DoulaOS Back to home

Privacy Policy

Last updated: March 16, 2026
Your privacy, and the privacy of your clients' sensitive pregnancy data, is our absolute top priority. This policy explains what we collect and how we fiercely protect it.

1. Information Collection

We collect information necessary to provide you with the DoulaOS CRM services. This falls into two categories:

  • Doula (Practitioner) Data: Name, email address, practice details, billing information (processed securely via Stripe), and authentication credentials.
  • Client (Mama) Data: When doulas invite clients or enter records, we store names, emails, pregnancy milestones, appointment notes, uploaded health documents, and filled intake forms.

Note: DoulaOS acts as a "Data Processor" for Client Data. The Doula acts as the "Data Controller."

2. How We Use Your Data

We strictly do not sell your data or your clients' data. Ever.

We use the collected data exclusively to:

  • Operate, maintain, and provide the core functions of DoulaOS.
  • Process transactions and send related billing notices.
  • Send transactional communications (e.g., appointment reminders, new messages, magic login links).
  • Perform system audits, monitor application errors, and prevent fraudulent access.

3. Data Protection & Security

As a platform handling sensitive health-adjacent information, we employ strict isolation protocols to prevent unintended exposure:

  • Multi-Tenant Isolation: Data from one doula practice is strictly cordoned off from every other practice using robust database Row Level Security (RLS) policies.
  • Encryption: Data is encrypted at rest using AES-256 and encrypted in transit via forced HTTPS/TLS.
  • Document Privacy: Uploaded intake forms, contracts, and PDFs are securely partitioned and are not accessible to the public web.

For full details, please review our Security Page.

4. Third-Party Sharing

We strictly limit data sharing to vendor sub-processors necessary to run DoulaOS. These include:

  • Supabase: Our core database and authentication provider (ISO 27001 and SOC2 Type II Certified).
  • Stripe: Our payment gateway. DoulaOS never touches or stores raw credit card numbers.
  • Resend: Used exclusively for delivering transactional emails like appointment alerts and login links.
  • Vercel: For secure application hosting and edge routing.

5. Your Data Rights (GDPR & CCPA readiness)

Subject to your jurisdiction, you have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request that we correct any inaccurate or incomplete data.
  • Erasure / Right to be Forgotten: You may delete your account at any time through the DoulaOS dashboard. Upon account deletion, all associated tenant data, client records, notes, and documents are cascaded and permanently destroyed from our production databases.

6. HIPAA Compliance Disclaimer

DoulaOS incorporates security best-practices standard in healthcare (encryption at rest/transit, audit logging, Row Level Security). However, at this time, DoulaOS does not issue Business Associate Agreements (BAAs) and is not formally certified as a HIPAA-compliant Covered Entity. Doulas are responsible for evaluating whether their local regulatory environment allows the use of standard encrypted SaaS platforms for their specific client records.

If you have privacy concerns or need to submit a data request, please contact us at privacy@doula-os.com.