Privacy Policy
Effective May 1, 2026
This Privacy Policy describes how Competency Health (“we,” “us,” or “the Service”) collects, uses, and protects information when clinical staff and their organizations use our clinical-competency tracking platform. We take privacy seriously, particularly because we operate in a healthcare setting where confidentiality is non-negotiable.
Important. This document covers our handling of workforce data (training records of the clinicians who use the Service). It is not a HIPAA Notice of Privacy Practices for patients — Competency Health is not designed to store, process, or disclose Protected Health Information (PHI), and users are explicitly prohibited from entering PHI into the Service. See AI Disclosure and the “What you should not enter” section below for details.
1. Who controls your data
When your employer (a hospital, clinic, or healthcare organization) signs up for the Service, that organization is the data controller for the records associated with their staff. We act as a data processor / business associate for those records and only use them on the controller's instructions and for the purposes set out in our agreement with them.
For questions about your specific records (correction, export, deletion), contact your manager or department lead first; they administer your account.
2. Information we collect
2.1 Account information
- Name, work email address, work phone number (optional)
- Department, role, role assignments, and dual-role capabilities
- Hashed password and (if enabled) hashed two-factor authentication secrets and recovery codes
- Account state: invitation status, last login, idle-timeout state
2.2 Training and competency data
- Phases, competencies, target reps, weight tier, and requirement type assigned to your department
- Skill logs you record (date, method, confidence level, optional free-text notes)
- Sign-offs from preceptors, with timestamps and the responsible signer
- License and certification entries (type, expiration, optional uploaded verification documents)
- Continuing-education entries (course name, category, hours, completion date, attachments) — when enabled
2.3 Communication content
- Direct messages between you and other authorized users in your department
- Threaded comments on rep notes
- Department announcements you post or read
2.4 Operational and security telemetry
- Audit logs: account events, role changes, sign-off events, password / 2FA changes, accessed records
- Aggregate usage metrics (no third-party analytics SDKs that build cross-site profiles)
- Standard server logs (timestamps, IP address, user agent) retained for security investigations
3. How we use your information
We use the information above only to:
- Provide the core training-tracking, sign-off, reporting, and communication features of the Service
- Authenticate users, including via two-factor authentication
- Generate the AI-assisted “Competency Coach” reflections (see AI Disclosure)
- Send transactional emails: invitations, password resets, certification expiry alerts, scheduled reports
- Maintain the security and integrity of the Service (audit logs, abuse prevention)
- Comply with legal obligations and respond to lawful requests from your organization
We do not sell, rent, or share your data with advertisers. We do not run third-party advertising trackers on the Service.
4. What you should not enter into Competency Health
Competency Health is a workforce tracking tool. The Service is not designed to store Protected Health Information (PHI). You should not include the following in any free-text field (rep notes, direct messages, announcements, descriptions, or AI prompts):
- Patient names, initials, or identifiers (MRN, account number, etc.)
- Patient demographics combined with health details
- Specific room numbers, dates, or any other identifier that could re-identify a patient
If you accidentally enter PHI, contact your manager and we will remove it. Repeated PHI submissions may be treated as a compliance event under your organization's policies.
5. Sub-processors and infrastructure
We use the following third-party services to operate Competency Health. Each is bound by a Business Associate Agreement (BAA) where applicable, or contractual confidentiality obligations otherwise:
- Hosting + DNS: Vercel (current) / AWS (planned for HIPAA production deployments)
- Database: Supabase (encrypted at rest and in transit)
- AI generation: Anthropic (Claude API) — used only with workforce data, no PHI
- Email delivery: the SMTP relay configured by your organization
- Source control: GitHub (code only, no customer data)
6. Data retention
- Active records are retained while your organization remains a customer and your account is active.
- Audit logs are retained for at least 6 years to support training-record requirements.
- Backups are retained for up to 30 days after the source data is deleted.
- Soft-deleted users / competencies remain in the database (marked inactive) to preserve the integrity of historical sign-offs and rep records.
7. Your rights and choices
You may, subject to your organization's policies:
- View and edit your own profile, password, two-factor settings, and notification preferences in Settings.
- Request a copy of your data through your manager or department lead.
- Request correction or deletion of your data through your manager or department lead.
- Opt out of email notifications per category in Settings → Notifications.
8. Security
We protect your data with industry-standard safeguards including:
- HTTPS/TLS for all network traffic
- Encryption at rest for the database and backups
- Password hashing (bcrypt with a per-user salt)
- Role-based access control with department isolation
- Optional two-factor authentication with single-use recovery codes
- 15-minute idle session timeout
- Audit logging of significant account events
9. Children's privacy
The Service is not directed at children under 13. We do not knowingly collect data from children.
10. International users
The Service is operated from and intended for use within the United States. By using the Service from another country, you consent to your data being processed in the U.S.
11. Changes to this Policy
We may update this Privacy Policy. Material changes will be notified by email to account administrators at least 30 days before they take effect, and the “Effective” date above will be updated.
12. Contact
Questions about this Policy: privacy@competency.health. Security reports: security@competency.health.