Privacy Policy
RESTORE-Skills
Effective Date: May 6, 2026 | Reviewed Annually
Applies to: restoreskills.com and all RESTORE platform products
Data Protection Officer: Ilya Gotfryd, VP of Engineering
Privacy inquiries: info@restoreskills.com
1. About RESTORE-Skills and This Policy
RESTORE-Skills builds digital therapeutics platforms for skilled nursing facilities (SNFs). Our products include RESTORE-Insights (our primary EMR platform), RESTORE-Skills, RESTORE-Wellness, and RESTORE-Care. These platforms are used by physical therapists, occupational therapists, and speech-language pathologists to document therapy sessions, track patient outcomes, and generate clinical reports.
This Privacy Policy explains how RESTORE-Skills collects, uses, shares, and protects information in connection with: (1) visitors to our marketing website at restoreskills.com, and (2) the protected health information (PHI) and other data we process through our platforms on behalf of our healthcare customers.
This policy is written in plain language so that SNF administrators, healthcare procurement teams, and enterprise buyers can evaluate our data handling practices with confidence.
2. Our Role Under HIPAA: We Are a Business Associate
RESTORE-Skills is a HIPAA Business Associate, not a Covered Entity.
We process PHI and ePHI on behalf of our SNF customers, who are the Covered Entities.
We do not issue Notices of Privacy Practices to patients. That is our customers' obligation.
We are contractually bound by Business Associate Agreements (BAAs) with all SNF customers.
Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act, a Business Associate is an entity that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity. RESTORE-Skills functions in this capacity for every SNF customer that uses our platforms.
As a Business Associate, we are required to:
- Implement administrative, physical, and technical safeguards to protect ePHI
- Enter into signed BAAs with all Covered Entities before accessing PHI
- Report breaches of unsecured PHI to the Covered Entity within the timeframes required by HIPAA
- Ensure that any subcontractors who handle PHI on our behalf enter into BAAs
- Use and disclose PHI only as permitted by our BAAs and applicable law
The SNF facility, not RESTORE-Skills, determines the purposes and means for using patient health information. We act only on documented instructions from our SNF customers and in accordance with our contractual obligations.
3. What Information We Collect and Process
3.1 Clinical and Healthcare Data (Processed Through Our Platforms)
When SNF customers use our platforms, we process the following categories of protected health information on their behalf:
- Therapy session records, progress notes, daily skilled notes, and clinical assessments
- Treatment plans, care goals, and therapy minutes documentation
- Patient identifiers: names, dates of birth, diagnoses, ICD-10 codes, and clinical outcome measures
- Insurance and payer information as required for therapy documentation
- Electronic signatures from therapists and supervisors
We also process non-PHI healthcare operations data including:
- Therapist and clinical staff credentials, license numbers, and employment records
- SNF facility information: names, addresses, National Provider Identifiers (NPIs), and administrator contact details
- Platform usage analytics (de-identified where possible) to improve clinical functionality
3.2 Website Visitor Data (restoreskills.com)
When individuals visit our marketing website, we may collect:
- Contact information submitted through inquiry forms: name, title, organization, email address, and phone number
- Communication content from chat sessions or demo request forms
- Technical data: IP address, browser type, device type, pages visited, and time spent on pages
- Analytics data collected through Google Analytics (see Section 8 on Cookies)
Website visitor data is not PHI and is not governed by HIPAA. It is governed by the terms of this Privacy Policy and applicable state privacy laws.
3.3 Support and Customer Success Data
When customers or their staff submit support tickets or contact our team through Intercom, we may receive information about the user's environment, which in some circumstances may incidentally reference patient details. We handle all support communications with the same security controls applied to our platform data.
4. How We Use Information
4.1 Clinical Platform Data
We use and process PHI only as permitted by our BAAs and HIPAA, specifically for:
- Providing, operating, and maintaining the RESTORE platform products contracted by our SNF customers
- Delivering customer support and responding to technical issues reported by SNF users
- Performing security monitoring, logging, and incident response to protect the integrity and confidentiality of ePHI
- Complying with legal obligations, including audit and breach notification requirements
We do not use PHI for marketing, advertising, or any purpose not explicitly authorized by the applicable BAA.
4.2 Website Visitor Data
We use website visitor contact information to:
- Respond to demo requests, sales inquiries, and information requests
- Send product updates and communications to contacts who have opted in
- Analyze website traffic to improve our marketing content and user experience
You may opt out of marketing communications at any time using the unsubscribe link in any email we send, or by contacting privacy@restoreskills.com.
5. How We Share Information
5.1 Sharing With SNF Customers
PHI processed through our platforms belongs to the SNF customer, who is the Covered Entity and the controller of that data. We return, provide access to, or destroy PHI in accordance with customer instructions and applicable contractual terms. We do not share one customer's patient data with any other customer.
5.2 Sharing With Subprocessors
We engage the following categories of subprocessors to support our operations. All subprocessors that handle PHI are bound by signed BAAs. We do not permit subprocessors to use PHI for any purpose other than providing services to us.
