AFH Network

Privacy Policy

Last updated: June 17, 2026

1.Introduction

AFH Network ("we," "us," or "our") operates an online platform at afhnetwork.com for Adult Family Home (AFH) owners, caregivers, and employees in Washington State. Our platform has two parts on a single account: (1) a public course marketplace where anyone can browse, buy, and complete training courses and earn certificates; and (2) a subscription-based operations suite for AFH owners — including the Medication Administration Record (MAR), the Negotiated Care Plan (NCP) Generator, the Compliance Assistant, and the Task Tracker — plus seat-based tools for owners to manage their employees and assign training.

This Privacy Policy explains what personal information — and, for the owner operations tools, what resident health information — we collect, how we use it, who we share it with, how long we keep it, and your rights regarding your data. Because owners use our tools to record information about the residents in their care, this policy also describes our role as a service provider (and business associate) handling that information on the owner's behalf (see Section 3).

By creating an account or using our platform, you agree to this Privacy Policy. If you do not agree, please do not use our services.

2.Information We Collect

2.1 Information you provide directly

  • Account information: First name, last name, email address, and password (stored as a bcrypt hash — we never store plain-text passwords). Optionally: phone number and profile photo (avatar).
  • Business information (owners only): Business name, seat count, and your employee roster (employee names and email addresses you add to seats).
  • Payment and subscription information: Billing address (city, state, ZIP, country) collected at checkout, and — for owner subscriptions — your plan, billing cycle (monthly/annual), renewal date, subscription status (for example trialing, active, past due, or canceled), invoices, and the tax data Stripe calculates for your purchases. We do not store credit card numbers — all payment data is handled by Stripe (see Section 5).
  • Contact form submissions: Name, email, phone (optional), subject, and message content.
  • Course progress: Lesson completions, quiz attempts and results, and last accessed timestamps.
  • Owner operations data: If you subscribe to the owner tools, the information you enter into them — resident records and medication details in the MAR, care-plan documents you upload to the NCP Generator, your questions and saved history in the Compliance Assistant, and staff, training, assessment, evacuation-drill, and HR-form records in the Task Tracker. Resident health information is described separately in Section 3.

2.2 Information collected automatically

  • Device and browser data: Browser type, operating system, IP address, and device identifiers — used for Two-Factor Authentication trusted device recognition and security logging.
  • Usage data: Pages visited, course player interactions, and session duration.
  • Cookie and localStorage data: See Section 6 for full details.

2.3 Information from third parties

  • Google OAuth: If you sign in with Google, we receive your name, email address, and Google account ID. We do not receive your Google password.

3.Protected Health Information & Resident Data

The owner operations tools let an Adult Family Home record and manage information about the residents in its care. Some of this is health information about an identifiable individual — referred to in this policy as Protected Health Information (PHI). We process this information on behalf of the AFH owner who entered it, not for our own purposes. We do not sell it, use it for advertising, or use it to train artificial-intelligence models.

3.1 What the MAR stores

When an owner uses the Medication Administration Record, the following resident and medication details may be stored:

  • Resident details: name, date of birth, sex, allergies, diagnosis, diet, internal record number, and an emergency contact name and phone number.
  • Medication details: medication name, strength, route, directions, schedule and PRN (as-needed) information, prescriber name and phone, pharmacy name and phone, and prescription number.
  • Administration records: each scheduled or as-needed dose marked as Given, Refused, Missed, Held, or Not Applicable, with the reason for any non-administration and the staff initials of the person who recorded it.

3.2 What the NCP Generator processes

The Negotiated Care Plan Generator lets an owner upload a resident's Long-Term Care assessment document (.doc, .docx, or .pdf) to draft a Washington Negotiated Care Plan. Uploaded files are sent directly from your browser to a private Microsoft Azure storage container (they do not pass through our main application servers), read once by Azure's document-intelligence and AI services to produce the draft, and deleted from that storage after processing. The uploaded source document is not stored in our main database. The finished care-plan draft is returned to your browser for you to review, edit, and download.

3.3 Our role and your responsibilities as an owner

For resident data entered into the owner tools, the AFH owner is the controller of the information (the party that decides what is collected and why), and AFH Network is a service provider and business associate that processes it on the owner's instructions. As an owner, you are responsible for: collecting and entering resident information lawfully and only with proper authority; keeping it accurate and up to date; restricting access within your organization to staff who need it; and meeting your own obligations under Washington law and Adult Family Home regulations. You should not upload or enter resident PHI unless you have a lawful basis to do so.

3.4 Security of resident data

Resident data is protected with the safeguards described in Section 10, including encryption in transit (HTTPS) and at rest, access limited to the owning account, server-side feature gating, "not found" responses (rather than "forbidden") on any attempt to reach another account's data, audit logging of changes, and a practice of keeping resident identifiers out of web addresses and application logs.

