RTCredBack to home

Legal

Privacy Policy

Effective April 27, 2026.

Plain-language summary. RTCred is for respiratory therapists and the departments that employ them. We track credentials — licenses, certifications, CEUs — not patient data. We collect what we need to show you your records and remind you before they expire. We share data only with vendors who help us run the service. We never sell your information. You can download or delete your data at any time.

1. Who we are

RTCred is a product of Data Care Solutions LLC, the operator of rtcred.com and its connected services (collectively, the "Service"). In this policy, "RTCred", "we", "us", and "our" refer to Data Care Solutions LLC. Questions about this policy can go to privacy@rtcred.com.

2. What we collect

2.1 Account information

  • Email address (used as your sign-in identifier).
  • Full name (appears on the Joint Commission compliance export).
  • State of practice (drives state-specific CEU rules).
  • Phone number (only if you opt into SMS reminders; verified via one-time code).
  • Role (therapist or department manager) and, for managers, the department you belong to.

2.2 Credential data you enter or upload

  • License, certification, and credential records (type, issuer, identifier, issue/expiration dates, notes).
  • Documents you choose to upload (photos of cards, PDF certificates, vaccination records, fit-test results).
  • CEU entries (course title, provider, hours, category, completion proof).

2.3 Usage and technical data

  • Device and browser information (user agent, IP address, approximate location based on IP).
  • Logs of actions you take inside the app (used for the audit trail required by Joint Commission and similar accreditors).
  • Cookies needed to keep you signed in and to remember your preferences.

2.4 What we do not collect

RTCred is not subject to HIPAA. We are not a covered entity and we are not a business associate of any covered entity. We do not collect, store, transmit, or process patient information or protected health information (PHI), and the Service is not designed for that purpose. The data we hold is staff credential information — licenses, certifications, fit-test results, and immunization records that you upload as part of your own employment file — not clinical data about patients.

3. How we use your information

  • To run the Service: show you your credentials, track expiration dates, generate compliance reports.
  • To send reminders by email and (if you opt in) SMS at 90, 60, 30, and 7 days before a credential expires.
  • To let your department manager (if you belong to one with an active subscription) see whether your credentials are current — but never the underlying documents themselves without your consent.
  • To keep the audit log required by accreditation bodies.
  • To respond to support requests.
  • To detect abuse and protect the Service.

We do not use your information to train AI models, sell advertising, or build profiles for resale.

4. Legal bases for processing

For users in jurisdictions that require this disclosure (such as the EEA, UK, and California), we process your information on the following bases: performance of the contract between you and us (running the Service), legitimate interest in operating and securing the Service, your consent (for SMS reminders specifically), and compliance with legal obligations.

5. Who we share information with (service providers)

We share information only with vendors who process it on our behalf and only as needed to run the Service. Each is a "service provider" under California law and a "processor" under comparable privacy laws, contractually bound to protect your data and use it only for the purposes we specify. Categories of personal information disclosed to each are noted inline below.

  • Supabase — database, authentication, file storage. Categories disclosed: account data, credential records, uploaded documents, audit logs. Hosted in the United States.
  • Vercel — application hosting and content delivery. Categories disclosed: usage and technical data (IP, user agent), in transit while you use the Service. Hosted in the United States.
  • Resend — sending transactional emails (sign-in links, expiration reminders, account notices). Categories disclosed: email address, name, credential type and expiration date as they appear in the email body.
  • Twilio — sending SMS reminders and verifying phone numbers, only when you opt in. Categories disclosed: mobile phone number, SMS message body, verification code metadata. Twilio also retains opt-in/opt-out timestamp evidence on our behalf.
  • Inngest — running scheduled background jobs (the daily expiration scan). Categories disclosed:internal record identifiers; no human-readable PII is sent to Inngest's payload by design.
  • Stripe — processing payments for department subscriptions. Categories disclosed: billing contact, last four digits of payment card, transaction amounts. Stripe handles full card data directly; we never see or store full card numbers.

If your department subscribes to RTCred, your manager and any designated assistant managers can see the metadata of your credentials (type, expiration, current/expiring/expired status) and whether reminders are being acknowledged. They cannot view documents you have not explicitly shared, and they lose access automatically when you leave the department.

We may also disclose information when legally required (subpoena, court order, law enforcement request) and will, where lawful, notify you before doing so. If we are ever acquired or merged, your information may transfer to the acquiring entity, but they will be bound by this policy or its successor.

6. SMS-specific terms

SMS reminders are entirely optional and disabled by default. You must verify your phone number and explicitly opt in from the Settings page before any SMS will be sent. By providing your phone number and opting into the SMS program, you consent to receive recurring credential-expiration reminders from RTCred at the phone number you provide.

