Data Policy

March 15, 2026

1. Overview

IntakeBella processes sensitive healthcare data including Protected Health Information (PHI) on behalf of specialty and compounding pharmacies. This policy describes how we collect, store, process, retain, and protect data within the IntakeBella platform.

2. Data We Collect

  • Customer Data: Business name, contact information, subscription details, API keys
  • Patient Data (PHI): Names, dates of birth, insurance information, prescriptions, medical records submitted via fax, voice, forms, or API
  • Intake Documents: Faxes, scanned documents, form submissions, voice transcriptions
  • Usage Data: Login timestamps, feature usage, API call logs (no PHI in logs)

3. How We Process Data

Intake data flows through a 5-stage processing pipeline: Intake, Analyze, Assign, Organize, and Workflow. Each stage may involve automated classification, data extraction, benefits verification, and prior authorization preparation.

4. Data Storage & Encryption

  • At rest: AES-256-GCM encryption for all stored documents and PHI
  • In transit: TLS 1.2+ for all data transmission
  • Database: Cloudflare D1 (SQLite at the edge) with encryption at rest
  • Documents: Cloudflare R2 object storage with per-object encryption
  • Backups: Encrypted, stored in a separate geographic region

5. Data Retention

  • Active accounts: Data retained for the duration of the subscription plus 90 days
  • Intake records: Retained per customer-configured retention policy (default: 10 years for HIPAA compliance)
  • Audit logs: Retained for a minimum of 6 years per HIPAA requirements
  • Account deletion: PHI purged within 30 days of account closure; audit logs retained per legal requirements

6. Data Isolation

Each customer's data is logically isolated at the database level. Customer A cannot access Customer B's records through any API, MCP, or dashboard interface. All queries are scoped by customer ID with enforcement at the middleware layer.

7. Third-Party Data Sharing

IntakeBella shares data only with:

  • Infrastructure providers (Cloudflare, Stripe) under signed DPAs
  • Clearinghouses (Availity) for benefits verification and prior authorization, under BAA
  • Email providers (Postmark) for transactional notifications only (no PHI in email)
  • Law enforcement when required by valid legal process

IntakeBella never sells, rents, or trades patient data.

8. Your Rights

Pharmacy customers can export their data at any time via the dashboard or API. Patients can request access to their data through their pharmacy. Data deletion requests are processed within 30 days.

9. Contact

For data-related inquiries, contact our Privacy Officer at privacy@intakebella.com.