- Cloud Infrastructure: Amazon Web Services (AWS) — all data is hosted on AWS in the United States, in encrypted form at rest
- Identity and Access Management: Keycloak — multi-tenant authentication and role management
- Database Services: PostgreSQL and Amazon DocumentDB — encrypted at rest and in transit
- Customer Support: Intercom — support ticket routing and communication
- Session Analytics: Fullstory — session replay within the platform (see Section 8)
- CRM and Marketing: HubSpot — limited to website visitor and contact data; not used for PHI
- Monitoring and Observability: Datadog — application performance monitoring
- Internal Collaboration: Google Workspace — internal operations only; no patient PHI processed through Google services
We review the security posture and compliance certifications of all Tier 1 subprocessors at least annually. Customers may request the current list of subprocessors by contacting privacy@restoreskills.com. We provide at least 60 days' advance notice before adding a new subprocessor that will process PHI.
5.3 Required Disclosures
We may disclose information if required by law, including:
- In response to a valid legal process such as a subpoena, court order, or government investigation
- To protect the rights, property, or safety of RESTORE-Skills, our customers, or the public
- In connection with an acquisition, merger, or sale of substantially all of our assets, in which case the acquiring entity must agree to handle PHI in accordance with this policy and applicable BAAs
5.4 No Sale of Personal Information
RESTORE-Skills does not sell, rent, or trade personal information or PHI to any third party for their own marketing or commercial purposes.
6. Security Measures
We implement a defense-in-depth security program designed to protect both PHI and non-PHI data. Our security controls include:
Encryption
- All ePHI is encrypted at rest using AES-256 encryption across AWS RDS (PostgreSQL), Amazon DocumentDB, and S3 storage
- All data in transit is encrypted using TLS 1.2 or higher; we do not permit plaintext transmission of PHI
- Encryption keys are managed using AWS Key Management Service (KMS)
Access Controls
- Role-based access control (RBAC) is enforced through Keycloak across all platforms, ensuring users can access only the data required for their role
- Multi-factor authentication (MFA) is required for all administrative accounts and all access to production systems
- Privileged access to production infrastructure is restricted and requires VPN authentication
- Access is provisioned through a formal request and approval process and revoked promptly upon termination
Monitoring and Logging
- Tamper-evident audit logs are maintained for all access to systems containing ePHI, in compliance with HIPAA's Audit Controls standard (45 CFR § 164.312(b))
- Security event monitoring is performed continuously through AWS CloudTrail, GuardDuty, and Datadog
- All security logs are retained for a minimum of six years
Vulnerability Management
- We conduct regular vulnerability scans of all in-scope systems
- We engage an independent third party to perform annual penetration testing
- Critical and high-severity findings are remediated within defined SLA timelines
Compliance Program
- RESTORE-Skills is pursuing SOC 2 Type I certification, which evaluates our security controls against the AICPA Trust Services Criteria
- Our security program is managed by our Data Protection Officer and reviewed at least annually
- All employees and contractors with PHI access complete HIPAA-specific security awareness training
Physical Security
- Our platforms are hosted entirely in AWS data centers, which maintain SOC 2, ISO 27001, and HIPAA-compliant physical security controls
- Employee devices are encrypted and managed through mobile device management (MDM) with enforced screen lock and antivirus protections
7. Data Retention and Disposal
We retain PHI and ePHI in accordance with the requirements of our BAAs and applicable law. For healthcare records, we observe a minimum retention period of six years from the date of creation or the date the record was last in effect, consistent with HIPAA's documentation requirements (45 CFR § 164.316(b)(2)(i)).
Upon contract termination, we will return or destroy PHI as directed by the SNF customer and as specified in the applicable BAA. We provide written confirmation of destruction upon request.
Website visitor contact information is retained for as long as necessary to fulfill the purpose for which it was collected, or until you request deletion. Marketing opt-out requests are processed within 10 business days.
All data disposal is performed using secure erasure methods. Physical media containing ePHI is destroyed using NIST 800-88-compliant methods.
8. Cookies and Analytics Technologies
8.1 Marketing Website (restoreskills.com)
Our marketing website uses the following technologies to understand visitor behavior and improve our content:
- Google Analytics: Collects anonymized traffic data including pages viewed, session duration, and geographic region. You can opt out using the Google Analytics Opt-out Browser Add-on.
- HubSpot: Tracks form submissions and website interactions for sales and marketing purposes. HubSpot sets cookies to identify returning visitors.
You can control cookie preferences through your browser settings. Note that disabling certain cookies may affect website functionality.
