Privacy Policy
This policy describes what VisitLock, Inc. ("VisitLock," "we") collects, why, and what we do with it. We've tried to write it in plain English. The lawyer-grade version is available on request.
Who this policy applies to
This policy applies to people who visit visitlock.ai, agencies who use the VisitLock platform, home health aides who use the VisitLock app, payers and state Medicaid programs that integrate with us, and anyone who emails us.
What we collect
- From the website: standard server logs (IP address, browser, pages visited), and any information you give us in a form.
- From agencies and payers: business contact information, organization details, and operational data needed to run the platform — patient identifiers, visit metadata, claim metadata, EVV submission data.
- From aides using the app: name, employer, device identifier, GPS location during a visit (the geofence check, not continuous tracking), visit timestamps, and an on-device biometric template — see the next section.
What we do not collect
We do not collect or transmit biometric templates to our servers. The aide's face geometry is generated and stored exclusively in the secure enclave of the aide's own device. At every visit, the comparison happens on the device. Only a signed match score travels to our servers.
We do not sell, lease, or trade biometric data with any third party — because we don't have any to sell.
How we use what we collect
- To provide the VisitLock platform and its core verification, EVV, and reporting features.
- To detect fraud, anomalies, and program-integrity issues for our agency and payer customers.
- To comply with our legal obligations, including HIPAA, state Medicaid program requirements, and audit obligations.
- To improve the platform — using aggregated, de-identified analytics, never individual aide data.
HIPAA and Business Associate Agreements
VisitLock acts as a Business Associate to its covered-entity customers under HIPAA. A Business Associate Agreement (BAA) is in place with every customer that handles Protected Health Information through our platform. We follow the Privacy Rule and the Security Rule.
BIPA, CUBI, and other biometric privacy regimes
VisitLock is designed to comply with the Illinois Biometric Information Privacy Act (740 ILCS 14), the Texas Capture or Use of Biometric Identifier Act, and Washington HB 1493. Our consent flow at aide enrollment includes written notice, written consent, and a written retention and destruction policy as required by these statutes.
Sub-processors
We use a small list of cloud and operational sub-processors. The current list is available on request and includes Amazon Web Services (US-region only), Cloudflare (CDN and DDoS protection), Twilio (SMS), and Postmark (transactional email). Any change to this list is communicated to customers under contract.
How long we keep things
- Visit records: as long as our customer requires, up to seven years (Medicaid audit window).
- Aide enrollment records: until the aide's employer terminates the enrollment, then deleted within 90 days.
- Marketing and prospect records: until you ask us to delete them.
Your rights
If you're a resident of California, Colorado, Connecticut, Delaware, Texas, Utah, Virginia, or another state with a privacy law, you have the right to access, delete, correct, and port your personal information. Email privacy@visitlock.ai and we will route the request to the right team.
If you're a covered individual served by an agency that uses VisitLock, your privacy rights are protected by HIPAA and your state's Medicaid program rules. Requests should go through the agency or the state Medicaid program in the first instance, but we will assist where appropriate.
Security
Our safeguards include encryption at rest (AES-256), encryption in transit (TLS 1.3), data residency in U.S. AWS regions, multi-region replication, and a published breach response plan. Detailed information is in our Trust Pack, available under NDA. See Security.
Contact
Privacy office: privacy@visitlock.ai
Mailing address: VisitLock, Inc., 400 N Tampa St., Tampa, FL 33602.