Privacy & Security Policy

Privacy Policy

Eye2Automation (“we,” “us,” or “our”) builds healthcare workflow software, including multiple Chrome browser extensions and related web services. Protecting the confidentiality, integrity, and availability of information—especially data processed in clinical and practice environments—is central to how we design, operate, and support our products.

This Privacy Policy comprehensively describes what information we collect, how we collect and use it, where it is stored, who we share it with, and what security measures we apply. It applies to all Eye2Automation websites, Chrome Web Store listings, browser extensions, APIs, and customer support channels. It is intended to satisfy the Chrome Web Store User Data Policy, Disclosure Requirements, Handling Requirements, and Limited Use policies.

  • Security first: Encryption in transit, access controls, and least-privilege design by default.
  • Data minimization: We collect only what is necessary for features you use and actions you take.
  • No data sales: We do not sell personal information or use extension data for advertising.
  • Transparency: Clear disclosures in this policy, store listings, and in-product interfaces.

Effective: May 16, 2026
Last updated: May 16, 2026
support@eye2automation.com | (214) 509-8683

1. Scope & roles

1.1 What this policy covers

This policy applies to all products and services offered under the Eye2Automation brand, including:

  • All Chrome browser extensions published by Eye2Automation in the Chrome Web Store (current and future versions)
  • Websites, landing pages, knowledge bases, and documentation we operate
  • Backend APIs, authentication services, logging systems, and dashboards used to deliver extension functionality
  • Customer onboarding, implementation, technical support, and sales communications

Each extension’s Chrome Web Store listing and in-product interface describe the specific features that extension provides. This policy describes data practices common across our platform and the categories of data any extension may process when you use its features.

1.2 Who this policy is for

Our services are intended for authorized staff of healthcare practices and related organizations. Accounts are typically provisioned by your practice administrator. If you use our extensions on behalf of your employer, your practice’s policies and agreements with us may also apply.

1.3 Controller and processor roles

For website inquiries and direct relationships with Eye2Automation, we act as a data controller for the information you provide to us. For patient and clinical workflow data processed through extensions on behalf of a healthcare practice, we generally act as a data processor (or “service provider” under U.S. state privacy laws), processing data only on the practice’s instructions and as described in our customer agreements and, where applicable, Business Associate Agreements (BAAs).

2. Privacy & security principles

Our approach to user data is guided by the following commitments:

  • Purpose limitation — Data is collected and used only to deliver, secure, maintain, and improve the specific features you or your practice enable.
  • Data minimization — We limit collection to fields and scopes required for each action. We do not request broader browser permissions than necessary for the feature described in the store listing.
  • Storage limitation — Data is retained only for as long as needed for operations, security, auditing, and legal obligations, then deleted or anonymized according to our retention schedule.
  • Integrity and confidentiality — We apply technical and organizational safeguards designed to prevent unauthorized access, alteration, or disclosure.
  • Accountability — We maintain policies, access controls, and vendor management practices aligned with healthcare and enterprise expectations.
  • User control — You initiate substantive data transfers (e.g., sending a document, logging a workflow action). Extensions do not silently exfiltrate unrelated browsing data.
  • No secondary exploitation — We do not sell personal information, license it to data brokers, use it for interest-based advertising, or determine creditworthiness.

3. Information we collect

The categories below describe information that may be collected depending on which Eye2Automation products your practice uses and which actions you take. Not every category applies to every extension or every user session.

| Category | Examples | Typical source |
|---|---|---|
| Identity & account data | Practice-assigned username; password (transmitted for authentication, not stored in plain text in extensions); internal user ID; display name; role or location assignments; session tokens and expiry | You (login); our authentication services |
| Practice configuration | Enabled features; allowed office locations; integration endpoints; feature flags; license or entitlement metadata | Our servers; your administrator |
| Patient & clinical workflow data | Patient identifiers; names; dates of birth or age where shown; appointment or encounter context; insurance or eligibility fields; workflow selections (status codes, technician assignments, document types) | EHR or practice system pages in your active, authenticated session (DOM/content you are viewing) |
| Documents & media | PDF or image content; filenames; document categories; rendered pages captured when you trigger send, fax, download, or automation actions | Your explicit action in the browser |
| Communications metadata | Recipient email or fax numbers you enter; subject lines; message body text you type; delivery status; timestamps; audit logs of sends | You; transmission services you route through |
| Contacts & directories | Saved recipient emails, display names, or contact lists you store for convenience within a product | You; our servers (if sync enabled) |
| Device & technical data | Extension version; browser type; error diagnostics; API request metadata; IP address and TLS logs on our infrastructure | Automatic (operational necessity) |
| Website & support data | Name, email, phone, practice name, inquiry content, chat messages, support ticket history | You (forms, email, chat) |

3.1 Sensitive and regulated information

Because our products integrate with healthcare workflows, information processed may include protected health information (PHI) under HIPAA (U.S.) and comparable protected categories in other jurisdictions. We treat such data with heightened safeguards as described in Sections 10 and 11.

