Privacy Policy

1. Who We Are

Fonx Solutions LLC ("Fonx Solutions," "we," "us," or "our") is a managed services firm providing comprehensive operations management services to independent healthcare practices in Maryland, Virginia, and Washington D.C.

If you have any questions about this Privacy Policy, please contact us at:

Email: info@fonxsolutions.com
Phone: 301-276-5940

2. Information We Collect

We collect information you voluntarily provide to us through our website, including through our contact forms, consultation request forms, and demo request forms. This may include:

• First and last name
• Practice or organization name
• Email address
• Phone number
• Practice specialty
• Any additional information you include in message fields

We do not collect sensitive health information, patient data, financial account numbers, or Social Security numbers through this website.

3. How We Use Your Information

We use the information you provide solely to:

• Respond to your consultation or demo requests
• Communicate with you about our services
• Schedule and conduct consultations
• Follow up regarding your inquiry

We will not use your contact information to add you to any marketing lists without your explicit consent.

4. How We Share Your Information

We do not sell, rent, trade, or otherwise transfer your personal information to third parties. We may share your information only in the following limited circumstances:

• Service providers: Trusted vendors who assist us in operating our website or conducting our business, provided they agree to keep your information confidential
• Legal requirements: If required by law, regulation, or legal process
• Business protection: To protect the rights, property, or safety of Fonx Solutions, our clients, or others

5. HIPAA Notice

Fonx Solutions is committed to HIPAA-compliant operations. This website does not collect, store, or transmit any Protected Health Information (PHI). If you are an existing client and need to share PHI with us, please use the secure channels established during your onboarding process — do not submit PHI through website forms.

When providing managed services, Fonx Solutions operates as a Business Associate (not a Covered Entity) under HIPAA. A signed Business Associate Agreement (BAA) is required before any PHI-adjacent data may be stored or processed on the Fonx Intelligence Platform. See our Business Associate Agreement template.

5A. Platform Data (Fonx Intelligence Dashboard)

This section applies only to credentialed users who access the Fonx Intelligence Platform (the "Platform" or "Dashboard") — not to general visitors of the fonxsolutions.com marketing website.

What the Platform collects and stores:

• Practice financial data: Profit & loss summaries, operating margins, cash position, and revenue cycle metrics entered by or on behalf of the practice. Stored in Google Firestore under the practice's account.
• A/R and billing metrics: Collection rate, denial rate, days in A/R, and payer performance data at the aggregate/practice level — not tied to individual patients.
• Aggregate patient operations data: Visit counts, no-show rates, new patient percentages, and similar operational metrics. Individual patient names, dates of birth, diagnoses, SSNs, insurance member IDs, and other directly identifying patient information are not collected by the Platform and must not be entered.
• Web analytics (client portal): Page load events, section navigation events, and error events logged through the Platform's internal analytics system. These events are tied to authenticated user sessions, not to individual patients.
• Lead and pipeline data: For practices in the Foundation and Operational tiers, marketing lead data may be surfaced in the Platform via HubSpot and Mailchimp integrations. This data relates to prospective patient or referral contacts, not current patients, and is subject to the applicable integration vendor's privacy policies.
• User account records: Firebase Authentication records (email address, hashed password, Google OAuth tokens where applicable), user profile data (name, role, assigned practice), and session activity logs retained for security and audit purposes.
• Audit logs: Every data edit made through the Platform is recorded in an append-only audit log (who changed what, when, before and after values). Audit log entries are retained within Firestore for operational and compliance purposes.

How Platform data is used: Platform data is used solely to provide the Services described in the applicable Service Agreement — including generating reports, surfacing alerts, enabling AI-assisted summaries, and allowing Fonx staff to manage client accounts. Platform data is not used for advertising, sold to third parties, or used to train machine learning models by Fonx Solutions.

Data residency: Platform data is stored in Google Cloud (Firebase / Firestore), US region. See Google's data residency documentation at cloud.google.com/about/locations.

Data retention: Client platform data is retained for the duration of the active Service Agreement plus a post-termination period as specified in the Service Agreement and BAA (typically 60 days for return or destruction upon request). Audit logs may be retained longer as required by applicable law or contractual obligation.

