Privacy Policy
Last updated: March 3, 2026
Kill the Clipboard ("we", "us", or "the Service") is a web-based tool that helps healthcare organizations receive patient health records by scanning SMART Health Link QR codes. We are committed to protecting the privacy of all users and the health data processed through our Service.
1. Information We Process
Kill the Clipboard processes the following types of information:
- Health record data: When a QR code is scanned, the Service retrieves FHIR health data bundles and PDF documents from the SMART Health Link. This data is processed transiently to route it to the destination configured by the subscribing organization.
- Organization account information: Organization name, URL slug, and hashed administrator/staff passwords.
- OAuth tokens: Encrypted refresh tokens for connected services (Google Drive, OneDrive, Box, Gmail, Microsoft Outlook) are stored to maintain authorized connections on behalf of each organization.
2. How We Use Information
We use the information solely to provide the Service:
- To scan and decode SMART Health Link QR codes
- To route extracted health data to the destination configured by the organization (Google Drive, OneDrive, Box, email, FHIR server, or API endpoint)
- To authenticate organization administrators and staff
- To send email on behalf of the organization using their connected Gmail or Microsoft account
3. Data Storage and Retention
- Health record data is not permanently stored by the Service. Scanned health data is processed in memory and routed to the organization's configured destination. It is not retained on our servers after delivery.
- Organization configuration data (names, settings, OAuth tokens) is stored in an encrypted database on our infrastructure for as long as the organization maintains an active account.
- OAuth tokens are stored securely and used only to maintain connections to third-party services on behalf of each organization. Tokens can be revoked at any time by the organization administrator.
4. Third-Party Services
When an organization connects a third-party service, we access only the minimum permissions required:
- Google Drive: Permission to create files and folders in a designated Drive folder.
- Gmail: Permission to send email on behalf of the connected Google account. We do not read, modify, or delete any existing emails.
- Microsoft OneDrive: Permission to create files and folders in OneDrive.
- Microsoft Outlook: Permission to send email on behalf of the connected Microsoft account. We do not read, modify, or delete any existing emails.
- Box: Permission to upload files to Box.
Each organization independently authorizes these connections using their own credentials. We do not share tokens or data between organizations.
5. Data Sharing
We do not sell, rent, or share personal health information with any third parties. Health data is only transmitted to the destination explicitly configured by the subscribing organization.
6. Security
We implement appropriate technical and organizational measures to protect the data processed by the Service, including:
- HTTPS encryption for all data in transit
- Hashed passwords using bcrypt
- HMAC-based session token authentication
- Isolated per-organization data storage and configuration
- OAuth 2.0 for all third-party service connections
7. HIPAA Considerations
Kill the Clipboard is designed to support HIPAA-compliant workflows. When organizations use their own Gmail or Microsoft 365 accounts to send health records, the email is transmitted through their own HIPAA-compliant infrastructure. Organizations are responsible for ensuring that their configured email accounts and destinations comply with their own HIPAA obligations and Business Associate Agreements.
8. Your Rights
Organization administrators can:
- Disconnect any third-party service at any time, revoking our access
- Change or delete their organization account
- Contact us to request deletion of all associated data
9. Use of Google API Data
Kill the Clipboard's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only request access to the Google API scopes necessary to provide the Service (Drive file creation and Gmail sending)
- We do not use Google user data for advertising or any purpose unrelated to the Service
- We do not transfer Google user data to third parties except as necessary to provide the Service
- We do not allow humans to read Google user data except with affirmative user consent, for security purposes, or to comply with applicable law
10. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at agleason@russellstreetventures.com.