Privacy Policy
Angles of Recovery Care LLC (a Massachusetts limited liability company) · Effective May 1, 2026 · Last updated July 6, 2026
1. Who we are
Angles of Recovery Care LLC, a Massachusetts limited liability company ("AORC," "we," "us," or "our") operates the AORC web application at app.anglesofrecoverycare.com, the marketing site at anglesofrecoverycare.com, and the staff portal at admin.anglesofrecoverycare.com — where authorized staff of AORC and of participating treatment centers and recovery programs manage users and review scoped member data and crisis flags (together, the "Service"). AORC is a digital wellness application that supports individuals in recovery from substance use, behavioral health concerns, and gambling. AORC is not a healthcare provider, is not a substitute for medical or psychiatric care, and does not provide diagnosis or treatment. If you are in crisis, call or text 988 or call 911. The 988 Suicide & Crisis Lifeline is always accessible in the Service, including before you sign in.
Questions about this policy: ethan@anglesofrecoverycare.com
2. Individual members and program members
You can use AORC in one of two ways, and your privacy posture differs in one important way between them:
- Individual (direct) members sign up on their own. No treatment center, program, or outside organization can see your journals, check-ins, or reflections, and no program is notified of anything you write — including crisis flags (see §7 for exactly who is notified in that case). The service providers listed in §8 process your data only on our behalf, under contract, to run the Service — they are not given your data for their own purposes.
- Program members enroll through a treatment center, recovery program, or other organization (for example, with a coupon or group code). Authorized staff of that organization can view your scoped data as described in §8, and receive the privacy-safe crisis notifications described in §7.
HIPAA. When a HIPAA-covered treatment center uses AORC for its patients, AORC acts as a service provider to that center. We have a signed Business Associate Agreement (BAA) with AWS covering the HIPAA-eligible AWS services we use (including AWS Bedrock). BAAs with Supabase, Vercel, and Sentry will be executed before any HIPAA-covered customer onboards. AORC does not claim to be "HIPAA certified" — no such certification exists — and this policy does not make your individual account a HIPAA-covered relationship.
42 CFR Part 2. Some treatment programs are federally regulated substance-use-disorder programs subject to 42 CFR Part 2. Records that identify you as a patient of such a program carry heightened federal confidentiality protections. Where AORC serves a Part 2 program, we do so under a qualified service organization arrangement, and we do not use or disclose Part 2-protected records except as that regulation permits. We will not use or disclose Part 2-protected records in any civil, criminal, administrative, or legislative proceeding against you without your written consent or a court order that meets the requirements of 42 CFR Part 2. Every disclosure described elsewhere in this policy — including to a successor entity (§8) or in response to legal process (§8) — applies to Part 2-protected records only to the extent 42 CFR Part 2 allows.
3. Information we collect
Information you give us directly:
- Account info: name, email address, password, date of birth, gender (optional)
- Phone number (optional) — only if you opt in to SMS notifications via phone verification — together with your SMS consent record
- Wellness check-in responses (mood, anxiety, cravings, motivation, etc., on a 1–5 scale). You can check in more than once a day; each check-in is stored as its own entry
- Journal entries you write
- Reflections you save after completing exercises
- Subscription and billing information (processed by Stripe — we do not store full card numbers)
- Your precise device location — only if you grant your browser’s location permission when you use the optional "Find Local Resources" feature. Your coordinates and the resource category you pick (for example, treatment, meetings, or sober living) are used to run that one search (see §8) and are not saved to your profile
Information collected automatically:
- Device and usage data: browser type, operating system, IP address, pages viewed, features used, timestamps
- First-party feature-usage events stored in our own database (which screens and features you use, so we can improve the Service)
- How you found us: if you arrive from a marketing link, the campaign parameters attached to that link (such as utm_source and ad-click identifiers) are stored with your account and mirrored into our payment processor’s records so we can measure which campaigns work. These parameters are never combined with your health information
- Browser storage (local and session storage) and similar technologies for authentication and app caches
Information from third parties:
- Authentication tokens from Supabase (our backend provider)
- Payment confirmation from Stripe
- Aggregate page-view analytics from Vercel Analytics (first-party; see §13)
- Crash and error data from Sentry (identifiers, request contents, and free text are stripped or redacted before error events are sent; session replay is disabled)
4. Your consent to collect health data
Your check-ins, journal entries, reflections, and crisis flags are health-related information ("consumer health data" under some state laws). We ask for your opt-in consent to collect and process this information to provide the Service — a one-time checkbox when you create an account, or, for accounts created before this consent flow launched, a one-time in-app consent notice the next time you sign in. We do not collect consumer health data beyond what is necessary to provide the Service without asking you separately, and we do not share your consumer health data with third parties for their own purposes without your separate consent. You can withdraw your consent at any time by deleting your account or emailing ethan@anglesofrecoverycare.com; withdrawal stops future collection and triggers the deletion process in §9.
