Security, Privacy & Compliance

Where compassion meets confidentiality

Our Promise

Renidy was built for families and professionals navigating life's most sensitive moments. We understand that privacy isn't optional — it's essential.

Every message, call, and document shared through Renidy is protected by advanced encryption, strict access controls, and the same security principles trusted in healthcare systems.

HIPAA-Compliant Communication

Renidy provides secure storage for personal and end-of-life planning documents. While files are protected using enterprise-grade encryption (AES-256 at rest, TLS 1.2+ in transit) under AWS security standards, Renidy is not a covered entity under HIPAA.

Users are responsible for controlling access and sharing permissions.

Documents stored in Renidy are for informational and planning purposes only and are not transmitted to healthcare providers unless explicitly shared by the user.

Renidy's chat, voice, and video features operate within a HIPAA-compliant environment that meets or exceeds the U.S. HIPAA Security and Privacy Rules.

These tools are designed specifically to protect personal and health-related information shared between families, doulas, and professionals.

Safeguards include:

  • End-to-end encryption for chat, voice, and video
  • AES-256 encryption at rest and TLS 1.2+ encryption in transit
  • Role-based access with multi-factor authentication
  • Audit logging and automatic data retention limits
  • Continuous vulnerability testing and 24/7 monitoring
  • Optional Business Associate Agreements (BAAs) for qualifying professional partners

This environment undergoes annual HIPAA reviews, ensuring compliance with the highest standards for safeguarding Protected Health Information (PHI).

Document Sharing & PHI Protection

Files shared within Renidy's HIPAA-compliant communication tools (for example, uploaded during a chat or video session) are protected under the same HIPAA controls — encrypted, access-restricted, and auditable.

Files or forms uploaded outside of that environment — such as through Renidy's general document vault or planning workspace — are still encrypted and stored securely in ISO 27001- and SOC 2-aligned systems, but they are not part of the HIPAA-audited perimeter.

HIPAA Notice:

Renidy's communication tools (chat, voice, video, and in-session file sharing) operate within a HIPAA-compliant environment audited annually for Security and Privacy Rule adherence.

Files uploaded elsewhere in the platform are secured and encrypted under ISO 27001 and SOC 2 standards but are not part of the HIPAA-audited system.

Security Framework

Renidy's infrastructure follows a layered security and compliance framework aligned with:

  • ISO 27001 – information-security management
  • SOC 2 Type II – operational and data-handling controls
  • GDPR, CCPA, and PIPEDA – global privacy compliance
  • AES-256 encryption at rest / TLS 1.2+ encryption in transit
  • U.S.-based data centers with continuous backup and redundancy
  • Business-continuity and disaster-recovery plans tested twice annually

Every system is built with privacy by design — separating production and test environments, applying least-privilege access, and monitoring for anomalies 24/7.

Renidy Secure Communication Compliance

Renidy's in-platform chat, voice, and video system is built with healthcare-grade security and global data protection standards. Every exchange between families and professionals within this feature is protected under HIPAA, GDPR, and CCPA requirements—ensuring confidentiality, privacy, and compliance at all times.

Healthcare-Grade Encryption

All in-app messages, voice calls, and video sessions are encrypted in transit and at rest using AES-256 and TLS 1.2+ standards.

This ensures that every conversation remains private and inaccessible to unauthorized parties.

Example:

When a family sends a message or joins a video session with their doula inside Renidy, that interaction is encrypted end-to-end within the platform.

HIPAA Compliance

Renidy's communication tools meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) for handling personal health information (PHI).

Conversations, video calls, and file exchanges shared within the Renidy communication feature are HIPAA-compliant and fully encrypted.

Example:

A doula discussing care preferences or emotional support via a Renidy video call remains in a protected, HIPAA-compliant space.

Not covered: If a user downloads or emails a document outside the Renidy communication feature, that action is not under HIPAA protection.

GDPR Compliance

Renidy's communication system aligns with the General Data Protection Regulation (GDPR) to safeguard personal data for EU users.

Users retain the right to access, delete, or export their communication data securely within Renidy.

Example:

A user may request deletion of their chat or call history directly within Renidy.

Not covered: Screenshots or data copied and sent outside the Renidy chat environment are no longer under GDPR protection.

CCPA Compliance

Renidy upholds the California Consumer Privacy Act (CCPA) for users in the United States.

