Legal
Privacy Policy
Effective July 5, 2026 · Last updated July 5, 2026
This Privacy Policy explains how Recovery Companion, LLC (“Recovery Companion,” “we,” “us,” or “our”) collects, uses, discloses, and protects information through this website (recoverycompanion.app) and through the Recovery Companion mobile and web application (the “App”). Please read it together with our Terms of Service.
0. The short version
Recovery Companion is provided to patients by their treatment clinic (their “Clinic”), not sold directly to the public. Your Clinic is the HIPAA Covered Entity responsible for your care and your medical records; Recovery Companion acts as your Clinic's Business Associate under a signed Business Associate Agreement (“BAA”), and handles your Protected Health Information (“PHI”) only as your Clinic directs and as HIPAA allows. Journal and reflection entries you write in the App are private — your Clinic sees engagement and aggregate signals (like check-in streaks or medication confirmations), never the text of what you wrote. We never sell personal information, and we do not use your health information to serve you ads.
If you are a patient, your Clinic's own HIPAA Notice of Privacy Practices governs your medical records and generally controls where this Policy and that Notice overlap. This Policy fills in the details of how Recovery Companion, specifically, handles information — as the vendor your Clinic has chosen, not as your treatment provider.
1. Who this Policy covers, and the two ways you might encounter us
This Policy applies to two related but distinct things, and we try to be clear about which one a given section is talking about:
- This marketing website (recoverycompanion.app), which clinics, health systems, and treatment programs visit to learn about the App and request a demo. Visitors here are prospective business customers and members of the public — not patients, and no Protected Health Information is collected here.
- The App, used by patients enrolled by a Clinic, and by Clinic staff who view aggregate engagement data for their enrolled patients. Most of the information described in this Policy relates to the App.
2. Our role, your Clinic's role, and HIPAA
Your Clinic — the MAT/MOUD program, health system, or provider organization that enrolled you — is responsible for your medical care and is the HIPAA Covered Entity. Recovery Companion provides the App as a technology vendor to your Clinic and, with respect to any PHI we handle on your Clinic's behalf, acts as your Clinic's Business Associate under a signed BAA. That means:
- We may use and disclose PHI only as permitted by the BAA, by HIPAA, and by your Clinic's instructions — not for our own independent purposes.
- We apply the administrative, physical, and technical safeguards HIPAA's Security Rule requires of a Business Associate.
- If we become aware of a breach of unsecured PHI, we notify your Clinic without unreasonable delay so your Clinic can meet its own notification obligations to you and to regulators.
- Your Clinic's Notice of Privacy Practices — not this Policy — is the primary document describing your HIPAA rights (access, amendment, accounting of disclosures, and the right to file a complaint). Ask your Clinic for a copy, or contact us and we will point you to it.
3. Substance use disorder records — 42 CFR Part 2
Because Recovery Companion supports care for opioid use disorder, information that identifies you as having, or having had, a substance use disorder — including most information in the App — may be protected by the federal confidentiality regulations at 42 CFR Part 2, which are generally more protective than HIPAA alone. Under Part 2:
- We do not disclose information that would identify you as a patient with a substance use disorder, except with your written consent, under a limited set of regulatory exceptions (for example, a genuine medical emergency, or a court order meeting Part 2's specific requirements), or as otherwise permitted by Part 2 and its 2024 harmonization with HIPAA.
- Information disclosed under Part 2 carries a notice prohibiting further disclosure unless also permitted by Part 2 — anyone who receives it from us is expected to honor that same restriction.
- Part 2 information generally cannot be used to investigate or prosecute a patient in a criminal proceeding without a qualifying court order, even with a subpoena.
4. Information we collect
On this website
- Demo request form: name, professional role, clinic/organization name, email address, and — optionally — how your program is funded. We do not ask for, and you should not submit, any patient information through this form.
- Automatically collected data: standard web server and hosting logs (such as IP address, browser type, and pages visited), collected by our hosting infrastructure for security and reliability. We do not use third-party advertising trackers or sell any data collected on this website.
Through the App
- Account information your Clinic provides when enrolling you (such as your name or a Clinic-issued identifier, and contact information used for enrollment).
- Health-related information you enter, including daily check-ins (mood, cravings, and what may have set them off), medication-taken confirmations, guided reflection and journal entries, and meeting attendance you log.
- Care information your Clinic enters or connects, such as your medication regimen and dosing schedule, injection or appointment dates, and messages exchanged with your care team through the App. This information is set and controlled by your Clinic and your prescriber, not by us.
- Safety-feature usage, such as which harm-reduction resources you view (for example, naloxone location information) — used only to provide those features to you.
- Device and usage data, such as app version, general feature usage, and crash/error logs, used to keep the App working and to fix problems.
- Location information, only if and when you choose to use a location-based feature (like finding nearby naloxone or treatment resources). We do not track your location in the background.
What we don't do
- We do not sell personal information or PHI, ever, to anyone, for any reason.
- We do not run advertising, and we do not use App data to build ad profiles.
- We do not passively track your location outside of the features described above.
- We do not use the content of your journal or reflection entries to train general-purpose or public AI models.
