Privacy Policy
Effective Date: April 16, 2026
1. Introduction
TrayPilot ("the Application," "we," "us," or "our") is a sterile processing department (SPD) management platform developed by Matt Rodriguez for use by Palm Beach Surgical Center and affiliated healthcare facilities. This Privacy Policy explains how we collect, use, store, and protect information when you access or use TrayPilot.
By using TrayPilot, you agree to the practices described in this policy. If you do not agree, please discontinue use and contact your facility administrator.
2. Information We Collect
We collect the following categories of information to operate the Application:
| Account Information | Full name, email address, job role (SPD Tech, OR Nurse, Vendor Rep, SPD Supervisor, Admin), and hospital affiliation. |
| Tray & Instrument Data | Surgical tray names, instrument lists, processing stages, QR tag identifiers, sterilization records, and case assignments. |
| Photos & Attachments | Images of surgical trays and instruments uploaded by users during case documentation. |
| Usage Analytics | Page views, feature interactions, session duration, and error logs used to improve the Application. |
| Audit Events | Timestamped records of user actions (approvals, stage changes, preference card edits) for compliance and traceability. |
3. HIPAA Awareness & Healthcare Compliance
TrayPilot is designed for use within healthcare environments and handles data related to surgical procedures and patient care workflows. We are committed to supporting your facility's compliance obligations under the Health Insurance Portability and Accountability Act (HIPAA) and applicable state healthcare privacy laws.
While TrayPilot focuses on instrument and tray logistics rather than direct patient records, we recognize that case data may be associated with patient care. All data handling practices are designed with healthcare-grade sensitivity in mind. Facility administrators are responsible for ensuring that TrayPilot is deployed within their HIPAA-compliant infrastructure and Business Associate Agreement (BAA) framework.
4. How We Use Your Information
We use collected information solely to:
- Authenticate users and enforce role-based access control.
- Display and manage surgical case queues, tray assignments, and processing stages.
- Generate QR tags and support tray check-in workflows.
- Maintain audit trails for regulatory and quality assurance purposes.
- Send in-app notifications relevant to your role and assigned cases.
- Improve Application performance and reliability through anonymized analytics.
5. Data Sharing & Third Parties
We do not sell, rent, or trade your personal information to any third party. Data is shared only in the following limited circumstances:
- Within your facility: Data is visible to authorized users at your hospital based on their assigned role and vendor scope.
- Service providers: We use secure cloud infrastructure (including encrypted object storage) to operate the Application. These providers are contractually bound to protect your data and may not use it for their own purposes.
- Legal obligations: We may disclose data if required by law, court order, or to protect the rights and safety of users or the public.
6. Data Security
We take the security of your data seriously. TrayPilot employs the following safeguards:
- All data in transit is encrypted using TLS 1.2 or higher.
- Data at rest is encrypted using industry-standard AES-256 encryption.
- Authentication is handled via secure OAuth sessions with signed cookies.
- Role-based access control limits data visibility to authorized personnel only.
- Vendor representatives are scoped to their own facility's data exclusively.
- Audit logs record all significant actions for accountability and traceability.
No system is completely immune to security risks. We encourage users to use strong, unique passwords and to report any suspected security incidents to your facility administrator immediately.
7. Your Rights
Depending on your jurisdiction and facility policies, you may have the following rights regarding your personal data:
| Access | Request a copy of the personal data we hold about you. |
| Correction | Request correction of inaccurate or incomplete information in your account or records. |
| Deletion | Request deletion of your account and associated personal data, subject to legal retention requirements. |
| Portability | Request your data in a structured, machine-readable format where technically feasible. |
| Objection | Object to processing of your data for purposes beyond core Application functionality. |
To exercise any of these rights, contact your facility administrator or reach us directly at the email address listed in Section 9.
8. Data Retention
We retain account and operational data for as long as your facility's account is active or as required by applicable healthcare regulations. Audit logs are retained for a minimum of seven (7) years to support regulatory compliance. Upon account termination, personal data is deleted or anonymized within 90 days, except where longer retention is required by law.
9. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will update the Effective Date at the top of this page and, where appropriate, notify users through the Application. Your continued use of TrayPilot after any changes constitutes your acceptance of the updated policy.
© 2026 TrayPilot · Developed by Matt Rodriguez
Palm Beach Surgical Center · All rights reserved.