3.2 What we do not collect

  • We do not build cross-site browsing profiles or collect general web history unrelated to permitted host domains required for a feature.
  • We do not collect payment card numbers or bank credentials through our extensions.
  • We do not publicly post authentication secrets, passwords, or financial account numbers.
  • We do not use keystroke logging, screen recording, or microphone/camera access unless a specific product clearly discloses and requires it for a user-facing feature (none of our standard clinical extensions do so by default).

4. How we collect information

4.1 Direct input

Information you type or select: login credentials, recipient addresses, message content, settings, contact forms, and support correspondence.

4.2 Page context (with your session)

Content scripts may read elements visible on web pages you have opened in an authenticated EHR or practice system session—only on host domains declared in that extension’s permissions and only to power user-facing features (e.g., pre-filling a recipient, identifying the active patient context, rendering an action button). We do not operate hidden background scraping of unrelated sites.

4.3 Browser platform APIs

Extensions use Chrome extension APIs such as chrome.storage (local or sync, as declared), messaging between extension components, and—where permitted—tab, scripting, download, or notification APIs strictly for the workflows described in each listing.

4.4 Our secure services

When you authenticate or invoke a server-backed feature, data is sent to Eye2Automation-operated or contracted infrastructure over encrypted connections, as described in Sections 7–10.

4.5 Service providers

Limited technical metadata is processed by hosting, email, analytics, or communication vendors supporting our websites and infrastructure, under contractual confidentiality and security obligations.

5. How we use information

We use collected information exclusively for the following purposes:

  1. Service delivery — Authenticate users; enforce practice-level rules (e.g., location restrictions); execute sends, faxes, automations, verifications, or logging actions you initiate; display dashboards and history your practice configures.
  2. Integration routing — Transmit data to practice-configured endpoints (e.g., secure APIs, email or fax gateways, spreadsheet or workflow connectors) necessary to complete the action you requested.
  3. Security operations — Detect abuse, brute-force attempts, anomalous API usage, and policy violations; investigate incidents; maintain audit trails.
  4. Reliability & improvement — Monitor uptime; diagnose defects; develop fixes (preferring aggregated or de-identified data where feasible).
  5. Customer support — Respond to tickets and implementation requests when you or your administrator contacts us.
  6. Legal & compliance — Comply with law, regulation, subpoenas, and contractual obligations; enforce our terms.
  7. Business communications — For website inquiries: schedule demos, provide quotes, and send service-related notices (not third-party marketing lists).

We will never: sell personal information; use extension-derived data for targeted advertising; share data with data brokers; or use PHI for purposes unrelated to providing our services to your practice.

7. Sharing & disclosure

We share information only in the circumstances below. We do not share personal information with third parties for their independent marketing.

7.1 At your direction

When you perform an action (send, fax, sync, log, verify, etc.), data flows to the systems required to complete that action—including practice-controlled email, fax, EHR, or cloud endpoints configured for your organization.

7.2 Service providers (processors)

Infrastructure, hosting, monitoring, and communication vendors that process data on our behalf under written agreements requiring confidentiality, security measures, and use limitations consistent with this policy.

7.3 Within your organization

Other authorized users at your practice may see shared logs, dashboards, or configuration according to roles your administrator defines.

7.4 Legal, safety, and rights

When required by law or when we reasonably believe disclosure is necessary to protect users, the public, or Eye2Automation from harm, fraud, or illegal activity.

7.5 Business transfers

In connection with a merger, acquisition, or asset sale, subject to confidentiality and notice requirements where legally mandated.

