Privacy Policy
This Guide Diagnostics, Inc. Privacy Policy document is supplied in beta / preview form for limited internal evaluation and is subject to substantial change after further legal review.
Effective Date: July 1, 2025
Last Updated: July 8, 2025
A. Who and What This Policy Covers
This Privacy Policy explains how Guide Diagnostics, Inc. ("Guide," "we," "us," or "our") collects, uses, shares, and safeguards "Personal Data" through our Guide Care platform when you:
- visit any website that links to this Policy (including guide.care and any sub‑domains);
- use our software‑as‑a‑service platform or mobile applications (collectively, the "Services"); or
- communicate with us in any way (email, phone, events, social media, etc.).
We adopt a privacy‑first architecture—treating data protection as a design requirement, not an afterthought—because we view exceptional privacy stewardship as a core competitive advantage that sets Guide Care apart.
Our promise: We operate on a strict "never sell, never share" principle—your Personal Data is never sold, and it is shared only in the limited circumstances described in this Policy.
B. Special Categories That Are Not Covered Here
| Category | Where to Look |
|---|---|
| Protected Health Information (PHI) we handle as a HIPAA "covered entity" or "business associate." | See our separate Notice of Privacy Practices. |
| Employee & contractor data collected for HR purposes. | See our Internal Workforce Privacy Notice. |
| Third‑party sites or services you reach from links on our platform. | Those sites' own privacy policies apply. |
C. Contacting Us
| Purpose | How |
|---|---|
| General privacy questions | [email protected] |
| GDPR or UK GDPR rights requests | Email subject line: "GDPR Data Request" |
| Children's privacy concerns | Email subject line: "Children's Privacy Request" |
| Mailing address | Guide Diagnostics, Inc. – Privacy Office, 999 Peachtree St. NE, Suite 400, Atlanta, GA 30309, USA |
1. Data We Collect
| Category | Examples | Source |
|---|---|---|
| Identity & Contact | Name, email, phone, company, job title | You / your employer |
| Account | Username, hashed password, role, preferences | You |
| Usage & Device | Pages viewed, features used, IP address, browser, OS, device ID | Automatic (cookies, SDKs, server logs) |
| Professional | Résumé details if you apply for a job | You or recruiters |
| Health | PHI only when strictly necessary for the clinical features of our Services | You, your provider |
| In‑product Communications | Messages, notes, attachments you upload to the platform | You / your organization |
We may combine information from these sources to operate the Services, but never to sell it or to advertise to third parties.
2. Why We Process Your Data & Our Legal Bases
| Purpose | Legal Basis (GDPR/UK GDPR) |
|---|---|
| Provide, secure, and support the Services | Contract (Art. 6 (1)(b)) |
| Manage accounts, billing, and transactions | Contract |
| Protect the platform from fraud, abuse, or security threats | Legitimate Interests (Art. 6 (1)(f)) |
| Improve and develop features (aggregated, de‑identified analytics) | Legitimate Interests |
| Comply with HIPAA, GDPR, CCPA/CPRA, and other laws | Legal Obligation (Art. 6 (1)(c)) |
| Send optional product updates or surveys | Consent (Art. 6 (1)(a)); you may withdraw any time |
We do not engage in automated decision‑making that produces legal or similarly significant effects without human review (Art. 22 GDPR).
3. How We Share Information
We never sell your data. We share it only:
- With service providers under strict written contracts (cloud hosting, email delivery, security, analytics limited to aggregated/non‑identifying data).
- For legal reasons – if required by a valid subpoena, court order, or to protect rights, property, or safety.
- For corporate transactions – if we merge, acquire, or sell assets, data will transfer subject to this Policy or an equally protective one.
All vendors undergo security and privacy due‑diligence and are bound by confidentiality, data‑protection, and HIPAA Business Associate Agreements where applicable.
4. International Transfers
- We host primary production systems in the United States.
