Draft v0 · April 27, 2026

Privacy Policy

This page is a draft pending counsel review. If you’re a customer, please contact us at hello@getblythe.com before relying on it. The final version will replace this notice.

Blythe, Inc. (“Blythe,” “we,” “us,” or “our”) provides a reputation and review-management platform for independent healthcare practices. This Privacy Policy explains what information we collect, how we use it, and the choices you have. It applies to getblythe.com, app.getblythe.com, and any related Blythe-operated surfaces (collectively, the “Service”).

Blythe is designed to be HIPAA-aware. When a healthcare practice (a “Practice”) uses the Service to handle Protected Health Information (“PHI”) on behalf of its patients, Blythe acts as a Business Associate under a separate Business Associate Agreement (“BAA”). The terms of that BAA control the handling of PHI and supersede anything in this policy that conflicts with it.

1. Information we collect

1.1 Information practices give us directly

When a Practice signs up for the Service or invites team members, we collect contact details (name, work email, role), authentication identifiers from our identity provider (Clerk), payment details handled by our payment processor (Stripe — we do not store full card numbers), and information needed to connect third-party integrations (e.g., Google Business Profile OAuth tokens, which are stored encrypted in Google Secret Manager rather than in our database).

1.2 Information about patients (when applicable)

When a Practice uses the Service to send review requests, we process limited patient contact information the Practice provides — typically a first name, a phone number or email address, an appointment timestamp, and the visit type or provider. Where this information constitutes PHI, it is encrypted at the application layer using Google Cloud KMS before it is stored, and access is logged in an audit trail. Blythe does not collect medical-record content, diagnoses, or treatment notes from Practices through the Service.

1.3 Public review content

The Service ingests publicly posted reviews from third-party platforms (Google, Yelp, Facebook, Healthgrades, Vitals, and similar) and the responses Practices publish to those platforms. This content is already public; we associate it with the relevant Practice account so it can be replied to and reported on.

1.4 Information collected automatically

Like most web applications, the Service automatically collects technical information when you visit or use it: IP address, browser type and version, device and OS information, the pages you view, the actions you take, and timestamps. We use this information for security, debugging, and to understand how the Service is being used.

1.5 Cookies and similar technologies

We use first-party cookies and similar technologies for authenticated sessions (via Clerk), security (CSRF protection), and limited product analytics. We do not use cookies for cross-site advertising, and we do not sell information to ad networks. You can disable cookies in your browser; some parts of the Service will not function without them.

2. How we use information

We use the information we collect to:

  • Provide, operate, secure, and improve the Service.
  • Authenticate users and protect Practice accounts from unauthorized access.
  • Send the review requests, reminders, and replies that Practices ask us to send on their behalf.
  • Respond to customer support requests and communicate operational updates.
  • Detect, prevent, and respond to fraud, abuse, and security incidents.
  • Comply with applicable legal obligations and enforce our agreements.
  • With a Practice’s consent or instruction, train per-Practice voice models that help draft responses in that Practice’s tone. Voice models are scoped to a single Practice and are never trained on data from other Practices.

Blythe does not use PHI for advertising, marketing to third parties, or training general-purpose AI models. We do not sell personal information.

3. SMS communications

Some plans include SMS-based review requests sent on a Practice’s behalf. The Practice is responsible for obtaining each patient’s prior express written consent to receive these messages, and for honoring opt-outs. When SMS is enabled:

  • Patients receive at most one (1) review-request message per visit, sent up to four hours after the appointment.
  • Reply STOP at any time to opt out. Reply HELP for support information. We honor opt-outs immediately and maintain a record of consent and opt-out status for at least three (3) years.
  • Message and data rates may apply, depending on the carrier and plan.
  • Messages are sent via Twilio over A2P 10DLC infrastructure. Carriers may filter or delay messages; we don’t guarantee delivery.
  • We do not share mobile opt-in data, phone numbers, or consent records with third parties for marketing purposes.

4. How we share information

We share information only in these circumstances:

4.1 With a Practice’s authorized users

Information you submit to the Service is visible to other authorized users of the same Practice account. The Practice administrator controls who has access.