8. Third parties & subprocessors

Eye2Automation uses a controlled ecosystem of third-party services. The table below describes categories of recipients—not an exhaustive list of every vendor—because specific providers may vary by feature, practice configuration, and product version.

| Category | Types of data involved | Why they receive it | Safeguards |
|---|---|---|---|
| Cloud infrastructure & API hosting | Authentication payloads, workflow records, logs, configuration, metadata from API calls | Operate secure backends, authentication, and extension APIs | Contractual DPAs/BAAs where required; TLS; access logging; vendor security review |
| Practice-configured delivery systems | Documents, recipient addresses, subjects, message bodies, patient names or IDs as included in sends | Deliver email, fax, or messages through systems your practice controls (e.g., workspace email automation, fax APIs) | Transmission only on user action; governed by your practice’s agreements with those providers |
| EHR & practice software platforms | Data already present in your session; no sale of data to the EHR vendor by Eye2Automation | Extensions interact with pages you open while logged into your EHR | Host permissions limited to declared domains; no collection outside user-facing features |
| Integration & eligibility partners | Patient demographics or insurance identifiers when a practice enables a specific integration | Optional features such as benefits lookup or quoting, only when enabled | Feature-gated; minimum necessary fields; contractual restrictions on use |
| Website & support tools | Contact form fields, chat content, support emails | Respond to sales and support inquiries on our public website | Separate from clinical extension backends where feasible; vendor confidentiality terms |
| Content delivery & fonts | IP address, browser metadata when loading static assets on our website | Deliver CSS, fonts, and scripts for marketing pages | No access to extension clinical payloads; standard CDN logging |

A detailed subprocessor list for enterprise customers is available upon request at support@eye2automation.com. We notify customers of material subprocessor changes as provided in applicable agreements.

9. Storage, location & retention

9.1 Where data is stored

  • On your device — Session tokens, preferences, temporary workflow state, and encrypted credential blobs in browser extension storage until logout, expiry, uninstall, or manual clear.
  • On our servers — Account linkage, audit logs, saved contacts, workflow tables, and configuration in U.S.-based or contractually specified regions operated by our hosting providers.
  • On practice-controlled systems — Mailboxes, fax logs, spreadsheets, or EHR records remain under your practice’s control and retention policies.

9.2 Retention periods

| Data type | Typical retention |
|---|---|
| Browser session / local extension state | Until logout, session timeout (as configured per product), uninstall, or manual clear |
| Authentication & account records | Duration of active subscription plus period required for audit, tax, or legal hold |
| Transactional logs (sends, workflow events) | As required for practice operations and contractual audit periods, then deleted or archived |
| Support & sales inquiries | Typically up to 24 months unless longer retention is required by law or ongoing relationship |
| Security & infrastructure logs | Limited retention aligned to security monitoring needs (often 30–90 days for raw logs, longer for aggregated metrics) |

9.3 Deletion

Practice administrators or authorized users may request deletion of server-side account data by contacting support@eye2automation.com. Local extension data can be removed immediately via logout, clearing extension/site data in Chrome settings, or uninstalling the extension. Deletion may be delayed where law requires retention or where data exists in practice-controlled systems outside our direct control.

10. Security program

Security is a design requirement, not an afterthought. We implement layered administrative, technical, and physical safeguards appropriate to the sensitivity of healthcare and personal data processed through our platform.

10.1 Technical safeguards

  • Encryption in transit — Personal and sensitive user data transmitted between extensions, browsers, and our services uses HTTPS/TLS (modern protocols). Unencrypted transmission of sensitive user data is prohibited by our development standards.
  • Encryption at rest — Server-side data is stored on infrastructure with encryption at rest provided by our cloud hosts; additional application-layer protection is applied to credentials and secrets.
  • Authentication & authorization — Server-backed actions require valid practice credentials; optional location or role restrictions; session timeouts; invalidation on logout.
  • Secrets management — API keys, service credentials, and integration secrets are not embedded in client-distributed extension packages where avoidable; they are managed server-side or per-practice configuration.
  • Network security — API endpoints are protected by access controls, rate limiting where appropriate, and monitoring for abuse.
  • Secure development — Code review, dependency awareness, and separation between production and non-production environments.
  • Local storage protection — Sensitive session material stored in the browser is obfuscated or encrypted using extension-side techniques; passwords are not stored in plain text locally.

