Legal

Privacy policy

What this website collects, why, who touches it, and how to reach us about it. In plain English first, then the detail.

Version 1.0Last revised: July 12, 2026Effective: July 12, 2026

This policy covers this website only

It does not govern the sites we build for practices. Those are covered by each practice’s own notices and by the Business Associate Agreement we sign with them.

If anything here is unclear, or you want to know exactly what is running on this page right now, email hello@failsafedigital.com and we will tell you straight.

Who we are

Failsafe Digitalis a web and digital compliance studio for healthcare. We build websites for medical and dental practices and we sign the Business Associate Agreement that covers the web layer we build. This policy covers this website, meaning the pages you are reading now and the forms on them. It does not govern the sites we build for our clients. Those are covered by each practice’s own notices and by the BAA we sign with them.

When this policy says “we,” it means Failsafe Digital. When it says “you,” it means you, the person visiting this site.

The short version

  • We collect very little. Basic analytics, a recording of how you move through the page (your scrolling and clicks, never what you type), and whatever you put in our audit or contact forms.
  • Turn it off and we stop. If your browser sends Global Privacy Control, no analytics and no session recording load at all. That is enforced in the code, not promised in a paragraph.
  • This site holds no patient data. We do not ask for protected health information here, and our forms are not built to receive it.
  • We do not sell your information. Not to advertisers, not to data brokers, not to anyone.
  • You can ask us to delete it. Email us and we will.

What we collect

Information you give us

If you request a free liability audit or otherwise contact us, we collect what you type into the form. Today that is:

  • Your name
  • Practice name
  • Work email
  • Practice website
  • Phone (optional, only if you choose to)
  • Anything we should know (optional, only if you choose to)

If you email us directly, we hold that email and whatever is in it, the same way any business holds its correspondence.

Information collected automatically

Like most websites, this one records basic technical and usage information when you visit: the pages you view, the site or search that referred you, an approximate location derived from your IP address, your browser and device type, and the date and time of the visit. We use this to understand which pages are useful and whether the site is working.

We also record sessions. We use Microsoft Clarity, which captures how you move through a page: your scrolling, your clicks, where you pause. It lets us replay a visit and see where the site confused someone. We would rather tell you that plainly than bury it in a vendor list.

What it does not capture: what you type.Every field in our forms is explicitly marked to be masked from that recording, in the page’s own code, so it stays masked no matter what a setting somewhere says later.

We do not use any of this to build an advertising profile of you, and we do not try to identify individual visitors from it.

What we never collect here

This site does not collect patient information and it does not collect protected health information (PHI). We do not ask for it, our forms do not request it, and there is no field on this site whose purpose is to receive it.

Please do not send us PHI

Please don’t include any patient information. We are not a healthcare provider, this form is not for PHI, and anything of that nature is deleted from our inbox. If you are a patient trying to reach a practice, contact the practice directly. If you are a practice and you need to send us something that contains patient information, stop and email us first at hello@failsafedigital.com. We will put a covered channel and a signed BAA in place before anything moves. That is the whole business.

If PHI reaches us anyway, through a form or an unsecured email, we will delete it and tell you we did. We will not use it, and we will not keep a copy for our records.

How we use it

We use what we collect to:

  • Run the audit you asked for and send you the result.
  • Reply to your question, quote a project, and carry out an engagement if you hire us.
  • Keep the site working, secure, and free of abuse.
  • Understand which pages people read, so we write better ones.
  • Meet our own legal, tax, and record-keeping obligations.

If you ask us for an audit, we may follow up about it. If you would rather we did not, say so and we will stop. We do not add you to a marketing list without your say-so, and every email we send you can be unsubscribed from.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

Cookies and analytics

We use a small number of cookies and similar technologies: strictly necessary ones that make the site function, and analytics that tell us, in aggregate, how the site is used.

We should be straight with you about something, because we write about it constantly. Third-party analytics on a healthcare provider’s site can leak information about a patient to a third party, and the HHS Office for Civil Rights has said so directly. That is a real problem and it is most of what we are hired to fix.

This is not that site. This is our marketing site. You are not a patient here, nothing you do on this page reveals anything about your health, and we are not a healthcare provider. So we use ordinary analytics, like any business trying to find out which of its pages actually work. On the sites we build for practices, where a visitor really is a patient, the rules are completely different, and that is the whole job.

