
Privacy Policy

Effective Date: January 15, 2026
Last Updated: January 15, 2026

1. Introduction & Overview

Welcome to WhatsNext, a digital platform designed to help parents and guardians navigate the autism and ADHD evaluation process. This Privacy Policy explains how WhatsNext Health, LLC ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our platform at whatsnext.health (the "Service").

Who We Are

WhatsNext Health, LLC is a North Carolina-based company providing digital tools and resources to support families navigating developmental evaluations. We are committed to protecting your privacy and being transparent about how we handle your information.

What This Policy Covers

This Privacy Policy applies to:

  • All information collected through our website and platform
  • Data you provide when creating an account
  • Information entered about your child and family
  • Documents you upload
  • Your interactions with our AI assistant
  • Usage data and analytics

This policy does NOT cover:

  • Information collected by third-party websites we link to
  • Practices of healthcare providers you may connect with through our platform
  • Data collected offline or through other channels

How to Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

  • Email: privacy@whatsnext.health
  • Mail: WhatsNext Health, LLC [Address] High Point, NC [ZIP]
  • Response Time: We aim to respond within 7 business days

2. Information We Collect

We collect several types of information to provide and improve our Service:

Account Information

When you create an account, we collect:

  • Name: Your full name as provided during signup
  • Email address: Used for account access, notifications, and communication
  • Password: Stored in encrypted format. We never see or have access to your plain-text password
  • Profile preferences: Settings you choose for your account experience
  • Subscription tier: Your current subscription level (Free, Essential, or Premium)
  • Account activity: Login times, last access, and usage patterns

Child & Family Information

To personalize your journey, we collect limited information about your child:

  • Child's first name: Optional, used for personalization only
  • Date of birth: Used to calculate age and developmental stage
  • Age: Calculated from date of birth for age-appropriate guidance
  • Developmental stage: Your selection of where you are in the evaluation process (pre-screening, seeking evaluation, post-diagnosis, etc.)
  • Primary concerns: Topics you select that are most relevant to your situation
  • Insurance type: Medicaid, private insurance, TRICARE, or none (for resource matching)
  • State/location: Your state code for state-specific resources and information

Important: We do NOT collect or store:

  • Medical diagnoses or diagnostic codes
  • Social Security Numbers (SSN)
  • Protected Health Information (PHI) as defined by HIPAA
  • Detailed medical history beyond developmental stage
  • School-specific identifiers

Journey & Progress Data

We track your progress through the evaluation journey:

  • Journey steps completed: Which roadmap steps you've finished
  • Custom journey steps: Steps you create yourself
  • Action items: Tasks assigned to you and their completion status
  • Notes and annotations: Personal notes you add to steps or documents
  • Milestone completions: Key achievements in your journey

Documents & Files

When you upload documents, we store:

  • Uploaded files: PDFs, images, Word documents, and other file types you upload
  • Document metadata:
    • File names and sizes
    • Upload dates
    • Document types (evaluation report, school document, medical record, etc.)
    • Tags and categories you assign
  • OCR-extracted text: Text extracted from documents for search functionality (PDFs and images)
  • Document organization: Folders, tags, and relationships you create

Security: All uploaded documents are encrypted at rest and in transit. We scan files for viruses before storage.

Provider & Care Team Data

Information about providers and your care team:

  • Saved providers: Providers you save to your directory
  • Favorites: Providers you mark as favorites
  • Provider notes: Personal notes and contact logs you maintain
  • Care team members: Information about therapists, doctors, and other professionals
  • Appointment information: Dates, notes, and reminders you enter

Screening Tool Data

When you complete screening questionnaires:

  • Responses: Your answers to screening questions (M-CHAT, Vanderbilt, SNAP-IV, etc.)
  • Screening results: Scores and interpretations generated from your responses
  • Historical data: Previous screening attempts and results over time
  • Screening metadata: Dates, screening types, and versions used

Important: Screening results are for informational and educational purposes only. They are not medical diagnoses and should be shared with your healthcare provider.

