Privacy Policy

Draft — Pending Legal Review

This privacy policy is a draft and has not yet been reviewed by legal counsel. It is not yet effective.

Effective Date: [To be determined]

Introduction

Forthbridge, LLC ("Forthbridge," "we," "us," or "our") operates the Forthbridge OS platform, its applications, and its websites — including forthbridge.com, docs.forthbridge.ai, and forthbridge.ai. This Privacy Policy describes how Forthbridge collects, uses, and protects personal information across all of these services.

Protected Health Information

Protected Health Information (PHI) processed through the Forthbridge OS platform is governed by the Business Associate Agreement (BAA) in place for your organization — either directly with Forthbridge or through an authorized partner such as Atticus Health. Forthbridge acts as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA).

This Privacy Policy does not govern PHI. PHI is subject to the terms of the applicable BAA and HIPAA regulations. Details on PHI handling practices are available in our security documentation.

Information We Collect

From Platform Users

When providers, staff, or patients use Forthbridge OS applications, we collect:

  • Account information — Name, email address, phone number, and role, collected through the platform's self-hosted identity provider.
  • Usage data — Actions taken within the platform, features accessed, and interaction patterns.
  • Device information — Browser type, operating system, and device identifiers.
  • Session data — Login timestamps, session duration, and IP addresses.

From Website Visitors

When you visit our websites or submit forms, we may collect:

  • Contact information — Name, email address, company, and job title submitted through contact or demo request forms.
  • Analytics data — IP address, browser type, referring URL, and pages visited.

How We Use Your Information

We use the information we collect to:

  • Provide and operate the Forthbridge OS platform and its applications.
  • Authenticate users and enforce access controls.
  • Communicate about services, updates, and security notices (with opt-out for non-essential communications).
  • Improve platform functionality, user experience, and our products and services.
  • Develop new features and offerings.
  • Maintain security, detect anomalies, and prevent abuse.
  • Comply with legal obligations.
  • Create de-identified or aggregated data for product development.

Forthbridge does not use personal information for targeted advertising, profiling for automated decision-making, or sale to third parties.

How We Share Your Information

Forthbridge does not sell personal information. We do not sell or share personal information for cross-context behavioral advertising or targeted advertising as those terms are defined under applicable state privacy laws.

We may share information with:

  • Infrastructure providers — Under BAAs, solely to operate and secure the platform.
  • Analytics providers — Under BAAs (e.g., Snowflake), for platform analytics and reporting.
  • Authorized partner organizations — Such as Atticus Health, where your access to the platform is provided through a partner arrangement. Information shared with authorized partners is limited to what is necessary to administer your access and services.
  • As required by law — In response to valid legal process, court orders, or regulatory requirements.
  • In connection with a business transfer — If Forthbridge is involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction. We will provide notice before personal information becomes subject to a different privacy policy.

Data Security

Forthbridge implements layered security controls to protect personal information, including AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, audit logging, and continuous monitoring. All infrastructure is deployed on dedicated, HIPAA-compliant cloud resources in the United States. All personal information and Customer Data is stored and processed within the United States.

Breach Notification

In the event of a security breach affecting personal information, Forthbridge will:

  • Investigate and contain the incident promptly upon discovery.
  • Notify affected individuals, organizations, and regulators as required by applicable federal and state breach notification laws, including HIPAA (45 CFR Part 164, Subpart D).

Data Retention

Platform data is retained in accordance with HIPAA requirements and our data retention policies:

  • Clinical records — 7 years
  • Audit logs — 7 years
  • Application logs — 90 days
  • Session data — 30 days

After the applicable retention period expires, data is securely deleted or de-identified in accordance with NIST 800-88 guidelines.

Your Rights

The following information is provided to satisfy requirements under applicable state privacy laws, including those in California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other states with comprehensive privacy legislation. To the extent that personal information constitutes PHI governed by HIPAA, it is exempt from these state laws and the rights below apply only to non-PHI personal information.

Categories of Personal Information Collected. In the preceding twelve (12) months, we may have collected the following categories of personal information:

| Category | Examples | Source |
|---|---|---|
| Identifiers | Name, email address, phone number, IP address | Directly from you; automatically collected |
| Internet or network activity | Browser type, pages visited, features accessed, interaction patterns | Automatically collected |
| Professional or employment information | Job title, organization, role | Directly from you |
| Geolocation data | IP-derived approximate location | Automatically collected |
| Inferences | Usage patterns and preferences drawn from the above | Derived from collected data |

Your Rights. You may have the right to:

  • Access the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it.
  • Delete personal information we have collected from you, subject to legal retention requirements.
  • Correct inaccurate personal information.
  • Portability — Obtain a copy of your personal information in a portable and readily usable format.
  • Opt out of the sale of personal information, targeted advertising, or profiling (Forthbridge does not engage in these activities, but we honor opt-out requests if exercised).
  • Non-Discrimination — Forthbridge will not discriminate against you for exercising your privacy rights.

Patients may access and export their health records through the platform.

To exercise any of these rights, contact us at privacy@forthbridge.com. We will respond within forty-five (45) days. If we deny your request, we will explain the reason and provide instructions for appeal.

Universal Opt-Out Signals. Forthbridge honors Global Privacy Control (GPC) and similar browser-based opt-out signals as required by applicable state laws.

Children's Privacy

The Forthbridge OS platform is designed for healthcare organizations and is not directed at children under 13. We do not knowingly collect personal information from children under 13 outside of the healthcare context. If we become aware that we have collected personal information from a child under 13 outside of the healthcare context and without parental consent, we will promptly delete that information. The Patient App may be used by minors under parental or guardian supervision as part of their healthcare.

Cookies and Tracking

We use session cookies for authentication and platform operation. Our websites use self-hosted analytics — no tracking data is sent to third-party advertising networks. We do not use third-party advertising trackers. You may manage cookies through your browser settings.

The platform and documentation may contain links to third-party services. Forthbridge is not responsible for the privacy practices of third-party websites or services. We encourage you to review the privacy policies of any third-party services you access.

Changes to This Policy

We may update this Privacy Policy from time to time. We will provide at least thirty (30) days' advance notice of material changes through the platform and/or by posting the revised policy on our websites with the updated effective date. Non-material changes (such as typographical corrections or clarifications) may be made without advance notice. Your continued use of our services after the effective date of a revised policy constitutes acceptance of the updated policy.

Further Information

For technical details on how Forthbridge implements the security and privacy practices described in this policy, see our security documentation at docs.forthbridge.ai. The commitments in this Privacy Policy are not expanded or modified by the content of our technical documentation.

Contact

Forthbridge, LLC
Email: privacy@forthbridge.com
5718 Westheimer Rd Ste 1800
Houston, TX 77057

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us at the address above.