Privacy Policy

Last updated: March 20, 2026

1. Our Commitment to Privacy

IntakeFlow, a product of Sigla LLC ("we," "us," or "our"), is committed to protecting the privacy and security of all personal information and Protected Health Information (PHI) entrusted to us. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use our platform.

IntakeFlow is designed for use by Skilled Nursing Facilities (SNFs) and Long-Term Care (LTC) providers. We understand the sensitivity of healthcare data and comply with all applicable federal and state privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and state-specific healthcare privacy regulations.

2. Information We Collect

Information You Provide

  • Account information: name, email, phone number, facility name, role, state
  • Patient demographic data: names, dates of birth, Social Security numbers (last 4), addresses
  • Medical information: diagnoses, physician names, allergies, admission details
  • Insurance information: Medicare IDs, Medicaid IDs, insurance provider and policy numbers
  • Contact information: emergency contacts, Power of Attorney, family members
  • Electronic signatures and witness signatures
  • Waitlist referral data: referral sources, facility names, contact persons

Information Collected Automatically

  • IP address, browser type, operating system, device information
  • Pages visited, time spent, clickstream data
  • Session duration and activity timestamps (for audit logging)
  • Authentication events and access logs

3. How We Use Your Information

  • Provide, maintain, and improve the IntakeFlow platform
  • Process admissions, generate forms, and facilitate e-signatures
  • Manage waitlist referrals and bed availability notifications
  • Generate PDF admission packets and compliance reports
  • Maintain HIPAA-compliant audit logs of all PHI access
  • Send transactional communications (signing links, notifications)
  • Enforce session timeouts and security measures
  • Respond to legal requests and prevent fraud

4. Protected Health Information (PHI)

IntakeFlow processes PHI on behalf of covered entities (SNFs and LTC facilities) as a Business Associate under HIPAA. We:

  • Execute Business Associate Agreements (BAAs) with all covered entity customers
  • Encrypt all PHI at rest using AES-256 encryption
  • Encrypt all PHI in transit using TLS 1.2 or higher
  • Implement role-based access controls with facility-level isolation
  • Maintain comprehensive audit logs of all PHI access and modifications
  • Enforce automatic session timeouts after 15 minutes of inactivity
  • Do not use or disclose PHI except as permitted by the BAA and applicable law

5. Data Sharing

We do not sell personal information or PHI. We may share information with:

  • Service providers: Infrastructure and hosting partners bound by confidentiality agreements and BAAs where applicable (e.g., Supabase for database hosting)
  • Authorized signers: Remote signing links share limited patient information necessary for the signing process
  • Legal requirements: When required by law, court order, or government investigation
  • Business transfers: In the event of a merger, acquisition, or sale, with appropriate notice and continued privacy protections

6. Data Security

We implement reasonable and appropriate administrative, technical, and physical safeguards to protect information, including:

  • AES-256 encryption for data at rest
  • TLS 1.2+ encryption for data in transit
  • Row-level security (RLS) for multi-tenant facility isolation
  • Automatic session timeout after 15 minutes of inactivity
  • HTTP security headers: Strict-Transport-Security (HSTS), X-Frame-Options, Content-Security-Policy (CSP), X-Content-Type-Options
  • HIPAA-compliant audit logging of all data access
  • Signing session expiry (72 hours) for remote signing links
  • Input validation and sanitization on all API endpoints

No system can guarantee 100% security. As a Business Associate, we will notify the affected covered entity of any breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery, as required by the HIPAA Breach Notification Rule, and will notify individuals and regulators where the BAA or applicable state breach notification laws require us to do so.

7. Data Retention

We retain personal information and PHI for as long as necessary to fulfill the purposes outlined in this policy, comply with legal obligations, resolve disputes, and enforce agreements. HIPAA requires that compliance documentation, including audit logs, be retained for at least 6 years; patient record retention periods are set by state healthcare record retention law and are often longer, and we retain patient records and audit logs for whichever period applies. Upon termination of a customer account, we will delete or return PHI as directed and in accordance with the BAA.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access your personal information
  • Request correction of inaccurate data
  • Request deletion of your data (subject to legal retention requirements)
  • Opt out of marketing communications
  • Receive an accounting of PHI disclosures
  • File a complaint with HHS Office for Civil Rights

Patient rights regarding PHI are governed by HIPAA and exercised through the covered entity (your facility), not directly through IntakeFlow.

9. Cookies

We use essential cookies for authentication and session management only. We do not use advertising or tracking cookies. Session cookies are encrypted and are invalidated on logout or after the 15-minute inactivity timeout.

10. Children's Privacy

IntakeFlow is not intended for use by individuals under 13 years of age. We do not knowingly collect information from children under 13.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes by posting the updated policy on our website and updating the "Last updated" date. Continued use of IntakeFlow after changes constitutes acceptance of the revised policy.

12. Contact Us

For questions about this Privacy Policy or our data practices:

Sigla LLC

Email: contact@siglallc.com

Website: siglallc.com