Privacy Policy

Last updated: March 22, 2026

ProviderHub.cloud ("we," "us," or "the platform") is a Google Drive permissions management service for healthcare credentialing. This policy describes how we collect, use, and protect your information.

Key principle: ProviderHub.cloud is a permissions manager, not a file manager. We never download, store, copy, or redistribute your Google Drive files.

1. Information We Collect

1.1 Google Account Information

When you sign in with Google OAuth, we receive your name, email address, and profile picture. For providers, we also access the names and IDs of folders you explicitly select through the Google Picker (via the drive.file scope). We do not access your entire Drive.

1.2 Data We Store

User accounts (name, email, role), share records (folder IDs, permission IDs, timestamps), organization records (name, domain, plan), audit log entries, and encrypted OAuth tokens (AES-256/Fernet).

1.3 Data We Do NOT Collect

File contents, health information, financial information (beyond Stripe IDs), Social Security numbers, or biometric data.

2. How We Use Your Information

We call the Google Drive API to create, modify, and delete read-only permissions on folders at the provider's explicit direction. Provider profile data (name, email) is visible to organizations they share with. We use Anthropic's Claude AI for optional folder summaries — only file metadata (names, types) is sent, never file contents.

3. Google API Services User Data Policy

Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

We do not use Google user data for advertising, credit evaluation, or training generalized AI models.

4. Data Security

OAuth tokens encrypted at rest (AES-256/Fernet). All connections over TLS. HTTP-only session cookies with SameSite=Lax. The platform architecturally cannot store your files.

5. HIPAA Compliance

We do not store, process, or transmit Protected Health Information (PHI). Credentialing documents are professional records. Even if shared folders contain PHI, the platform never accesses file contents. We offer BAAs to Enterprise and Health System tier customers upon request.

6. How to Revoke Access

Visit Google Account Settings → Third-party apps, find "ProviderHub.cloud," and click "Remove access."

7. Data Retention and Deletion

Account data retained while active. OAuth tokens deleted on revocation. Audit logs retained per tier (1/3/7 years). Contact privacy@providerhub.cloud for deletion requests (processed within 30 days).

8. California Privacy Rights (CCPA/CPRA)

Right to know, right to delete, right to opt out of sale (we do not sell data), right to non-discrimination. Contact privacy@providerhub.cloud.

9. Contact

Email: privacy@providerhub.cloud