10.2 Organizational safeguards

  • Least-privilege access — Personnel access to production systems and customer data is granted on a need-to-know basis and revoked upon role change or termination.
  • Workforce confidentiality — Staff and contractors with data access are subject to confidentiality obligations and security training appropriate to their role.
  • Vendor management — Subprocessors are evaluated for security posture and bound by contractual data protection terms.
  • Change management — Production changes follow controlled release practices to reduce risk of unintended data exposure.

10.3 Monitoring, incident response & resilience

  • Logging & monitoring — Infrastructure and application logs support detection of anomalies, authentication failures, and service disruptions.
  • Incident response — We maintain procedures to investigate suspected breaches, contain impact, notify affected customers as required by law and contract, and remediate root causes.
  • Backup & recovery — Critical server data is backed up according to operational schedules to support continuity.

10.4 Compliance alignment

Our security and privacy practices are designed to support healthcare customers, including alignment with HIPAA requirements where we act as a Business Associate, and with SOC 2–style control objectives for security, availability, and confidentiality. Specific certifications and BAAs are provided under commercial agreements.

10.5 Your security responsibilities

  • Maintain strong, unique practice credentials and restrict account sharing.
  • Lock workstations and log out of shared computers.
  • Install extension updates promptly.
  • Report suspected compromise immediately to support@eye2automation.com.

No security program eliminates all risk. If you believe your account or device has been compromised, contact us immediately and rotate credentials per your practice’s security policy.

11. Browser extension permissions

Eye2Automation publishes multiple Chrome extensions. Each declares only the permissions required for its documented features. Permissions may differ between products. The authoritative list for any installed extension appears in the Chrome Web Store listing and Chrome’s extension management UI (chrome://extensions). Below we explain permission categories that may appear across our product line.

11.1 Standard permissions (API permissions)

| Permission | Why it may be requested | Data impact |
|---|---|---|
| storage | Persist login session, user preferences, feature toggles, and short-lived workflow state on your device | Local only until cleared or expired; may include encrypted session blobs |
| activeTab | Interact with the tab you are currently using when you click the extension or an in-page action button | Access limited to user gesture–associated tab; narrower than broad host access where used |
| tabs | Open, focus, or coordinate auxiliary tabs (e.g., launching a linked clinical application window) | Tab URLs and IDs for workflow coordination only |
| scripting | Inject approved scripts to render UI, capture documents, or trigger print/export helpers you request | Page content on permitted hosts during active workflows |
| downloads | Save generated PDFs or exports to your device when you use download features | Files you choose to download; filename metadata |
| notifications | Display completion or error notices for long-running tasks you start | Minimal metadata in notification text; no unrelated tracking |
| sidePanel | Provide a dedicated panel UI alongside permitted sites (e.g., telephony or messaging assistants) | Data you enter in the panel; context from coordinated tabs as disclosed |
| cookies (where declared) | Maintain session compatibility with authenticated web applications you already use | Session cookies on declared hosts only; not used for cross-site ad tracking |

11.2 Host permissions

Host permissions restrict which websites an extension may access. Across our products, host access is limited to domains such as:

  • Electronic health record & practice systems — Domains where you are already logged in (e.g., cloud EHR portals) to read on-screen context and render workflow controls.
  • Eye2Automation API endpoints — Secure HTTPS domains operated by us for authentication, logging, and configuration.
  • Practice integration endpoints — HTTPS URLs for email automation, fax APIs, spreadsheets, or third-party services your administrator configures.
  • Telephony or messaging platforms — Where a product integrates with a voice or SMS platform you use, limited to that vendor’s domains.
  • Local or file resources — In rare products, file:// access supports offline document workflows explicitly described in the listing.

We follow Chrome’s minimum permission principle: extensions must not request access broader than necessary for existing features. Optional permissions, when used, are requested at runtime only when you enable the related capability.

11.3 Content scripts & web-accessible resources

Content scripts may run on declared hosts to display buttons, modals, or helpers. Web-accessible resources (e.g., PDF workers, signing libraries) are exposed only to pages matching declared patterns and only to support documented features—not to track unrelated browsing.

11.4 Permission changes on update

If an update requires new permissions, Chrome prompts you to accept or disable the extension. We document material permission changes in release notes and store listings where practicable.

12. Healthcare & regulated data

Our platform is built for healthcare and adjacent regulated environments. Information processed may constitute PHI under the U.S. Health Insurance Portability and Accountability Act (HIPAA) and similar laws globally.