5. How we use your information
We use your information to:
- Provide, maintain, and improve the Service
- Personalize exercise recommendations using AI via AWS Bedrock (Claude). For recommendations we send only de-identified data — your numeric check-in scores and group context — never your name, contact information, free-text entries, or account ID
- Track your progress and streaks
- Send transactional emails (account confirmations, password resets, billing receipts)
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
- Conduct aggregated, de-identified research to improve recovery outcomes — only with your separate opt-in consent. If you never opt in, your data is not used for research
We do not sell your personal data. We also do not:
- Share identifiable wellness data with advertisers or data brokers
- Share, sell, rent, or lease your phone number to third parties. SMS opt-in data (your phone number, consent timestamp, message history) is used solely to deliver the wellness, crisis-support, and verification messages you requested — never for marketing, advertising, affiliate programs, or lead generation
- Use your journal entries, check-in responses, or reflections to train AI models that serve other users
- Read your journal entries except (a) when you explicitly request support, (b) when required by law, (c) when our crisis-detection safety net processes content as described in §7, or (d) when authorized staff at a treatment center or program you enrolled through review your data as described in §8
6. Legal bases (for users in the EU/UK)
We process your data based on:
- Performance of a contract (delivering the Service you signed up for)
- Your consent (for collecting health data (§4), research use (§5), SMS (see our Terms of Service, Section 16), and other optional processing)
- Legitimate interests (security, fraud prevention, improving the Service)
- Legal obligation (responding to lawful requests)
7. Crisis-detection safety net
When you save a journal entry, exercise reflection, or check-in, AORC screens it for signs of a crisis (suicidal ideation, self-harm, or imminent risk). This works in layers:
- On your device first. The app runs a check locally in your browser. That local check itself does not send your text anywhere. If it matches, we show you a modal with crisis resources (988, Crisis Text Line, 911).
- AI backstop. If the local check does not match and your entry is more than a few words long — roughly 20 characters, or roughly 10 characters for short written check-in answers — the text of that entry, which may contain identifiable information depending on what you wrote, is securely sent to our AI provider, AWS Bedrock (Claude), to catch crisis language the simple check may miss. AWS Bedrock is HIPAA-eligible and covered by our signed Business Associate Agreement. The classification service does not log or store your text.
- The crisis record. If any layer flags a crisis signal — or our safety check cannot complete or cannot confidently rule one out, so a human should look — we record a crisis event in our database. That crisis record includes a short excerpt of the flagged entry (up to about 200 characters) so that authorized staff reviewing the flag in our staff portal can understand it. This excerpt is the only entry text retained by the safety net, and it is visible only inside the authentication-gated staff portal — it is never included in any notification.