- When we transfer Personal Data out of the EEA/UK/Switzerland, we rely on:
  - Adequacy decisions (e.g., EU–U.S. Data Privacy Framework), or
  - Standard Contractual Clauses (SCCs) approved by the European Commission / UK ICO.
- You consent to these transfers when you use our Services outside the U.S.
5. Retention
| Data Type | Retention Period |
|---|---|
| Account & Transaction Records | Life of account + 7 years (standard audit & tax period) |
| PHI & clinical records | 6 years from the date of creation or last use (HIPAA) |
| Security & access logs | 12 months unless we need them longer for an active investigation |
| Marketing email lists | Until you opt‑out or after 24 months of inactivity |
| Job applicant records | 24 months (or longer if legally required) |
When data is no longer needed, we securely delete or anonymize it.
6. Your Privacy Rights
| Jurisdiction | Rights You Have | How to Exercise |
|---|---|---|
| EU/EEA & UK (GDPR/UK GDPR) | Access, Rectification, Erasure, Restriction, Portability, Objection, Withdraw Consent, Lodge Complaint with your DPA | Email [email protected] |
| California (CCPA/CPRA) | Know, Delete, Correct, Opt‑Out of "sharing" (we don't share for cross‑context ads), Limit Sensitive Data use | Email or submit via in‑product request form |
| Virginia, Colorado, Connecticut, Utah, Indiana, Tennessee, Texas (2024‑2025 state laws) | Similar rights to access, delete, and opt‑out | Same as above |
| All users | Opt‑out of marketing emails at any time | Unsubscribe link or email |
We verify identity before fulfilling requests and respond within 30 days (may extend to 90 days for complex cases, with notice).
7. Cookies & Similar Technologies
| Type | Purpose | Control |
|---|---|---|
| Essential | Login, session management, security | Cannot be disabled without losing access to the Services |
| Functional | Remember preferences | Browser settings |
| Analytics (aggregate only) | Improve performance & features; no profiling or ads | Opt‑out link in cookie banner |
We do not use marketing, targeted‑advertising, or third‑party social‑media pixels.
Our systems currently ignore "Do Not Track" signals because no consistent industry standard exists.
8. Data Security
- Encryption – TLS 1.2+ in transit; AES‑256 at rest.
- Isolated Tenants – Each organization's data stored in logically‑separate databases; no commingling.
- Least‑privilege Access – Role‑based permissions, MFA for employees.
- Continuous Monitoring – Automated threat detection and 24/7 incident response.
- Independent Audits – Annual SOC 2 (Type II) and HIPAA security assessments.
- Security Awareness Training – All workforce members trained at hire and annually.
If we experience a data breach that creates risk of harm, we will notify affected individuals and regulators within the timelines required by law (e.g., HIPAA: 60 days; GDPR: 72 hours).
9. Children's Privacy
The Services are not intended for children under 16. We never knowingly collect Personal Data from anyone under that age without verifiable parental consent. Contact us immediately if you think a minor has provided data in error.
10. Changes to This Policy
We may update this Policy to reflect changes in law or our practices. If we make material changes, we will:
- Post the new version at guide.care/privacy with a new "Last Updated" date.
- Email or in‑app notify account owners at least 30 days before the change takes effect, unless a shorter period is required by law or for urgent security reasons.
Continued use of the Services after the effective date means you accept the revised Policy.
11. Glossary (Plain‑Language Quick Guide)
| Term | What It Means |
|---|---|
| Personal Data / Personal Information | Any information that identifies, relates to, describes, or could reasonably be linked to an individual. |
| PHI | A subset of Personal Data regulated by HIPAA when it relates to past, present, or future health or payment for care. |
| Processing | Any action performed on Personal Data (collecting, storing, using, sharing, deleting, etc.). |
| Controller / Business | The entity that decides why and how Personal Data is processed (that's Guide Care when we serve customers directly). |
| Processor / Service Provider | A third party that processes data solely on instructions from the Controller (our cloud vendors, email providers, etc.). |
Still Have Questions?
Email [email protected] and our Privacy Team will be happy to help.