Privacy Policy

Effective April 16, 2026

Larch is a credential tracker for clinicians — licenses, DEA registrations, board certifications, CE/CME credits, and the documents behind them. This policy explains what we collect, why we collect it, and how we handle it. We keep the rules plain because clinicians are tired of vendors who don’t.

Who we are

Larch is a software service operated by The Advanced Practice Network LLC, a Kentucky limited liability company. Contact us at support@larchhealth.com. For legal and compliance matters, write to legal@larchhealth.com.

What we collect

We collect the minimum data needed to track your credentials. That includes account basics (email, hashed password, session tokens), professional profile (full name, NPI, credential type, primary specialty, primary state), and the credential records themselves — license numbers, DEA registrations, state CSR/CDS numbers, board certifications, CE/CME logs, and the issue/expiration dates attached to each. You can also upload supporting documents (license PDFs, certificates, CME completion records); those are encrypted at rest and only you and accounts you explicitly invite can read them.

We do not collect or store patient information. Larch is for clinician credentials, not patient charts — if you find a place to enter PHI, we have a bug, and we’d like to hear about it.

We also collect routine technical data to keep the service running: IP addresses on authentication events, user-agent strings, and audit logs of reads and writes against your credential records.

How we use it

Everything we collect is used to operate the product: authenticate users, render your dashboard, compute state-specific CE/CME requirements, surface renewal alerts at 90, 60, 30, 14, and 7 days out, produce audit-ready exports for board renewals, and send transactional email (sign-in links, renewal reminders). We do not sell data. We do not share data with advertising networks. We do not build marketing profiles. If you opt in, we may show you relevant partner offers (state CME bundles, malpractice quotes, license-application services) and earn a referral fee — but that’s opt-in, never the default, and your underlying credential data stays with us.

Sub-processors

Larch relies on a small number of reputable vendors to run the service. Current sub-processors:

We require each sub-processor to sign a Business Associate Agreement where applicable and to maintain security controls consistent with SOC 2 or equivalent.

Data retention

Credential records and uploaded documents are retained for as long as your account is active. When you close your account, we delete your data within thirty days unless a longer retention is required by law (some state CE/CME audit windows reach back six years, so we may keep an audit log of completion records that long if you ask). Audit logs of reads and writes against your records are retained for two years. Session logs and routine technical telemetry are retained for ninety days.

Your rights

You can export everything we hold about you in a machine-readable format from your account settings, ask us to correct any of it, or ask us to delete your account entirely. Send written requests to legal@larchhealth.com. We respond within thirty days. California, Colorado, Virginia, and Connecticut residents have additional rights under their state privacy laws — we honor those, and the contact above is the right way to invoke them.

Contact

Questions about this policy, or about how your data is handled, go to support@larchhealth.com. Security reports and responsible-disclosure submissions go to security@larchhealth.com.

We may update this policy as the product evolves. Material changes will be announced by email to account owners at least fifteen days before they take effect.