Privacy Policy
Last Updated: April 23, 2026 · Effective Date: April 23, 2026 · Version 1.4
1. Introduction
VizyPlan ("we," "us," or "our") provides a visual planning and routine management platform designed for parents, caregivers, and service providers to support children's daily activities and therapeutic goals. Protecting your family's privacy is fundamental to our service.
This Privacy Policy explains how we collect, use, share, and protect information when you use the VizyPlan mobile application and web services (collectively, the "Service").
2. Parent-Controlled Platform
VizyPlan is designed as a parent and caregiver management tool. We want to be clear about how child information is handled:
- Parents create and control all accounts: Only adults (parents, guardians, or authorized caregivers) can create VizyPlan accounts. Children do not have independent accounts.
- No direct data collection from children: We do not collect any information directly from children. All data is entered by parents, guardians, or authorized caregivers.
- Children don't have independent login: Children cannot log in to VizyPlan independently. The Service is accessed and managed exclusively by adult account holders.
- Parents input all information: Any information about children (names, ages, preferences, photos, activities) is voluntarily provided by parents or authorized adult users, not by children themselves.
As the account holder, you maintain full control over what information you share about your family and can modify or delete it at any time.
3. Compliance Framework — Consumer vs. Healthcare Provider Use
VizyPlan operates under two distinct privacy and compliance frameworks:
Consumer/Parent Accounts
When used by parents for personal family organization, VizyPlan operates as a consumer application and is not subject to HIPAA requirements, as parents are not covered entities under HIPAA.
Healthcare Provider Accounts — Staged Rollout
Phase 1 (Current): Visual schedule creation and family collaboration. No Protected Health Information (PHI) processing during Phase 1.
Phase 2 (Q2 2026): Clinical documentation features with full HIPAA compliance. VizyPlan will serve as a Business Associate under HIPAA with executed Business Associate Agreements (BAAs) for all third-party services processing PHI.
Data Handling by Account Type
- Consumer accounts: Standard privacy practices outlined in this policy
- Provider Phase 1 accounts: Same as consumer accounts — no PHI processing
- Provider Phase 2 accounts: HIPAA-compliant data handling with additional security controls, audit logging, and retention requirements
Important: During Phase 1, healthcare providers must not enter any PHI. Clinical documentation features will be available in Phase 2 with full HIPAA compliance.
4. Information We Collect
We collect only the information you voluntarily provide when using the Service:
Account Information
- Email address (for account creation and authentication)
- Password (never stored in plaintext; stored only as a one-way hash, so we cannot recover your password)
- Parent/caregiver name
Child Profile Information (Optional)
- Child's name or nickname
- Age or age range
- Preferences and interests
- Photos (optional — you may use built-in avatars instead)
Activity and Routine Data
- Daily schedules and routines
- Activity completion status
- Goals and progress tracking
- Mood and emotion check-ins linked to activities
- Custom activities and notes
Provider Collaboration (Optional)
- Visual support creation and family collaboration tools
- Non-clinical planning and communication
Provider Collaboration — Phase 2 Only (Q2 2026)
When Phase 2 launches with HIPAA compliance:
- Session notes and clinical observations
- Treatment goals and objectives
- Progress documentation
- IEP documents and educational records
- Audio recordings of clinical meetings
- AI-generated clinical summaries
Phase 2 data processing will be governed by executed Business Associate Agreements with every third-party AI service that processes PHI. xAI image generation receives no PHI and is outside that BAA perimeter (see Section 6).
Community Forum (Optional)
- Posts and comments you share in the community forum
- Questions and interactions with VizyBoy AI assistant
Audio Recording Data — Personal Notes (Optional)
The meeting recording feature is designed for parents and caregivers to create personal notes and reference materials. This is similar to taking handwritten notes during a meeting. Recordings are stored in your private account for your own reference.
- Audio recordings of meetings you choose to record
- AI-generated transcriptions of your recordings
- AI-generated meeting summaries and action items
- Recording metadata (date, time, duration, meeting type)
Note: During Phase 1, this feature is available for parents' personal notes only. Provider clinical meeting transcription will be available in Phase 2 with HIPAA compliance.
