Privacy Policy
Version 2026-06-08 · Effective June 8, 2026
This Privacy Policy explains how TASHABAR LLC, doing business as Lucido ("Lucido," "we," "us," or "our") handles information in connection with the Lucido service and our website at lucido-go.com. Lucido processes protected health information ("PHI") on behalf of clinics as a Business Associate under HIPAA; that PHI is governed by our Business Associate Agreement (BAA) and HIPAA, which control over this Policy as to PHI. This Policy describes how we handle clinic account information, usage and security information, and website information, and it summarizes our role with respect to PHI.
Information we collect
We collect: (a) account information you provide — clinic name, address, DEA registration, owner email, and the names and roles of the staff you add; (b) usage and security information — sign-in events, IP address, browser and device information, audit records, and error logs generated as you use the Service; and (c) website information — limited information from visitors to our public pages. We do not operate third-party advertising networks, and we do not run third-party analytics on patient data.
Protected health information (our role as a Business Associate)
When you use the Service, Lucido creates and processes the minimum PHI the REMS workflow requires — such as patient identifiers, vital signs, dosing details, and session observations — solely to provide the Service to your clinic, as your Business Associate under HIPAA and the BAA. We do not sell PHI, and we do not use PHI for our own purposes or for marketing. Session records auto-delete after your clinic's configured retention window.
How we use information
We use account, usage, and security information to operate, secure, maintain, and support the Service; to generate the REMS documentation your clinic files; to maintain the audit log your clinic relies on; to communicate with you about the Service; and to comply with law. We do not use PHI for advertising or marketing.
No sale of information
We do not sell personal information or PHI, and we do not share it for cross-context behavioral advertising. [Counsel: add any disclosures required by the California Consumer Privacy Act / CPRA or other state privacy laws — including the categories of information collected, the purposes of use, and consumer rights — to the extent they apply to website visitors.]
Sharing and subprocessors
Lucido runs on Amazon Web Services, which hosts the Service under a signed Business Associate Addendum. [Counsel: list any other subprocessors that may process personal information or PHI — for example, transactional email or error-monitoring providers — each under an appropriate data-protection or business-associate agreement.] We may disclose information if required by law or to protect rights and safety, and in connection with a merger, acquisition, or sale of assets, subject to the protections of the BAA for PHI. We do not otherwise share PHI.
Data retention
Session and PHI records auto-delete after your clinic's configured retention window. Account information is retained while your account is active and as needed to comply with our legal obligations, resolve disputes, and enforce our agreements. Security and audit logs are retained for the period required by HIPAA and our compliance program. [Counsel: confirm retention periods — e.g., six years for HIPAA documentation under 45 CFR § 164.316(b)(2).]
Security
We protect information with encryption in transit (TLS) and at rest, an append-only audit log, role-appropriate authentication (owner accounts via Amazon Cognito with optional multi-factor authentication, and staff PINs), least-privilege access controls, and a database that is not publicly reachable. No method of transmission or storage is completely secure, but we work to protect your information and to notify you of incidents as required by the BAA and applicable law.
Your clinic's and patients' rights
Your clinic can export its data and request deletion of its data. Patients' rights under HIPAA — including access, amendment, and an accounting of disclosures — are supported through your clinic, which is the Covered Entity and the patients' point of contact. [Counsel: add any rights available to website visitors under applicable state privacy law and how to exercise them.]
Cookies
The Service uses strictly necessary, HttpOnly session cookies to keep owners, staff, and patients signed in and to secure the application. We do not use cookies for third-party advertising or cross-site tracking. [Counsel: confirm whether a cookie notice or consent banner is required for the public website.]
Children's privacy
The Service is provided to clinics for use by their staff and is not directed to children or to the general public. Any PHI relating to a minor patient is processed on the clinic's behalf, under the BAA and at the clinic's direction.
Where we operate
We operate the Service in the United States. If you access it from outside the United States, you understand that information is processed in the United States. [Counsel: add any international data-transfer terms if the Service is offered outside the U.S.]
Changes to this Policy
We may update this Policy from time to time. For material changes we will provide notice and update the version and effective date shown above.
Contact
Questions about this Policy or our privacy practices can be sent to privacy@lucido-go.com, or by mail to TASHABAR LLC, 403 N Kennicott Ave, Arlington Heights, IL 60005. [Counsel: confirm the name or title of the privacy contact.]