Privacy Policy
SoberLab handles some of the most sensitive information in healthcare. This policy explains what we collect, how we use it, and the protections that surround resident data on the SoberLab platform.
For protected health information and substance use disorder records, SoberLab acts as a business associate of your organization under HIPAA and 42 CFR Part 2. Those records are governed first by our Business Associate Agreement and applicable law.
Scope of this policy
This policy applies to information SoberLab, Inc. collects through the SoberLab platform, websites, and mobile applications. It describes our practices as the operator of the Services. Where SoberLab processes protected health information on behalf of a recovery organization, our Business Associate Agreement and HIPAA / 42 CFR Part 2 govern.
Information we collect
We collect the following categories of information:
How we use information
We use information to operate, secure, support, and improve the Services; to authenticate users; to provide customer support; to detect and prevent fraud or abuse; and to meet legal and contractual obligations. We do not use PHI for advertising, and we never sell personal information.
Google sign-in
SoberLab uses Google as its sole authentication provider. When you sign in, Google shares your basic profile (name, email, and account identifier) with SoberLab so we can verify your identity and match you to your organization. We request only the minimum scope needed to authenticate you and do not access your Gmail, Drive, or contacts.
How we share information
We share information only as needed to run the Services:
We do not sell or rent personal information, and we do not share PHI except as permitted by our BAA and 42 CFR Part 2.
Data retention
We retain Customer Data for the duration of your subscription and as directed by your organization. After termination, data is available for export for 30 days and then deleted or de-identified per our retention schedule, unless longer retention is required by law.
Security
We protect information with encryption in transit and at rest, role-based access controls, network segmentation for Part 2 records, continuous monitoring, and regular third-party audits. See our Compliance & Security page for details. No system is perfectly secure, but we maintain administrative, physical, and technical safeguards appropriate to the sensitivity of the data.
Your rights & choices
Depending on your jurisdiction, you may have rights to access, correct, delete, or restrict use of your personal information. Because SoberLab processes most records on behalf of recovery organizations, residents should direct requests to the organization that holds their records; we will assist that organization in responding. Staff users can contact us directly to exercise rights over their own account data.
Data residency & transfers
Customer Data is hosted in data centers located in the United States. If we transfer data across borders, we use appropriate safeguards consistent with applicable law.
Children’s privacy
The Services are intended for use by staff of recovery organizations and are not directed to children under 13. Resident records concerning minors are handled by the organization under applicable law and our BAA.
Changes to this policy
We may update this policy as our Services and the law evolve. For material changes we will notify administrators and update the "last updated" date above. Continued use after changes take effect constitutes acceptance.
Privacy questions or requests?
Contact our privacy team at privacy@soberlab.io. Residents should contact their recovery organization directly to exercise rights over their records.