AI Conversation Data

When you interact with our AI assistant:

  • Messages: Questions and prompts you send to the AI
  • AI responses: The guidance and information provided by the AI
  • Conversation history: Previous messages and context (if you enable history)
  • Usage metrics: Number of questions asked, topics discussed, and usage patterns

AI Data Protection:

  • Conversations are encrypted in transit
  • Anthropic (our AI provider) does not use your data to train their models
  • You can delete conversation history at any time
  • Disabling history may reduce the quality of AI responses (less context)

Usage & Analytics

To improve our platform, we collect:

  • Pages visited: Which pages and features you use
  • Feature usage: How often you use specific features
  • Time spent: How long you spend on different sections
  • Device information: Device type, operating system, and browser
  • IP address: Used for security, fraud prevention, and geolocation (general area only)
  • Error logs: Crash reports and error messages to identify bugs
  • Performance data: Page load times and technical performance metrics

Analytics Tools: We use PostHog (if implemented) for usage analytics. You can opt out of non-essential analytics in your account settings.


3. How We Use Your Information

We use the information we collect for the following purposes:

To Provide Services

  • Account management: Create and manage your account, authenticate logins, process subscriptions
  • Personalized roadmaps: Generate personalized journey roadmaps based on your child's age, developmental stage, and location
  • AI-powered guidance: Provide relevant, contextual advice from our AI assistant based on your journey stage
  • Document storage: Securely store and organize your uploaded documents
  • Progress tracking: Track your journey progress and milestones
  • Partner collaboration: Enable "Plus One" partner access when you invite a family member
  • Transactional emails: Send account confirmations, password resets, and subscription notifications

To Improve Our Platform

  • Understanding usage: Analyze how features are used to prioritize improvements
  • Bug identification: Use error logs to identify and fix technical issues
  • User experience optimization: Improve navigation, design, and functionality based on usage patterns
  • Feature development: Develop new features based on user needs and feedback
  • AI training: Improve AI response quality (using anonymized, aggregated data only - never your personal conversations)

To Communicate With You

  • Account updates: Notify you of important account changes
  • Action item notifications: Remind you of assigned tasks and upcoming milestones
  • Milestone celebrations: Celebrate your progress and achievements
  • Support responses: Respond to your help requests and questions
  • Service announcements: Inform you of important platform updates, maintenance, or changes
  • Legal compliance: Comply with applicable laws and regulations
  • Fraud prevention: Detect and prevent fraudulent activity and abuse
  • Terms enforcement: Enforce our Terms of Service and acceptable use policies
  • Safety protection: Protect user safety and platform security
  • Legal proceedings: Respond to legal requests, court orders, or government inquiries

4. How We Share Your Information

We DO NOT sell your information. We never have and never will sell your personal information to third parties.

Service Providers

We share information with trusted service providers who help us operate our platform:

  • Supabase: Database hosting, authentication, and file storage (data centers in US/EU)
  • Vercel: Website hosting and content delivery (global CDN)
  • Anthropic: AI processing for our assistant (encrypted, not used for training)
  • Resend: Email delivery service (transactional emails only)
  • Stripe: Payment processing (when implemented) - only payment information, not health data
  • PostHog: Analytics and product insights (if implemented) - anonymized usage data

All service providers are contractually bound to:

  • Use data only for specified purposes
  • Implement appropriate security measures
  • Comply with applicable privacy laws
  • Not share your data with third parties

With Your Partner (Plus One Feature)

When you invite a partner using our "Plus One" feature:

  • They gain access to shared child profiles, journeys, documents, and action items
  • You control who you invite - only you can send invitations
  • Partners must create their own account and agree to our Terms of Service
  • You can revoke partner access at any time
  • Partners can remove themselves from access

Your responsibility: You are responsible for who you invite. Only invite people you trust to access your child's information.

With Your Care Team (Future - Phase 2)

When we launch provider features (planned for Phase 2):

  • You will have the option to share specific information with healthcare providers
  • This will be opt-in only - you control what is shared
  • You will choose which providers receive access
  • You can revoke access at any time
  • We will provide detailed information about what is shared before you opt in

Current status: This feature is not yet available. We will update this policy when provider sharing becomes available.