3.5 Retention and deletion of resident data

Medication records and their archives, and the audit log of changes to them, are retained for seven (7) years to align with Washington Adult Family Home record-keeping requirements (WAC 388-76). Because of these requirements, resident PHI is not automatically erased simply because an owner deletes their account; we retain it for the required period and then delete it, or return or delete it earlier on the owner's lawful instruction, subject to our legal obligations. Specific retention periods are summarized in Section 7.

3.6 HIPAA & Business Associate Agreement

Where an AFH owner is a HIPAA covered entity, AFH Network acts as a business associate with respect to resident PHI handled through the owner tools, and will enter into a Business Associate Agreement (BAA) with the owner on request. The Microsoft Azure services used by the NCP Generator and Compliance Assistant (document intelligence, AI, and blob storage) are operated under a Microsoft Azure Business Associate Agreement, and our database provider offers a corresponding agreement for data stored at rest. We commit to using and disclosing PHI only as permitted by the applicable BAA and this policy, to safeguarding it, and to notifying the owner of any breach of unsecured PHI as required by law.

4.How We Use Your Information

We use your personal information to:

  • Create and manage your account
  • Provide access to purchased and assigned courses
  • Track your course progress and quiz results
  • Process payments and issue refunds via Stripe
  • Manage owner subscriptions — start free trials, bill recurring plans, apply upgrades and downgrades, retry failed payments, and restore access after an outstanding balance is paid
  • Provide the owner operations tools (MAR, NCP Generator, Compliance Assistant, Task Tracker) and process resident information on the owner's behalf as described in Section 3
  • Send subscription and account lifecycle emails — for example trial reminders, invoices and receipts, payment-failure and past-due notices, plan-change confirmations, and renewal reminders
  • Send transactional emails (account verification, password resets, 2FA codes, purchase confirmations, course assignments, seat request notifications)
  • Respond to contact form submissions and support requests
  • Detect and prevent fraud, abuse, and security threats
  • Comply with legal obligations
  • Improve our platform and course content

We do not sell your personal information to third parties. We do not use your data for targeted advertising.

5.Third-Party Services

We share data with the following third-party service providers who process data on our behalf:

ServicePurposeData SharedPrivacy Policy
StripePayment processingBilling address, email, Stripe customer IDstripe.com/privacy
ResendTransactional email deliveryEmail address, name, email contentresend.com/legal/privacy-policy
CloudinaryProfile photo and media storageUploaded images and audio filescloudinary.com/privacy
Google OAuthOptional sign-in methodName, email, Google IDpolicies.google.com/privacy
MongoDB AtlasDatabase hostingAll account and course data (encrypted at rest)mongodb.com/legal/privacy-policy
Azure Document IntelligenceReading uploaded care-plan documents in the NCP GeneratorUploaded care-plan document content (resident PHI), read once and not retained by usmicrosoft.com/privacy
Azure OpenAIDrafting Negotiated Care Plans and answering Compliance Assistant questionsCare-plan document content and compliance questions; processed under Microsoft's terms and not used to train Microsoft or OpenAI modelsmicrosoft.com/privacy
Azure Blob StorageTemporary private storage of uploaded care-plan documentsUploaded care-plan files, held in a private container via a short-lived access link and deleted immediately after processingmicrosoft.com/privacy
Microsoft Azure (hosting)Application hostingServer access logs, IP addressesmicrosoft.com/privacy

These providers are contractually bound to protect your data and may not use it for their own purposes beyond what is necessary to provide their service.

6.Cookies and Local Storage

We use cookies and browser localStorage to operate and improve AFH Network.

6.1 Types of storage we use

CategoryRequiredPurposeExamples
EssentialYes — always onAuthentication (JWT token cookie), security, session managementtoken (JWT), two_factor_pending, device_trust
FunctionalOptionalRemembering your preferences such as dark/light themetheme (localStorage)
AnalyticsOptionalUnderstanding how the platform is used (not yet implemented)Future: anonymized page view data

6.2 Managing your cookie preferences

You can manage your cookie preferences at any time using the Cookie Settings link in the footer of every page. Rejecting non-essential cookies will not prevent you from using the platform — only the Essential cookies are required for login and security.

Note: Essential cookies (authentication tokens) cannot be disabled as they are required to keep you logged in and protect your account.

