Halo

Privacy Policy

Last updated: May 20, 2026

WhiteWater Development LLC ("WhiteWater," "we," "us," or "our") operates Halo, an electronic medical record platform used by healthcare providers to deliver care. This Privacy Policy explains what information we collect, how we use and share it, the third-party service providers involved, and your rights. When Halo handles protected health information, we act as a business associate of the healthcare providers (the covered entities) who use the platform, under HIPAA Business Associate Agreements.

1. Information we collect

  • Account information — name, email address, phone number, and authentication credentials (or, if you use Sign in with Google, the name, email, and basic profile Google provides).
  • Health information — information entered by patients and their care teams, including visit notes, diagnoses, medications, lab and test results, vitals, and messages. This is "protected health information" (PHI) under HIPAA, and we process it on behalf of the healthcare providers who use Halo.
  • Payment information — billing details processed by our payment processor. We do not store full payment card numbers.
  • Technical and usage information — information such as device and browser type and log data, used to operate, secure, and improve Halo.

2. How we use information

  • To provide and operate Halo for healthcare providers and their patients;
  • To authenticate users and secure accounts;
  • To process payments for services delivered through the platform;
  • To send appointment reminders and account and care-related notifications;
  • To maintain, secure, and improve Halo and to comply with legal and regulatory obligations.

We use protected health information only as permitted by the applicable Business Associate Agreement and HIPAA, and only to provide and support the platform.

3. Sign in with Google

If you choose to sign in with Google, we request only your basic profile and email address to create and secure your account. Halo's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not sell this data, use it for advertising, or share it with third parties except as needed to operate the platform or as required by law.

4. How we share information

We do not sell personal or health information. We share information only as needed to operate Halo and as permitted by HIPAA and our Business Associate Agreements:

  • With the healthcare providers who use Halo and, at their direction, with pharmacies, labs, and other providers involved in a patient's care;
  • With service providers who process data on our behalf under written agreements (see the list below). Each provider that handles PHI does so under a HIPAA Business Associate Agreement;
  • For legal reasons when required by law or to protect rights, safety, and the integrity of the platform.

5. Third-party service providers

The following service providers help us operate Halo. Providers that handle protected health information do so under a HIPAA Business Associate Agreement, and all protected health information remains within the United States.

Provider | Purpose | Handles PHI
Amazon Web Services (AWS) | Cloud infrastructure that hosts Halo and stores its data — managed database (Amazon Aurora), file/document storage (Amazon S3) with encryption (AWS KMS), compute (ECS, Lambda), authentication (Amazon Cognito), and transactional email (Amazon SES). All protected health information is stored within AWS. | Yes
Google LLC | Optional “Sign in with Google” authentication. When a user chooses to sign in with Google, we receive their name, email address, and basic profile information to create and secure the account. We do not use Google sign-in data for advertising. | No
Stripe, Inc. | Payment processing for services delivered through Halo. Stripe handles payment card details directly; we do not store full card numbers. | No
DrFirst, Inc. (Rcopia) | Electronic prescribing and medication history. When a provider prescribes medication, relevant clinical information is shared to route the prescription to the pharmacy. | Yes
Kno2 | Secure clinical document exchange and fax, used to send and receive medical records, referrals, and results with pharmacies, labs, and other providers. | Yes
Twilio Inc. | Delivery of text-message (SMS) appointment reminders and account notifications. Message content is limited to scheduling and account information, not clinical detail. | Yes
Sinch | Inbound and outbound fax transmission for clinical documents exchanged with pharmacies, labs, and other providers. | Yes
Vercel Inc. | Hosting for this public website (haloemr.com). The site is static and does not collect or store protected health information. | No

6. HIPAA and protected health information

When Halo processes protected health information, WhiteWater acts as a business associate of the healthcare providers who use the platform. Those providers are the covered entities responsible for the health records. Protected health information is encrypted in transit and at rest, access is restricted and logged, and all access and changes are recorded in an append-only audit trail.

7. Data security

We use administrative, technical, and physical safeguards to protect information, including encryption in transit and at rest, role-based access controls, multi-factor authentication for clinical staff, and continuous monitoring. No system is perfectly secure, but we work to protect information and to respond promptly to any incident.

8. Data retention

Medical records are retained for the period required by law and by the healthcare provider's record-keeping obligations. Because a medical record is a legal document, information generally is not hard-deleted; corrections are made through amendments that preserve the original entry.

9. Your rights

Requests to access, copy, correct, or amend health information, or for an accounting of disclosures, are handled by the healthcare provider (the covered entity) that maintains your record, with our support as their business associate. Contact your provider, or reach us using the details below and we will route your request appropriately.

10. Children's privacy

Halo is intended for use by adults, or by a parent or legal guardian managing care on behalf of a minor. We do not knowingly allow children to create their own accounts.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the "Last updated" date above and, where appropriate, by notice within the platform.

12. Contact us

For privacy questions, email support@haloemr.com.