS Textract and Comprehend Medical to automatically detect and redact PHI before any data extraction occurs. Redacted copies are stored separately in a secure S3 bucket.
  4. No AI Training: We use AI service providers whose API policies confirm that API inputs and outputs are not used to train their models. Your data does not become part of any AI training dataset.
  5. AI Coach Conversations: When patients use the "Ask Your Coach" feature, only de-identified protocol context is provided to the AI. Chat history is stored locally on the patient's device and is not permanently retained on our servers.

7. Data Retention

Account Data: Your account information and associated data are retained for as long as your account is active and you maintain an active subscription. If you cancel your subscription, your data is retained for 90 days to allow for reactivation, after which it is scheduled for deletion.

Patient Records: Patient health records, lab results, care plans, and clinical data are retained for as long as the practitioner's account is active. Practitioners may request deletion of individual patient records in accordance with applicable record retention laws.

AI Conversations: Patient AI coach chat history is stored locally on the patient's device for up to 7 days, after which it is automatically cleared. AI conversations are not permanently stored on our servers.

Backup and Recovery: Redacted lab documents are retained in a secure backup bucket for recovery purposes and are never deleted. Original uploaded documents may be retained in accordance with clinical record-keeping requirements.

Account Deletion: If you request account deletion, we will delete your data within 30 days, except where we are required by law to retain certain records (e.g., billing records, audit logs).


8. Your Rights

8a. All Users

Regardless of your location, you have the right to:

  • Access your data -- View your information through the platform at any time
  • Request correction -- Contact us to correct any inaccurate information
  • Request deletion -- Request that your account and associated data be deleted, subject to legal retention requirements
  • Withdraw consent -- Stop using optional features (such as the AI coach) at any time
  • Data portability -- Request a copy of your data in a commonly used, machine-readable format

8b. Patient Rights

If you are a patient whose data is managed on our platform by your practitioner, you additionally have the right to:

  • Access your health records -- Request access to your health data from your practitioner
  • Request amendments -- Ask your practitioner to amend inaccurate health information
  • Receive an accounting of disclosures -- Request information about how your PHI has been shared
  • Request restrictions -- Ask that we limit how your PHI is used or disclosed
  • Confidential communications -- Request that we communicate with you through alternative means or at alternative locations

To exercise patient rights related to your health records, please contact your practitioner directly. For platform-level requests, contact us using the information in Section 12.

8c. California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights, including:

  • Right to know -- You may request that we disclose the categories and specific pieces of personal information we have collected about you
  • Right to delete -- You may request deletion of your personal information, subject to certain exceptions
  • Right to opt out of sale -- We do not sell personal information, so this right is automatically honored
  • Right to non-discrimination -- We will not discriminate against you for exercising your CCPA rights

To submit a CCPA request, please contact us at drtom@simplefunctionalai.com. We will verify your identity before processing your request and respond within 45 days.


9. Cookies and Tracking

Our platform uses the following types of cookies:

  • Authentication cookies -- httpOnly, secure cookies that store session tokens (sfai_access_token, sfai_id_token, sfai_refresh_token) required for you to stay logged in. These are essential for the platform to function and cannot be disabled.
  • Preference cookies -- Used to remember your display preferences and settings within the platform.

We do not use third-party advertising cookies, tracking pixels, or social media trackers. We do not participate in cross-site tracking or retargeting. We do not use Google Analytics or similar third-party analytics platforms that track individual user behavior across websites.


10. Children's Privacy

Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at drtom@simplefunctionalai.com, and we will take steps to delete that information promptly.


11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make changes, we will update the "Last Updated" date at the top of this page. If we make material changes that affect how we handle PHI or significantly alter your rights, we will notify you by email or through a prominent notice on the platform at least 30 days before the changes take effect.

Your continued use of the Services after the updated Privacy Policy is posted constitutes your acceptance of the revised policy.


12. Contact Us

If you have questions about this Privacy Policy, your data, or your rights, please contact us:

Simple Functional AI

Email: drtom@simplefunctionalai.com

Website: simplefunctionalai.com

© 2026 Simple Functional AI. All rights reserved.