formisoft

Privacy Policy

Last updated: February 2026

1. Introduction

Formisoft (“we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our patient intake platform.

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, and organization details.

Patient Data

When healthcare providers use Formisoft to collect patient information, that data is stored on behalf of the provider (the “covered entity”). We act as a business associate and process this data only as directed by the provider.

Usage Data

We automatically collect information about how you interact with our platform, including pages visited, features used, and form completion rates.

3. How We Use Your Information

  • To provide and maintain our patient intake platform
  • To process form submissions on behalf of healthcare providers
  • To send transactional emails (intake links, notifications)
  • To improve our platform and develop new features
  • To provide customer support
  • To comply with legal obligations

4. Data Security & Residency

We implement appropriate technical and organizational measures to protect personal data, including encryption at rest and in transit (AES-256 and TLS 1.3), role-based access controls, audit logging, and regular security assessments.

All data is stored and processed exclusively within the United States on AWS infrastructure. Your data never leaves US borders.

5. Data Retention

We retain account data for the duration of your subscription. Patient data collected through forms is retained until deleted by the healthcare provider or upon account termination. Audit logs are retained for a minimum of 6 years for compliance purposes.

6. HIPAA Compliance

All healthcare providers accept a Business Associate Agreement (BAA) during onboarding. We maintain appropriate administrative, physical, and technical safeguards as required by the HIPAA Security Rule. You can review your BAA status in your Compliance settings.

7. Third-Party Services

We use the following third-party services to operate our platform:

  • Amazon Web Services — Cloud infrastructure and data storage (US regions only)
  • Stripe — Payment processing
  • Resend — Transactional email delivery
  • Twilio — SMS delivery for appointment reminders and patient notifications
  • PostHog — Product analytics to improve user experience (no PHI is sent to PostHog)

8. Cookies

We use cookies and similar technologies for authentication, storing your preferences, and product analytics (PostHog). You can manage cookie preferences through the cookie consent banner displayed when you first visit our site. Essential cookies required for authentication cannot be disabled.

9. Data Breach Notification

In the event of a breach involving protected health information (PHI), we will notify affected covered entities within 72 hours as required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414). We will also cooperate with covered entities in notifying affected individuals and the Department of Health and Human Services as required by law.

10. Your Rights

You have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Export your data in a machine-readable format
  • Object to processing of your data

11. Contact Us

For privacy-related inquiries, please contact us at privacy@formisoft.com or through our contact page.