  • We process PHI only to provide services to covered entities and business associates under applicable agreements.
  • We implement administrative, physical, and technical safeguards consistent with the HIPAA Security Rule where we are a Business Associate.
  • We enter into Business Associate Agreements (BAAs) with customers when required.
  • We do not use PHI for advertising, sale, or unrelated machine-learning training without explicit contractual authorization.
  • Workforce access to identifiable PHI in production systems is restricted, logged, and limited to support with appropriate authorization or legal permission.

Your practice remains the custodian of patient records in your EHR and mail systems. You are responsible for patient notices, consents, and use policies required under applicable healthcare and privacy laws.

13. Chrome Web Store Limited Use disclosure

Limited Use compliance: Eye2Automation’s use and transfer of information received from Google APIs and Chrome extension user data adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements.

  • Allowed use — Data accessed via Chrome permissions is used only to provide or improve the user-facing features described in each extension’s Chrome Web Store listing and interface.
  • Allowed transfer — Transfers to third parties occur only to provide or improve those features, comply with law, prevent abuse, or as part of a merger/acquisition with required notice and consent where applicable.
  • Prohibited advertising — No use or transfer for personalized, re-targeted, or interest-based advertising.
  • Prohibited human reading — Personnel do not read user content except with explicit consent for specific support cases, for aggregated/anonymized internal operations, for security investigations, or as required by law.
  • Web browsing activity — Not collected except as necessary for user-facing features on explicitly permitted domains while you interact with those features.
  • No sale — No sale to data brokers, ad platforms, or information resellers; no use for creditworthiness or lending decisions.

14. Your choices & rights

Depending on your location and role, you may have the following rights regarding personal information:

  • Access — Request a copy of account-linked information we hold.
  • Correction — Request correction of inaccurate account or contact details.
  • Deletion — Request deletion of server-side data, subject to legal and contractual retention limits.
  • Restriction / objection — Object to certain processing where provided by law.
  • Portability — Receive data in a structured, commonly used format where technically feasible.
  • Withdraw consent — Where processing is consent-based, withdraw consent without affecting prior lawful processing.

Submit requests to support@eye2automation.com. We may verify identity and coordinate with your practice administrator for workforce accounts. We respond within applicable legal timeframes (typically within 30 days).

14.1 U.S. state privacy rights

Residents of California, Colorado, Virginia, and other states with comprehensive privacy laws may have additional rights. We do not sell personal information as defined by the CCPA/CPRA. You may use an authorized agent where permitted by law.

14.2 EEA / UK (GDPR)

Where GDPR applies, you may lodge a complaint with your supervisory authority. Our legal bases are described in Section 6. International transfers use appropriate safeguards as described in Section 15.

15. Children’s privacy

Our services are not directed to individuals under 13 (or 16 where applicable). We do not knowingly collect personal information from children. If you believe a child has provided information to us, contact us and we will delete it promptly.

16. International transfers

Eye2Automation is based in the United States. Data may be processed in the U.S. and other countries where we or our subprocessors operate. We implement appropriate safeguards for cross-border transfers as required by applicable law, including standard contractual clauses or equivalent mechanisms where relevant.

17. Website, cookies & analytics

Our marketing websites may use:

  • Essential cookies — Required for basic site function.
  • Analytics — To understand aggregate traffic and improve content (configured to minimize identification where possible).
  • Embedded widgets — Such as live chat; governed by the widget provider’s policy when you interact with it.

Website form submissions are used to respond to your inquiry—not sold to marketers. You can control cookies through browser settings. We do not respond to “Do Not Track” signals in a uniform way across all browsers because no industry standard is universally adopted.

18. Automated decision-making

Our extensions do not make solely automated decisions with legal or similarly significant effects on individuals. Workflow suggestions or validations operate under user control and practice policy.

19. Policy changes

We may update this Privacy Policy to reflect product, legal, or security changes. The “Last updated” date at the top will change when we publish revisions. Material changes affecting extension data practices may be communicated via email to practice contacts, in-product notice, or Chrome Web Store update notes. Continued use after the effective date constitutes acceptance where permitted by law.

20. Contact & privacy requests

For privacy questions, security reports, subprocessor lists, data subject requests, or Chrome Web Store compliance:

Eye2Automation — Privacy & Security

support@eye2automation.com (214) 509-8683

Please include your practice name, product name (if known), and username (if applicable) so we can respond accurately. Security vulnerabilities should be reported responsibly to the same address with “Security” in the subject line.