This includes full transparency around communication data, the right to deletion, and assurance that no communication data is sold or shared with third parties.

Example:

A California resident can view and manage their chat and call records securely through Renidy.

Not covered: Once communication data leaves the Renidy environment (e.g., shared externally), it is no longer under CCPA coverage.

Data Residency and Control

All chat and call data is hosted in secure, compliant data centers within the United States, Ireland, or India, depending on user region.

Backups occur every 15 minutes, and all data remains encrypted during storage and transfer.

Example:

A U.S. family's chat records stay within U.S. servers to maintain jurisdictional compliance.

Not covered: Forwarding or re-hosting data outside Renidy's communication tool voids regional protections.

Clear Boundary of Compliance

Renidy's HIPAA, GDPR, and CCPA compliance applies exclusively to data shared within the in-platform communication tool—including chat, voice, and video.

Any data exported, downloaded, or transmitted outside Renidy (such as via email or external storage) is outside the scope of Renidy's compliance coverage.

Protected by healthcare-grade encryption and global compliance standards — HIPAA, GDPR, and CCPA.

Google Calendar Integration & Data Handling

Renidy offers Google Calendar integration to help doulas (healthcare providers) manage their availability and prevent scheduling conflicts. This section explains how we access, use, store, and protect your Google Calendar data.

Data Accessed

When you connect your Google Calendar to Renidy, we request access to:

  • Calendar Events: Read access to your calendar events, including:

    • Event titles and descriptions
    • Start and end times
    • Event locations
    • Event status (confirmed, tentative, cancelled)
    • Event IDs

  • Calendar List: Read access to identify your primary calendar

OAuth Scopes Used:

  • https://www.googleapis.com/auth/calendar - To read calendar events and identify busy times
  • https://www.googleapis.com/auth/calendar.events - To create calendar events when appointments are booked

You control access: You can connect or disconnect your Google Calendar at any time through your account settings. Disconnecting immediately revokes all calendar access.

Data Usage

Renidy uses your Google Calendar data exclusively for the following purposes:

1. Availability Management

  • We sync your Google Calendar events to identify when you're unavailable
  • This prevents double-booking by automatically blocking unavailable time slots
  • Calendar events are transformed into availability blocks in our system
  • Sync occurs automatically every 5 minutes to keep availability up-to-date

2. Appointment Scheduling

  • When clients view your availability, we check your Google Calendar in real-time
  • We exclude times when you have calendar events to show only truly available slots
  • This ensures clients can only book appointments when you're actually free

3. Calendar Event Creation

  • When a client books an appointment with you, we automatically create a corresponding event in your Google Calendar
  • The event includes appointment details: title, description, time, and location
  • This helps you see all appointments in one place (your Google Calendar)
  • If an appointment is rescheduled or cancelled, we update or delete the corresponding calendar event

4. Calendar Sync

  • We maintain a background sync process that runs every 5 minutes
  • This keeps your Renidy availability in sync with your Google Calendar
  • Old availability blocks are automatically removed when calendar events are deleted

Data Processing:

  • All calendar data processing occurs server-side only
  • No calendar data is stored in browser cookies or local storage
  • We only use event metadata (times, titles) to determine availability
  • Full event content is not stored in our database

Data Sharing

No Third-Party Sharing:

  • Your Google Calendar data is NOT shared with any third parties
  • Calendar data is used exclusively within the Renidy platform
  • We do not sell, rent, or provide calendar data to external services
  • Calendar data is not used for advertising or marketing purposes

Internal Use Only:

  • Calendar data is only accessible to:
    • You (the authenticated user who connected their calendar)
    • The Renidy platform for availability calculation and appointment scheduling
    • Clients viewing your availability (they only see busy/available status, not event details)

Data Flow:

  1. You grant calendar access via Google OAuth
  2. Renidy fetches calendar events via Google Calendar API
  3. Events are processed to determine availability
  4. Availability information (busy/available) is shown to clients
  5. No raw calendar data is exposed to clients or third parties

Compliance:

  • All calendar data handling complies with HIPAA, GDPR, and CCPA requirements
  • Calendar data is treated as sensitive personal information
  • Access is restricted to necessary operations only

Data Storage & Protection

Storage Location:

