ChiroFlow

Privacy Policy

Effective 2026-04-25 · Operated by WellSpring Digital LLC

This Privacy Policy describes how WellSpring Digital LLC ("we", "us", "ChiroFlow") collects, uses, and shares information when you use the ChiroFlow platform.

Who we are

WellSpring Digital LLC is a US-based software company. ChiroFlow is our practice-management product for chiropractic practices. When a chiropractic practice uses ChiroFlow, the practice (not WellSpring Digital LLC) is the "covered entity" under HIPAA; we act as a "business associate" under a signed Business Associate Agreement.

Information we collect

  • From practices and their staff: account information (name, email, role), authentication metadata (sign-in events, MFA setup), audit log entries.
  • From patients: contact information you provide (name, email, phone, date of birth, address), appointment requests, reminder preferences, messages you choose to send through the portal.
  • Automatically: request logs (IP address, user agent, timestamps), CloudTrail and CloudWatch logs needed to operate and audit the service.

How we use it

  • To operate the platform, schedule appointments, and deliver reminders.
  • To send you transactional emails and (if you opt in) text messages about appointments at the practice you registered with.
  • To maintain audit logs required for HIPAA compliance, security monitoring, and incident response.
  • To provide support to practices and (when authorized by the practice) to patients.

Who we share it with

We share data with sub-processors strictly as needed to operate the service, each covered by a Business Associate Agreement where PHI is involved:

  • Amazon Web Services — hosting, storage, email (SES), SMS (SNS / End User Messaging), authentication (Cognito).
  • Google Workspace — internal email and operational tooling (no patient data sent).

We do not sell personal information. We do not share patient data with advertisers, analytics vendors, or other third parties beyond what is operationally necessary.

SMS / text message communications

ChiroFlow sends text messages only to patients who have explicitly opted in — either by checking the SMS consent checkbox during online booking or by adding an SMS reminder in the patient portal. Providing your phone number alone does not constitute consent.

  • Message frequency: Varies based on your appointment activity (typically 1–4 messages per month)
  • Message and data rates may apply depending on your mobile carrier plan
  • To opt out: Reply STOP to any message at any time
  • For help: Reply HELP or contact your practice directly

We do not sell or share your phone number with third parties for their marketing purposes. Your mobile information is used solely to communicate with you about your care. SMS consent is not a condition of receiving care or booking an appointment.

See the SMS Terms page for full details on the program, opt-in language, and carrier disclosures.

Retention

Audit logs and security telemetry are retained for at least 6 years to meet HIPAA requirements. Patient records are retained per the practice's policy and applicable state law. Suppressed email addresses (those that have bounced or marked our messages as spam) are retained indefinitely to prevent re-sending.

Your rights

As a patient, your right to access, amend, or receive an accounting of disclosures of your protected health information runs through the practice you registered with. Contact your practice directly to exercise these rights.

For questions about this policy or how WellSpring Digital LLC handles information, email us at privacy@chiroflow.pro.

Changes

We may update this Privacy Policy from time to time. The effective date at the top of the page reflects the most recent revision.

This policy is provided in good faith and was drafted in plain language. It is not a substitute for legal advice. Practices using ChiroFlow are responsible for their own notices of privacy practices under HIPAA.