  • Program name: RTCred credential expiration reminders.
  • Program description: Automated SMS reminders sent before a credential you are tracking in RTCred is set to expire, so you can renew it before it lapses.
  • Frequency: Up to four messages per credential per renewal cycle (sent at 90, 60, 30, and 7 days before expiration; SMS is sent only at the 30-day and 7-day thresholds, while email covers all four). For most therapists this works out to fewer than two SMS messages per month.
  • Sample message: "RTCred: Action soon — Arizona RT license expires May 15 (30d). Open vault: https://rtcred.com/app · Reply STOP to opt out."
  • Charges: Standard message and data rates may apply. SMS is sent through Twilio; the actual charge to you depends on your wireless carrier and plan, not on us.
  • HELP: Reply HELP to any RTCred SMS to receive support information, or contact hello@rtcred.com.
  • STOP / Opt out: Reply STOP (or END, CANCEL, UNSUBSCRIBE, QUIT) to any RTCred SMS to unsubscribe immediately. You will receive a one-time confirmation that you have been unsubscribed, and no further reminders will be sent. You can also turn SMS off any time in Settings → Reminders.
  • Carrier liability: Carriers are not liable for delayed or undelivered messages.
  • No third-party sharing. Mobile information and messaging consent are not shared with third parties or affiliates for marketing or promotional purposes at any time. SMS opt-in data, phone numbers, and message content are not sold, rented, or otherwise transferred for marketing.
  • Supported carriers: All major U.S. carriers including AT&T, T-Mobile, Verizon, and their MVNOs. Carriers may filter or delay messages outside our control.

Consent to receive SMS is not a condition of using RTCred. The Service's features, including email reminders, work without SMS. You may withdraw consent at any time without affecting your account.

7. How we protect your information

  • All data is encrypted in transit (TLS) and at rest.
  • Database access is gated by row-level security: every read of every record checks that you own it (or, for managers, that the record belongs to your department).
  • Uploaded documents are stored in a private bucket; download links are short-lived and signed.
  • Background jobs that need elevated access run with a separate service-role key, which never reaches the browser.
  • An audit log records who took what action and when, so departments can demonstrate compliance to accreditors.

No system is perfectly secure. If we ever discover a breach that affects you, we will notify you without undue delay and in accordance with applicable law.

8. How long we keep information

We retain personal information only as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods by category:

  • Account data (email, name, state, phone): for the life of your account. Deleted within 30 days of account closure.
  • Credential records and uploaded documents: for the life of your account, or until you delete the individual record. Deleted within 30 days of account closure.
  • SMS opt-in records and phone-verification timestamps: retained for the life of your account plus 4 years after opt-out, as required by TCPA litigation defense. The number itself is removed from active sending after STOP.
  • Audit logs: at least 6 years, to satisfy Joint Commission and similar accreditor lookback requirements, even if the underlying credential record has been deleted.
  • Billing records: 7 years, as generally required by U.S. tax law.
  • Reminder send history (when, channel, status): 2 years, for support and abuse-investigation purposes.
  • Server and security logs: 90 days.
  • Routine backups: 30 days; deletions propagate on that schedule.

9. Your rights

You can, at any time:

  • Sign in and view, edit, or delete any of your credentials and uploaded documents.
  • Export a copy of your data in a portable format. Email privacy@rtcred.com if you need a manual export.
  • Delete your entire account from the Settings page. Your therapist data leaves with you when you leave a department.
  • Opt out of any non-essential communication.

Depending on where you live, you may also have additional rights — access, correction, deletion, restriction, portability, objection, and the right to withdraw consent. We honor these requests for all users, regardless of jurisdiction.

9.1 California residents

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have the right to:

  • Know the categories of personal information we collect, the sources, and the business purposes for collection (see Section 2 above).
  • Know the categories of personal information disclosed to service providers in the past 12 months (see Section 5 above; we disclose contact info, credential data, and usage data to the listed subprocessors as needed to provide the Service).
  • Access a portable copy of the personal information we hold about you.
  • Request correction of inaccurate personal information.
  • Request deletion of your personal information.
  • Limit use of sensitive personal information (we do not use sensitive PI for any purpose other than providing the Service).
  • Not be subject to discrimination for exercising these rights.

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, so the rights to opt out of sale or sharing do not apply. We have not sold or shared personal information in the prior 12 months. Authorized agents may submit requests on your behalf with written authorization. Submit requests to privacy@rtcred.com; we will verify identity before fulfilling.

9.2 Automated decision-making (ADMT)

We do not use automated decision-making technology that produces legal or similarly significant effects about you. The reminder scheduler is rule-based on dates you enter; it does not evaluate, score, or profile you. We do not use your information to train AI or machine-learning models.

10. Children's privacy

RTCred is intended for licensed respiratory therapy professionals and the departments that employ them. The Service is not directed at and not knowingly used by anyone under 18. If you believe a minor has created an account, contact us and we will delete it.

11. International users

RTCred is operated from and hosted in the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S. By using the Service you consent to that transfer.

12. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and post the updated policy here at least 14 days before it takes effect. The "Effective" date at the top of this page reflects the latest version.

13. Contact us

Privacy questions, data requests, or breach reports: privacy@rtcred.com. General support: hello@rtcred.com.