Legal

Privacy Policy

Effective May 6, 2026

Larch is a credential tracker for clinicians — licenses, DEA registrations, board certifications, CE/CME credits, and the documents behind them. This policy explains what we collect, why we collect it, and how we handle it. We keep the rules plain because clinicians are tired of vendors who don’t.

Who we are

Larch is a software service operated by Larch Health LLC, a Kentucky limited liability company. Contact us at support@larchhealth.com. For privacy, legal, or compliance matters, write to the same address with “Privacy Request” or “Legal” in the subject line.

What we collect

We collect the minimum data needed to track your credentials. That includes account basics (email, password hash, and session tokens managed by our authentication vendor), billing basics (subscription tier and the customer identifier our payment processor assigns; card numbers never reach our servers), professional profile (full name, NPI, credential type, subspecialty), and the credential records themselves — license labels and numbers, DEA registrations, state CSR/CDS numbers, board certifications, CE/CME logs, and the issue/expiration dates attached to each. You can also upload supporting documents (license PDFs, certificates, CME completion records); those are stored encrypted at rest in private storage that is reachable only through your authenticated account, never from a public URL.

We do not collect or store patient information. Larch is for clinician credentials, not patient charts — if you find a place to enter PHI, we have a bug, and we’d like to hear about it.

We also collect routine technical data to keep the service running: IP addresses on authentication events, user-agent strings, and an internal audit log of write activity (creates, updates, deletes) against your credential records.

How we use it

Everything we collect is used to operate the product: authenticate users, render your dashboard, compute state-specific CE/CME requirements, surface renewal alerts at 90, 60, 30, 14, and 7 days out, and send transactional email (sign-in links, renewal reminders, account messages). We do not sell data. We do not share data with advertising networks. We do not build marketing profiles. We do not run affiliate or partner-referral monetization on your credential data.

Sub-processors

Larch relies on a small number of reputable vendors to run the service. Current sub-processors:

Each sub-processor maintains independent security certifications (SOC 2 Type II or equivalent). Larch is a clinician credential tracker; we do not collect, process, or store patient health information, so we are not a HIPAA covered entity or business associate and Business Associate Agreements with these vendors are not required.

Data retention

Credential records and uploaded documents are retained for as long as your account is active. When you click Delete in your account settings, the deletion runs immediately: every credential record, every uploaded document, your authentication record, and your profile are removed in the same request. Internal audit-log entries that record write activity on your data are kept after deletion with the actor identifier removed, so the historical record of what happened survives without identifying you. Session logs and routine technical telemetry (IP addresses on authentication events, user-agent strings) are retained for ninety days.

Your rights

You can download a JSON export of everything we hold about you, change your name, email, or NPI, or permanently delete your account — all from the Account screen inside the app. Need a correction we can’t make from there, or want to invoke a state-law privacy right? Email support@larchhealth.com with “Privacy Request” in the subject line. We respond within thirty days. Residents of states with comprehensive consumer-privacy laws (including California, Colorado, Connecticut, Virginia, Texas, Tennessee, Oregon, and others) have additional rights under those laws — we honor them, and the contact above is the right way to invoke them.

California residents — Notice at Collection

Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the following Notice at Collection applies if you are a California resident.

Categories of personal information we collect: identifiers (name, email, NPI when supplied, IP address, user-agent strings); commercial information (subscription tier, payment-processor customer id — the card number itself never touches our servers); professional information (the credentials, documents, and CE entries you log into Larch); and internet/electronic-network activity (request logs limited to authentication events). We do not knowingly collect biometric, geolocation, sensory, or sensitive-personal-information categories beyond what is enumerated here.

Sources: directly from you (when you sign up or enter data into the app); from Stripe (subscription and payment events); from the public NPPES registry (only when you choose to submit your NPI for enrichment).

Business and commercial purposes: providing the service you signed up for (storing your credentials, sending renewal alerts, hosting documents); processing your subscription payment via Stripe; security and fraud prevention; honoring legal obligations.

Sale or sharing: Larch does not sell, share for cross-context behavioral advertising, or otherwise monetize your personal information. Your California right to opt out of the sale or sharing of personal information has nothing to opt out of, because there is no sale or sharing happening.

Retention: see the Data retention section above. Credential records, uploaded documents, your profile, and your authentication record are retained while your account is active and are deleted in the same request when you delete your account; audit-log entries survive with the actor identifier removed; authentication-event telemetry (IP addresses, user-agent strings) is retained for ninety days.

How to invoke your CCPA/CPRA rights: email support@larchhealth.com with “California Privacy Request” in the subject line. We respond within forty-five days (extendable once by an additional forty-five days, with notice, per CCPA §1798.130). We do not discriminate against you for exercising any of these rights.

Contact

Questions about this policy, security reports, responsible-disclosure submissions, or anything else — everything goes to support@larchhealth.com. Use a descriptive subject line (“Security Report”, “Privacy Request”, etc.) to help us route quickly.

We may update this policy as the product evolves. Material changes will be announced by email to account owners at least fifteen days before they take effect.