We may disclose your information if required by:

  • Law or regulation: When legally required to do so
  • Court order: In response to a valid court order or subpoena
  • Government request: For law enforcement or national security purposes
  • Legal proceedings: To protect our rights, property, or safety, or that of our users
  • Business transfer: In connection with a merger, acquisition, or sale of assets (with advance notice)

We will notify you: Whenever possible, we will notify you before disclosing your information unless legally prohibited.


5. Data Security

We take the security of your information seriously and implement multiple layers of protection.

How We Protect Your Data

  • Encryption in transit: All data transmitted between your device and our servers uses HTTPS/TLS encryption
  • Encryption at rest: All stored data (database and files) is encrypted at rest
  • Row-level security (RLS): Database-level access controls ensure users can only access their own data
  • Secure authentication: We use Supabase Auth with industry-standard password hashing (bcrypt)
  • Regular security updates: We apply security patches and updates promptly
  • Access controls: Staff access to data is limited and monitored
  • Virus scanning: Uploaded files are scanned for malware before storage
  • Security monitoring: We monitor for suspicious activity and unauthorized access attempts

What You Can Do

You play an important role in protecting your account:

  • Strong password: Use a unique, strong password (at least 8 characters with mixed case, numbers, and symbols)
  • Two-factor authentication: Enable 2FA when available (coming soon)
  • Keep credentials private: Never share your login credentials with anyone
  • Log out on shared devices: Always log out when using shared or public computers
  • Review partner access: Regularly review and manage who has access to your child's information
  • Report suspicious activity: Contact us immediately if you notice unauthorized access

Our Limitations

Important disclaimers:

  • No system is 100% secure - while we implement industry-standard protections, absolute security cannot be guaranteed
  • We are not currently HIPAA-compliant - We are working toward HIPAA compliance but are not yet a HIPAA-covered entity
  • We are not a healthcare provider - We do not provide medical diagnosis, treatment, or healthcare services
  • For HIPAA-protected health information: If you need to share protected health information (PHI) with providers, consult with your healthcare provider about HIPAA-compliant communication methods

6. Data Retention

We retain your data only as long as necessary to provide our Service and comply with legal obligations.

Active Accounts

  • Data retention: We retain all your data while your account is active
  • Subscription changes: Data persists when you upgrade, downgrade, or switch between subscription tiers
  • Free tier: Data is retained even if you're on the free tier (as long as account is active)

Deleted Accounts

When you delete your account, we delete your information according to this schedule:

  • Personal information: Deleted within 30 days of account deletion
  • Documents: All uploaded documents deleted within 30 days
  • Journey and progress data: Deleted within 30 days
  • Child profiles: All child profile data deleted within 30 days
  • AI conversations: Conversation history deleted within 30 days

Backups: Backups may retain your data for up to 90 days before permanent deletion. During this period, data is not accessible through the platform.

Anonymized analytics: We may retain anonymized, aggregated analytics data for up to 2 years for platform improvement purposes. This data cannot identify you.

We may retain your data longer than described above if:

  • Required by law or legal proceedings
  • Subject to a legal hold or preservation order
  • Needed for fraud investigation or dispute resolution

In such cases, we will notify you (when permitted by law) and retain data only as long as legally required.


7. Your Rights & Choices

You have several rights regarding your personal information. We make it easy to exercise these rights.

Access & Export

  • View your data: You can view all your data through your account dashboard
  • Export data: Premium tier users can export all data (available in Account Settings)
  • Data copy: All users can request a copy of all data we hold about you (email privacy@whatsnext.health)
  • Format: Exports are provided in machine-readable format (JSON, CSV)

Correction

You can correct or update your information at any time:

  • Profile information: Edit your name, email, and preferences in Account Settings
  • Child profiles: Update child information, developmental stage, and concerns
  • Journey data: Edit steps, notes, and action items
  • Documents: Update document tags, categories, and metadata

Deletion

You can delete your information:

  • Individual items: Delete individual documents, action items, or notes from your account
  • Child profiles: Delete entire child profiles (removes all associated data)
  • Account deletion: Delete your entire account (removes all data per Data Retention section)
  • Conversation history: Delete AI conversation history (available in AI Assistant settings)

