Privacy Policy
How the Autom8Task Chrome extension handles patient data, service credentials, and authentication.
Last Updated: May 19, 2026
Key Privacy Statement
We do not operate databases or archives of patient information. Patient data is retrieved on-demand from the third-party systems where it already lives (Axis and Carbon) and shown to authorized clinic staff in their browser to perform the task at hand.
To support day-to-day workflows, Autom8Task's backend retains a narrow, disclosed set of operational data: (1) your Axis and Carbon service credentials, held encrypted at rest so the extension can sign in on your behalf; (2) a short-lived (24-hour, auto-deleted) operational cache of the day's computed work list, accessible only to staff with valid Axis credentials for that clinic; (3) one-way hashed records of who-was-texted-today, with no readable patient identifiers; and (4) hashed, non-identifying activity counts for clinic-level reporting. Sections 2, 6, and 8 describe each in detail.
Autom8Task operates as a HIPAA Business Associate for clinics whose covered-entity employers require one, and will sign a Business Associate Agreement (BAA) on request — see Section 10.
Extension Purpose: Autom8Task is a private Chrome extension that provides Robotic Process Automation (RPA) capabilities exclusively for authorized staff at The Joint Chiropractic clinics. The extension acts as an automation layer that interfaces with existing practice management systems to streamline clinic operations and staff workflows.
Definitions
For purposes of this privacy policy:
- "Extension" refers to the Autom8Task Chrome browser extension
- "We," "Us," "Our" refers to Autom8Task LLC, the developer and operator of this extension and its backend services
- "You," "User" refers to authorized clinic staff who install and use this extension
- "PHI" (Protected Health Information) means individually identifiable health information as defined under HIPAA
- "PII" (Personally Identifiable Information) means information that can identify an individual (names, phone numbers, email addresses, etc.)
- "RPA" (Robotic Process Automation) means software that automates repetitive tasks by programmatically interacting with other applications
- "Service Credentials" means the usernames and passwords you provide for the Axis and Carbon platforms so the extension can authenticate to those systems on your behalf
- "Operational Cache" means a short-lived, automatically-expiring server-side record kept only long enough to support an in-progress workflow (e.g. a 24-hour daily work list, a 30-minute async-job result, a 36-hour send-dedup hash) — not a database, archive, or analytics warehouse
- "Business Associate" means a person or entity that creates, receives, maintains, or transmits PHI on behalf of a HIPAA-covered entity, as defined in 45 CFR § 160.103
- "Transient Access" means temporary retrieval of data into memory for immediate display or processing, with no persistent storage
- "Third-Party Systems" refers to Axis and Carbon platforms, which are independent systems not owned or operated by this extension
1. Nature of Service: Robotic Process Automation
This extension functions as a browser-based automation tool that:
- Interacts with third-party systems (Axis practice management system and Carbon messaging platform) on behalf of authenticated clinic staff
- Automates repetitive tasks that staff would otherwise perform manually through those systems
- Displays data retrieved from third-party systems in a consolidated interface
- Facilitates staff workflows by reducing the number of clicks and screen transitions required to complete routine operations
Critical Disclaimers:
- We do not own, operate, or control the Axis practice management system or Carbon messaging platform
- We do not modify, alter, or change the underlying functionality of Axis or Carbon systems
- We do not maintain patient databases, archives, or analytics warehouses. Limited patient-related data may be held briefly in Operational Caches to support active workflows — these are described in Section 6 and are subject to short, automatic expiry
- All authoritative patient records remain within the Axis and Carbon systems; this extension provides programmatic access to data that authorized staff already have permission to view in those systems
2. Information Collected and Accessed
In the course of providing RPA functionality, the extension collects a limited set of authentication information and transiently accesses patient and operational data from third-party systems, as described below.
Authentication Information
- Google Identity: Your email address and basic profile (name, profile picture) via Google OAuth 2.0. Used to verify identity and to authorize access to Autom8Task backend endpoints. The Google access token is held by Chrome's identity service on your device and short-lived bearer tokens are sent over TLS to our backend with each authorized request.
- Service Credentials: The username and password you enter for the Axis and Carbon platforms during setup. These are transmitted over TLS to our backend and stored encrypted at rest (AWS KMS server-side encryption on DynamoDB), so the extension can authenticate to Axis and Carbon on your behalf. They are not stored in your browser's local storage. The Axis password is never exposed back to the extension at runtime; the Carbon password is supplied to the in-browser automation only in memory for the duration of an active automation run and is cleared when the run completes.
- Short-Lived Axis Tokens: Generated server-side from your stored Axis credentials and returned to the extension for the duration of an active task. The Carbon platform does not issue API tokens — see Section 5.
Patient Information (Accessed Transiently)
To perform automation tasks, the extension and its backend retrieve the following from Axis or Carbon on-demand and process it in memory for the duration of the task:
- Patient Names: Used to populate work lists, send confirmations, and personalize SMS content composed by staff
- Phone Numbers: Used to address SMS messages routed through the Carbon platform
- Contact IDs: Axis system identifiers used to correlate records and look up patient details
- Appointment / Visit Data: Used to determine renewal timing, visit-pattern eligibility, and other workflow-driving signals
- Clinical Metadata: Non-diagnostic fields such as loyalty status, visit frequency, opt-in flags, and product-type indicators
Communication Content
- Outbound Messages: SMS content composed by staff and submitted to the Carbon platform for delivery
- Message Templates: Pre-configured text snippets for common clinic communications (no patient-specific content)
Operational Metrics
- Aggregated Performance Metrics: Clinic-level operational data (counts, save rates, queue volumes) used for reporting — no patient identifiers
- Queue Data: Real-time clinic flow and wait-time information retrieved from Axis
Data Flow Model: Patient PHI and PII accessed by this extension are retrieved on-demand from Axis or Carbon, processed transiently to perform the workflow, and not retained — with the narrow exceptions described in Section 6 (24-hour daily work-list cache, 30-minute async-job hand-off buffer, 36-hour one-way hashed send-dedup records, hashed non-identifying activity counts). We do not build patient databases, archives, analytics warehouses, or any system that retains identifiable patient information for long-term use.
3. How Information Is Processed
The extension and its backend process information solely to enable RPA functionality:
- Authentication Verification: Confirm user identity and authorization to access clinic systems
- Automated Form Interaction: Programmatically interact with Axis and Carbon web interfaces to perform tasks on behalf of staff
- Data Retrieval: Query Axis APIs (and automate the Carbon web interface) to fetch information for display
- Workflow Orchestration: Execute multi-step processes (e.g., retrieve patient record from Axis → compose message → send via Carbon) without manual navigation
- Interface Enhancement: Inject additional UI elements into Axis and Carbon pages to surface relevant information and actions
- Report Generation: Aggregate and visualize operational metrics retrieved from backend analytics — reports show clinic-level counts and rates, not patient-level detail
Processing Limitations:
- Patient data is transmitted only to the authorized systems involved in the workflow: Axis, Carbon, and the Autom8Task backend that orchestrates the automation
- Identifiable patient data is not retained beyond the disclosed Operational Caches (Section 6)
- No machine learning models or algorithms are applied to identifiable patient data; product-recommendation AI receives only anonymized visit patterns (Section 4)
- No data mining, profiling, or secondary use of patient information occurs
We Explicitly Do NOT:
- Maintain patient databases, archives, or analytics warehouses
- Retain identifiable PHI or PII beyond the short, automatic expiries set out in Section 6
- Sell, license, or disclose patient information to any third parties
- Use patient data for marketing, advertising, or purposes unrelated to clinic operations
- Modify or alter patient records within Axis or Carbon systems
- Override or bypass security controls implemented by Axis or Carbon
4. Artificial Intelligence for Product Recommendations
This extension uses third-party artificial intelligence services (OpenAI and Anthropic Claude) to provide product suggestions that match patient visit patterns and affordability.
What the AI Does
The AI analyzes non-identifiable visit patterns — such as how frequently patients visit and their travel distance to the clinic — to suggest products that align with their usage patterns and accessibility. This helps staff recommend packages that fit each patient's circumstances, whether they're new patients establishing care or existing patients with established visit routines.
Privacy Protection
- No PHI Transmitted: Patient names, phone numbers, addresses, and other personally identifiable information are never sent to AI services
- Pattern Data Only: AI receives only anonymized visit frequency and distance patterns (e.g., "weekly visitor, 5-mile travel radius")
- No Storage: AI providers do not store or retain the anonymized data after generating recommendations
- No Training: Patient information is never used to train AI models
How Staff Use AI Recommendations
- AI suggestions are advisory only — staff have full discretion to accept, reject, or modify recommendations
- Recommendations are operational suggestions to improve service, not clinical or medical advice
- Staff remain responsible for ensuring suggestions align with patient needs and professional judgment
- The AI feature can be disabled in extension settings
Third-Party AI Services
- OpenAI Privacy Policy: https://openai.com/privacy
- Anthropic Privacy Policy: https://www.anthropic.com/privacy
Disclaimer: AI recommendations are provided "as is" without warranties of accuracy or suitability. The extension developer is not liable for outcomes resulting from AI-suggested products.
5. Third-Party System Interactions
As a browser-based RPA tool, this extension facilitates communication between your browser and the following third-party systems:
Systems of Record (Not Owned or Operated by This Extension)
- Axis Practice Management System (axis.thejoint.com)
- Owned and operated by The Joint Corp
- Repository of all patient records, appointment data, and clinical information
- Subject to The Joint Chiropractic's privacy policy at https://www.thejoint.com/privacy-policy
- Axis controls who is authorized to access a clinic's data. A user can only retrieve a clinic's records through this extension if The Joint has granted them valid Axis credentials for that clinic — the extension inherits Axis's authorization model and does not grant, modify, or substitute for it
- Carbon Messaging Platform (carbon.biz)
- Third-party SMS communication platform operated by Over The Top Solutions
- Responsible for message delivery, carrier relationships, and telecommunications compliance
- Subject to its own privacy policy at https://advantage.overthetop.com/PrivacyPolicy.aspx
- Carbon does not expose a public API. The extension submits messages by automating the carbon.biz web interface in your browser using your saved Carbon credentials — the same way a staff member would type and click manually
Extension Backend Services
- Autom8Task Backend APIs (*.execute-api.us-east-1.amazonaws.com) — AWS-hosted Lambda + DynamoDB services that:
- Verify Google identity and authorize requests
- Hold your Axis and Carbon Service Credentials encrypted at rest, and use them server-side to authenticate to those platforms on your behalf
- Orchestrate long-running workflows (renewal scans, daily work-list computation) that exceed the browser's practical execution time
- Maintain the short-lived Operational Caches and hashed records described in Section 6
- Aggregate clinic-level operational metrics for reporting (no patient-level retention)
- Google OAuth: *.googleapis.com and oauth2.googleapis.com
- Used exclusively for staff authentication
- Subject to Google's privacy policy
Data Transmission Security
- All communication occurs over TLS-encrypted HTTPS connections (TLS 1.2 or higher)
- Service Credentials are encrypted at rest using AWS KMS-managed keys; authentication tokens are short-lived and bound to the user's Google identity
- Identifiable patient data transmitted to the Autom8Task backend is processed transiently to perform the workflow and is not retained except as described in Section 6
Legal Relationship to Third-Party Systems
This extension operates as a technical intermediary that automates interactions with Axis and Carbon on behalf of authorized users. The extension developer:
- Has no ownership interest in Axis or Carbon platforms
- Has no ability to access, modify, or control data stored in those systems independently of an authorized user's credentials
- Cannot grant or revoke user permissions within those systems
- Is not responsible for the privacy practices, data security, or regulatory compliance of those platforms
- Acts as a Business Associate of the covered-entity clinic with respect to the limited PHI handled in the course of automation (see Section 10)
6. Data Storage and Retention
Patient Information — No Long-Term Storage
The extension and its backend do not maintain patient databases, archives, or analytics warehouses. Patient data accessed during a workflow is:
- Retrieved on-demand from Axis or Carbon when needed for an active workflow
- Held in memory only for the duration of the task
- Discarded when the workflow completes or the browser closes — with the narrow Operational Cache exceptions below
Backend Storage — Service Credentials
- What: Your Axis and Carbon usernames and passwords
- Where: Encrypted at rest in an Amazon DynamoDB table (AWS KMS server-side encryption), in the AWS us-east-1 region
- Why: So the backend can authenticate to Axis and Carbon on your behalf, and so the Carbon password can be supplied (in memory only, server-fetched on demand) to the in-browser automation that signs you into carbon.biz
- Retention: Held while your account is active. Deleted on explicit request (sign-out from the extension's Credentials page triggers a backend delete; you can also email support to revoke)
Backend Storage — Operational Caches (short-lived, automatic expiry)
- Daily Work-List Cache (Winback, Pack Booster):
- What: The day's computed list of patients eligible for a specific outreach campaign, generated by a backend scan
- Why: So clinic staff on different computers — sharing the same clinic credentials — can pick up the same computed list without re-running a multi-minute scan
- Access: Only retrievable by a user whose Service Credentials authenticate them to the same clinic in Axis. Access is bounded by The Joint's authorization model, not by anything Autom8Task decides
- Retention: Automatically deleted after 24 hours via DynamoDB TTL
- Renewal Radar Job Result:
- What: The result of an async patient-renewal scan, held briefly to bridge the server-side worker and the client browser
- Retention: Deleted immediately when the authorized caller retrieves it; a 30-minute TTL backstop applies for results that are never fetched
- Send-Dedup Hash Records:
- What: One-way HMAC-SHA256 hashes of (phone + name) for each SMS sent today, plus the channel, the sending clinic, and a timestamp. No readable phone number, name, or contact ID is stored.
- Why: Prevents the same patient from being texted twice in a day across clinics, staff, and campaigns (atomic claim at send time)
- Retention: Automatically deleted after 36 hours via DynamoDB TTL
- Patient 360 Activity Counts:
- What: Per-clinic activity rows used to compute the Usage Report. The patient identifier is stored as a one-way hash; patient names and recommendation scripts are not stored. Only plan transitions, timestamps, and counts are retained
- Why: Enables clinic-level usage and save-rate reporting without retaining identifiable patient information
- Retention: Held while your account is active to support trend reporting; the report itself returns aggregates only, never patient detail
Service Credentials and the four Operational Cache categories above are the only persistent server-side stores operated by Autom8Task that touch patient-derived data. There are no other patient databases, archives, logs, or analytics systems.
Local (Browser) Storage
The extension stores the following non-credential data locally in your browser using Chrome's storage API:
- User Preferences: Interface settings, test-mode flags, scheduled-run preferences, feature toggles
- Message Templates: Pre-configured text snippets for common communications (no patient-specific information)
- Workflow Caches: The current day's computed work list and short-lived patient-history snapshots used to render the active interface. These are device-only, never transmitted to Autom8Task as patient archives, and cleared when the extension is uninstalled or browser data is wiped
- Service Credentials are NOT stored in your browser. They live only on the encrypted backend; the Carbon password is held briefly in volatile memory (cleared on browser close) only during an active automation run
Retention Policy Summary
- Patient databases / archives: None — not maintained
- Daily Work-List Cache: 24 hours, automatic
- Renewal Radar Result: Until fetched, with a 30-minute backstop
- Send-Dedup Hashes (no patient identifiers): 36 hours, automatic
- Patient 360 Activity (hashed): While account active
- Service Credentials (encrypted): While account active, deleted on revocation
- Google Identity Tokens: Held by Chrome's identity service; expire per Google policy (typically ~1 hour for access tokens)
- Local Browser Data: Until you clear browser data or uninstall the extension
Data Deletion
You can have data deleted by:
- Clearing credentials from the extension's Credentials page (triggers a backend delete of your Service Credentials)
- Logging out of the extension (clears local session state)
- Clearing Chrome browser data for this extension (removes local preferences and caches)
- Uninstalling the extension (removes all locally stored data)
- Contacting info@autom8task.com to request full backend deletion of your account and any associated hashed activity records
7. Chrome Permissions Explained
This extension requires the following Chrome permissions to provide RPA functionality. Each permission is necessary for specific automation capabilities:
- identity — Authenticate users via Google OAuth 2.0 to verify authorization to access clinic systems
- storage — Store non-credential data locally (user preferences, message templates, workflow caches)
- tabs — Detect when users navigate to Axis or Carbon pages so the extension can inject RPA interface elements and orchestrate the automation
- sidePanel — Display the unified tool interface in Chrome's side panel for persistent access during workflows
- downloads — Enable export of operational reports and run logs to the user's local file system
- alarms — Schedule periodic background tasks (e.g., refresh wait-time data, run scheduled SMS jobs)
- notifications — Alert users about time-sensitive clinic events or workflow completions
Host Permissions (Domains Accessed)
The extension requests permission to interact with the following domains:
- axis.thejoint.com — Axis practice management system (patient data source)
- carbon.biz — Carbon messaging platform (SMS delivery; UI-automation target)
- *.execute-api.us-east-1.amazonaws.com — Autom8Task backend APIs (authentication, credential storage, workflow orchestration, aggregate reporting)
- *.googleapis.com and oauth2.googleapis.com — Google OAuth authentication services
Scope Limitation: The extension only accesses these specific domains and cannot read or modify data from any other websites you visit.
8. Security Measures and Access Controls
Authentication and Authorization
- Google OAuth: Extension access requires valid Google OAuth authentication; the backend verifies the access token on every privileged request
- Inherited Clinic Authorization: Access to a given clinic's data is gated by valid Axis credentials for that clinic. The Joint controls who has those credentials — Autom8Task does not grant, issue, or substitute for clinic-level authorization
- Session Management: Google access tokens are short-lived; the extension automatically re-authenticates as needed
- Subscription Gate: Backend endpoints additionally verify that the requesting account has an active subscription, providing an independent layer of access control
Service Credential Handling
- Encrypted at Rest: Your Axis and Carbon usernames and passwords are stored encrypted at rest using AWS KMS server-side encryption on DynamoDB
- Not Stored in the Browser: Service Credentials are not placed in chrome.storage.local or any other on-device persistent storage. The Carbon password is fetched on demand from the backend into volatile in-memory session storage solely for the duration of one carbon.biz login, then cleared
- Axis Password Server-Bound: The Axis password is never returned to the browser at all. The backend uses it server-side to mint short-lived Axis tokens that the extension uses for the duration of a task
- Encryption in Transit: All credential transmission occurs over HTTPS (TLS 1.2 or higher)
Data Transmission Security
- TLS Encryption: All data transmission occurs over HTTPS with TLS 1.2 or higher
- Certificate Validation: Extension validates SSL certificates for all third-party connections
- One-Way Hashing: Patient identifiers used for dedup are hashed with HMAC-SHA256 before being stored. The hashing salt is held server-side and never exposed to the client
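Illustration of the send-dedup scheme described under One-Way Hashing above and under Send-Dedup Hash Records in Section 6. This is an added example, not Autom8Task's own code. The field normalization, length-prefixed encoding, UTC day boundary, demo key, and in-memory ClaimStore (standing in for a table with conditional writes and TTL expiry) are all assumptions.

```python
import hashlib
import hmac
import re
import unicodedata
from datetime import datetime, timezone

# Constructed demo key (assumption). A real key lives server-side only.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
TTL_SECONDS = 36 * 3600  # 36-hour retention stated in the policy


def normalize_phone(raw: str) -> str:
    """Reduce a US phone number to 10 digits so formatting cannot defeat dedup."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def normalize_name(raw: str) -> str:
    """Fold case, Unicode form, and whitespace so 'Jane  Doe' == 'jane doe'."""
    text = unicodedata.normalize("NFKC", raw).casefold()
    return " ".join(text.split())


def dedup_token(phone: str, name: str, key: bytes = DEMO_KEY) -> str:
    """Keyed one-way token over (phone, name).

    A keyed HMAC matters here: phone numbers come from a small space, so an
    unkeyed digest could be matched by enumeration. Each field is
    length-prefixed so that ("12", "3") and ("1", "23") cannot collide.
    """
    fields = [normalize_phone(phone).encode(), normalize_name(name).encode()]
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ClaimStore:
    """In-memory stand-in for a table with put-if-absent and TTL (assumption)."""

    def __init__(self):
        self._rows = {}

    def claim(self, token: str, channel: str, clinic: str, now: int) -> bool:
        """Atomically claim today's send slot; False means already texted today."""
        # Emulate TTL expiry: drop rows whose retention window has passed.
        self._rows = {k: v for k, v in self._rows.items() if v["expires_at"] > now}
        # Scope the claim to a calendar day (UTC here, an assumption) because
        # rows outlive the day by design (36 h retention vs. 24 h day).
        day = datetime.fromtimestamp(now, tz=timezone.utc).strftime("%Y-%m-%d")
        key = (day, token)
        if key in self._rows:
            return False
        # Only the token plus non-identifying metadata is stored.
        self._rows[key] = {
            "channel": channel,
            "clinic": clinic,
            "sent_at": now,
            "expires_at": now + TTL_SECONDS,
        }
        return True

    def rows(self):
        """Return stored rows with their keys, for inspection."""
        return [{"day": d, "token": t, **v} for (d, t), v in self._rows.items()]


if __name__ == "__main__":
    store = ClaimStore()
    t0 = 1_700_000_000  # constructed timestamp
    tok = dedup_token("(555) 010-1234", "Jane  Doe")  # constructed sample patient
    print(store.claim(tok, "sms", "clinic-A", t0))
    print(store.claim(dedup_token("+1 555 010 1234", "JANE DOE"), "sms", "clinic-B", t0 + 60))
    print(store.rows())
```

With a real DynamoDB table, the put-if-absent step would be a conditional write so that two concurrent senders cannot both succeed.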
Third-Party Service Isolation
- No External Analytics: Extension does not integrate Google Analytics, Facebook Pixel, or any third-party tracking services
- No Advertising Networks: No connections to ad platforms or data brokers
- No Telemetry Beyond Operational Metrics: Usage data sent to the Autom8Task backend is limited to the operational records described in Section 6
Limitations and Disclaimers
While this extension implements security best practices, users must understand:
- Browser Security Dependency: Extension security relies on Chrome's security model; users must keep Chrome updated
- Device Security Responsibility: Users are responsible for securing their devices (screen locks, antivirus, OS updates)
- Credential Protection: Users must not share their Google, Axis, or Carbon credentials with unauthorized parties
- Network Security: Users should not access the extension over untrusted or public Wi-Fi networks when handling PHI
- Third-Party System Security: The extension cannot enhance or override security measures implemented by Axis or Carbon; those systems' security postures are independent
9. User Rights and Controls
As an extension user, you retain the following rights and controls:
Access Controls
- Revoke Extension Access: Log out at any time to immediately terminate the session
- Revoke OAuth Authorization: Remove Google authentication via your Google Account settings
- Delete Service Credentials: Use the extension's Credentials page "Clear" action to delete your stored Axis and Carbon credentials from the backend
- Disable Specific Features: Selectively disable extension features through the settings interface
- Uninstall Extension: Complete removal via Chrome's extension management interface deletes all locally stored data
Data Access Rights
- Audit Logs: Contact your clinic administrator to review which patient records you have accessed through Axis and Carbon systems (maintained by those platforms, not this extension)
- PHI Access Records: Request patient access logs from Axis system administrators (this extension does not maintain independent patient-level access logs)
- Backend Data Inquiry: Email info@autom8task.com to request information about, or deletion of, any backend records associated with your account
Correction and Deletion
- No Patient Records to Correct: Since the extension does not maintain patient records, patient-data correction must be performed in Axis or Carbon systems directly
- Service Credentials: Update via the Credentials page; the backend overwrites the encrypted row on save
- Local Data Deletion: Clear browser storage or uninstall the extension to remove preferences and caches
- Backend Account Deletion: Email info@autom8task.com to request deletion of your Service Credentials and any hashed Patient 360 activity records associated with your account
Limitation of Access
Important: This extension's access is bounded by your existing permissions in Axis and Carbon. If you believe you have inappropriate access to patient data, contact your clinic administrator to review your role-based permissions in those systems.
10. Regulatory Compliance and Legal Framework
HIPAA Compliance Framework
This extension is designed to support HIPAA-compliant workflows when used by covered entities. Compliance obligations are distributed across multiple parties:
Covered Entity Responsibilities (Clinic Employer)
- Designate authorized users and grant appropriate access levels in Axis and Carbon
- Provide workforce training on HIPAA privacy and security rules
- Implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule
- Execute Business Associate Agreements with Axis, Carbon, Autom8Task, and other service providers that handle PHI
- Conduct risk assessments and implement breach notification procedures
Business Associate Responsibilities (Autom8Task)
- Implement technical safeguards (encryption in transit and at rest, access controls, audit logging) to protect PHI during the limited backend processing and Operational-Cache retention described in Section 6
- Use PHI only to perform the contracted automation services — no secondary use, marketing, sale, or disclosure beyond authorized uses
- Honor short, automatic retention limits for Operational Caches and delete Service Credentials and account data on covered-entity request
- Notify covered-entity clients of any confirmed Security Incident or Breach as required by the HIPAA Breach Notification Rule and applicable Business Associate Agreement terms
- Make commercially reasonable efforts to mitigate any known harmful effect of an unauthorized use or disclosure
- Maintain subcontractor (e.g., AWS) agreements that include equivalent safeguards
User Responsibilities (Clinic Staff)
- Minimum Necessary Rule: Access only the PHI required to perform job functions
- Credential Security: Protect login credentials and authentication tokens from unauthorized access
- Device Security: Use the extension only on secure, employer-managed devices
- Physical Safeguards: Ensure screens are not visible to unauthorized individuals when displaying PHI
- Logout Procedures: Log out of the extension when leaving a workstation unattended
- Incident Reporting: Report suspected security incidents or privacy breaches to the clinic administrator immediately
Legal Disclaimers
- No Warranty: Extension is provided "as is" without warranties of any kind, express or implied, except as expressly provided in any applicable Business Associate Agreement or commercial contract
- Limitation of Liability: Autom8Task is not liable for data breaches, privacy violations, or compliance failures occurring within Axis, Carbon, or other third-party systems
- Jurisdictional Compliance: Users are responsible for ensuring their use of this extension complies with applicable state privacy laws (e.g., CCPA, state health-privacy statutes)
Business Associate Agreements
Autom8Task acknowledges that, with respect to the limited PHI it receives and the Operational Caches described in Section 6, it acts as a Business Associate of the covered-entity clinic. We will execute a Business Associate Agreement (BAA) with any covered entity that requires one. The BAA scope covers:
- Permitted uses and disclosures (RPA functionality only)
- Safeguards for PHI in transit and at rest, including encryption and access controls
- Reporting of any Security Incident or Breach
- Subcontractor obligations (notably AWS as our hosting provider)
- Return or destruction of PHI on termination, to the extent feasible given the short Operational-Cache retention model
To request a BAA, contact info@autom8task.com.
11. Changes to This Privacy Policy
We reserve the right to modify this privacy policy as the extension evolves, regulatory requirements change, or our RPA capabilities expand. Changes will be communicated through:
- In-Extension Notifications: Material changes will trigger a notification on next launch
- Version Updates: The "Last Updated" date at the top of this page will reflect the most recent revision
- Clinic Administrator Communications: Significant changes affecting HIPAA compliance or data handling will be communicated to clinic administrators with covered-entity contracts
Material Changes: If we introduce features that would result in new categories of PHI retention, new disclosures to third parties, or any change to our Business Associate posture, we will:
- Update this policy and notify covered-entity clients before enabling such features
- Provide users an opportunity to opt out or discontinue use
- Comply with applicable notice requirements under HIPAA and state privacy laws
Continued Use: By continuing to use the extension after policy changes are posted, you acknowledge and agree to the updated terms. If you do not agree to changes, discontinue use and uninstall the extension.
12. Contact Information
For questions, concerns, or requests related to this privacy policy or the extension's data practices:
Privacy and Compliance Inquiries
- Your Clinic Administrator: For questions about authorized use, access permissions, or clinic-specific policies
- The Joint Chiropractic Privacy Officer: For HIPAA-related questions or to exercise privacy rights regarding patient data in the Axis system
- Autom8Task Privacy / BAA Contact: info@autom8task.com
Security Incidents
If you suspect a security incident, privacy breach, or unauthorized access involving this extension:
- Immediate Action: Log out of the extension and report to your clinic administrator immediately
- Documentation: Note the date, time, and nature of the suspected incident
- Escalation: Your clinic administrator will coordinate with IT security and, if necessary, initiate breach notification procedures. Autom8Task will be notified per the applicable BAA terms
13. Scope, Limitations, and Third-Party Privacy Policies
This privacy policy applies exclusively to the Autom8Task Chrome Extension and its backend services, and describes only the data practices of this RPA tool.
What This Policy Covers
- Data accessed by the extension during RPA operations
- How the extension and its backend process information
- Authentication and Service Credential handling
- The limited Operational Caches and hashed activity records retained on the Autom8Task backend
- Non-credential data stored locally by the extension (preferences, templates, workflow caches)
- Security measures implemented by the extension and backend
What This Policy Does NOT Cover
- Axis Practice Management System: Data storage, retention, security practices, and privacy policies of Axis are governed by The Joint Corp's terms of service and privacy policy (https://www.thejoint.com/privacy-policy)
- Carbon Messaging Platform: SMS delivery, message retention, carrier relationships, and telecommunications compliance are governed by Over The Top Solutions' terms and privacy policy (https://advantage.overthetop.com/PrivacyPolicy.aspx)
- AI Service Providers: OpenAI and Anthropic data-handling practices are governed by their respective privacy policies
- The Joint Chiropractic Corporate Policies: Organizational privacy practices, workforce policies, and BAAs with service providers
- Google OAuth Services: Authentication services are governed by Google's privacy policy (https://policies.google.com/privacy)
Legal Boundaries and Disclaimers
Critical Limitation: This extension is a technical tool that automates interactions with third-party systems. It does not:
- Replace or supersede the privacy policies of Axis or Carbon
- Assume responsibility for data security practices of those platforms
- Grant, modify, or revoke user permissions within those systems
- Control how those platforms store, retain, or use patient data
- Provide legal or compliance advice regarding HIPAA obligations
User Responsibility for Multi-System Compliance
When using this extension, you are subject to multiple overlapping policies and legal obligations:
- This Extension's Privacy Policy (this document) — governs RPA functionality and Autom8Task backend
- The Joint Chiropractic Privacy Policy — governs Axis practice management system
- Over The Top Solutions Privacy Policy — governs Carbon SMS messaging and telecommunications
- OpenAI and Anthropic Privacy Policies — govern AI product recommendation services
- Employer Policies — clinic-specific HIPAA policies, acceptable use policies, and training requirements
- Professional Ethics — Healthcare professional standards and state licensing board requirements
In the event of conflicts between these policies, the most restrictive interpretation that ensures patient privacy and data security should prevail. Consult your clinic administrator if you are uncertain about compliance requirements.
Third-Party Privacy Policy Links
For comprehensive information about data practices of systems this extension interfaces with, consult:
- The Joint Chiropractic (Axis) Privacy Policy: https://www.thejoint.com/privacy-policy
- Over The Top Solutions (Carbon) Privacy Policy: https://advantage.overthetop.com/PrivacyPolicy.aspx
- OpenAI Privacy Policy: https://openai.com/privacy
- Anthropic Privacy Policy: https://www.anthropic.com/privacy
- Google Privacy Policy: https://policies.google.com/privacy