Legal

Privacy Policy

SoberLab handles some of the most sensitive information in healthcare. This policy explains what we collect, how we use it, and the protections that surround resident data on the SoberLab platform.

Last updated: June 26, 2026

For protected health information and substance use disorder records, SoberLab acts as a business associate of your organization under HIPAA and 42 CFR Part 2. Those records are governed first by our Business Associate Agreement and applicable law.

01

Scope of this policy

This policy applies to information SoberLab, Inc. collects through the SoberLab platform, websites, and mobile applications. It describes our practices as the operator of the Services. Where SoberLab processes protected health information on behalf of a recovery organization, our Business Associate Agreement and HIPAA / 42 CFR Part 2 govern.

02

Information we collect

We collect the following categories of information:

Account & sign-in data — your name, work email, and profile from Google single sign-on, plus role and organization assignment set by your administrator;
Customer Data — information your organization enters, including resident records, census, scheduling, billing, and front-desk communications, which may contain PHI;
Usage & device data — log data, IP address, browser/device type, and actions taken in the Services, used for security and reliability;
Support communications — messages you send to our team.
03

How we use information

We use information to operate, secure, support, and improve the Services; to authenticate users; to provide customer support; to detect and prevent fraud or abuse; and to meet legal and contractual obligations. We do not use PHI for advertising, and we never sell personal information.

04

Google sign-in

SoberLab uses Google as its sole authentication provider. When you sign in, Google shares your basic profile (name, email, and account identifier) with SoberLab so we can verify your identity and match you to your organization. We request only the minimum scope needed to authenticate you and do not access your Gmail, Drive, or contacts.

05

How we share information

We share information only as needed to run the Services:

With subprocessors — vetted vendors for cloud hosting, communications, and analytics, bound by contract and, where applicable, a BAA;
Within your organization — according to the role-based permissions your administrator configures;
For legal reasons — when required by law or to protect rights, safety, and the integrity of the Services.

We do not sell or rent personal information, and we do not share PHI except as permitted by our BAA and 42 CFR Part 2.

06

Data retention

We retain Customer Data for the duration of your subscription and as directed by your organization. After termination, data is available for export for 30 days and then deleted or de-identified per our retention schedule, unless longer retention is required by law.

07

Security

We protect information with encryption in transit and at rest, role-based access controls, network segmentation for Part 2 records, continuous monitoring, and regular third-party audits. See our Compliance & Security page for details. No system is perfectly secure, but we maintain administrative, physical, and technical safeguards appropriate to the sensitivity of the data.

08

Your rights & choices

Depending on your jurisdiction, you may have rights to access, correct, delete, or restrict use of your personal information. Because SoberLab processes most records on behalf of recovery organizations, residents should direct requests to the organization that holds their records; we will assist that organization in responding. Staff users can contact us directly to exercise rights over their own account data.

09

Data residency & transfers

Customer Data is hosted in data centers located in the United States. If we transfer data across borders, we use appropriate safeguards consistent with applicable law.

10

Children’s privacy

The Services are intended for use by staff of recovery organizations and are not directed to children under 13. Resident records concerning minors are handled by the organization under applicable law and our BAA.

11

Changes to this policy

We may update this policy as our Services and the law evolve. For material changes we will notify administrators and update the "last updated" date above. Continued use after changes take effect constitutes acceptance.

Privacy questions or requests?

Contact our privacy team at privacy@soberlab.io. Residents should contact their recovery organization directly to exercise rights over their records.