ADDISON'S DIARY
HIPAA Notice & Health Data Policy
Pribco LLC · addisonsdiary.com
Effective June 21, 2026 · Version 3.1 · USA Only
| WHAT THIS POLICY MEANS IN PLAIN ENGLISH |
|---|
| Addison’s Diary is NOT a HIPAA-covered platform. |
| We are not a hospital, health plan, or healthcare clearinghouse. |
| The law that governs hospital health records does not technically apply to us. |
| But we know what you share on our platform to communicate with your loved ones. |
| You are sharing care notes about a loved one. |
| You are sharing medication lists. |
| You are sharing health observations, schedules, and deeply personal family moments. |
| You may be uploading health-related and medical information into our system for your loved ones to access. |
| We treat that information with the same level of protection we would give to any clinical health record — because it deserves that. |
| This policy explains exactly what we do, what we don’t do, what we have access to and do not have access to, and what rights you have over the health-related information you choose to share on this platform. |

| IN ANY MEDICAL EMERGENCY — CALL 911 IMMEDIATELY. |
|---|
| Addison’s Diary is NOT monitored. Notifications may be delayed or may fail to deliver. |
| NEVER use this platform to request emergency assistance. |
| If someone’s life is at risk — call 911 FIRST. Always. |
THIS PLATFORM IS NOT AN EMERGENCY SERVICE — IN ANY EMERGENCY, CALL 911 IMMEDIATELY
In any situation where someone’s life may be at risk — stop, call 911, and get real help on the way. Do not use any feature of this platform as a substitute for emergency services.
PREAMBLE — GOVERNING DOCUMENTS AND PRECEDENCE
Governing Documents
This HIPAA Notice and Health Data Policy is one of several legal instruments that govern your use of the Addison’s Diary platform. By accessing or using the Platform, you agree to be bound by each of the following documents, all incorporated herein by reference:
- Privacy Policy — governs the collection, use, storage, and disclosure of your personal information, including operator access controls, data retention, and legal process disclosures. Available at addisonsdiary.com/privacy.
- HIPAA Notice and Health Data Policy — this document. Governs our HIPAA status, health-related information handling, voluntary HIPAA-minded commitments, and your health data rights.
- Acceptable Use Policy — governs permitted and prohibited uses of the Platform. Available at addisonsdiary.com.
- Cookie Policy — explains the cookies and tracking technologies used, their purposes, and how you can manage your preferences. Available at addisonsdiary.com/cookies.
- Data Deletion and User Rights Policy — governs the complete account closure lifecycle, deletion timelines, and your rights to access, correct, delete, and port your personal data. Available at addisonsdiary.com.
- Terms of Use — governs your access, rights, obligations, prohibited conduct, account termination, and limitation of liability. Available at addisonsdiary.com/terms.
- Platform Disclaimer — governs the medical, regulatory, and liability disclaimers applicable to your use of the Platform. Available at addisonsdiary.com.
In the event of any conflict between these documents, the order of precedence is: Terms of Use, Acceptable Use Policy, Data Deletion and User Rights Policy, HIPAA Notice and Health Data Policy, Privacy Policy, then Cookie Policy.
Your Information Is Yours — You Control Who Sees It
Pribco LLC does not access, review, use, share, sell, or process the personal or sensitive information you enter into the Platform except to the limited extent strictly necessary to operate and deliver the service, or as required by applicable law, valid legal process, or mandatory reporting obligations. Disclosures to service providers are made under strict contractual restrictions for service delivery only and are not commercial sharing. We do not read your care journals, review your documents, or monitor your family messages. Your information is never sold, licensed, or shared with advertisers, insurers, employers, healthcare systems, or any third party for their independent use.
1. Our HIPAA Status — Stated Plainly and Honestly
What HIPAA Is
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the primary US federal law governing the privacy and security of health information. HIPAA’s Privacy Rule and Security Rule apply to “covered entities” — healthcare providers, health plans, and healthcare clearinghouses — and their “business associates,” meaning companies that handle protected health information on behalf of those covered entities.
Pribco LLC Is Not a Covered Entity
Pribco LLC is a technology company that operates a family organizational platform. We are not:
- A healthcare provider
- A health plan or health insurance company
- A healthcare clearinghouse
- A business associate acting on behalf of any covered entity
| Pribco LLC is NOT a HIPAA-covered entity. |
|---|
| Addison’s Diary is NOT a HIPAA-compliant platform. |
| Addison’s Diary has NOT been independently certified or audited for HIPAA compliance. |
| The information you enter into Addison’s Diary is personal family information. |
| Information in Addison’s Diary is not treated as HIPAA “Protected Health Information” (PHI) unless and until Pribco acts as, or on behalf of, a covered entity or business associate in a manner that brings the data within HIPAA. |
| The correct and accurate description of our posture is: HIPAA-ADJACENT. |
| We will never describe this platform as “HIPAA-compliant” or “HIPAA-certified.” |
| Anyone who tells you otherwise about Addison’s Diary is incorrect. |
What “HIPAA-Adjacent” Means
HIPAA-adjacent means we are not legally required to comply with HIPAA, but we have chosen to build our platform with HIPAA-minded practices because:
- The information families share on Addison’s Diary is deeply sensitive — care notes, medication lists, health observations, end-of-life documents
- We believe families deserve the same level of protection for their personal health information regardless of whether the law technically requires it
- We have implemented HIPAA-minded security practices appropriate for the sensitive information families share on this platform
2. What Health-Related Information We Handle
Addison’s Diary handles the following categories of health-related personal information, only to the extent voluntarily entered by users:
Clinical Reference Information
- Medication names, doses, frequencies, and administration schedules
- Medication log entries: who administered each dose and when
- Medication refill dates and prescribing physician information
- At-home care task records: bed rotation, wound care, oral hygiene, feeding, repositioning, and similar non-clinical care activities
- At-home care completion logs: who performed each task and when
- Care journal entries: observations about a loved one’s mood, pain level, lucidity, appetite, and daily condition
- Appointment records: upcoming medical appointments, provider names, and care notes
- Medical team contact information: physicians, specialists, pharmacists, and care agencies
Personal and Administrative Health Information
- Patient profile information: name, date of birth, current care setting, known allergies
- Document Vault contents: which may include advance directives, powers of attorney, living wills, DNR orders, insurance cards, Medicare/Medicaid identification, and recent laboratory results
- Care location and care setting: at home, hospice, rehabilitation, assisted living, hospital
- Caregiver schedule and shift information: who is responsible for care at what times
What We Do Not Handle
Addison’s Diary does not receive or handle anything from third-party healthcare providers unless you, as the user, decide to upload such information. If you upload clinical data of any kind, you acknowledge that you have the legal right to share it — either as the patient yourself or because you hold a medical power of attorney authorizing you to do so. In particular, we do not receive any of the following from clinical systems:
- Electronic health records (EHR) or clinical records from any healthcare provider
- Lab results, imaging, or diagnostic data transmitted from a clinical system
- Insurance claims data or explanation of benefits records
- Billing records from any healthcare provider
- Any data transmitted from a clinical device, monitoring system, or hospital information system
Important clarification: All health-related information in Addison’s Diary is entered by family members and personal, non-licensed caregivers. It is not transmitted from clinical, hospital, emergency care, or pharmaceutical systems, and it is not reviewed or verified by any licensed medical professional. It is personal family coordination information entered only by you and your loved ones, not a clinical record created by a licensed healthcare provider.
For purposes of processing, recipients, and detailed retention periods for each category described in this section, see Privacy Policy Sections 2 (Information We Collect), 3 (How We Use Your Information), 4 (Third-Party Service Providers), and 7 (Data Retention and Deletion) at addisonsdiary.com/privacy.
Important: Users should not upload clinical EHR extracts, raw hospital records, or data transmitted directly from a covered healthcare entity’s system. Any future clinical integrations will be subject to separate terms, updated notices, and Business Associate Agreements as applicable.
3. Our Health Data Commitments
Although we are not legally required to comply with HIPAA, we have made the following voluntary commitments regarding health-related information on our platform. These commitments are binding on Pribco LLC and its employees.
3.1 We Will Not Sell Health-Related Information
| We do not sell your health-related information. This prohibition applies regardless of whether the information is individually identifiable and covers all commercial sales, licenses, rentals, and transfers to data brokers, advertising platforms, and marketing companies. |
|---|
| We may disclose health-related information if required by law, or in connection with a merger or acquisition with prior notice to users. We will not disclose it for advertising, data-broker, or other commercial purposes. |
| Disclosures to service providers (AWS, Stripe, Postmark, Twilio) are made under strict contractual restrictions solely to deliver the service and are not sales or commercial sharing. |
| The prohibition on selling health-related information is absolute and permanent. It applies regardless of whether the information is individually identifiable. It applies in all circumstances except as required by law, or in connection with a corporate transaction with notice to users. |
3.2 Our Services Are Not Intended to Share Health Information with Healthcare Entities
Pribco LLC will not share, disclose, or transmit health-related information entered into Addison’s Diary with:
- Any healthcare provider, physician practice, hospital, or health system
- Any health insurance company, Medicare or Medicaid administrator, or health plan
- Any pharmaceutical company or pharmacy benefit manager
- Any home health agency, hospice organization, or skilled nursing facility
- Any employer for employment-related purposes
- Any data broker, advertising platform, or marketing company
- Any research institution, without your express written consent
Notwithstanding the commitments above, Pribco LLC may disclose health-related information without prior consent where required by valid legal process, to prevent or investigate a crime, to protect the safety of any person where information comes to our attention indicating such a risk, or in connection with a merger, acquisition, or asset sale of Pribco LLC — in which case we will provide prior notice to users and ensure the prohibition on selling for advertising or data-broker purposes is preserved as a binding commitment on any successor. We will never sell or share health-related information for advertising, behavioral profiling, or commercial data-broker purposes under any circumstances. Our policies prohibit you from using the platform to share your health-related information directly with your health professionals.
3.3 We Will Never Use Health Information for Advertising
Pribco LLC does not and will not use health-related information entered into Addison’s Diary to build advertising profiles, target advertisements, or infer sensitive characteristics about users for commercial purposes.
Addison’s Diary uses the Meta Pixel (and Conversions API) and Google Analytics 4 (GA4) on the public landing page for marketing and analytics purposes. These tools are architecturally restricted to public pages before sign-up. Google reCAPTCHA and Rewardful are not currently active but may be used in the future with notice. None of these tools load inside the authenticated app, and no health or care information is ever transmitted to Meta or Google via any path — pixel events, Conversions API payloads, page URLs, custom parameters, or email content. This is enforced by architecture, not merely by policy.
3.4 Minimum Necessary Access
Inspired by HIPAA’s “minimum necessary” standard, Pribco LLC limits access to health-related information as follows:
- Family members see only what the account administrator has granted them permission to see, using granular per-section, per-member permission controls enforced server-side
- Pribco LLC’s operators have no routine access to your care journal entries, medication records, messages, or document vault contents
- Operator access to care content requires a deliberate, separately authenticated “break-glass” step using a dedicated MFA-protected role
- Every use of the break-glass access role is automatically recorded in a tamper-evident AWS CloudTrail audit log
- Operator tools (the admin console) are technically blocked from accessing family health content — the admin Lambda has no IAM permission to read the FamilyData table or access the S3 file storage bucket. Patient profile information (date of birth, blood type, physician, insurance, power of attorney, allergies, and related medical detail) is stored in FamilyData and is therefore covered by the same IAM restriction
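The IAM-level restriction described in the last bullet, expressed as an illustrative identity policy. This is an added example, not Pribco’s own policy document: the table name FamilyData and the policy name DenyFamilyDataAccess come from this notice; the region, account ID and bucket name are placeholders. Attached to the admin Lambda’s execution role (and to the everyday operator identities), an explicit Deny overrides any Allow granted elsewhere, so the console cannot read the table or the file bucket even if a broader permission is later added by mistake.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyFamilyDataAccessTable",
      "Effect": "Deny",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:REGION-PLACEHOLDER:ACCOUNT-ID-PLACEHOLDER:table/FamilyData",
        "arn:aws:dynamodb:REGION-PLACEHOLDER:ACCOUNT-ID-PLACEHOLDER:table/FamilyData/index/*"
      ]
    },
    {
      "Sid": "DenyFamilyDataAccessFiles",
      "Effect": "Deny",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::FAMILY-FILES-BUCKET-PLACEHOLDER",
        "arn:aws:s3:::FAMILY-FILES-BUCKET-PLACEHOLDER/*"
      ]
    }
  ]
}
```

The break-glass path described in Section 5 is the complement of this policy: a separate role that is allowed read-only actions on the same resources, whose trust policy requires `aws:MultiFactorAuthPresent` to be true, so that the role switch itself is both MFA-gated and recorded as an `AssumeRole` event in CloudTrail.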
3.5 Immutable Audit Trail for Medical Information
Inspired by HIPAA’s audit control requirements, Addison’s Diary maintains an append-only, immutable log of all medication administration and care task activity:
- Every medication dose marked as given or missed creates a permanent, timestamped log entry
- Every at-home care task completion creates a permanent, timestamped log entry
- Log entries cannot be deleted or overwritten by any user — including operators
- Corrections are handled by appending a new correction row that preserves the original entry alongside the correction, the correcting user’s identity, and the correction note
- Operators have no ability to edit, delete, or modify medication or care logs under any circumstance — this is enforced both at the UI level and independently at the Lambda/API level using a JWT issuer guard
3.6 We Will Notify You of Unauthorized Access
In the event of a security incident that results in unauthorized access to health-related information in your account, Pribco LLC will:
- Notify you by email at the address associated with your account without undue delay and as promptly as practicable given the circumstances
- Describe the nature of the incident, the categories of information involved, and the steps we have taken in response
- Provide guidance on steps you can take to protect yourself
- Report the incident to appropriate authorities as required by applicable federal and state law, including applicable state breach notification statutes which impose specific notification deadlines. Where state law requires notification to a state regulator, we will comply with those requirements.
This breach notification commitment is anchored to the FTC Health Breach Notification Rule (16 CFR Part 318), which applies to vendors of personal health records and related entities that are not covered by HIPAA. Addison’s Diary follows the FTC Rule’s requirements for notifying affected users, the FTC, and in some cases the media, in the event of a breach of unsecured personal health record information. Other laws may also apply depending on the nature of the breach and the location of affected users, including the Washington My Health My Data Act and the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA). Pribco LLC will comply with all applicable federal and state breach notification requirements.
4. Technical Security Measures for Health Information
The following technical controls protect health-related information on Addison’s Diary. These controls are drawn from or inspired by the HIPAA Security Rule’s Administrative, Physical, and Technical Safeguard categories.
Encryption
- All data is encrypted in transit using industry-standard TLS/HTTPS — there is no unencrypted connection path to the platform
- All data is encrypted at rest using AWS-managed encryption keys for both DynamoDB (the database) and S3 (file storage)
- Encryption applies to every table, every file, and every database record — including all health-related information
Access Controls and Authentication
- Two-factor authentication (2FA) is required for every user account — email-based 2FA for family users, authenticator-app MFA for operators
- Every request to the platform must carry a valid, cryptographically signed Cognito JWT token issued to the requesting user
- API Gateway enforces authentication before any application code runs — unauthenticated requests are rejected at the door
- Per-family data isolation is enforced server-side: the familyDataApi Lambda derives the caller’s family from their verified login token — the caller cannot claim access to another family’s data
- Per-section, per-member permissions are enforced server-side for every read and write operation
- Medical log write routes include an additional JWT issuer guard that structurally prevents operator-pool sessions from writing to family health records — independent of all other permission checks
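The three server-side checks in the list above (family scope derived from the verified token, per-section per-member permissions, and the JWT issuer guard on medical log writes) as one small Python routine. This is an added example, not Pribco’s familyDataApi Lambda. It assumes, as the policy states, that API Gateway has already verified the token’s signature and expiry, so the handler receives decoded claims; the custom claim name `custom:family_id`, the two issuer URLs, the route names and the permission table are constructed for the example.

```python
"""Server-side authorization checks in the style described in Sections 3.4,
3.5 and 4 of the policy. Added illustrative example, not Pribco's own code.

Assumptions not stated in the policy: API Gateway has already verified the
JWT signature and expiry, so the handler receives decoded claims; the family
scope travels in a custom claim named ``custom:family_id``; the family and
operator Cognito user pools are told apart by their ``iss`` URLs, which are
placeholders below; route names and the permission table are constructed.
"""

FAMILY_POOL_ISSUER = (
    "https://cognito-idp.REGION-PLACEHOLDER.amazonaws.com/FAMILY-POOL-ID-PLACEHOLDER"
)
OPERATOR_POOL_ISSUER = (
    "https://cognito-idp.REGION-PLACEHOLDER.amazonaws.com/OPERATOR-POOL-ID-PLACEHOLDER"
)

# Routes that append to the medication / care task log (constructed names).
MEDICAL_LOG_WRITE_ROUTES = {"POST /medications/log", "POST /care-tasks/log"}

# Which section of the family data each route touches (constructed mapping).
ROUTE_SECTION = {
    "POST /medications/log": "medications",
    "POST /care-tasks/log": "care_logs",
    "GET /medications": "medications",
    "GET /vault": "vault",
}


class AuthorizationError(Exception):
    """Raised for any request the server refuses to act on."""


def enforce_issuer_guard(claims, route):
    """Independent of every other check: a token minted by the operator pool
    may never reach a medical-log write route (Section 3.5)."""
    if route in MEDICAL_LOG_WRITE_ROUTES and claims.get("iss") == OPERATOR_POOL_ISSUER:
        raise AuthorizationError("operator sessions may not write medical logs")


def derive_family_id(claims):
    """The family scope comes from the verified token, never from the request
    body or URL, so a caller cannot name another family (Section 4)."""
    if claims.get("iss") != FAMILY_POOL_ISSUER:
        raise AuthorizationError("token was not issued by the family user pool")
    family_id = claims.get("custom:family_id")
    if not family_id:
        raise AuthorizationError("token carries no family scope")
    return family_id


def authorize(claims, route, requested_family_id, permissions):
    """Return the family id the request may act on, or raise.

    ``permissions`` stands in for the per-section, per-member table the
    account administrator maintains: section name -> set of member ``sub``s.
    """
    enforce_issuer_guard(claims, route)
    family_id = derive_family_id(claims)
    if requested_family_id != family_id:
        raise AuthorizationError("requested family does not match token scope")
    section = ROUTE_SECTION.get(route)
    if section is None or claims.get("sub") not in permissions.get(section, set()):
        raise AuthorizationError("member lacks permission for this section")
    return family_id


def decide(claims, route, requested_family_id, permissions):
    """Convenience wrapper returning (True, family_id) or (False, reason)."""
    try:
        return True, authorize(claims, route, requested_family_id, permissions)
    except AuthorizationError as exc:
        return False, str(exc)


# Constructed sample tokens (already verified upstream) and permission table.
FAMILY_MEMBER_CLAIMS = {"sub": "member-a", "iss": FAMILY_POOL_ISSUER, "custom:family_id": "fam-123"}
OPERATOR_CLAIMS = {"sub": "operator-1", "iss": OPERATOR_POOL_ISSUER}
SAMPLE_PERMISSIONS = {"medications": {"member-a"}, "care_logs": {"member-a"}, "vault": {"member-b"}}

if __name__ == "__main__":
    for route, fam in [("POST /medications/log", "fam-123"),
                       ("POST /medications/log", "fam-999"),
                       ("GET /vault", "fam-123")]:
        print(route, fam, decide(FAMILY_MEMBER_CLAIMS, route, fam, SAMPLE_PERMISSIONS))
    print("operator write:", decide(OPERATOR_CLAIMS, "POST /medications/log", "fam-123", SAMPLE_PERMISSIONS))
```

The issuer guard runs first and on its own, so even a future bug in the permission table cannot let an operator-pool session append to a medical log; the family id used for every data access is the one in the token, and a mismatching family id in the request is refused rather than silently corrected.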
Audit Controls
- AWS CloudTrail records every administrative action in the AWS account — including any use of the break-glass role to access care data — to a tamper-evident log
- The medication and care task log is append-only and immutable — creating a permanent audit trail of all care activity
- Operator access to the admin console is authenticated with MFA and every action is attributable to a specific named individual
- The Terms of Use acceptance record — including the typed electronic signature and timestamp — is retained for at least 7 years under WORM Object Lock (S3 archive, governance-mode retention) in a dedicated store separate from all care data
File and Document Security
- Documents and photos are stored in a private Amazon S3 bucket — not a publicly accessible location
- The browser is never given standing access to the storage bucket
- Every file access uses a short-lived, single-file presigned URL — permission for exactly one file for a limited time window
- When a family account is deleted, every file in the family’s S3 storage prefix is permanently and irreversibly purged
Data Minimization and Retention
- We collect only the information users choose to enter — we do not acquire health information from external sources
- When a family account is deleted, all health-related information is permanently purged — including care journals, medication records, care logs, documents, and photos
- The account closure lifecycle provides a 30-day grace period with three warning emails (Days 1, 23, and 29) and a deletion confirmation email on Day 30, giving families time to recover accidentally closed accounts
- After permanent deletion, no health-related data is retained — only the legal Terms acceptance record (retained for at least 7 years under WORM Object Lock), which contains no health information
The controls described in this section represent our current implemented posture. See Section 8 for current known limitations and gaps.
5. Operator Access Policy — Health Data Carve-Out
Pribco LLC has established a formal Data Access Policy governing how the platform’s two operators (co-founders) may access health-related family information. The following rules apply:
| OPERATOR ACCESS RULES FOR HEALTH-RELATED INFORMATION |
|---|
| DEFAULT: Operators CANNOT access family health information. |
| The admin console is technically blocked from the FamilyData table and the S3 file storage — including patient profile information, care journals, medications, messages, photos, and vault documents. This is an IAM-level restriction. |
| EXCEPTION: Operators may access health information ONLY by deliberately switching into the separate, MFA-protected FamilyDataAccess role, subject to the following: |
| 1. The switch is immediately recorded in the AWS CloudTrail audit log |
| 2. Access is read-only — operators cannot modify health records under any circumstances |
| 3. Use is limited to: investigating a reported security incident, providing support at a user’s explicit request, or complying with a valid legal obligation |
| PROHIBITED AT ALL TIMES — EVEN FOR OPERATORS: |
| • Writing to, editing, or deleting medication or care log entries |
| • Accessing health data for any commercial, research, or marketing purpose |
| • Accessing health data out of curiosity or without a documented legitimate reason |
| The Data Access Policy is a written internal document signed by both founders. Violations of the Data Access Policy are treated as serious policy breaches. |
| Honest disclosure: Because the founders own the underlying AWS account, no purely technical control can make it strictly impossible for them to access family health data — an account owner can always re-grant their own access. The Data Access Policy and CloudTrail audit logging are the practical controls that make any such access deliberate, documented, and accountable. See Section 8 for full transparency on this limitation. |
Break-Glass Access Governance Controls
Any use of the break-glass FamilyDataAccess role is governed by the following controls: (1) dual-authorization — a second founder must be aware of or approve any non-emergency break-glass activation; (2) documented ticket — the reason for access must be written into the system before the role switch is approved; (3) post-event review — every break-glass event is reviewed after the fact against the documented reason and any discrepancy is treated as a policy breach. All access is read-only and permanently logged in AWS CloudTrail. These governance controls apply in addition to the technical IAM restrictions described above.
6. Third-Party Service Providers — Health Data
Addison’s Diary uses the following third-party service providers that may process health-related information as part of delivering the service. Each provider is contractually bound to protect your information and may not use it for any purpose other than providing services to Pribco LLC.
Amazon Web Services (AWS)
Role: Cloud infrastructure, database, file storage, authentication, and serverless computing.
Health data processed: AWS DynamoDB stores all family care content including medication records, care journals, and care logs. AWS S3 stores all uploaded files including Document Vault contents. AWS Cognito manages authentication.
HIPAA status: AWS is eligible to sign a HIPAA Business Associate Agreement (BAA) and offers HIPAA-eligible services including DynamoDB, S3, and Cognito. Pribco LLC has not yet signed a BAA with AWS.
Postmark (Wildbit LLC)
Role: Transactional email delivery — invitations, care alerts, medication reminders, SOS notifications, and account lifecycle emails.
Health data processed: Postmark processes email content including notification messages. Per our platform design, email alert text may contain patient names but never includes medication names or medical details — only a notification that activity has occurred and a prompt to sign in. This is a deliberate HIPAA-aware design choice. Privacy: postmarkapp.com/privacy
Twilio Inc.
Role: SMS text message delivery for SOS alerts, “I’m OK” wellness check-in notifications, and two-factor authentication (MFA) codes.
Health data processed: Twilio Inc. processes SMS message content on our behalf. Per our platform design, SMS text bodies may contain patient names but never include medication names, diagnoses, or any other identifiable health information — only a notification that activity has occurred and a sign-in prompt. This content-minimization design is consistent with HIPAA-aware SMS practices and is enforced at the application level. Privacy: twilio.com/legal/privacy
Stripe, Inc.
Role: Subscription payment processing.
Health data processed: Stripe does not process health-related information. Stripe processes only billing and payment data. Privacy: stripe.com/privacy
Data Processing Agreements and Content-Minimization Controls
Each service provider listed above is engaged under contractual terms that include confidentiality obligations, data security requirements, restrictions on subprocessing, and a prohibition on using your information for any purpose other than delivering services to Pribco LLC. Pribco LLC will execute a HIPAA Business Associate Agreement (BAA) with AWS if and when it enters into any institutional health system partnership or any arrangement that would make Pribco LLC a business associate under HIPAA. Email and SMS alert templates are reviewed internally to confirm that no medication names, diagnoses, or other health details are included — alerts may contain patient names but nothing more than a notification that activity has occurred and a prompt to sign in to the platform.
7. Your Health Data Rights
Regardless of HIPAA’s technical applicability to our platform, Pribco LLC voluntarily extends the following rights — inspired by HIPAA’s Privacy Rule — to all users with respect to health-related information in their accounts:
Right to Access
You have the right to access all health-related information in your Addison’s Diary account at any time through the platform. You may also request a summary or export of your account data by contacting support@addisonsdiary.com.
Right to Correct
You have the right to correct inaccurate health-related information in your account. Most information can be corrected directly within the platform. For medication and care log corrections, the account administrator may submit a correction through the Log tab — corrections are appended as new immutable records alongside the original entry.
Right to Delete
You have the right to request deletion of your account and all associated health-related information. See the Addison’s Diary Data Deletion and User Rights Policy for full details. Health-related information is permanently and irreversibly deleted when a family account is purged. Email support@addisonsdiary.com to initiate deletion.
Important limitation: deleting your Addison’s Diary account removes your data from Pribco LLC’s systems but does not automatically remove data that has already been shared with third-party service providers under their own retention obligations. Specifically:
(a) Google Analytics 4 — anonymized usage event data sent to Google Analytics before your deletion request persists in Google’s systems under Google’s own data retention settings. Pribco LLC cannot unilaterally delete this data. To manage Google’s retention of your data, visit myaccount.google.com/data-and-privacy.
(b) Meta (Facebook Pixel and Conversions API) — advertising event data sent to Meta before your deletion request persists in Meta’s systems under Meta’s own data policies. Pribco LLC cannot unilaterally delete this data. To manage Meta’s retention of your data, visit facebook.com/help/contact/394964830801766.
(c) Stripe (web billing) and Apple (iOS billing via RevenueCat) — billing and transaction records are retained by Stripe and Apple under their own legal and tax obligations, independent of your deletion request. These records are not health data. Stripe’s retention is governed by applicable financial and tax law (typically 7 years). To manage your Stripe data, visit stripe.com/privacy. Apple iOS billing records are governed by Apple’s privacy policy at apple.com/legal/privacy.
Pribco LLC has no ability to override the data retention practices of these third-party providers. The data persistence described above applies only to data already transmitted before your deletion request — it does not affect the deletion of your health and care data from Pribco LLC’s own systems, which is permanent and irreversible.
Right to Know How Your Information Is Used
You have the right to know how Pribco LLC uses health-related information in your account. This policy, together with the Addison’s Diary Privacy Policy, provides that information. If you have questions not addressed here, contact privacyandlegal@pribco.com.
Right to Restrict Sharing Within Your Account
The account administrator has full control over who in the family can see what, using granular per-section, per-member permission controls. You can restrict any family member’s access to any section — including medications, care journal, document vault, and care logs — at any time from the Settings and Admin page.
Right to Be Notified of Unauthorized Access
As described in Section 3.6, Pribco LLC will notify you by email if we become aware of unauthorized access to health-related information in your account.
How to Exercise These Rights
For the complete process for exercising access, correction, deletion, and portability rights — including identity verification steps, response timeframes, authorized agent procedures, and appeal mechanisms — see Privacy Policy Section 12 (Your Rights and Choices) at addisonsdiary.com/privacy and the Data Deletion and User Rights Policy at addisonsdiary.com.
Note on immutable log corrections: Medication administration logs and care task completion logs are append-only and cannot be deleted or overwritten. When you request a correction, a correction record is appended as a new row alongside the original — both the original and the correction remain. If you request data export, both the original entries and any correction records are included. If you request account deletion, all log entries (original and corrections) are permanently purged along with all other family data.
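The append-only log with correction rows, described in Section 3.5 and in the note above, as a small Python model. This is an added example, not Pribco’s own code: an in-memory list stands in for the DynamoDB table, and every entry in the scenario is constructed. The point it shows is that a correction never replaces the original row; the original, the correction, the correcting user and the note all remain, and a data export returns all of them while a “current view” resolves the effective status.

```python
"""Append-only medication / care task log with correction rows, as described
in Section 3.5 and the Section 7 note on immutable log corrections. Added
illustrative example, not Pribco's own code; an in-memory list stands in for
the DynamoDB table, and all sample entries below are constructed.
"""
from dataclasses import dataclass
from typing import Optional
import itertools


@dataclass(frozen=True)          # frozen: a row can never be edited in place
class LogRow:
    row_id: int
    kind: str                    # "entry" or "correction"
    medication: str
    status: str                  # "given" or "missed"
    actor: str                   # who recorded this row
    timestamp: str               # ISO-8601 string supplied by the caller
    corrects: Optional[int] = None   # row_id of the original entry (corrections only)
    note: Optional[str] = None       # correction note (corrections only)


class AppendOnlyLog:
    """Rows can only be appended. There is deliberately no update or delete
    method, for users and operators alike."""

    def __init__(self):
        self._rows = []
        self._seq = itertools.count(1)

    def record(self, medication, status, actor, timestamp):
        """Mark a dose as given or missed: one permanent, timestamped row."""
        row = LogRow(next(self._seq), "entry", medication, status, actor, timestamp)
        self._rows.append(row)
        return row

    def correct(self, original_id, status, actor, timestamp, note):
        """Append a correction row; the original stays in place alongside it."""
        original = self._find(original_id)
        if original.kind != "entry":
            raise ValueError("corrections must reference an original entry")
        row = LogRow(next(self._seq), "correction", original.medication, status,
                     actor, timestamp, corrects=original_id, note=note)
        self._rows.append(row)
        return row

    def _find(self, row_id):
        for row in self._rows:
            if row.row_id == row_id:
                return row
        raise KeyError(f"no log row {row_id}")

    def rows(self):
        """Full history in append order: what a data export contains."""
        return tuple(self._rows)

    def current_view(self):
        """Effective status per original entry: the latest correction wins,
        but nothing is removed. Maps original row_id -> (status, row_id of the
        row that supplied it)."""
        effective = {}
        for row in self._rows:
            key = row.row_id if row.kind == "entry" else row.corrects
            effective[key] = (row.status, row.row_id)
        return effective


def demo():
    """Constructed scenario: one dose logged correctly, one logged as missed in
    error and then corrected by the account administrator."""
    log = AppendOnlyLog()
    log.record("Medication A 10 mg", "given", "caregiver-a", "2026-06-21T08:02:00Z")
    missed = log.record("Medication B 5 mg", "missed", "caregiver-a", "2026-06-21T08:05:00Z")
    log.correct(missed.row_id, "given", "admin-b", "2026-06-21T09:30:00Z",
                "Dose was given at 08:10 and logged as missed in error")
    return log


if __name__ == "__main__":
    log = demo()
    for row in log.rows():
        print(row)
    print(log.current_view())
```

In DynamoDB the same guarantee is obtained by writing every row with a `PutItem` whose `ConditionExpression` is `attribute_not_exists(row_id)`, so an existing row can never be overwritten, and by granting the writing Lambda `dynamodb:PutItem` on the log table but neither `UpdateItem` nor `DeleteItem`.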
8. Important Limitations and Honest Disclosures
| THIS PLATFORM IS NOT INTENDED FOR CLINICAL USE. |
|---|
| Medication records, care journals, and care logs are family coordination tools only — not clinical records. They must never be used as the authoritative record of a patient’s care for any clinical, regulatory, or legal purpose. |
| For clinical records, consult the patient’s licensed healthcare providers. |
This Platform Is Not HIPAA-Certified
We want to be direct: Addison’s Diary has not undergone a formal HIPAA compliance audit or assessment by a qualified third-party reviewer. The security measures and commitments described in this policy reflect our genuine good-faith efforts to protect health-related information. They are not a substitute for formal HIPAA certification.
No Business Associate Agreement with AWS Yet
AWS offers HIPAA-eligible services and is willing to sign a Business Associate Agreement (BAA) with covered entities and business associates. Pribco LLC has not yet signed this agreement. Until it is signed, our technical relationship with AWS does not carry formal HIPAA contractual protections — though the underlying technical controls (encryption, access controls, audit logging) are consistent with HIPAA-eligible service standards.
Interim compensating controls: All AWS services in use (DynamoDB, S3, Cognito) are HIPAA-eligible. Encryption at rest and in transit is active. IAM access controls and CloudTrail audit logging are in place. The AWS BAA will be executed before any institutional health system partnership.
Owner Residual Access
Because Pribco LLC’s founders own the AWS account, no purely technical control can make it strictly impossible for them to access family health data. An account owner can always re-grant their own access. The Data Access Policy described in Section 5 and AWS CloudTrail audit logging are the practical controls that make such access deliberate, documented, and accountable — not accidental or casual. We state this honestly rather than implying a level of protection we cannot technically guarantee.
Both Operator Accounts Are Now Fully Hardened
The individual IAM login, MFA setup, and data carve-out policy for the second founder’s operator account were completed and verified on 2026-06-09. As of that date, the security posture described in this policy is fully implemented for both operators. Both accounts carry the DenyFamilyDataAccess IAM policy, MFA-gated break-glass access, and individual CloudTrail logging.
No Formal Penetration Test Has Been Conducted
Addison’s Diary has not yet undergone a formal third-party security audit or penetration test. The platform has been built with security-first practices by experienced developers, but has not been independently validated by a third-party security assessor.
Interim compensating controls: The platform follows AWS security best practices, uses a serverless architecture with no persistent compute exposure, enforces JWT authentication at API Gateway, and encrypts all data at rest and in transit. These measures reduce risk while formal validation is pending.
9. Contact and Policy Updates
For questions about this policy or Pribco LLC’s health data practices, contact privacyandlegal@pribco.com.
Users will be notified of material changes to this policy by email and in-app notice before those changes take effect. The effective date at the top of this document will be updated at each revision.
10. Contact — Health Data and HIPAA Inquiries
Questions, concerns, or requests specifically related to health data, HIPAA, or this policy should be directed to:
Pribco LLC — Addison’s Diary
Health Data and HIPAA Inquiries: privacyandlegal@pribco.com
General Support: support@addisonsdiary.com
Website: addisonsdiary.com
If you are a healthcare organization, insurer, or institutional partner and have specific HIPAA or data security questions in connection with a potential partnership or integration, contact privacyandlegal@pribco.com with the subject line “Institutional Health Data Inquiry.”