How we protect your data

PHI-safe by design — here's exactly how it works

Last updated: March 2026

Pediatric therapy practices handle sensitive information about children and families every day. We built Senvvo from the ground up with a single guiding principle: collect only what's necessary, keep it only as long as needed, and never store what you don't need.

The short version

Parent names and contact details are never stored in our database
Screener responses are never stored in identifiable form
Chat message content is never stored
Results links expire after 48 hours
All analytics are aggregated and de-identified

How the screener works

When a parent completes your screener:

Step 1

Parent answers questions

Responses are held in the browser session only. Nothing is written to our database at this point.

Step 2

Parent submits contact form

Name, email, and phone are used to send two emails:

Results email to the parent with their tokenized link
Notification email to your practice with the results summary

After these emails are sent, the contact information is discarded. It is never written to our database.

Step 3

What we store

We store only:

A randomized token linked to the screener result (expires 48 hours)
The age range selected (e.g. "18–24 months")
Domain-level scores (e.g. "3 of 6 milestones met") — no individual question responses
A timestamp

Never stored

Parent name
Email address
Phone number
Child's name or date of birth
Individual question responses
Chat message content
Any identifying information

What we store

Random session / result token
Age range (e.g. "2–3 years")
Domain scores (aggregated)
Timestamp
Anonymous session events

How the chat assistant works

Message content is processed in real time to generate a response and is never written to our database.

We store only anonymized session events:

Session started (random session ID, no identity)
Message sent (count only, no content)
Contact requested (topic tag if available, no personal details)

Your analytics dashboard shows conversation volumes, top topics, and contact rates — all derived from these anonymized events. No individual conversation is identifiable or retrievable.

No free-text fields

Senvvo does not store open-ended notes or comments that could contain patient identifiers or health information. Every data point we collect is structured — a dropdown value, a count, or a timestamp. This is intentional: uncontrolled text fields are one of the most common ways PHI enters systems that weren't designed to handle it.

Priority list families are identified by color, emoji, and optional short practice-defined labels only. During CSV import, columns containing personal information (names, emails, phone numbers, addresses) are automatically detected and skipped. Dates of birth are converted to age ranges and not stored.

Your analytics dashboard

Everything you see in your dashboard is aggregated across all families. When you see "Communication & Feeding was the top concern domain this month," that reflects a count of screener submissions — not a list of families. There is no way to drill down to an individual parent or child from your analytics.

Infrastructure security

All data transmitted over HTTPS/TLS encryption
Database hosted on Supabase with row-level security
Application hosted on Vercel with SOC 2 compliant infrastructure
Role-based access — practice managers see only their own practice data
No cross-practice data sharing or visibility

A note on HIPAA

Senvvo is designed to minimize PHI processing. Because we do not persistently store parent names, contact details, or health information, many of the standard HIPAA obligations that apply to systems storing PHI do not apply to Senvvo in the traditional sense.

That said, we take compliance seriously. Practices with specific BAA requirements should contact us at hello@senvvo.care — we are happy to discuss your compliance needs.

Questions?

If you have questions about how we handle data, contact us at hello@senvvo.care. We'll respond within one business day.