1. Introduction
Slipstream Labs ("we," "us," or "our") operates Slipstream ER. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information. By using the Service, you agree to the practices described here.
Important — No Patient Data: Slipstream ER is a scheduling tool for provider (staff) management. It is not designed to hold, process, or store patient data or Protected Health Information (PHI). Please do not enter patient names, medical record numbers, or any patient-related health information into the Service.
2. What We Collect
2.1 Account Information
When you register for an account, we collect:
- Your name and email address
- Your password (stored as a salted hash — never in plain text)
- Your organization or department name
- Billing information (processed directly by Stripe — we do not store full card numbers)
2.2 Scheduling Data You Enter
To provide the Service, we store the scheduling data you choose to enter, including:
- Provider names, roles, and contact details for the staff members on your schedule
- Shift types, schedule structures, and assignment data
- Time-off requests, swap requests, and coverage preferences
- Any CSV or calendar data you import
This data belongs to you. We treat it as confidential Customer Data (see Section 5 — Data Isolation).
2.3 Usage and Technical Data
We automatically collect limited technical information to operate and improve the Service:
- Log data (IP address, browser type, pages visited, timestamps)
- Device and browser information
- Error reports and performance metrics
3. How We Use Your Data
We use the information we collect to:
- Provide, maintain, and improve the Service
- Authenticate users and enforce access controls
- Process billing and send receipts via Stripe
- Send transactional emails (account confirmation, password reset, billing notices)
- Respond to support requests
- Detect and prevent fraud, abuse, or security incidents
- Comply with applicable legal obligations
We do not use your scheduling data for advertising, profiling, or sale to third parties.
4. Data Isolation (Tenant Separation)
Slipstream ER is a multi-tenant application. Each customer's data is logically isolated by a unique site identifier. Your scheduling data is never visible to, or accessible by, other customers. Access is enforced at the database and application level on every request.
5. Data Never Sold
We do not sell, rent, trade, or otherwise transfer your personal information or Customer Data to third parties for their own commercial purposes. Full stop.
6. Subprocessors
We work with a limited set of trusted third-party service providers ("subprocessors") to deliver the Service:
- Macaly / Convex (Infrastructure & Hosting): The Service is built on the Macaly platform, which uses Convex for database and backend infrastructure. Your data is stored in Convex's cloud database. Convex acts as a data processor on our behalf.
- Stripe (Payment Processing): Subscription billing is handled by Stripe, Inc. Stripe processes your payment card data directly and is PCI-DSS compliant. We receive only a payment token and summary billing information from Stripe.
We do not share Customer Data (your scheduling data) with subprocessors beyond what is strictly necessary to operate the Service.
7. Data Retention
We retain your account and scheduling data for as long as your account is active or as needed to provide the Service. When you cancel your subscription:
- Your data remains accessible in read-only mode for 30 days after cancellation to allow data export.
- After 30 days, your data is deleted from our systems.
- Billing records may be retained longer as required by law (typically 7 years for financial records).
8. Deletion Requests
You may request deletion of your account and all associated data at any time by emailing code3spots@me.com. We will complete the deletion within 30 days and confirm by email.
9. Security
We use industry-standard security practices including encrypted data transmission (TLS), hashed passwords, and access controls. However, no method of transmission over the internet or electronic storage is 100% secure. We encourage you to use a strong, unique password and to enable two-factor authentication when available.
10. Cookies
We use session cookies and local storage to keep you signed in and to maintain application state. We do not use third-party tracking cookies or advertising pixels.
11. Children's Privacy
The Service is intended for use by healthcare professionals and organizations. We do not knowingly collect personal information from individuals under 18 years of age. If you believe we have inadvertently collected such information, please contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notice at least 14 days before taking effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact Us
For privacy questions, data requests, or concerns, contact us at:
Email: code3spots@me.com
Slipstream Labs