Privacy Policy
Last Updated: October 20, 2025
1. Information We Collect
1.1 Personal Information
We collect the following types of personal information:
- Account Information: Name, email address, phone number, company name, job title
- Payment Information: Credit card details (processed securely through Stripe; we do not store full card numbers)
- Employee Information: Name, email, employee ID, home base/location assignment
1.2 Protected Health Information (PHI)
When employees complete the OSHA respirator medical evaluation questionnaire, we collect:
- Date of birth, height, weight
- Medical history responses (cardiovascular, respiratory, mental health conditions)
- Current medications and treatments
- Work environment and respirator usage details
1.3 Technical Information
We automatically collect:
- IP address (anonymized in analytics)
- Browser type and version
- Device information
- Pages visited, time spent, and clickstream data
- Cookies and similar tracking technologies
2. How We Use Your Information
2.1 Service Delivery
- Administer respirator medical evaluations
- Generate digital certificates upon medical clearance
- Provide compliance tracking dashboards to employers
- Process payments and manage credit balances
- Send access codes via email or SMS
2.2 Medical Review
PHI is used exclusively by physicians or other licensed health care professionals (PLHCPs) to:
- Evaluate medical clearance for respirator use
- Review flagged responses requiring medical attention
- Approve or deny respirator medical clearance
2.3 Communications
- Send service-related notifications (certificate issuance, evaluation status)
- Respond to customer support inquiries
- Send account updates and important service changes
- Send marketing emails (with opt-out option)
2.4 Analytics and Improvement
- Analyze usage patterns to improve the Service
- Monitor performance and diagnose technical issues
- Conduct internal research and development
3. How We Share Your Information
3.1 Within Your Organization
Employers can see:
- Employee names and certificate status (PASS/PENDING/DENIED)
- Certificate expiration dates
- Compliance dashboard metrics
Employers CANNOT see:
- Medical questionnaire responses
- Specific medical conditions or reasons for PENDING/DENIED status
- Any Protected Health Information (PHI)
3.2 Service Providers
We share information with trusted third-party service providers who assist in operating our Service:
- AWS (Amazon Web Services): Cloud hosting and infrastructure
- Stripe: Payment processing (subject to their privacy policy)
- Twilio/SNS: SMS notifications for access codes
- SES: Email delivery
All service providers are bound by confidentiality agreements and HIPAA Business Associate Agreements (BAAs) where applicable.
3.3 Legal Requirements
We may disclose information if required to do so by law or in response to:
- Valid legal process (subpoena, court order, warrant)
- OSHA or other regulatory investigations
- Requests from law enforcement or government agencies
- Protection of our rights, property, or safety, or that of others
3.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections outlined in this policy.
4. Data Security
4.1 Encryption
- In Transit: All data transmitted over the internet uses TLS 1.2+ encryption
- At Rest: PHI is encrypted using AES-256 encryption in our database
4.2 Access Controls
- Role-based access control (RBAC) restricts data access based on user role
- Multi-factor authentication (MFA) available for administrator accounts
- PHI accessible only to authorized PLHCPs
4.3 Audit Logging
All access to PHI is logged with timestamps, user identities, and actions taken. Audit logs are retained for 30 years in compliance with OSHA recordkeeping requirements.
4.4 Infrastructure Security
- Hosted on AWS with HIPAA-eligible services
- Regular security updates and vulnerability patching
- Automated backups with encryption
- Network firewalls and intrusion detection systems
5. Data Retention
We retain your information as follows:
- Medical Evaluation Records: 30 years (OSHA requirement for exposure records)
- Account Information: Duration of active account plus 7 years
- Payment Records: 7 years (tax and accounting requirements)
- Audit Logs: 30 years
- Marketing Data: Until you opt out or request deletion
6. Your Privacy Rights
6.1 Access and Portability
You have the right to request a copy of your personal information and medical evaluation records. Employees can download their certificates directly from the platform.
6.2 Correction
You may request correction of inaccurate personal information. Medical evaluation records cannot be altered after submission, but you may retake the evaluation if needed.
6.3 Deletion
You may request deletion of your account and personal information, subject to:
- Legal retention requirements (OSHA 30-year recordkeeping for exposure records)
- Completed transactions and issued certificates
- Regulatory compliance obligations
6.4 Opt-Out
You may opt out of:
- Marketing emails (via unsubscribe link)
- Analytics cookies (via browser settings)
- SMS notifications (note: may affect service delivery)
6.5 How to Exercise Your Rights
To exercise any of these rights, contact us at:
Email: privacy@respiratortest.com
Phone: 1-866-898-0484
7. Cookies and Tracking Technologies
7.1 Types of Cookies
- Essential Cookies: Required for login, session management, and core functionality
- Analytics Cookies: Google Analytics 4 (IP anonymization enabled)
- Functional Cookies: Remember preferences and settings
7.2 Managing Cookies
You can control cookies through your browser settings. Note that disabling certain cookies may affect Service functionality.
8. Third-Party Links
Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.
9. Children's Privacy
Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from minors. If you believe we have collected information from a minor, please contact us immediately.
10. International Data Transfers
Your information may be transferred to and maintained on servers located in the United States. By using the Service, you consent to this transfer. We implement appropriate safeguards to protect your information.
11. California Privacy Rights (CCPA)
California residents have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information is collected
- Right to know if personal information is sold or disclosed
- Right to opt out of sale of personal information (we do not sell personal information)
- Right to deletion of personal information
- Right to non-discrimination for exercising privacy rights
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy with a new "Last Updated" date and, where appropriate, by email notification.
13. Contact Us
For questions about this Privacy Policy or our privacy practices, contact:
Privacy Officer
Email: privacy@respiratortest.com
Phone: 1-866-898-0484
Website: https://respiratortest.com/contact
HIPAA Notice of Privacy Practices
This Privacy Policy serves as our Notice of Privacy Practices under the Health Insurance Portability and Accountability Act (HIPAA). We are committed to protecting the privacy of your Protected Health Information (PHI) and complying with all applicable HIPAA regulations.
For a complete copy of our HIPAA Notice of Privacy Practices, please contact us at privacy@respiratortest.com.