- Staff notification. When a crisis event is recorded, we notify the authorized staff who have subscribed to crisis alerts at the treatment center or recovery program you enrolled through (if any), and any AORC platform administrators who have subscribed, by email and, where they have opted in, SMS. Crisis-alert subscriptions are opt-in for staff; if no one has subscribed for your group, no alert is sent, but the crisis event is still recorded for review. The alert contains no member-identifying content and never any of your words. An email alert contains only: a severity tier (CRISIS or MONITOR), your group name, your organization or program name, an internal event ID that lets staff open the flag in our staff portal, and — for the most urgent tier only — a fixed, pre-written urgency label indicating that explicit self-harm language was detected (never the language itself). The rest of the email is fixed template text that says nothing about you. An SMS alert contains even less: the severity tier, your group name, and the event link. Alerts never contain your name, email, date of birth, journal or check-in text, scores, or any excerpt of what you wrote. Staff review the flag by signing in to admin.anglesofrecoverycare.com, which is authentication-gated and scoped to the members in their program by role and row-level database security; administrative actions taken there are logged.
If you did not enroll through a treatment center or program, no outside organization is notified. We still record the crisis event and run the AI backstop described above, and AORC’s own platform administrators who have subscribed to crisis alerts may receive the same privacy-safe alert (severity tier, group name, organization name, and event ID only — never your identity or text) so we can respond appropriately, in addition to showing you the on-device resources modal.
This safety net is automated. It is not continuous human monitoring and it is not an emergency response service. If you are in immediate danger, call or text 988 or call 911.
8. How we share your information
We share information only with:
- Service providers acting on our behalf under contract: Supabase (database and authentication), Stripe (payments only — never health information), Vercel (hosting and first-party analytics), AWS — including AWS Bedrock (Claude) for AI (de-identified exercise recommendations and, as described in §7, crisis-language classification), AWS SES (email delivery) and AWS SNS (SMS delivery) for crisis-notification and reminder messages, and other AWS infrastructure — Google Maps Platform (when you use the optional "Find Local Resources" feature, your device location and the resource category you choose are sent server-side to Google’s Places API to run the search — without your name, account identity, or any health information), and Sentry (error monitoring, with identifiers, request contents, and free text stripped or redacted before events are sent; session replay is disabled)
- Authorized staff at your treatment center, recovery program, or group — if you enrolled through them (for example with a coupon code or invitation), their authorized staff can view your check-in summaries, journal entries, and crisis flags through our staff portal at admin.anglesofrecoverycare.com. This access is limited by role and scoped to your program by row-level database security, and administrative actions taken in the portal are logged. They also receive the privacy-safe crisis notifications described in §7. You can end a program’s access at any time by leaving the group from your Profile page, or by emailing ethan@anglesofrecoverycare.com (this does not cancel a subscription you pay for yourself)
- AORC’s own staff and engineers — only as needed for support and incident response, subject to role-based access controls
- Legal authorities when required by valid legal process or to protect rights, safety, or property — subject, for Part 2-protected records, to the limits in §2
- A successor entity in the event of a merger, acquisition, or sale of assets (your data continues to be governed by this policy or one materially equivalent, and Part 2-protected records transfer only as 42 CFR Part 2 allows)
We never share for advertising, profiling, or third-party marketing, and we do not share your consumer health data with third parties for their own purposes without your separate consent.
HIPAA / Business Associate Agreements. We have a signed Business Associate Agreement (BAA) with AWS, covering AWS Bedrock and the other HIPAA-eligible AWS services we use. BAAs with Supabase, Vercel, and Sentry will be executed before our first HIPAA-covered (treatment-center) customer onboards. Stripe receives only payment data, not health information.
