Privacy Policy
Last Updated: November 12, 2025
Effective Date: November 12, 2025
Dabbler LLC ("we," "us," or "our") operates the Routo platform ("Service"), a web-based application and browser extension designed for Arizona Non-Emergency Medical Transportation (NEMT) providers. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
1. INFORMATION WE COLLECT
1.1 Information You Provide
When you register for and use Routo, we collect:
- Account Information: Name, email address, phone number, company name, and business address
- Business Information: Provider identification numbers, business registration details
- Protected Health Information (PHI): Patient names, AHCCCS IDs, dates of birth, service dates, trip details (pickup/dropoff locations, mileage, number of trips), billing information, and insurance information
1.2 Information Automatically Collected
- Usage Data: Log files, IP addresses, browser type, device information, pages visited, time spent on pages
- Technical Data: Cookies, session data, authentication tokens
- Extension Data: Information collected by our Chrome browser extension when used to automate form filling
1.3 Information from Third Parties
- Authentication Providers: If you sign in using third-party authentication services
- Subcontractors: Data processed by our cloud hosting provider (Supabase) in accordance with our Business Associate Agreement
2. HOW WE USE YOUR INFORMATION
We use the information we collect to:
- Provide Services: Operate the Routo platform, process trip logs, automate form submissions, and generate reports
- Account Management: Create and manage your account, authenticate users, process payments
- Communication: Send service-related notifications, respond to inquiries, provide customer support
- Compliance: Comply with legal obligations, enforce our Terms of Service, protect our rights
- Improvement: Analyze usage patterns to improve our Service (using de-identified data where possible)
- Security: Detect and prevent fraud, security threats, and unauthorized access
3. HOW WE DISCLOSE YOUR INFORMATION
3.1 Permitted Disclosures
We may disclose your information:
- To Your Organization: Information is accessible to authorized members of your provider organization
- To Subcontractors: We use Supabase for cloud hosting and database services. Supabase has executed a Business Associate Agreement with us and is contractually obligated to protect PHI
- As Required by Law: When required by law, court order, or government regulation
- For Legal Protection: To protect our rights, property, or safety, or that of our users or others
- With Your Consent: When you explicitly authorize disclosure
3.2 We Do Not Sell Your Information
We do not sell, rent, or trade your PHI or personal information to third parties for marketing purposes.
4. PROTECTED HEALTH INFORMATION (PHI)
4.1 HIPAA Compliance
As a Business Associate, we are required to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). We have implemented administrative, physical, and technical safeguards to protect PHI, including:
- Encryption: Data encrypted at rest and in transit using industry-standard encryption
- Access Controls: Role-based access controls and authentication requirements
- Audit Logging: Comprehensive logging of all PHI access and modifications
- Row Level Security: Database-level security policies preventing unauthorized access
- Employee Training: Regular training on HIPAA requirements and PHI handling
- Risk Assessments: Regular security assessments and vulnerability testing
4.2 Business Associate Agreements
We enter into Business Associate Agreements (BAAs) with all providers who use our Service. These agreements establish the permitted uses and disclosures of PHI and our obligations to protect it.
5. YOUR RIGHTS AND CHOICES
5.1 Access and Correction
You have the right to:
- Access: Request access to your PHI maintained by us
- Correction: Request correction of inaccurate or incomplete PHI
- Deletion: Request deletion of your account and associated data (subject to legal retention requirements)
5.2 Account Settings
You can update your account information and preferences through your account settings in the Service.
5.3 Opt-Out
You may opt out of non-essential communications by updating your notification preferences or contacting us.
5.4 Data Portability
You may request a copy of your data in a portable format by contacting us.
6. DATA SECURITY
We implement industry-standard security measures to protect your information:
- Encryption: All data encrypted in transit (HTTPS/TLS) and at rest
- Access Controls: Multi-factor authentication available, role-based access controls
- Monitoring: Continuous security monitoring and threat detection
- Incident Response: Procedures for responding to security incidents
- Regular Audits: Regular security audits and assessments
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.
7. DATA RETENTION
We retain your information in accordance with our Data Retention Policy, which complies with HIPAA requirements and applicable laws. Generally, we retain information for as long as:
- Your account is active
- Necessary to provide our Service
- Required by law or our Business Associate Agreements (typically 7 years after account termination)
- Necessary to resolve disputes or enforce our agreements
Protected Health Information (PHI): We retain PHI for 7 years after account termination, as required by HIPAA and our Business Associate Agreements. Upon account termination, we will return or destroy PHI in accordance with our Business Associate Agreements and applicable law, typically within 30 days of termination.
Audit Logs: We retain audit logs of PHI access and modifications for 7 years to comply with HIPAA audit requirements.
For detailed information about our data retention practices, please contact us or refer to our Data Retention Policy.
8. CHILDREN'S PRIVACY
Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
9. INTERNATIONAL DATA TRANSFERS
All PHI and personal information is stored and processed within the United States. We do not transfer PHI outside the United States.
10. BREACH NOTIFICATION
In the event of a breach of unsecured PHI, we will:
- Notify affected providers within 72 hours of discovery
- Provide details about the breach, including types of PHI involved and mitigation steps
- Comply with all applicable breach notification requirements under HIPAA and state law
- Follow our comprehensive Breach Response Plan to ensure proper handling and notification
Our Breach Response Plan outlines detailed procedures for breach detection, investigation, notification, and remediation. If you have questions about our breach response procedures, please contact our Privacy Officer.
11. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the new Privacy Policy on this page
- Updating the "Last Updated" date
- Sending you an email notification (for significant changes)
- Displaying a notice in the Service
Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.
12. THIRD-PARTY LINKS
Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.
13. CALIFORNIA PRIVACY RIGHTS
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect and the right to request deletion of your personal information. To exercise these rights, please contact us using the information below.
14. CONTACT US
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Dabbler LLC
12316 28th Ave NE
Seattle, WA 98125
Email: team@routo.app
Phone: 520-850-5021
Privacy Officer: Moaz Elhag, Compliance Manager
15. COMPLAINTS
If you believe we have violated your privacy rights, you may file a complaint with:
- Us: Contact us using the information above
- U.S. Department of Health and Human Services: Office for Civil Rights
  - Website: https://www.hhs.gov/hipaa/filing-a-complaint
  - Phone: 1-800-368-1019
We will not retaliate against you for filing a complaint.
This Privacy Policy is effective as of the date listed above and applies to all users of the Routo platform.