Roomwell
Security & Privacy

Your practice. Your clients. Your data.

Roomwell handles protected health information. We treat that as a serious responsibility, not a marketing line. Here's how.

Encryption everywhere

All data is encrypted in transit (TLS 1.2+) and at rest. PHI fields are protected with row-level security policies that scope every read and write to the account that owns the record.

Row-level access control

Even if a query somehow escaped the application layer, the database itself refuses to return data outside the practitioner's account. No cross-tenant access — ever.

HIPAA-aware engineering

We follow HIPAA technical safeguards: access control, audit logging, automatic logoff, integrity checks, and transmission security. We support a BAA on request for paid practitioners.

Your data is portable

One-click CSV export of clients, appointments, SOAP notes, payments, and expenses. No lock-in. Cancel any time and take everything with you.

US data residency

The application and database are hosted in US regions. No background analytics SDKs run against client data.

Sensible defaults

Auto-confirm for online bookings is off by default. Email reminders are off until you turn them on. We don't share, sell, or train on your client data.