Portability

  • Data export: Export your data in machine-readable formats (JSON, CSV)
  • Transfer to other services: You can transfer exported data to other platforms
  • Format: Data is provided in standard, interoperable formats

Objection

You can object to certain uses of your data:

  • Marketing emails: Opt out of marketing emails (we don't send marketing during beta)
  • Analytics tracking: Opt out of non-essential analytics in Account Settings
  • AI conversation history: Disable conversation history (may reduce AI quality)
  • Email notifications: Customize which email notifications you receive

How to Exercise Your Rights

Most rights can be exercised directly through your Account Settings. For assistance:

  • Email: privacy@whatsnext.health
  • Response time: We respond to requests within 30 days
  • Verification: We may need to verify your identity before processing requests
  • No fee: Exercising your rights is free (unless request is excessive or unfounded)

8. Children's Privacy (COPPA Compliance)

We take children's privacy seriously and comply with the Children's Online Privacy Protection Act (COPPA).

Our Platform and Children

  • Designed for parents: WhatsNext is designed for parents and legal guardians (18+)
  • No child accounts: Children under 13 do not create accounts or interact with our platform
  • Parent-controlled: All information about children is entered and controlled by parents
  • Limited child information: We collect only minimal information needed to personalize guidance (name, age, developmental stage)

Child Information We Collect

Parents may enter limited information about their child:

  • First name (optional): Used only for personalization within the platform
  • Age/date of birth: Used to provide age-appropriate guidance and resources
  • Developmental observations: Parent-entered observations about developmental concerns
  • Screening results: Results from parent-completed screening questionnaires (M-CHAT, Vanderbilt, etc.)

We do NOT collect:

  • Medical diagnoses or diagnostic codes
  • Social Security Numbers
  • Protected Health Information (PHI)
  • Detailed medical or educational records (unless parent uploads documents)
  • Information directly from children

Parent Control

Parents have complete control over their child's information:

  • View: Parents can view all child information through their account
  • Edit: Parents can update or correct child information at any time
  • Delete: Parents can delete child profiles and all associated data
  • Share: Parents control who has access (via Plus One invitations)

Child data deletion: When a parent deletes their account, all child information is automatically deleted within 30 days.

COPPA Compliance

We comply with the Children's Online Privacy Protection Act:

  • No direct collection from children: We do not knowingly collect information directly from children under 13
  • Parental consent: By using our Service, parents consent to our collection of limited child information for personalization purposes
  • No direct marketing to children: We never market directly to children
  • No behavioral tracking of children: We do not track children's behavior or preferences
  • Parental access: Parents can access, review, and delete their child's information at any time

If you believe we have collected information from a child under 13 without parental consent, please contact us immediately at privacy@whatsnext.health.


9. International Users

Primary Service Area

  • Based in United States: WhatsNext is a US-based company operating primarily for US users
  • US healthcare system: Our platform is optimized for navigating the US healthcare system
  • Data storage: Data is primarily stored in US data centers (Supabase US regions)

International Access

  • International users welcome: Users outside the US can access and use our platform
  • Data transfer: By using WhatsNext, you consent to your data being transferred to and stored in the United States
  • Applicable laws: We comply with applicable international data protection laws (GDPR, PIPEDA, etc.)

Future Expansion

  • Canada, UK, and others: We plan to expand to other countries in the future
  • Localization: Privacy practices will be updated to comply with local laws and regulations
  • Data residency: When we expand, we may offer data storage in local regions where required by law

10. Cookies & Tracking

We use cookies and similar technologies to provide and improve our Service.

Essential Cookies

These cookies are necessary for the platform to function:

  • Authentication: Keep you logged in during your session
  • Security: Help prevent fraud and unauthorized access
  • Session management: Maintain your session state as you navigate the platform

These cannot be disabled without breaking core functionality.

Analytics Cookies

These cookies help us understand how our platform is used:

  • Usage analytics: Track which pages and features are most popular (PostHog or similar)
  • Feature usage: Understand how features are used to prioritize improvements
  • Performance monitoring: Identify slow pages and technical issues

You can opt out of analytics cookies in your Account Settings. Opting out does not affect platform functionality.

