Privacy Policy

Last updated: March 17, 2026

1. Introduction

RecoveryOS ("we", "us", "our") operates the RecoveryOS housing management platform. This Privacy Policy explains how we collect, use, store, and protect information when you use our Platform.

2. Information We Collect

2.1 Operator Information

  • Account details: name, email, phone number
  • Organization details: business name, address, EIN
  • Payment information: processed securely via Stripe (we do not store card numbers)

2.2 Resident Information (entered by operators)

  • Personal identifiers: name, date of birth, contact information
  • Government-issued ID photos and insurance card images
  • Housing records: admission dates, room assignments, payment history
  • Operational compliance records: drug screening results (pass/fail), curfew compliance, chore assignments
  • Emergency contact information
  • Signed documents (intake agreements, house rules acknowledgments)

2.3 Automatically Collected Information

  • Usage analytics (via PostHog): page views, feature usage, session duration
  • Error tracking (via Sentry): application errors and performance data
  • Device and browser information

3. How We Use Information

  • Providing and improving the Platform
  • Processing payments between residents and operators
  • Generating documents and managing e-signatures
  • Sending transactional communications (invoices, reminders, notifications)
  • Customer support
  • Analytics to improve our product

We do not sell personal information to third parties.

4. Data Security

We implement enterprise-grade security measures:

  • Encryption at rest: All sensitive personal data is encrypted using AES-256-GCM with organization-specific encryption keys
  • Encryption in transit: All data transmitted between your browser and our servers is encrypted via TLS 1.3
  • Multi-tenant isolation: Every database query is filtered by organization ID, ensuring complete data separation
  • Role-based access control: Granular permission system controls who can view and modify data
  • Secure file storage: Documents and images are stored in Cloudflare R2 with access-controlled endpoints

5. Data Classification

Data Type                  | Classification         | Protection
Names, DOB, phone, SSN     | PII                    | AES-256-GCM encrypted
ID photos, insurance cards | PII                    | Access-controlled storage
Drug screening results     | Operational compliance | AES-256-GCM encrypted, consent-gated
Incident reports           | Operational records    | AES-256-GCM encrypted
Payment records            | Financial PII          | Standard protection, Stripe handles card data

6. 42 CFR Part 2 Compliance

RecoveryOS is designed with awareness of 42 CFR Part 2 regulations regarding the confidentiality of substance use disorder patient records:

  • No substance use disorder terminology appears in user-facing interfaces
  • Sensitive data fields are protected by consent-based access controls
  • Drug screening records are classified as housing compliance data, not clinical records
  • The Platform does not store clinical treatment records, diagnoses, or medical histories

7. Data Sharing

We share information only with:

  • Stripe: Payment processing
  • Twilio: SMS notifications
  • Resend: Email delivery
  • Cloudflare: File storage and CDN
  • Neon: Database hosting (encrypted data)
  • Vercel: Application hosting
  • Sentry: Error tracking (no PII in reports)
  • PostHog: Product analytics (anonymized usage data)

We do not share, sell, or rent personal information to advertisers, data brokers, or any other third parties.

8. Data Retention

  • Active accounts: Data retained for the duration of the subscription
  • After cancellation: Data retained for 30 days, then permanently deleted upon request
  • Consent records: Retained for 6 years per 42 CFR Part 2
  • Financial records: Retained for 7 years per IRS requirements
  • Audit logs: Retained for 6 years

9. Your Rights

  • Access: Request a copy of all data we hold about you
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your data (subject to legal retention requirements)
  • Export: Request export of your data in a machine-readable format
  • Opt-out: Opt out of non-essential communications at any time

To exercise these rights, contact us at privacy@recoveryos.app.

10. Cookies & Tracking

  • Essential cookies: Authentication session, CSRF protection
  • Analytics cookies: PostHog (anonymized product usage)
  • Referral cookies: 30-day attribution cookie when arriving via a referral link

We do not use advertising cookies or cross-site tracking.

11. Children's Privacy

RecoveryOS is not intended for use by individuals under 18. We do not knowingly collect information from children.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or in-app notification.

13. Contact

Questions? Contact us at privacy@recoveryos.app.

RecoveryOS — Phoenix, AZ