8.2 Fullstory Session Replay (Within the EMR Platform)
RESTORE-Skills uses Fullstory within our EMR platform to capture full session replay recordings for the purpose of identifying usability issues, debugging technical problems, and improving platform workflows. The following protections govern this use:
- Fullstory records full user sessions within the platform, which may include on-screen PHI. All such recordings are treated as PHI and are subject to the same security and access controls as other ePHI we process
- Session data is accessible only to authorized RESTORE-Skills engineering and product personnel
- Fullstory operates as a subprocessor under a signed BAA; session recordings are automatically deleted after 90 days
SNF customers who have questions about Fullstory's use within our platform may contact privacy@restoreskills.com.
9. Your Rights and How to Exercise Them
9.1 Rights of SNF Customers and Healthcare Providers
If you are an SNF administrator, therapist, or other healthcare professional who uses our platforms, your rights with respect to your account and credential data include:
- Access: Request a copy of the personal data we hold about you as a platform user
- Correction: Request correction of inaccurate account or credential information
- Deletion: Request deletion of your account data, subject to our legal and contractual retention obligations
For all such requests, contact privacy@restoreskills.com. We will respond within 30 days.
Note: Rights with respect to patient PHI must be exercised through the SNF facility that is the Covered Entity. RESTORE-Skills does not independently control patient data and cannot independently fulfill patient-level access, amendment, or deletion requests. Direct patient inquiries to the applicable SNF facility.
9.2 Rights of Website Visitors
If you are a website visitor or marketing contact, you have the right to:
- Access the personal information we hold about you
- Correct inaccurate contact information
- Request deletion of your marketing data
- Opt out of marketing communications at any time
To exercise these rights, email privacy@restoreskills.com with the subject line “Privacy Request.” We will respond within 30 days, or within the shorter period required by applicable state law.
10. State-Specific Privacy Protections
RESTORE-Skills operates in 16 states: Alabama, Florida, Georgia, Illinois, Indiana, Kentucky, Michigan, Missouri, Montana, Ohio, New Jersey, Pennsylvania, Utah, Virginia, Vermont, and West Virginia.
In addition to HIPAA, several states where we operate have enacted stricter privacy protections for mental health, behavioral health, and sensitive health records. We acknowledge and respect the following:
- Illinois (MENTAL HEALTH AND DEVELOPMENTAL DISABILITIES CONFIDENTIALITY ACT): Illinois law imposes stricter confidentiality requirements on mental health records than HIPAA, including more limited disclosure permissions. Any processing of mental health records for Illinois SNF customers is subject to these heightened requirements.
- Florida (FLORIDA STATUTE § 394.4615): Florida law provides specific protections for mental health treatment records. Disclosure of such records requires specific authorization beyond standard HIPAA consent.
- New Jersey (N.J.S.A. 30:4-24.3): New Jersey restricts disclosure of mental health records and requires heightened protections for behavioral health information.
- Pennsylvania (MENTAL HEALTH PROCEDURES ACT): Pennsylvania imposes additional restrictions on the disclosure of mental health treatment records beyond federal HIPAA requirements.
If your SNF facility operates in one of these states and processes behavioral health or mental health records through our platforms, please contact privacy@restoreskills.com to discuss specific data handling requirements applicable to your jurisdiction.
Residents of states with comprehensive consumer privacy laws (including Virginia and Montana) may have additional rights under those laws with respect to non-PHI personal information. Contact us at privacy@restoreskills.com to exercise these rights.
11. Breach Notification
In the event of a breach of unsecured PHI, RESTORE-Skills will notify affected SNF customers without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach, consistent with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D).
Our breach notification will include:
- A description of the breach, including the date of the breach and date of discovery
- The type of PHI involved
- Steps the SNF facility should take to protect individuals from potential harm
- What RESTORE-Skills is doing to investigate the breach, mitigate harm, and prevent future incidents
The SNF customer (as the Covered Entity) is responsible for notifying affected individuals and, where required, the Department of Health and Human Services (HHS). RESTORE-Skills will cooperate fully with the SNF facility in meeting these obligations.
For non-PHI breaches affecting website visitors, we will notify affected individuals as required by applicable state breach notification laws.
12. Contact Us
For all privacy inquiries, data subject rights requests, breach reports, or questions about this policy, please contact:
Data Protection Officer
Ilya Gotfryd, VP of Engineering
RESTORE-Skills
Email: privacy@restoreskills.com
We will respond to all privacy inquiries within 30 days of receipt. For matters involving potential breaches or urgent PHI concerns, please indicate “URGENT” in the subject line.
13. Changes to This Policy
We review and update this Privacy Policy at least annually, and whenever there are material changes to our data practices, applicable law, or the scope of our services.
We will notify SNF customers of material changes to how we process PHI at least 30 days before the changes take effect, consistent with our BAA obligations and our Vendor Management Policy's 60-day subprocessor notification requirement.
We will post the updated policy on restoreskills.com with a revised Effective Date. Continued use of our services after the effective date constitutes acceptance of the updated policy.
Previous versions of this policy are available upon request.
—
Last reviewed: May 6, 2026 | Next review due: May 2027
This document is maintained by the RESTORE-Skills Data Protection Officer and is subject to annual review.