5. How we use information
- To provide, maintain, secure, and improve the App and this website.
- To generate the aggregate, non-identifying engagement signals your Clinic's care team can see (see Section 6 — this is deliberately limited).
- To respond to demo requests and communicate with prospective Clinic customers.
- To surface safety and harm-reduction resources at moments the App is designed to recognize as higher-risk.
- To detect, investigate, and prevent fraud, abuse, and security incidents.
- To comply with our legal obligations, including under HIPAA, Part 2, and our BAAs.
Any AI-assisted feature in the App (for example, prompts that help guide a reflection) operates under confidentiality obligations at least as protective as this Policy. It is used to help you reflect — not to build an advertising profile, and not to feed unrelated, general-purpose AI products.
6. What your Clinic can and cannot see
This is the promise the rest of our website makes, spelled out precisely: your Clinic's care team sees engagement and aggregate signals — things like whether a check-in happened, medication-taken confirmations, meeting attendance counts, and streaks. Your Clinic's care team does not see the verbatim text of your journal entries, reflection answers, or free-text notes, except in one of these limited circumstances:
- You explicitly choose to share a specific entry with your care team.
- You use an in-App feature to directly message your care team, which is not private journaling and is designed to be seen by them.
- There is a genuine safety emergency (for example, content indicating imminent risk of serious harm), consistent with the medical-emergency exceptions in HIPAA and 42 CFR Part 2.
- Disclosure is required by law, such as a qualifying court order under Part 2.
7. Other parties we share information with
- Service providers (subprocessors): companies that host our infrastructure, send transactional email, or provide error monitoring, under contracts that include confidentiality obligations and, where PHI is involved, our own BAA obligations flowed down to them.
- Your Clinic: as described in Section 6.
- Legal and safety exceptions: when required by law, to respond to a valid legal process (subject to Part 2's heightened court-order requirement for substance use disorder records), or to protect the safety of any person.
- Business transfers: if Recovery Companion is involved in a merger, acquisition, or sale of assets, PHI would only transfer to a successor that agrees to honor our existing BAAs and this Policy (or provides equivalent protection), as HIPAA and Part 2 require.
- Aggregated, de-identified data: we may use data that has been de-identified consistent with HIPAA's de-identification standard for research or product improvement; de-identified data is not PHI and cannot reasonably be used to identify you.
8. Data security
We encrypt data in transit (TLS) and at rest, restrict access to PHI to personnel and systems that need it to do their jobs, and require confidentiality commitments from our team and subprocessors. No system is perfectly secure; if a breach of unsecured PHI occurs, we will notify your Clinic without unreasonable delay so it can meet its notification obligations under the HIPAA Breach Notification Rule and applicable state law.
9. Data retention
We retain information for as long as your Clinic's account with us is active and as needed to provide the App, plus any additional period required by law, by our BAA with your Clinic, or for legitimate business purposes such as security and dispute resolution. When a BAA ends, we return or destroy PHI as that agreement specifies, unless law requires us to retain it longer.
10. Your rights and choices
If you are a patient: your primary rights under HIPAA — to access, request amendment of, or request an accounting of disclosures of your PHI — are exercised through your Clinic, since your Clinic is the Covered Entity that maintains your medical record. Contact your Clinic first. We will support your Clinic in fulfilling those requests with respect to data we hold as its Business Associate.
If you are a website visitor (for example, submitting the demo request form), you can ask us to access, correct, or delete the information you submitted, or opt out of further communications, by emailing hello@recoverycompanion.app. If you are a California resident or a resident of another state with a comprehensive privacy law, you may have additional statutory rights (such as the right to know, delete, or opt out of the sale or sharing of personal information); we do not sell or share personal information as those terms are defined under such laws, and you can still reach us at the email above to exercise applicable rights.
11. Children's privacy
This website is not directed to children and we do not knowingly collect personal information from children under 13 through it. The App may be used by adolescent patients as part of a Clinic's treatment program; in that case, enrollment, consent, and any parental/guardian involvement are governed by your Clinic's policies and applicable state law regarding minors' consent to substance use disorder treatment, and we process that information solely as your Clinic directs under our BAA.
12. Emergencies
Recovery Companion is a recovery-support tool. It is not a substitute for medical care or emergency services, and safety features in the App (such as surfacing naloxone information or crisis line numbers) are supplemental resources, not a monitored emergency response system. If you are in danger, call 911. If you are in crisis, call or text 988 (Suicide & Crisis Lifeline) or call the SAMHSA National Helpline at 1-800-662-4357.
13. Where information is processed
We store and process information in the United States. If you access the App or this website from outside the United States, your information will be transferred to and processed in the United States, where privacy laws may differ from those of your country.
14. Changes to this Policy
We may update this Policy from time to time. If we make a material change, we will update the effective date above and, where required by our BAA or law, notify your Clinic. Your continued use of the App or this website after a change becomes effective constitutes acceptance of the updated Policy.
15. Contact us
Questions about this Policy can be sent to hello@recoverycompanion.app. If your question concerns your own medical records or PHI, please contact your Clinic directly first — they are best positioned to act on requests about your care.
See also our Terms of Service.