1. Overview
ARFA, Applied Resources for Facility Automation, is operated by Arfa McClain, based in Lawrenceville, Georgia. ARFA provides operational automation services to independent healthcare practices (the "Practices"), including voice receptionist services, missed-call recovery, dashboard categorization, and EHR synchronization workflows.
This Privacy Policy describes the information we collect through arfaconsults.com (the "Site") and through workflows that ARFA builds and operates on behalf of the Practices that engage us. It also describes how we use that information, who we share it with, and your choices.
2. Information we collect
From visitors to arfaconsults.com
- Contact information you submit voluntarily, including your email address (and any other fields you choose to fill in) when you use the workflow-leak-review form or otherwise reach out.
- Standard web analytics: IP address, browser type, pages viewed, time on page, referring URL. Used to understand how the Site is used and to fix problems. Aggregated, not used for advertising.
- Cookies: minimal first-party cookies for basic site functionality. No third-party advertising or cross-site tracking cookies.
From patients who interact with ARFA-built workflows at a partner practice
When you call, text, fill out a form, or otherwise interact with a healthcare practice that has engaged ARFA, the workflows we built and operate on that practice's behalf may collect:
- Your name, date of birth, phone number, and email address (for verification and contact purposes).
- The content of your interaction: voice transcripts, SMS message content, and the reason for your call.
- Limited Protected Health Information (PHI) necessary to perform the workflow (for example, the medication name in a refill request or the appointment type in a booking).
- Metadata: timestamps, call duration, the staff member who handled the interaction.
This information is collected by ARFA as a Business Associate of the practice you are contacting. The practice, not ARFA, is the entity responsible to you under HIPAA for how this information is used.
3. How we use information
Information from Site visitors
- To respond to your inquiry (workflow leak review, demo request, general contact).
- To improve the Site and ARFA's services.
- To send you the response you requested. We do not subscribe you to a marketing newsletter without your express opt-in.
Information from patients interacting with partner-practice workflows
- To perform the workflow the practice has authorized: book your appointment, log your refill request, route your callback, send your appointment confirmation, etc.
- To maintain a complete audit log of who accessed what information, when, and for what purpose, as required by HIPAA and the Business Associate Agreement with the practice.
- To return information to the practice's existing systems (their EHR, their scheduler, their dashboard).
We do not use patient PHI to train AI models. We do not sell, lease, or share patient information for marketing purposes. We do not use patient information for any purpose outside the workflow the practice has authorized.
4. SMS / messaging policy
ARFA-operated workflows on behalf of partner practices may send SMS messages, including:
- Appointment booking confirmations.
- Missed-call recovery messages ("Hi, we missed your call, here is how to book").
- Appointment reminders (24-48 hours before scheduled appointments).
- Refill status updates.
How we obtain consent
You provide consent to receive SMS messages in one of the following ways:
- By calling a practice that uses an ARFA workflow and providing your phone number for follow-up. The voice agent confirms verbally that you are okay receiving an SMS confirmation.
- By submitting your phone number on a practice's booking form or contact form that includes consent language.
- By replying with affirmative consent to an initial outreach.
Message frequency
Message frequency varies. A typical patient relationship results in 2-4 messages per month (appointment confirmation, reminder, optional follow-up). Practices may configure higher frequencies (such as no-show recovery or care plan check-ins) where clinically appropriate.
How to opt out
You can opt out of SMS messages at any time by replying STOP to any message. You will receive one message confirming you have been unsubscribed, and you will receive no further SMS messages from that practice's ARFA-operated workflow.
To re-subscribe, reply START to the same number. To get help, reply HELP to receive contact information for support.
Carrier disclaimer
Message and data rates may apply. ARFA and the partner practice are not responsible for any charges imposed by your mobile carrier. SMS delivery is not guaranteed and may be affected by your carrier, signal availability, or other factors outside our control.
Categories of messages we will not send
- Marketing or promotional content unrelated to the practice's clinical or operational services.
- Affiliate, gambling, cannabis, firearms, or any SHAFT-restricted content.
- Messages on behalf of any third party other than the partner practice you contacted.
5. How information is stored and protected
- Encryption in transit: All web traffic uses HTTPS / TLS 1.2+. All API calls between ARFA workflow components use authenticated, encrypted connections.
- Encryption at rest: Patient data is stored on encrypted disks within a private network. Database access is restricted to authenticated services with the minimum permissions required.
- Access control: Only Arfa McClain (the operator) and explicitly authorized practice staff can access patient data. Every access is logged.
- Audit logging: Every read or write of patient information is logged with timestamp, user, the specific row accessed, and the purpose. Logs are retained for a minimum of six years per HIPAA requirements.
- Network isolation: Patient databases are not exposed to the public internet. They are accessible only from within the ARFA private network.
6. HIPAA & Business Associate Agreements
ARFA acts as a HIPAA Business Associate for each healthcare practice it serves. Before any real patient data is processed for a practice, ARFA executes a Business Associate Agreement (BAA) with that practice.
In addition, ARFA maintains BAAs with every upstream tool that touches patient data in our workflows, including:
- The production language model provider (signed)
- The voice gateway provider (signed)
- The SMS gateway provider (signed)
- The intake / scheduling system provider (signed)
- The compute host (signed before any production patient data is processed)
Tools without a BAA, including standard public LLM APIs and open-routing LLM aggregators, are never used in ARFA workflows that touch patient data. They are not on the path. They never see patient information.
7. Who we share information with
From Site visitors
We do not share or sell information collected through the Site with third parties for marketing purposes. We may share Site visitor information with:
- Service providers we use to operate the Site (hosting, analytics) under appropriate data protection terms.
- Law enforcement if required by valid legal process.
From patients in partner-practice workflows
Patient information is shared only with:
- The partner practice that you contacted (the data controller).
- Tools in ARFA's workflow stack that are covered by Business Associate Agreements and that are necessary to perform the workflow (such as the EHR or scheduling system the practice has chosen to use).
- Law enforcement or regulators if required by valid legal process or by HIPAA's breach notification rules.
We do not share patient information with advertisers, data brokers, or any third party for marketing or profiling.
8. Your rights and choices
If you are a Site visitor
- You can email arfa.consults@gmail.com at any time to request a copy of the information we have about you, request correction, or request deletion.
- You can opt out of any ARFA email at any time by replying with "unsubscribe."
If you are a patient at a partner practice
Your rights under HIPAA, including the right to access, amend, and request restrictions on your PHI, are exercised through the practice you are a patient of, not through ARFA directly. ARFA will support every reasonable request from the practice in fulfilling these rights.
9. Retention
- Site contact-form submissions: retained for two years from the date of last contact, then deleted.
- Audit logs for patient interactions: retained for a minimum of six years per HIPAA.
- Patient PHI processed for partner practices: retained according to that practice's record retention policy and the applicable BAA, not by ARFA's discretion.
10. Children's information
The Site is not directed to children under 13 and we do not knowingly collect information from children under 13 through the Site. Patient information for minors may be processed in the course of a practice's workflows; in those cases, the practice (not ARFA) is responsible for obtaining appropriate parental consent.
11. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our service offerings, or applicable law. The "Last updated" date at the top of this page reflects the most recent revision. For material changes, we will provide reasonable notice (such as a banner on the Site or an email to known contacts) before the change takes effect.
12. Contact
Questions about this policy, requests to exercise your rights, or any other privacy-related matter can be sent to:
Arfa McClain
ARFA, Applied Resources for Facility Automation
Lawrenceville, Georgia, USA
Email: arfa.consults@gmail.com