Technical Information
- Device type and operating system
- App version and crash reports
- Usage analytics for product improvement
We do not collect precise geolocation, biometric identifiers, or social security numbers. Payment card details are collected directly by our payment processors (Stripe and Apple In-App Purchases, listed in Section 9), not by VizyPlan; we do not store full card numbers.
5. How We Use Your Information
We use your information to:
- Provide and maintain the Service
- Personalize your family's routines and activities
- Provide insights on emotional patterns related to activities
- Enable collaboration with invited service providers
- Send activity reminders and notifications (if enabled)
- Improve app functionality and develop new features
- Provide customer support
- Communicate important updates about the Service
- Ensure security and prevent fraud
All data processing is based on your consent, which you can withdraw at any time by deleting your account or contacting us.
6. AI Services and Data Processing
Phase 1 — Non-PHI Processing
Current AI features process only non-PHI data for visual content creation and general family organization.
Phase 2 — PHI Processing (in progress)
Clinical and PHI-bearing features are routed through AI services covered by signed Business Associate Agreements:
- Amazon Web Services — Bedrock: Runs Anthropic Claude models for clinical note assistance, IEP analysis, and meeting summarization. AWS BAA is executed and covers Bedrock end-to-end.
- AssemblyAI: Clinical meeting transcription with medical-domain optimization. BAA executed.
xAI image generation remains outside the BAA perimeter. We do not send PHI to xAI: client names are removed from image prompts before they are sent, and reference photos are transmitted only for the duration of the generation call and are not retained by the xAI integration. Provider accounts must not use this feature with PHI.
All PHI processing includes:
- HIPAA-compliant data handling under executed BAAs
- Audit logging of PHI interactions
- Data retention aligned with healthcare requirements
- No use of PHI data for AI model training (contractually enforced)
Current AI Service Providers
VizyPlan uses the following AI services:
- Amazon Web Services — Bedrock (Anthropic Claude models): Vizy Advocate, Vizy Copilot, Story Copilot, meeting summarization, provider assistant (BAA executed) — Privacy Policy
- AssemblyAI: Meeting recording transcription (BAA executed) — Privacy Policy
- xAI (Grok): Visual content generation — activity images, story illustrations. No BAA; client names are stripped from prompts before dispatch — Privacy Policy
7. Data Security
We take data security seriously and implement industry-standard protections:
- All data in transit between the app and our servers is encrypted with TLS (HTTPS)
- Passwords are never stored in plaintext; they are stored only as one-way hashes produced by an industry-standard password hashing algorithm
- Data is hosted on Supabase, a SOC 2 Type II certified cloud provider
- Access to user data is restricted to authorized personnel only
- Regular security audits and updates are performed
While we implement robust security measures, no system is completely secure. We cannot guarantee absolute security but are committed to protecting your data using best practices.
8. Children's Privacy
VizyPlan is designed exclusively for parent and caregiver use. We do not knowingly collect personal information directly from children under 13 years of age.
- Children cannot create accounts or use VizyPlan independently
- All child-related information is entered by parents or authorized adults
- Parents maintain full control over child profile data and can modify or delete it at any time
- If we learn that a child has provided information directly without parental authorization, we will delete it immediately
If you believe a child has provided information to us without parental consent, please contact us immediately at info@vizyplan.com.
