Privacy Policy

Effective Date: February 12, 2026

1. Introduction

BookWise ("we," "our," or "the Service") is a financial management platform for mental health providers. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

BookWise is operated by BookWise, LLC. We are committed to protecting your privacy and complying with the Health Insurance Portability and Accountability Act (HIPAA) where applicable.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Email address and name via Google OAuth authentication
  • Subscription Information: Payment details processed by Stripe for BookWise subscription billing
  • Category Preferences: Custom financial categories you create for transaction organization

2.2 Information Collected Automatically

  • Usage Data: Application interactions logged via AWS CloudWatch for performance and security monitoring
  • Session Data: Temporary session identifiers for application functionality

2.3 Information from Third Parties

  • Bank Transactions: Financial transaction data synchronized through Plaid from your linked bank accounts

3. How We Store Your Data

Data Type         | Storage Location    | Your Control
Financial Data    | YOUR Google Sheets  | Full ownership and access
Receipts          | YOUR Google Drive   | Full ownership and access
Cached Data       | AWS (encrypted)     | Deleted on account closure
OAuth Tokens      | AWS Secrets Manager | Revocable via Google
Subscription Info | Stripe              | Managed via billing portal

4. Third-Party Services

4.1 Amazon Web Services (AWS)

Our application infrastructure is hosted on AWS. We have signed a Business Associate Agreement (BAA) with AWS. All data at rest is encrypted using AES-256 encryption. AWS maintains SOC 2 Type II, ISO 27001, and HIPAA compliance certifications.

4.2 Google Workspace/Cloud Identity

Your financial data is stored in your own Google Sheets and receipts are stored in your Google Drive within your Google Workspace account. BookWise has signed a Business Associate Agreement with Google Workspace/Cloud Identity for its Cloud Platform project and application services (signed February 12, 2026). BookWise accesses your data via OAuth 2.0 - you can revoke access at any time through your Google Account settings.

Your Responsibility: If you use BookWise for healthcare-related finances, you must use Google Workspace (not free Gmail) and sign your own Business Associate Agreement with Google for your Workspace account where your financial data is stored.

4.3 Plaid

Bank transaction data is synchronized through Plaid, a financial data aggregator. Plaid is regulated as a financial institution under the Gramm-Leach-Bliley Act (GLBA) rather than as a HIPAA Business Associate. Plaid maintains SOC 2 Type II, ISO 27001, and ISO 27701 certifications.

Privacy Note: Bank transactions may occasionally contain patient-identifiable information (e.g., check deposits showing patient names). For enhanced privacy, we recommend accepting payments through methods that do not include patient names in bank transaction records, such as credit card payments or EHR payment processors.

4.4 Stripe

Stripe processes BookWise subscription payments only. No patient or healthcare information flows through Stripe. Your payment information is handled directly by Stripe and is subject to their Privacy Policy.

5. HIPAA Compliance

BookWise is designed to support HIPAA compliance for healthcare providers managing their practice finances:

  • We have signed a Business Associate Agreement with AWS
  • We have signed a Business Associate Agreement with Google Workspace/Cloud Identity
  • All data at rest is encrypted using AES-256 encryption
  • All data in transit is protected by TLS 1.2 or higher
  • Access controls ensure only authenticated users access their data
  • Audit logs are maintained for authentication, data access, and modification events

Your Responsibility: If you store Protected Health Information (PHI) in your Google Sheets, you are responsible for maintaining a Google Workspace account with a BAA signed with Google for your own account.

6. Your Rights and Choices

  • Access: Your financial data is stored in your own Google Sheets - you have direct access at all times
  • Portability: Export your data directly from Google Sheets in any format
  • Deletion: Cancel your subscription and revoke OAuth access; cached data will be deleted
  • Revoke Bank Access: Disconnect Plaid at any time through the app or via Plaid Portal

7. Data Retention

  • Google Sheets Data: Retained indefinitely in your Google account until you delete it
  • AWS Cached Data: Retained while your subscription is active; deleted within 30 days of account closure
  • Audit Logs: Retained for a minimum of 6 years per HIPAA requirements (§164.530(j)). Active logs maintained in encrypted application storage; older entries archived to encrypted S3 storage with lifecycle management.

8. Security Measures

We implement industry-standard security measures to protect your information:

  • Encryption at rest (AES-256 via sodium library)
  • Encryption in transit (TLS 1.2+)
  • AWS Secrets Manager for credential storage
  • Google OAuth 2.0 for authentication (no password storage)
  • Serverless architecture (ephemeral containers)
  • Annual security risk assessments

9. Contact Information

For questions about this Privacy Policy or to exercise your rights, contact:

BookWise, LLC
Email: [email protected]
Website: https://bookwise.software

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Effective Date" above. Your continued use of BookWise after changes constitutes acceptance of the updated policy.

© 2026 BookWise, LLC. All rights reserved.