5B. AI Processing (Donna / Anthropic Claude)

The Platform includes an AI-assisted summary and insight feature ("Donna") powered by the Anthropic Claude API. The following disclosures apply to AI processing:

• API key ownership: AI features are invoked using the practice's own Anthropic API key (configured per client during onboarding) or a Fonx-managed key, depending on service tier. Fonx Solutions does not store or have access to client-provided Anthropic API keys beyond the encrypted runtime environment.
• Data sent to Anthropic: Donna sends structured, aggregate operational and financial metrics to the Anthropic API to generate practice-level executive summaries. Fonx Solutions' data handling policies expressly prohibit sending individual patient identifiers, PHI, or any personally identifying information to the Anthropic API. Summaries are generated from the same aggregate metrics displayed on the Dashboard.
• Anthropic's data handling: Anthropic processes API inputs under its own Privacy Policy and Usage Policy. Fonx Solutions does not control Anthropic's data handling practices. Clients should review Anthropic's policies. A data processing agreement with Anthropic is required before any PHI-adjacent data may be processed by the AI feature.
• AI outputs: AI-generated summaries are displayed in the Dashboard and are not independently stored by Fonx Solutions beyond normal audit log retention. They are not used to train Anthropic's or Fonx's models.
• No automated decisions: AI-generated summaries are informational only. No automated decisions with legal or clinical effect are made by or through the AI feature.

5C. Sub-Processors

Fonx Solutions engages the following third-party sub-processors in connection with the Platform and Services. Each sub-processor is subject to contractual data protection obligations. Clients requiring sub-processor BAAs for HIPAA compliance should review Section 5 and consult the applicable vendor documentation before onboarding under a Managed tier engagement.

• Google Firebase / Google Cloud — Authentication, database (Firestore), cloud functions, and hosting. Google Cloud BAA available. Data subject to Google Privacy Policy.
• SendGrid (Twilio) — Transactional email delivery (digest reports, invitations, alert notifications). Recipient email addresses and limited practice metadata are processed. HIPAA-compliant plan required before PHI-adjacent email processing. SendGrid Security.
• Anthropic — AI-powered summaries via the Claude API. Aggregate operational data only; no PHI. See Section 5B above. Anthropic Privacy Policy.
• Intuit QuickBooks — Financial data integration (P&L, cash position). Financial data only; no patient PHI. Subject to Intuit Privacy Statement.
• Google Analytics 4 — Web traffic analytics for the fonxsolutions.com marketing website only. GA4 is not loaded on any client portal or dashboard page. Subject to Google Privacy Policy.
• Mailchimp (Intuit) — Marketing and lead pipeline data for prospective client outreach. Lead contact information only; no patient PHI. HIPAA BAA required if used in connection with a PHI-adjacent workflow. Mailchimp Privacy Policy.
• HubSpot — CRM and lead pipeline management. Lead contact and deal-stage data; no patient PHI. HIPAA BAA required at Enterprise tier. HubSpot Privacy Policy.

6. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. Our website is served over HTTPS encryption. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

7. Data Retention

We retain your contact information for as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by law. If you request that we delete your information, we will do so promptly unless we are required by law to retain it.

8. Your Rights

You have the right to:

• Request access to the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your personal information
• Opt out of any future communications from us

To exercise any of these rights, please contact us at info@fonxsolutions.com or call us at 301-276-5940.

9. Cookies & Tracking

Our website may use basic browser cookies to ensure functionality and improve your experience. We do not currently use third-party advertising or tracking cookies. If this changes, we will update this policy accordingly.

Platform-specific cookies and client-side storage: If you are a credentialed Platform user, the following additional client-side storage mechanisms apply:

• Firebase Authentication cookies: When you log in to the Fonx Intelligence Platform, Firebase Auth sets a session cookie and stores an ID token and refresh token in your browser's localStorage. These are used exclusively to authenticate your session and are not used for advertising or cross-site tracking. The ID token expires after one (1) hour; the refresh token persists until revoked. The Platform enforces a 30-minute inactivity auto-logout independent of the Firebase token lifecycle.
• Platform sessionStorage / localStorage cache: The Platform may cache non-PHI operational data (such as client lists and dashboard state) in sessionStorage or localStorage to improve performance across page loads. This data is cleared on logout and is not transmitted to third-party advertising networks. Fonx Solutions' data handling policies prohibit caching any field-level PHI in browser storage.
• Google Analytics 4: The marketing website (fonxsolutions.com) uses Google Analytics 4 to collect aggregate traffic data (pages visited, session duration, geographic region). GA4 sets first-party analytics cookies. No GA4 tracking is present on any page of the authenticated client portal or dashboard. You may opt out of GA4 tracking by using the Google Analytics Opt-out Browser Add-on.

10. Third-Party Links

Our website may contain links to third-party websites (such as LinkedIn). We are not responsible for the privacy practices or content of those sites. We encourage you to review the privacy policies of any third-party sites you visit.

11. Children's Privacy

Our website is intended for healthcare practice professionals and is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. We encourage you to review this policy periodically.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Fonx Solutions LLC
Email: info@fonxsolutions.com
Phone: 301-276-5940
Service Area: Maryland · Virginia · Washington D.C.