ReziScoreHome

ReziScore Privacy Policy

Effective date: June 17, 2026 Last updated: June 17, 2026 Operating entity: Golden Health Services LLC ("we," "us," or "our"), the company that owns and operates the ReziScore service ("ReziScore" or the "Service") Contact: info@reziscore.com


1. Who we are and what this policy covers

ReziScore is a software-as-a-service application that digitizes the Maryland Resident Assessment Tool (Form 4506) and the Level of Care Scoring Tool under COMAR 10.07.14, for use by assisted-living facilities and their workforce. We provide the Service to facility organizations (our "Customers"), whose authorized staff ("Users") use it to assess and place residents.

This Privacy Policy explains how we handle:

  • Account and website data - information about the Users and Customers who access the Service, and visitors to our website; and
  • A description of how we handle Protected Health Information (PHI) about residents, which we process only on behalf of, and under the direction of, our Customers.

Our role under HIPAA

For PHI, ReziScore acts as a Business Associate (45 CFR Part 160 and Part 164). Each Customer is the Covered Entity (or another Business Associate) and is responsible for its own Notice of Privacy Practices and for its relationship with residents. Our handling of resident PHI is governed by the Business Associate Agreement (BAA) executed between ReziScore and each Customer - not by this Privacy Policy. Where the BAA and this Privacy Policy conflict as to PHI, the BAA controls.

This Privacy Policy is not a HIPAA Notice of Privacy Practices. Residents who want to exercise rights over their health information (access, amendment, accounting of disclosures, etc.) should contact the facility that maintains their records.

2. Information we collect

a. About Users (facility workforce members)

DataWhy we collect it
Email addressAuthentication, password reset, and transactional notifications
Display nameUser interface and audit-log attribution
Password (stored only as a bcrypt hash - never in plaintext)Authentication
Session activity timestampsEnforcing the HIPAA-aligned idle timeout
Failed-login and lockout stateBrute-force protection
IP address (transient)Rate limiting and audit context
Daily AI-extraction usage countsCost control on the extraction feature

b. About residents (PHI - processed on behalf of Customers)

When a Customer's User enters or uploads assessment information, we process resident PHI on the Customer's behalf, including: resident name, date of birth, and Social Security number; facility placement and status history; the full Form 4506 clinical assessment; uploaded documents (e.g., HCP forms, physician orders, lab results, care plans, immunization records); and audit-log records of access to that information.

c. Information cached on your device (offline support)

To keep the Service usable when connectivity drops, your browser may temporarily cache in-progress assessment drafts and recently viewed lists in local storage (IndexedDB). Full resident PHI is not cached for offline editing; stale cached views are read-only. Cached drafts are automatically purged after 7 days, and all local data is cleared on logout.

d. What we do not collect

We do not collect or use: location data (beyond transient IP for rate limiting), advertising or device identifiers, biometric data, behavioral/engagement analytics, or marketing data. We do not knowingly collect information from children - the Service is for facility workforce use only.

3. How we use information

We use account and website data to: provide, secure, and operate the Service; authenticate Users and prevent abuse; send transactional notifications (e.g., password resets, reassessment reminders, billing notices); maintain audit logs; provide support; and comply with our legal obligations. We process resident PHI solely to provide the Service to the Customer and as permitted by the applicable BAA. We do not sell personal information, and we do not use PHI for advertising or marketing.

4. How we share information (subprocessors)

We share data only with service providers that help us run the Service, under contract and (where PHI is involved) under a Business Associate Agreement:

SubprocessorWhat it receivesPurpose
NeonAll stored data, including PHIPrimary database (Postgres)
AWS (hosting, storage, AI, email infrastructure, logging)App data, including PHIHosting, file storage, AI extraction, email transport, logging
PauboxRecipient email address; bodies are PHI-minimized (opaque notifications + app links). The optional "share by email" feature attaches an assessment PDF, which is PHI.HIPAA-native transactional email
Anthropic (or AWS Bedrock)Health-care-provider form images submitted for extractionAI extraction of structured data from uploaded forms
SentryError reports with PHI actively scrubbed before transmissionError monitoring

We require a BAA with every subprocessor that may handle PHI. We do not share data with advertisers, marketing platforms, or third-party analytics vendors. We may disclose information if required by law, to protect our rights or the safety of others, or in connection with a merger or acquisition (subject to the same protections described here).

5. Security

We use administrative, technical, and physical safeguards designed to protect information, including: TLS encryption in transit; AES-256 encryption at rest (including field-level AES-256-GCM encryption of Social Security numbers); bcrypt password hashing; a 30-minute server-enforced idle timeout; rate limiting and account lockout; tamper-evident audit logging (HMAC-SHA256); and active scrubbing of PHI from error reports. No method of transmission or storage is perfectly secure, but we work to protect information consistent with the HIPAA Security Rule and applicable law.

6. Data retention and deletion

We retain account data for as long as a Customer's account is active and as needed to provide the Service. Resident PHI is retained, returned, or destroyed in accordance with the applicable BAA and the Customer's instructions, subject to legal retention requirements. On account termination, we return or delete PHI as the BAA requires. Audit logs may be retained as required by HIPAA and our retention policy.

7. Your choices and rights

  • Users may review and update their account profile, change their password, and contact us at info@reziscore.com with questions or requests.
  • Residents and their representatives should direct requests regarding health information to the facility that maintains the records; the facility, as Covered Entity, handles such requests and may direct us to act accordingly.
  • Depending on your jurisdiction (including Maryland), you may have additional rights regarding your personal information. Contact us to exercise any such rights; we will respond as required by applicable law.

8. Cookies and tracking

We use a single, strictly necessary, encrypted session cookie to keep you signed in and to enforce the idle timeout. We do not use advertising cookies, cross-site trackers, or third-party analytics. Because we do not track users across sites, we do not respond to browser "Do Not Track" signals differently.

9. Children's privacy

The Service is intended for facility workforce members and is not directed to children. We do not knowingly collect personal information from anyone under 18 as a User. (Resident records may relate to individuals of any age and are governed by the BAA and applicable law.)

10. International users

The Service is operated in the United States and intended for U.S.-based facilities. If you access it from outside the United States, you understand that your information will be processed in the United States.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version with a new "Last updated" date and, for material changes, provide additional notice as required by law. Continued use of the Service after an update constitutes acceptance of the revised policy.

12. Maryland-specific notice

ReziScore operates from Maryland and handles information about Maryland residents. In addition to HIPAA, the Maryland Personal Information Protection Act (MPIPA) and the Maryland Confidentiality of Medical Records Act (MCMRA) may apply, including their breach-notification requirements and notification to the Maryland Attorney General. In the event of a breach of security affecting personal information, we will notify affected parties and regulators as required by applicable federal and Maryland law and by the applicable BAA.

13. Contact us

Golden Health Services LLC Attn: Privacy Officer 1745 Featherwood Street, Silver Spring, MD 20904 info@reziscore.com

Terms and Conditions · info@reziscore.com