Your Choices

Most browsers allow you to:

  • Refuse cookies: Configure your browser to refuse all cookies
  • Delete cookies: Delete existing cookies from your browser
  • Cookie notifications: Receive notifications when cookies are set

Note: Refusing essential cookies may prevent you from using certain features of our platform.

Do Not Track: We do not currently respond to Do Not Track signals, but you can opt out of analytics tracking in your Account Settings.


Our platform may contain links to external websites and resources.

External Resources

  • Provider websites: Links to healthcare provider websites
  • Resource articles: Links to educational articles and resources
  • Government sites: Links to state and federal resources
  • Other services: Links to third-party tools and services

Third-Party Privacy

  • Not responsible: We are not responsible for the privacy practices of third-party websites
  • Review policies: We encourage you to review the privacy policies of any external sites you visit
  • Use at your own risk: You use third-party sites at your own risk

When you click external links, you leave our platform and are subject to the third party's privacy policy.


12. AI & Automated Processing

Our platform uses artificial intelligence (AI) to provide personalized guidance.

How We Use AI

  • AI assistant: Anthropic Claude API processes your messages and provides guidance
  • Contextual responses: AI uses your conversation history and journey stage to provide relevant advice
  • Personalization: AI responses are personalized based on your child's age, developmental stage, and progress

Data Sent to AI

When you interact with our AI assistant, we may send:

  • Your messages: The questions and prompts you send to the AI
  • Relevant context: Your child's age, developmental stage, and journey progress
  • Conversation history: Previous messages (if you enable conversation history)

We do NOT send:

  • Medical diagnoses or PHI
  • Full document contents (unless you specifically share them in a message)
  • Information about other users

AI Data Protection

  • Anthropic terms: Anthropic does not use your data to train their models (per their terms of service)
  • Encryption: All data sent to AI is encrypted in transit
  • Conversation deletion: You can delete conversation history at any time
  • Opt-out: You can disable conversation history (though this may reduce response quality)

No Automated Decisions

Important: Our AI provides guidance and suggestions only. It does not:

  • Make automated decisions affecting your rights
  • Diagnose conditions or prescribe treatments
  • Replace professional medical advice
  • Make decisions without human review

All decisions remain with you. The AI is a tool to support your journey, not to make decisions for you.


13. Business Transfers

If WhatsNext is acquired, merged, or undergoes a business transfer:

Transfer of Data

  • Data transfer: Your data may be transferred to the acquiring entity
  • Advance notice: We will notify you via email at least 30 days before the transfer
  • New entity obligations: The new entity must honor this Privacy Policy or provide equivalent protections
  • Your choice: You can delete your account before the transfer if you do not want your data transferred

Continuity of Service

  • Service continuation: We will attempt to maintain continuity of service during transfers
  • Notifications: You will be notified of any changes to privacy practices
  • Your rights: Your rights under this policy will be preserved or enhanced

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.

Policy Updates

  • Periodic updates: We review and update this policy annually, or more frequently if needed
  • Material changes: We will notify you of material changes via email 30 days before they take effect
  • Continued use: Your continued use of the Service after changes constitutes acceptance
  • Review regularly: We encourage you to review this policy periodically

How We Notify You

  • Email notification: We send email notifications for material changes
  • In-app notice: We may display in-app notices for significant updates
  • Updated date: The "Last Updated" date at the top of this policy reflects the most recent changes
  • Version history: We maintain a version history of policy changes (available upon request)

If You Disagree

If you disagree with changes to this Privacy Policy:

  • Review changes: Read the updated policy carefully
  • Contact us: Email privacy@whatsnext.health with questions or concerns
  • Delete account: You can delete your account if you do not agree to the changes

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices:

Privacy Inquiries

  • Email: privacy@whatsnext.health
  • Response time: We aim to respond within 7 business days
  • Mail: WhatsNext Health, LLC [Address] High Point, NC [ZIP]

Data Protection Officer

  • Email: dpo@whatsnext.health (when appointed)
  • Note: We will appoint a Data Protection Officer as we grow and when required by law

General Support


Thank you for trusting WhatsNext with your information. We are committed to protecting your privacy and being transparent about our practices.