9. Data Sharing and Third-Party Services
We do not sell, rent, or trade your personal information. We only share data in the following circumstances:
With Your Consent
- When you invite a service provider to collaborate, they gain access to relevant child profiles and activity data
- When you share content or export data from the app
Third-Party Services
We work with trusted third-party service providers who assist in operating the Service. These providers are contractually required to protect your data and use it only for providing services to VizyPlan:
- Supabase: Cloud hosting, database, and authentication services — Privacy Policy
- Amazon Web Services — Bedrock: AI conversational features running Anthropic Claude models (Vizy Advocate, Vizy Copilot, Story Copilot, meeting analysis); HIPAA BAA executed — Privacy Policy
- AssemblyAI: Audio transcription for meeting recordings; HIPAA BAA executed — Privacy Policy
- xAI (Grok): AI image generation for visual content; client names are stripped from prompts before dispatch — Privacy Policy
- Stripe: Payment processing (for subscription management) — Privacy Policy
- Resend: Email delivery service — Privacy Policy
- RevenueCat: Subscription management — Privacy Policy
- Apple: In-App Purchases and App Store — Privacy Policy
- Google Calendar: Calendar event sync (read-only, via OAuth) — Privacy Policy
- Apple Calendar: On-device calendar event sync (data stays on device)
- Meta (Facebook): Advertising measurement and attribution — Privacy Policy
Advertising and Tracking
We use device identifiers (such as Apple's IDFA) to measure the effectiveness of advertising campaigns through third-party services including Meta (Facebook). On iOS, you will be prompted for permission through Apple's App Tracking Transparency framework before any tracking occurs. You may decline this request, and the app will continue to function normally without ad tracking.
Legal Requirements
- To comply with legal obligations or valid legal requests
- To protect VizyPlan's rights, property, or safety
- To prevent fraud or security threats
10. Your Rights and Choices
You have the following rights regarding your data:
Access and Portability
- Request a copy of your data in a portable format
Correction and Updates
- Update your account information and child profiles at any time within the app
Deletion
- Delete your account and all associated data through the app settings
- Request account deletion by contacting us at info@vizyplan.com
How to delete your VizyPlan account
- Open the VizyPlan app.
- Tap Settings (gear icon, top-right).
- Scroll to Account → Delete Account.
- Confirm deletion.
What gets deleted: Your profile, child profiles, schedules, photos, recordings, mood entries, and subscription history.
Retention: Active data is deleted within 30 days. Encrypted backups are removed within 90 days. Billing records may be retained as required by tax law.
Can't access the app? Email support@vizyplan.com from the email on your account.
Communication Preferences
- Control notification settings within the app
- Opt out of marketing emails via unsubscribe links
Data deletion requests are processed within 30 days. Some information may be retained as required by law or for legitimate business purposes (e.g., billing records).
10A. Healthcare Provider Data Rights (Phase 2)
When Phase 2 launches, healthcare providers will have additional rights and obligations:
Provider Obligations
- Ensure all required client/guardian consents are obtained before AI feature use
- Comply with professional ethics codes (BACB, state licensing requirements)
- Maintain documentation per applicable regulations (Medicaid, state audit requirements)
Enhanced Data Rights
- Audit logs of all PHI access and processing
- Detailed data lineage for AI-generated content
- Extended retention periods per healthcare regulations
- Breach notification procedures aligned with HIPAA requirements
Client/Guardian Rights
- Access to all PHI processed through VizyPlan
- Right to restrict AI processing of their child's data
- Right to accounting of disclosures per HIPAA
11. Data Retention
We retain your information for as long as your account is active or as needed to provide the Service. When you delete your account:
- Active data is deleted within 30 days
- Backup copies are permanently removed within 90 days
- Some records may be retained longer if required by law (e.g., financial records for tax purposes)
Healthcare Provider Accounts (Phase 2)
Provider account data will be retained per healthcare industry requirements:
- Clinical documentation: 6–7 years post-service (per Medicaid requirements)
- Audit logs: 6 years minimum
- AI processing logs: 6 years for compliance verification
- Client/guardian consent records: Duration of service plus 6 years
12. International Data Transfers
VizyPlan is operated in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer.
13. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting the updated policy in the app with a new "Last Updated" date
- Sending an email notification to your registered email address
Continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy. The latest version is always available at vizyplan.com/privacy and within the app.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: info@vizyplan.com
Mailing Address:
VizyPlan
2470 South Dairy Ashford Rd., Suite #521
Houston, TX 77077
United States
15. Governing Law
This Privacy Policy is governed by the laws of the State of Delaware, United States, without regard to conflict-of-law principles. Any disputes arising from this Privacy Policy shall be resolved in the state or federal courts located in Delaware.