We honor Global Privacy Control

Not “where required to.” If your browser sends the GPC signal, no analytics and no session recording load at all. Not Google, not Microsoft, nothing. The tags are never initialized. It is enforced in the site’s code, not promised in a paragraph. You can also block cookies in your browser; the site works fine without them.

Third parties and processors

Here is every third party that touches information from this site. They are processors: they handle it on our instructions, for us, and not for their own purposes. If we add one, it gets added to this list in the same breath.

  • Google (Tag Manager, Analytics 4). Site analytics: which pages are read, what referred you, roughly where you are. Usage and device data, IP address.
  • Microsoft (Clarity). Session replay and heatmaps: how far you scroll, what you click, where you hesitate. A recording of your interaction with the page. Text you type into our forms is masked and is not recorded.
  • Resend. Sends the form submission to our inbox, and sends you the confirmation. The contents of your submission, for up to 30 days.
  • Google (Gmail). Our inbox. It is where your message actually lands and where we reply from. Your message and our correspondence with you.
  • Cloudflare. DNS and inbound email routing for failsafedigital.com. Email in transit. It is not stored.
  • Vercel. Hosts this website and serves the pages you are reading. Standard server logs, including IP addresses, for a short period.
  • GitHub (Microsoft). Stores the code and the writing for this website. Nothing you submit. No visitor data.

That is the whole list. If we add one, it appears here in the same breath. A privacy policy that hides a processor you use is as wrong as one that names a processor you do not.

Beyond our processors, we share information only when the law requires it, when we need to establish or defend a legal claim, or if the business is ever sold or merged, in which case this policy travels with the information.

How long we keep it

  • Audit and contact submissions: up to 24 months from your last contact with us, so we have a record of what we told you, and then we delete them. Our email provider holds its own copy of the message for 30 days, which we cannot purge on demand; after that it expires on its own. We would rather tell you that than imply a delete button we do not have.
  • Analytics: in aggregated or de-identified form, for as long as it is useful. Raw event data is kept for a short window only.
  • Client engagement records: for the life of the engagement and as long afterward as our contracts, insurance, and tax obligations require.
  • Anything you ask us to delete: until you ask, and then it is gone, other than what we are legally required to keep.

How we protect it

Access to form submissions and email is limited to the people at the studio who need it. Data is encrypted in transit. Accounts use multi-factor authentication. Our vendors are chosen partly on their security posture, and where a vendor could ever touch protected health information on a client engagement, we require a Business Associate Agreement first.

No system is perfectly secure, and we will not tell you otherwise. What we will tell you is the truth if something goes wrong, promptly, with what we know and what we are doing about it.

Your rights

Depending on where you live, you may have some or all of the following rights. We extend them to everyone who asks, because drawing a line at a state border would be a strange way to run a privacy program.

  • Access. Ask what we hold about you, and we will tell you.
  • Correction. Tell us something is wrong and we will fix it.
  • Deletion. Ask us to delete what we hold, and we will, other than records we must legally keep.
  • Portability. Ask for a copy in a usable format.
  • Opt out. Unsubscribe from any email, or tell us to stop following up. We stop.
  • No retaliation. Exercising any of these costs you nothing and changes nothing about how we treat you.

To exercise any of them, email hello@failsafedigital.com. We will verify that the request is really yours before we act on it, and we aim to respond within 30 days.

We do not sell or share your personal information, as those words are used in the California privacy laws, and we never have. There is no opt-out to give you because there is nothing to opt out of. We do not use your information for cross-context behavioral advertising.

We are a small US business serving US healthcare practices, and we do not market to the EU or the UK. If you are covered by a privacy law that gives you a right we have not listed, write to us and we will honor it. We would rather do that than argue about which statute reaches us.

Children

This site is for practice owners and the people who run them. It is not directed at children, and we do not knowingly collect information from anyone under 13. If you believe a child has sent us information, email us and we will delete it.

Changes to this policy

When this policy changes, we will update the revision date at the top of the page. If a change is significant, we will say so plainly rather than hoping you do not notice.

Contact us

Questions about this policy, about what we hold, or about anything else on this page:

hello@failsafedigital.com

A postal address and an entity name for formal notices will be added here with the reviewed version.