7.Data Retention

We retain your data for the following periods:

Data TypeRetention Period
Account informationUntil you delete your account
Course progress recordsUntil you delete your account
Payment and order records7 years (required for tax and accounting compliance)
Subscription audit log (plan, billing, and access changes)7 years, then automatically deleted
MAR records, monthly MAR archives, and the MAR audit log (resident health information)7 years (Washington Adult Family Home record-keeping requirements, WAC 388-76); the audit log is automatically deleted after 7 years
NCP Generator uploads (care-plan documents)Deleted from temporary storage immediately after processing; not stored in our main database
Compliance Assistant saved historyUntil you delete the conversation or your account
Task Tracker records, HR forms, and former-employee recordsRetained while your account is active so you can meet record-keeping obligations; deleted on account deletion subject to legal requirements
Authentication challenge records (2FA, WebAuthn)Auto-deleted within 10–30 minutes via MongoDB TTL indexes

When you delete your account, your personal information and course progress are permanently deleted. However, some records cannot be deleted on request because the law requires us to keep them — including payment and order records, the subscription audit log, and resident medication records and their audit log, which are retained for the periods shown above. Resident health information is therefore not automatically purged when an owner deletes their account; it is retained for the required period and then deleted, or handled earlier on the owner's lawful instruction.

8.Your Rights

8.1 All users have the right to

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Ask us to correct inaccurate information. You can update most information yourself from your Profile and Security settings.
  • Deletion: Request deletion of your account and personal data. You can do this yourself from Settings → Security → Delete Account.
  • Opt-out of marketing: You can unsubscribe from any marketing emails using the unsubscribe link. Note: transactional emails (receipts, security alerts, password resets) cannot be opted out of while your account is active.

8.2 California residents (CCPA rights)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: Request deletion of your personal information (subject to legal retention requirements).
  • Right to Opt-Out: We do not sell personal information. There is nothing to opt out of.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, use our contact form and note "CCPA Request" in your message. We will respond within 45 days.

8.3 Washington State (RCW 19.255)

Washington State law requires us to notify you if your personal information is involved in a data breach that creates a risk of harm. We will notify affected users without unreasonable delay and no later than 30 days after discovery of a qualifying breach.

8.4 Washington My Health My Data Act

Washington's My Health My Data Act (MHMDA) gives Washington consumers rights over "consumer health data." To the extent it applies to information we hold about you, you have the right to confirm whether we collect, share, or sell such data and to access it; to withdraw consent to its collection or sharing; and to have it deleted. We do not sell consumer health data, and we do not share it except with the service providers listed in Section 5 to operate the platform on your behalf.

Resident health information that an owner enters into the owner tools is handled on the owner's behalf (see Section 3); requests concerning a resident's information should be directed to the Adult Family Home that maintains the record. To exercise your own MHMDA rights, use our contact form.

8.5 Employees and residents whose data an owner enters

When an AFH owner adds an employee to a seat, or records staff information in the Task Tracker — including credential and license information such as background-check, fingerprint, TB-test, CPR/first-aid, food-handling, and HCA-license details — the owner is the controller of that information and AFH Network processes it on the owner's behalf. The same applies to resident information in the MAR and NCP Generator (see Section 3). If you are an employee or a resident (or a resident's representative) and want to access, correct, or delete information held about you, please contact the Adult Family Home that maintains the record; we will support that owner in responding. You may also contact us using our contact form and we will route your request appropriately.

9.Children's Privacy

AFH Network is intended for adults (18 years of age or older) working in or managing Adult Family Homes. We do not knowingly collect personal information from children under 13. If we discover we have inadvertently collected data from a child under 13, we will delete it promptly. If you believe a child has provided us with personal information, please contact us using our contact form.

10.Data Security

We implement industry-standard security measures to protect your information:

  • Passwords are hashed using bcrypt with a salt factor of 12 — we cannot read your password
  • All data transmitted between your browser and our servers uses TLS encryption (HTTPS)
  • JWT authentication tokens are stored in httpOnly cookies (not accessible to JavaScript)
  • Two-factor authentication (2FA) and WebAuthn/biometric login are available for additional security
  • Payment data is handled exclusively by Stripe — we never see or store your card number
  • Our database provider encrypts all stored data at rest
  • Access to the owner tools is gated on the server, and any attempt to reach another account's data returns a "not found" response so that record identifiers are never leaked
  • Changes to resident medication records are written to a tamper-evident audit log, and we keep resident identifiers out of web addresses and application logs
  • Care-plan documents uploaded to the NCP Generator are stored in a private container via a short-lived access link and deleted immediately after processing

Despite these measures, no system is 100% secure. We encourage you to use a strong, unique password and enable 2FA on your account.

11.Contact Us

For privacy questions, data access requests, or to report a privacy concern:

We aim to respond to all privacy requests within 30 days.

12.Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For significant changes, we will notify users by email. Continued use of AFH Network after changes are posted constitutes acceptance of the updated policy.