4.2 With service providers (subprocessors)

We use a small number of vendors to operate the Service. Each is contractually required to protect information consistent with this policy and, where applicable, with our BAA. Current subprocessors include:

  • Google Cloud Platform — application hosting (Cloud Run), database (Cloud SQL), encryption (Cloud KMS), secrets (Secret Manager), and AI inference (Vertex AI). HIPAA-eligible under Google’s BAA.
  • Clerk — authentication and identity. Stores email, name, and organization membership; HIPAA-aware where required.
  • Stripe — billing and payments. Card details are handled by Stripe and never stored by Blythe.
  • Twilio — SMS delivery. HIPAA-eligible under Twilio’s BAA on paid plans.
  • SendGrid — transactional email delivery (review requests, account notifications).
  • Sentry and PostHog — error tracking and product analytics. PHI is excluded from data sent to these services.

A current subprocessor list is available on request at hello@getblythe.com; we will provide reasonable notice of material changes.

4.3 For legal reasons

We may disclose information if we believe in good faith that it is required to comply with a valid legal process (subpoena, court order, regulatory request) or necessary to protect the rights, safety, or property of Blythe, our customers, or the public. Where the law allows, we will notify the affected Practice before disclosure.

4.4 In a business transfer

If Blythe is involved in a merger, acquisition, or sale of assets, information may be transferred as part of that transaction. We will notify Practices in advance and the receiving party will be bound by this policy or a successor that is materially as protective.

5. How we secure information

  • Application-layer encryption for PHI fields using Google Cloud KMS (envelope encryption with customer-managed keys).
  • Encryption in transit (TLS 1.2+) for all connections to the Service.
  • Encryption at rest for the database and storage layers.
  • Per-Practice tenant isolation enforced by Postgres row-level security and an audited tenant-scoping helper that wraps every database query.
  • Secrets (third-party tokens, webhook secrets) stored in Google Secret Manager, not in code or the database.
  • Audit logging of PHI access; alerting on anomalous access patterns.
  • Single sign-on, MFA, and SSO-aware session management via Clerk.

No system is perfect. If we discover a breach affecting your information, we will notify the Practice administrator without undue delay and, where required by law, the relevant regulators. Practice users are responsible for keeping their account credentials confidential.

6. Data retention

We retain information for as long as needed to provide the Service and meet our legal obligations. Specifically:

  • Account and billing records: while the account is active and for up to seven (7) years after termination, to support audits, billing reconciliation, and tax obligations.
  • Review and reply content: while the account is active. On termination, this content is deleted within 60 days, subject to a Practice request to export beforehand.
  • SMS consent and opt-out records: retained for at least three (3) years following the last message, in compliance with TCPA recordkeeping expectations.
  • Audit logs: retained for at least six (6) years for HIPAA compliance, even after account termination.
  • Backup copies: deleted within 90 days of the underlying data being deleted.

7. Your choices and rights

Practices control most of the information in their account through the Settings area of the Service. You can also exercise the following rights, subject to verification of identity:

  • Access — request a copy of personal information we hold about you.
  • Correction — ask us to correct inaccurate information.
  • Deletion — ask us to delete information, subject to retention obligations.
  • Portability — request a machine-readable export of your information.
  • Objection — object to certain processing or withdraw consent where consent is the legal basis.

To exercise any of these rights, email privacy@getblythe.com. For California residents, please see the “California privacy rights” section below. Patients should contact the Practice that holds their information directly; Practices are the data controllers for their patient records.

8. California privacy rights (CCPA / CPRA)

California residents have the right to know what personal information we collect and how we use it (described above), to request deletion or correction, to opt out of any sale or sharing of personal information (we do not sell or share for cross-context behavioral advertising), and to be free from discrimination for exercising these rights. To submit a request, email privacy@getblythe.com. We will respond within the time required by law.

9. Children’s privacy

The Service is intended for use by adult representatives of healthcare Practices and their adult patients. We do not knowingly collect personal information directly from children under 13. If you believe a child under 13 has provided us with personal information, contact privacy@getblythe.com and we will delete it.

10. International users

The Service is operated from the United States and is intended for U.S. healthcare practices. If you access the Service from outside the U.S., your information will be transferred to and processed in the United States. We do not currently market the Service to residents of the European Economic Area, the United Kingdom, or Switzerland; if that changes, this policy will be updated to address those frameworks.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the “last updated” date at the top and, for material changes, notify Practice administrators by email. Continued use of the Service after a change means you accept the updated policy.

12. Contact us

Questions about this policy or our privacy practices? Email privacy@getblythe.com or write to:

Blythe, Inc.
Attn: Privacy
[Mailing address — to be added]