  • OAuth Tokens: Stored in encrypted database fields:
    • Access tokens and refresh tokens are encrypted at rest using AES-256
    • Tokens are stored securely and never exposed in logs or error messages
  • Database: PostgreSQL with encryption at rest
  • Data Centers: United States, Ireland, or India (depending on your region)

Encryption:

  • In Transit: All API calls to Google Calendar API use TLS 1.2+ encryption
  • At Rest: OAuth tokens are encrypted using AES-256 encryption
  • Token Security: Tokens are stored in secure, encrypted database fields

Access Controls:

  • Authentication Required: All calendar operations require a valid user session
  • Authorization: You can only access your own calendar data
  • API Security: Google OAuth tokens are validated before each API call
  • Token Refresh: Access tokens are automatically refreshed when expired

Security Measures:

  • OAuth tokens are stored securely and used only for authorized calendar operations
  • Refresh tokens are stored securely and used only for token renewal
  • All API requests include proper authentication headers
  • Error handling does not expose sensitive token information
  • Security monitoring and intrusion detection are in place

Infrastructure:

  • Secure cloud infrastructure with automated backups
  • Managed PostgreSQL database with encryption at rest
  • Security monitoring and intrusion detection
  • Compliance with SOC 2 and ISO 27001 controls

Data Retention & Deletion

OAuth Tokens:

  • Retention: Tokens are retained as long as your account is active and your calendar is connected
  • Expiration: Access tokens expire automatically (typically after 1 hour) and are refreshed as needed
  • Refresh Tokens: Retained until you disconnect your calendar or revoke access

Calendar Event Data:

  • Availability Blocks: Created from calendar events and stored as availability overrides
  • Automatic Cleanup: Availability blocks are automatically removed when:
    • The corresponding calendar event is deleted from your Google Calendar
    • The event time has passed
    • You disconnect your calendar

Appointment Calendar Events:

  • Retention: Google Calendar events created for appointments remain in your Google Calendar
  • Deletion: When an appointment is cancelled, the corresponding Google Calendar event is deleted
  • User Control: You can delete events directly from your Google Calendar at any time

How to Delete Your Calendar Data:

Option 1: Disconnect Calendar (Immediate)

  • Navigate to Settings → Google Calendar → Disconnect
  • This immediately:
    • Revokes OAuth tokens with Google
    • Deletes all stored tokens from our database
    • Stops calendar sync
    • Removes all availability blocks created from your calendar

Option 2: Revoke Access via Google

  • Go to your Google Account settings → Security → Third-party apps
  • Revoke access for Renidy
  • This invalidates tokens immediately
  • Our system will detect the revoked access and mark your calendar as disconnected

Option 3: Delete Your Account

  • When you delete your Renidy account:
    • All OAuth tokens are deleted
    • All availability blocks are deleted
    • Appointment calendar events remain in your Google Calendar (you control these)

Data Deletion Requests:

  • Contact us at [email protected] to request deletion of all calendar-related data
  • We will verify your identity and delete all calendar data within 30 days
  • You will receive a confirmation email when deletion is complete

Compliance:

  • GDPR: You have the right to erasure - you can request deletion of all calendar data
  • CCPA: California residents have the right to deletion of their calendar data
  • HIPAA: Data retention follows healthcare data retention policies

Training & Oversight

All Renidy team members complete background screening (where permitted by law) and receive annual security and HIPAA awareness training.

Every employee signs confidentiality and acceptable-use agreements, ensuring that your information remains protected at every level of our operations.

Transparency and Partnership

Professionals handling PHI can request a Business Associate Agreement (BAA) as part of their onboarding or subscription.

Families and users can request details about Renidy's privacy, security, and compliance framework at any time by contacting [email protected].

In Summary

  • HIPAA-Compliant: Chat, voice, video, and in-session file sharing (with optional BAA)
  • Secure & Encrypted: All other Renidy features under ISO 27001 / SOC 2 controls
  • Google Calendar Integration: Secure, encrypted calendar sync with no third-party sharing
  • Audited: Annual HIPAA review and continuous security testing
  • User Control: You can disconnect Google Calendar or delete your data at any time

Renidy gives families and care professionals peace of mind that every conversation, call, shared file, and calendar integration is handled with dignity, discretion, and industry-grade protection.

Questions about our privacy practices?

Contact us at [email protected]