Privacy Policy

Effective Date: April 1, 2026

Overview

Rooted Maternal Wellness LLC d/b/a LactaRoute (“LactaRoute,” “we,” “our”) provides practice management software for lactation consultants and maternal health providers. This Privacy Policy describes how we collect, use, and protect information in connection with our platform.

LactaRoute operates as a Business Associate under HIPAA with respect to Protected Health Information (PHI) processed on behalf of provider accounts. Our handling of PHI is governed by our Business Associate Agreement.

1. Information We Collect

From Providers and Practice Accounts:

  • Account registration information (name, email, professional credentials, NPI)
  • Practice information (practice name, address, tax ID, billing NPI)
  • Payment information (processed and stored by Stripe — we do not store raw card data)
  • Integration credentials (API keys for third-party services, stored encrypted)
  • Usage data and activity logs within the platform

Protected Health Information (PHI) — Processed on Behalf of Providers:

  • Client demographic information (names, addresses, dates of birth, contact information)
  • Clinical documentation (SOAP notes, encounter records, care plans)
  • Appointment and scheduling data
  • Insurance information and billing records (superbills, claim data)
  • Audio recordings submitted for AI transcription

Automatically Collected:

  • Log data (IP addresses, browser type, pages accessed, timestamps)
  • Cookies and session tokens necessary for platform operation

2. How We Use Information

We use provider account information to:

  • Provide, maintain, and improve the LactaRoute platform
  • Process subscription payments and send billing communications
  • Send service-related communications (updates, security alerts, support)
  • Comply with legal obligations

We use PHI only as directed by the provider and as permitted under our BAA and HIPAA, including to:

  • Display and store clinical records within the provider's account
  • Generate superbills, insurance claims, and care plan documents
  • Transmit appointment confirmations and care plans to clients (when the provider initiates the transmission)
  • Process AI transcription of audio submitted by the provider

3. How We Share Information

We do not sell personal information or PHI to third parties. We share information only:

  • With service providers acting as our subcontractors (hosting, database, email, AI transcription) under data processing agreements that restrict their use of the data.
  • With the provider's authorized integrations (e.g., Office Ally for claim submission, Google Calendar for appointment sync, Spruce for SMS) as directed by the provider.
  • As required by law, including in response to lawful court orders, subpoenas, or government requests.
  • In connection with a business transfer (merger, acquisition, or asset sale), with appropriate notice and continued protections for PHI.

4. Data Security

We implement the following security measures:

  • All data is encrypted in transit using TLS 1.2 or higher.
  • PHI and sensitive credentials are encrypted at rest using AES-256-GCM.
  • Access to production systems is restricted to authorized personnel.
  • Provider accounts are protected by authentication controls (AWS Cognito).
  • The platform is hosted on AWS, on SOC 2 Type II certified infrastructure.
  • We conduct periodic security reviews and vulnerability assessments.

No system is 100% secure. In the event of a breach affecting your PHI, we will notify you as required by HIPAA (within 60 days of discovery) and applicable state law.

5. Data Retention

  • Active account data is retained for as long as your subscription is active.
  • After account termination, data is retained for 90 days to allow export, then deleted.
  • Certain records may be retained longer as required by applicable law (e.g., billing records).
  • Audio files submitted for AI transcription are processed and not stored long-term by LactaRoute.

6. Third-Party Services

LactaRoute integrates with the following third-party services. Their privacy practices govern data they independently receive:

  • Amazon Web Services (AWS) — cloud hosting and infrastructure
  • Stripe — payment processing
  • Google — calendar integration and OAuth authentication
  • AWS Transcribe / Whisper — AI audio transcription (when AI scribe is used)
  • Anthropic (Claude) — AI clinical note generation from transcribed text
  • Office Ally — insurance claim submission via SFTP
  • IntakeQ — intake forms and appointment mirroring
  • Spruce Health — HIPAA-compliant SMS messaging
  • Availity — insurance eligibility verification

7. Your Rights

Providers: You may access, correct, or delete your account information by contacting us. You may export your clinical data from within the platform. You may request deletion of your account and associated data at any time.

Clients (patients of providers): Requests to access or correct your health records should be directed to your healthcare provider, who controls that information within their LactaRoute account. LactaRoute will assist providers in responding to such requests as required by HIPAA.

8. State-Specific Rights

New Jersey Residents: Under the New Jersey Identity Theft Prevention Act (N.J.S.A. 56:11-44 et seq.), you have the right to be notified in the event of a breach of security involving your personal information. LactaRoute will provide such notification as required by applicable law.

California Residents: If the California Consumer Privacy Act (CCPA) applies to you, you may have additional rights regarding your personal information, including the right to know, delete, and opt out of the sale of personal information. LactaRoute does not sell personal information. Contact us at the email below to exercise your rights.

9. Children's Privacy

LactaRoute is not directed to individuals under 18. While the platform stores infant health data as part of maternal-infant care records, this data is entered by and under the control of the licensed provider, consistent with their clinical obligations.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before the change takes effect. Continued use of LactaRoute after that date constitutes acceptance of the updated policy.

11. Data Protection Officer

Our Data Protection Officer (DPO) can be contacted for any privacy-related questions, data subject requests, or compliance inquiries:

DPO / Privacy Officer: privacy@rootedmaternalwellness.com

This designation is made per GDPR Article 37 and PIPEDA Principle 1 (Accountability).

12. Lawful Basis for Processing (GDPR)

We process personal data under the following lawful bases per GDPR Article 6:

  • Contract performance: Processing necessary to provide the scheduling, charting, and billing services you signed up for.
  • Legal obligation: Retaining clinical and billing records as required by HIPAA, state licensing boards, and tax regulations.
  • Consent: Analytics cookies, marketing communications, and AI-assisted features (scribe) — each requiring explicit opt-in.
  • Legitimate interest: Security monitoring, fraud prevention, and service improvement analytics (anonymized).

13. Data Retention Periods

We retain data for the minimum period necessary per category:

  • Clinical records (encounters, assessments): 7 years (84 months) — HIPAA minimum.
  • Billing records (superbills, claims): 7 years (84 months) — IRS + HIPAA.
  • Messages: 3 years (36 months).
  • Analytics / audit logs: 2 years (24 months).
  • Cookie consent records: 2 years.

Practice administrators may configure shorter or longer retention periods in their compliance settings. An automated purge runs weekly.

14. Contact Us

General inquiries: info@rootedmaternalwellness.com

Rooted Maternal Wellness LLC d/b/a LactaRoute
New Jersey, United States

Last updated: April 1, 2026