9. Data retention
We keep your account data for as long as your account is active. When you delete your account (or withdraw consent under §4):
- Personal identifiers, journal entries, check-in responses, and reflections are deleted from our production systems within 30 days
- Copies may persist in encrypted backups for up to 7 days before being overwritten on the normal backup cycle; backups are used only for disaster recovery and are never used to restore a deleted account
- We instruct our processors to delete your data as part of the same process
- Aggregated, de-identified usage data may be retained for analytics and (with the consent described in §5) research
- Billing records are retained for 7 years to meet tax and accounting obligations
10. Your rights
You can, at any time:
- Access your data via your Profile page
- Correct inaccurate information via Profile settings, or by emailing us
- Delete your account and all associated personal data by emailing ethan@anglesofrecoverycare.com (or contacting support from your Profile page) — we will verify your identity and complete the deletion, including at our processors
- Export your data in a portable format by emailing ethan@anglesofrecoverycare.com
- Opt out of optional analytics by emailing ethan@anglesofrecoverycare.com
- Withdraw consent for any optional processing, including health-data collection (§4) and research (§5)
How to exercise these rights, and appeals. Email ethan@anglesofrecoverycare.com. We will verify your identity and respond within 45 days (extendable once by 45 days for complex requests; we will tell you if so). If we decline a request, we will explain why, and you may appeal by replying to our decision with the word "Appeal." We will respond to appeals within 45 days. If your appeal is denied, you may contact your state Attorney General (Connecticut residents: the Connecticut Attorney General).
California residents have CCPA/CPRA-style rights (right to know, delete, correct, opt out of sale/sharing, and limit use of sensitive personal information), which we honor voluntarily. We do not sell or share personal information as those terms are defined by the CCPA.
EU/UK residents: You have GDPR rights including access, rectification, erasure, restriction, portability, and objection. You may lodge complaints with your supervisory authority.
Washington, Nevada, and other consumer-health-data laws: see §11.
11. Consumer health data (Washington, Nevada, and similar laws)
Your check-ins, journal entries, reflections, crisis flags, and related information are "consumer health data." Our standalone Consumer Health Data Privacy Policy describes, for residents of Washington (My Health My Data Act), Nevada (SB 370), and other states with similar laws: the categories of consumer health data we collect, why, the sources, who can access it, the categories of processors we share it with, and how to exercise your rights. In short:
- We collect consumer health data only with your opt-in consent (§4) and only as needed to provide the Service
- We do not share consumer health data with third parties for their own purposes without your separate consent, and we never sell it
- You may access it, withdraw consent, and have it deleted — and deletion propagates to our processors (§9)
- We honor these requests through the channel and appeal process in §10
12. Security and breach notification
We use industry-standard safeguards: encryption in transit (HTTPS) and at rest, role-based access controls, row-level database security, logging of administrative actions, and regular security reviews. No system is 100% secure. If we discover a breach of security affecting your unsecured identifiable health information, we will notify you without unreasonable delay and no later than 60 days after discovery, and we will notify the Federal Trade Commission and other regulators (including the Massachusetts Attorney General) as required by law, including the FTC Health Breach Notification Rule. For records protected by 42 CFR Part 2, we honor the breach-notification duties that apply to those records.
13. Cookies, analytics & tracking
We use first-party browser storage (local and session storage) to keep you signed in, and the app stores some local caches (for example, your most recent check-in and journal drafts) in your browser. Our analytics are first-party: feature-usage events stored in our own database, and Vercel Analytics for aggregate page-view counts. We do not run third-party advertising trackers, advertising pixels, or ad-network integrations of any kind.
14. Children’s privacy
The Service is intended for users 18 and older. We do not knowingly collect personal information from anyone under 18; if we learn that an account belongs to someone under 18, we will remove it. In particular, we do not knowingly collect personal information from children under 13, and if we learn we have, we will delete it promptly.
15. International users
AORC is operated from the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S.
16. Changes to this policy
We will notify you of material changes by email or in-app notice at least 14 days before the change takes effect. If a material change would expand how we collect, use, or share your health-related information, it will not apply to you until we have obtained your renewed opt-in consent. Corrections and clarifications that do not reduce your rights may take effect when posted, with the "Last updated" date above revised. Your continued use after the effective date constitutes acceptance of changes that do not require renewed consent.
17. Contact
Angles of Recovery Care LLC
(a Massachusetts limited liability company)
ethan@anglesofrecoverycare.com