Privacy Policy

Effective date: April 30, 2026

Overview

FormAlly is a HIPAA-grade form builder operated by Attenti LLC (“FormAlly,” “we,” “us”) for therapy practices and the clinicians, staff, and patients they serve. This Privacy Policy describes the information we collect, how we use it, how we protect it, and the choices you have. It applies to formally.health and any FormAlly feature that links to this policy.

FormAlly is designed for use by HIPAA-covered entities. When a therapy practice uses FormAlly to handle Protected Health Information (“PHI”), Attenti LLC operates as a Business Associate of that practice under a signed Business Associate Agreement (“BAA”). The practice is the Covered Entity and remains the controller of its patients’ PHI; FormAlly processes PHI only under the BAA and only as instructed by the practice.

Information we collect

Account information

When you or your practice create an account, we collect your name, email address, role, and the practice or organization name. If you sign in via a third-party identity provider, we receive the basic profile fields that provider returns and the unique identifier we use to keep you signed in.

Customer-submitted form data, including PHI

When a practice uses FormAlly to collect intake forms, consents, assessments, treatment plans, or any other clinical or administrative record, the practice and its patients submit data into FormAlly. This may include patient names, contact information, demographic information, clinical responses, assessment scores, billing information, and similar records that the practice is responsible for under HIPAA. We process this data strictly as a Business Associate under the BAA executed with that practice.

Audit logs

For every access to a record containing PHI, every administrative action, every approval-chain transition, and every authentication event, we store a timestamped audit record. Audit logs are required by HIPAA and are retained on the schedule described under “Retention.”

Operational telemetry

We collect server logs (IP address, request path, user agent, response status, timestamp) and application error reports for the purpose of operating, securing, and debugging the service. Operational telemetry is retained on a shorter schedule than audit logs, is scrubbed of PHI before storage, and is not used for advertising.

How we use information

  • To provide, secure, and improve the service.
  • To authenticate you, authorize access to practice resources, and honor the role-based access controls your practice configures.
  • To produce the audit logs HIPAA requires of a Business Associate.
  • To respond to your support requests and to communicate service-related notices (security alerts, scheduled maintenance, policy changes).
  • To meet legal obligations and to enforce our Terms of Service.

We do not sell personal information. We do not share personal information with advertisers, ad networks, or data brokers. We do not use PHI to train machine-learning models, and we do not allow our subprocessors to do so on our behalf.

AI features and PHI

FormAlly may, in the future, offer AI-assisted features such as note summarization, draft generation, sentiment analysis, or trend extraction. The following commitments apply to any current or future AI feature in FormAlly:

  • We do not send PHI to a third-party AI or machine-learning provider unless that provider is explicitly named on your BAA.
  • AI features that operate on PHI are off by default and require explicit opt-in by your practice administrator.
  • We do not use customer PHI to train, fine-tune, or evaluate generalized or non-personalized AI models, and we do not allow our subprocessors to do so on our behalf.
  • Any new AI subprocessor that may handle PHI is added to your BAA before activation, with reasonable advance notice and the ability to object.

Subprocessors

We rely on a small set of subprocessors to operate the service. All subprocessors that may handle PHI on our behalf are bound by an executed BAA.

  • Google Cloud Platform. Primary hosting, database, and storage. United States region. Bound by Google’s Cloud BAA.
  • Stripe, Inc. Billing and payment processing. PCI-DSS Level 1 service provider. We do not store full card numbers; Stripe is the system of record for payment instruments.
  • Amazon Web Services (SES). Transactional email delivery (sign-in links, MFA recovery, notifications). Bound by AWS’s Business Associate Addendum where any email contents may include PHI.

Identity providers used for sign-in (e.g., Google Workspace) are authentication pass-throughs only — we receive an opaque token and the user’s claimed email address. They are not subprocessors and never receive PHI from us.

FormAlly self-hosts its application error tracking inside the same hosting boundary as the rest of the service; error reporting does not involve a third-party SaaS vendor. Error payloads are scrubbed of request bodies, query strings, cookies, and authentication headers before storage.

Retention

  • Account data is retained for the duration of the contract and for ninety (90) days after termination, after which it is deleted unless a longer retention period is required by law.
  • Customer-submitted PHI is retained for the duration of the contract and made available for export for thirty (30) days after termination, then deleted in accordance with the BAA and applicable state retention requirements.
  • Audit logs are made available to you on request — including a complete export at account closure. We retain only what we are legally required to keep for our own compliance recordkeeping after that point.
  • Operational telemetry (server logs, error reports) is retained for up to ninety (90) days.

Security

  • All traffic to FormAlly is encrypted in transit using TLS 1.2 or higher.
  • Customer data is encrypted at rest using provider-managed envelope encryption. Sensitive fields receive an additional field-level encryption layer.
  • Access to production systems is restricted on a least-privilege basis, requires multi-factor authentication, and is logged.
  • We operate FormAlly under HIPAA Security Rule administrative, physical, and technical safeguards. A current BAA is available before any PHI enters the system.
  • We maintain an incident response process and will notify affected customers of a security incident in accordance with the BAA and applicable law.

Your rights

Subject to applicable law, you may request to access, correct, export, or delete the personal information we hold about you. Where FormAlly processes PHI as a Business Associate, requests from patients should be directed to the Covered Entity (your practice), which controls that data; we will support the practice in fulfilling those requests.

To exercise rights with respect to your own account, email mcoffman@attenti.net. We will respond within the timelines required by the laws that apply to you.

Children and minor patients

FormAlly is intended for use by licensed clinicians and the staff of therapy practices. We do not knowingly create accounts for individuals under the age of eighteen (18). Practices that treat minor patients may store records about those patients in FormAlly under the practice’s custodial responsibility and the BAA between the practice and FormAlly; in that case the practice, not the minor patient, is our customer.

International users

FormAlly is operated from the United States and processes data in the United States. If you access the service from outside the United States, you understand that your information will be transferred to and processed in the United States.

Changes to this policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days’ advance notice by email to the address associated with your account and by updating the Effective date above. Continued use of FormAlly after the new policy takes effect constitutes acceptance of the change.

Contact

For privacy questions or requests, contact us at mcoffman@attenti.net.

Attenti LLC
PO Box 1069
Langhorne, PA 19047