Privacy Policy

How Bipolar IN Order handles your information.

Effective Date: November 2, 2025

Bipolar IN Order, operated by the Bipolar & Depression Outcomes Research Institute (BDORI), respects your privacy. This Privacy Policy explains how we handle information collected through our program website, app, and messaging services.

1. Information We Collect

We collect only the information you choose to provide when using the Bipolar IN Order program, such as your email address, phone number, and self-reported progress data. We do not collect personally identifiable information unless you voluntarily provide it.

2. How We Use Information

Information is used solely to support your participation in the Bipolar IN Order program, including:

3. Sharing and Disclosure

We never sell or share your personal information. De-identified data may be used for research or statistical purposes. We may disclose limited information if required by law.

4. Messaging and Opt-In

Text and email reminders are sent only to users who explicitly opt in from within their Bipolar IN Order account settings. You may unsubscribe at any time from within the app or by replying STOP to any text message.

5. Data Security

Our HIPAA-compliant architecture uses bcrypt password hashing, TOTP two-factor authentication, CSRF token rotation, PDO prepared statements, rate-limited login, and Cloudflare Turnstile CAPTCHA. Configuration files are stored outside the web root. Role-based access controls separate user, partner admin, and system admin capabilities. All authentication events and data access are audit-logged.

6. HIPAA Compliance

Bipolar IN Order maintains safeguards consistent with the Health Insurance Portability and Accountability Act (HIPAA) to protect your health information. We have signed a HIPAA BAA with AWS. All PHI is encrypted at rest and in transit.

All authentication events and PHI (protected health information) access are logged in a comprehensive audit trail. Data sharing access is tracked per-grantee. Admin impersonation is fully logged. The system supports data export for compliance requests.

We execute Business Associate Agreements (BAAs) with all covered entities and service providers that handle protected health information on our behalf. We do not use or disclose your health information except as described in this policy or as required by law.

7. Contact Us

For privacy questions, data requests, or concerns, please contact us.

By using our website or app, you agree to this Privacy Policy.