Admin Privacy Policy

This Privacy Policy explains how Healplace.com, Inc. ("Healplace," "we," "our," or "us") collects, uses, stores, and protects information relating to users of the Cardioplace admin platform ("Cardioplace"). Cardioplace is a clinical monitoring and escalation platform operated by Healplace.com, Inc.

This policy applies to clinicians, nurses, medical directors, care coordinators, administrators, and authorized operations personnel who access the Cardioplace admin platform.

This policy supplements, and does not replace:

• Any participation agreement between Healplace and your organization.
• Any applicable Business Associate Agreement ("BAA").
• Your organization's HIPAA and privacy policies.

• Identity Information — name, work email address, organization and assigned practice, professional role and permissions.
• Authentication and Security Information — sign-in method, device identifiers, IP address, browser and user-agent data, session timestamps, timezone and approximate region.
• Operational and Audit Information — patient records accessed, alerts acknowledged or resolved, threshold modifications, medication verifications, chat and call activity, escalation actions, profile updates, administrative actions.
• System and Support Information — error logs, system diagnostics, session duration, technical support records.

• Authenticate and authorize access.
• Deliver clinical alerting and escalation workflows.
• Maintain legally required audit trails.
• Support patient-safety review and compliance obligations.
• Investigate security incidents and suspected misuse.
• Maintain system reliability and operational integrity.
• Improve the platform using de-identified and aggregated information only.

Cardioplace maintains immutable audit records of actions performed within the platform. Audit trails are required for:

• HIPAA compliance.
• Joint Commission review.
• Patient-safety investigation.
• Clinical accountability.

Audit records may include:

• User actions.
• Alert resolutions.
• Escalation timestamps.
• Access events.
• Communication activity.

Audit logs cannot be edited or deleted by end users.

Your activity may be accessible to:

• Your organization's authorized administrators.
• Privacy and compliance personnel.
• Authorized Healplace support and security personnel on a strict need-to-know basis.
• Government regulators or legal authorities where required by law.

We do not sell personal information and do not use admin activity information for advertising or marketing.

• Encryption in transit using HTTPS/TLS.
• Encryption at rest.
• Role-based access controls.
• Session monitoring.
• Access logging.
• Least-privilege operational access.

• As required by HIPAA and applicable law.
• In accordance with organizational retention policies.
• As necessary for patient-safety review, compliance, legal obligations, and operational integrity.

Security logs are generally retained for at least 90 days and longer where required for investigation or compliance.

Users may access Cardioplace only on devices permitted under their organization's security policies. Shared, unmanaged, or public devices should not be used to access patient information.

Subject to legal and operational limitations, you may:

• Access your profile information.
• Request correction of inaccurate information.
• Request a copy of audit records associated with your account.
• Request account deactivation through your organization.

Requests may be submitted to privacy@healplace.com.

If a security incident affecting your information or accessible patient information occurs, Healplace will provide notification consistent with HIPAA breach notification requirements and applicable law.

We may update this policy periodically. Material changes will be communicated through the platform or by email.