
Our Commitment

Security & Privacy

Last updated: May 23, 2026

On this page

  1. Our commitment
  2. HIPAA — what we do and what we say
  3. How your data is protected
  4. Blinded, aggregate data — and how to opt out
  5. Your control
  6. Incident response
  7. Who handles your data
  8. Contact

1. Our commitment

EMPWRD Patient was built by a patient. Matt — our founder — spent nearly two decades inside a healthcare system that mishandled his health information almost as often as it mishandled his care. So we treat your data the way we'd want our own treated: with discipline, with restraint, and with one rule above all the others — you own your health story.

That commitment isn't a marketing line. It's the operating principle behind every architectural decision in this product. The rest of this page explains what that means in practice.

2. HIPAA — what we do and what we say

HIPAA is the U.S. federal law that governs how Protected Health Information (PHI) is handled by Covered Entities — healthcare providers, insurance plans — and their Business Associates.

The EMPWRD Patient application at empwrdpatient.app stores health information you log about yourself. We operate it under HIPAA-aligned policies. That means we follow the security and privacy practices HIPAA requires of Covered Entities and Business Associates — the administrative, physical, and technical safeguards in the Security Rule — even though direct-to-patient apps are not always strictly required to.

You'll notice we use "HIPAA aligned" rather than "HIPAA compliant." That's deliberate. Compliance is a legal status earned through specific audits and contracts. Alignment is our operational standard — what we actually do every day. We'd rather tell you precisely what's true than overclaim. We take this distinction seriously because you should.

3. How your data is protected

The practices below apply across the EMPWRD product family — the marketing site (this site, empwrdpatient.com) and the app (empwrdpatient.app).

For everything we run

  • Encryption in transit: all traffic uses TLS 1.3
  • Encryption at rest: all stored data is encrypted on disk
  • Strict access controls: only the engineers who genuinely need access have it, and only at the minimum scope required
  • Audit logging: all access to identifiable data is logged and retained
  • Routine review: we revisit our security posture regularly and patch promptly
  • Vetted processors: every third-party service we use is bound by written data-processing agreements

For the marketing site (empwrdpatient.com)

  • Form submissions are processed server-side — we never expose API keys or webhook URLs to your browser
  • No third-party advertising cookies, no cross-site behavioral tracking, no data sales
  • Hosted on Vercel's edge infrastructure with automatic security headers

For the app (empwrdpatient.app)

  • Row-level access controls so you can only ever access your own records — the database enforces this, not just the app
  • All sensitive operations require authenticated, audited API calls
  • Backups are encrypted and access-controlled separately from production data

4. Blinded, aggregate data — and how to opt out

To improve the product, understand patterns across the patient community, contribute to research, and make the case for changes to the healthcare system, we may use information about how the EMPWRD Patient community as a whole is doing.

Two principles govern this use:

  • Blinded. Every analysis strips the personal identifiers HIPAA defines — your name, contact info, exact dates, location, account ID, anything that could tie data back to you as an individual. The remaining information cannot be re-linked to you.
  • Aggregate. We work with summary statistics across many users — patterns, trends, distributions — never with individual records. If a finding can't be reported in aggregate, it doesn't get reported.

What we will never do with your data — not in aggregate, not de-identified, not under any framing:

  • Sell your personal information
  • Share data tied to your identity with advertisers, brokers, or platforms
  • Use it in ways inconsistent with what we told you when you signed up

How to opt out

If you would prefer your information not be used even in blinded, aggregate form, you can opt out at any time — no questions asked, no friction, no waiting period. Email us at privacy@empwrdpatient.com with the words "opt out of aggregate use" (or anything else that makes your intent clear). We will:

  • Confirm receipt within one business day
  • Exclude your information from all future aggregate analyses
  • Continue to provide you the EMPWRD Patient product exactly as before

Opting out of aggregate use is separate from deleting your account. You can do either, both, or neither.

5. Your control

You can, at any time:

  • Request a copy of the data we hold about you
  • Correct information that's wrong
  • Delete your account and the data tied to it
  • Opt out of blinded, aggregate use (see above)
  • Unsubscribe from any communication channel

To exercise any of these rights, email privacy@empwrdpatient.com. We respond within the legal time frames applicable to your jurisdiction, and we don't make you justify the request.

6. Incident response

If we ever experience a security incident affecting your information, we will:

  • Notify affected users within 72 hours of confirming the incident
  • Notify regulators as required by applicable law
  • Tell you what happened, what data was involved, and what we're doing about it — in plain language
  • Provide guidance on any steps you should take to protect yourself

We have built our systems to make sure we don't have to send that message. If you believe you've found a security issue in our product, please report it confidentially to privacy@empwrdpatient.com — we'll respond within one business day.

7. Who handles your data

We publish our data processors so you can see exactly who has access to what:

  • GoHighLevel (LeadConnectorHQ) — marketing-site form submissions and email communications
  • Vercel — hosting for the marketing site and app
  • Supabase — database and authentication for the app
  • Cloudflare R2 — encrypted document storage for your in-app files
  • Anthropic — AI processing for in-app features that require it
  • Twilio and Resend — SMS and transactional email delivery
  • Sentry — error monitoring (configured to scrub identifiable data)

Each is bound by a written data-processing agreement. Our full list is kept current in the Privacy Policy.

8. Contact

Security questions, data requests, opt-out, or anything else on your mind:

Matt Toresco, LLC
1121 Park Ave Blvd, Suite B #151
Mount Pleasant, SC 29466
privacy@empwrdpatient.com

This Security & Privacy page describes our operational posture. The legal contract that governs your use of the Site is the Terms of Use, and the binding statement of how we handle personal information is the Privacy Policy. If anything on this page appears to conflict with those documents, the Privacy Policy and Terms of Use control.

© 2026 EMPWRD Patient. All rights reserved.