Privacy Policy — X-Ray Mobile Texas

1. About X-Ray Mobile Texas

X-Ray Mobile Texas, Inc. ("XRMT," "we," "us," or "our") is a HIPAA-compliant mobile diagnostic imaging provider serving skilled nursing facilities, assisted living communities, hospice providers, hospitals, and other healthcare organizations across the greater Houston metropolitan area.

We have provided mobile X-ray, EKG, and diagnostic imaging services for over 14 years. We take the privacy and security of all information entrusted to us seriously — whether it belongs to our patients, our client facilities, or our business partners.

2. Scope of This Policy

This policy covers information collected and processed through XRMT's business operations and technology systems, including:

Our public-facing website at houstonmobilexray.com
Our internal operations platform at internal.houstonmobilexray.com
SMS and MMS communications through our business phone systems
Sales, marketing, and client relationship management activities
Financial and operational reporting systems

Notice Regarding Protected Health Information (PHI) Patient health information is governed by HIPAA and covered under our separate Notice of Privacy Practices, which is provided to patients at the time of service. This privacy policy addresses business operations data only. PHI is never stored in, processed by, or accessible through the systems described in this policy.

3. Information We Collect

3.1 Business Contact Information

In the course of our sales and client relationship management activities, we collect professional contact information from healthcare facility administrators, directors of nursing, physicians, and other business contacts:

Name, professional title, and credentials
Business email address and phone numbers
Facility or organization name, type, and address
Professional relationship notes, meeting summaries, and service-related correspondence

This is business-to-business (B2B) contact information collected in a professional healthcare services context. We do not collect personal consumer data, social security numbers, dates of birth, or personal financial information of our business contacts.

3.2 SMS and MMS Communications

XRMT uses SMS/MMS messaging for internal business coordination among our field team. When messages are exchanged through our business SMS system:

Phone numbers are processed to route messages between team members
Message content may be processed to extract and organize business contact information (e.g., from a photographed business card)
Images sent via MMS are processed for optical character recognition (OCR) and securely stored

Our SMS service is used exclusively for internal business operations among XRMT personnel. We do not send unsolicited text messages to patients, consumers, or individuals outside our organization for marketing purposes.

SMS Consent & Message Flow All XRMT employees who participate in the Lead Capture Notifications program provide written consent before receiving any automated SMS messages. Consent is voluntary, not a condition of employment, and may be revoked at any time by replying STOP. A copy of the consent form is available at XRMT SMS Consent Form. Message frequency is approximately 5–20 messages per week depending on lead volume. Message and data rates may apply. Reply HELP for assistance or contact support@xraymobiletexas.com. Mobile information is never shared with or sold to third parties.

3.3 Financial and Operational Data

Our internal operations platform aggregates business financial data from authorized sources to provide operational visibility to XRMT leadership:

Accounting data (QuickBooks Online): Revenue, expense, and balance sheet summaries — accessed in real-time via API, not persistently stored
Payment data (Square): Invoice and payment summaries — accessed in real-time, not stored
Expense data (Expensify): Expense report summaries — accessed in real-time, not stored
Bank balance data (Plaid): Account names, types, and current balances — queried in real-time, never persisted
Accounts receivable data: Payer-level aging summaries from our billing system — aggregated with no patient-identifiable information
Order volume data (RapidRad): Facility-level exam counts and modality summaries — aggregated, no patient information

3.4 System User Accounts

Authorized users of our internal platform have accounts consisting of:

Business email address
Cryptographically hashed password (bcrypt with unique salt per user)
Role assignment (administrator or standard user)

4. How We Use Information

Service delivery: Coordinating mobile imaging services with client facilities
Client relationship management: Maintaining contact records, tracking service agreements, and managing our sales pipeline
Financial oversight: Monitoring business financial health, accounts receivable, and operational performance
Internal communications: Coordinating field operations among XRMT team members via SMS
Quality assurance: Tracking order volume and service patterns to maintain high standards of care

We do not sell, rent, lease, or disclose personal or business information to third parties for their own marketing or commercial purposes.

5. HIPAA Compliance and PHI Safeguards

XRMT is a HIPAA-covered entity. We maintain comprehensive administrative, physical, and technical safeguards to protect Protected Health Information in accordance with the HIPAA Privacy Rule (45 CFR Part 164, Subpart E) and Security Rule (45 CFR Part 164, Subpart C).

Architectural Separation of PHI

Our business operations systems are architecturally separated from clinical and billing systems that handle PHI:

Clinical systems (RapidRad/EmergentConnect): Contain patient records, imaging orders, and clinical data — secured under separate BAAs and HIPAA-compliant infrastructure
Business operations systems (this platform): Contain only aggregated, de-identified business metrics and B2B contact information — zero PHI by design

This separation ensures that a compromise of any business operations system cannot expose patient health information.

Business Associate Agreements

We maintain current Business Associate Agreements (BAAs) with all third-party service providers who access, process, or store data on our behalf where required by HIPAA. Our infrastructure providers (Google Workspace, Cloudflare) operate under executed BAAs.

Workforce Training

All XRMT personnel receive HIPAA privacy and security training, including protocols for handling PHI, recognizing and reporting breaches, and understanding the distinction between clinical and business data systems.

6. Data Security

Encryption in transit: All data transmitted between systems is encrypted using TLS 1.2 or higher
Encryption at rest: Data stored in our database (Cloudflare D1) and file storage (Cloudflare R2) is encrypted at rest
Authentication: User passwords are hashed using bcrypt with unique salts; sessions use signed JWT tokens in httpOnly cookies
Access control: Role-based access control restricts data visibility based on user authorization level
Application security: CSRF protection, Content Security Policy headers, Strict-Transport-Security, X-Frame-Options, and other defensive headers are enforced
SMS security: SMS data is processed through Twilio, which maintains SOC 2 Type II certification and encrypts data in transit and at rest
Vendor security: All automation services (Make.com) process data through encrypted channels with no long-term storage of message content

7. Data Retention

Data Type	Retention Period	Disposal Method
Business contact records	Duration of business relationship + 3 years	Deletion from all systems upon request or expiration
SMS message content	Processed in real-time; raw content not stored long-term	Extracted data follows contact record retention
Financial API tokens	Until disconnected by administrator	Deleted from encrypted database
Bank balance data	Not stored (real-time query only)	N/A
A/R summary uploads	24 months active, then archived	Secure deletion from cloud storage
MMS images (business cards)	Duration of business relationship	Deletion from cloud storage upon request
User accounts	Until terminated by administrator	Account and credential data deleted

8. Third-Party Service Providers

We use the following third-party services to operate our business systems. Each provider has been evaluated for security practices and data handling:

Provider	Purpose	Security	Privacy Policy
Cloudflare	Application hosting, database, file storage	SOC 2 Type II, ISO 27001	Link
Google Workspace	Email, business data (Sheets), file storage (Drive)	SOC 2, ISO 27001, BAA	Link
Twilio	SMS/MMS messaging	SOC 2 Type II, ISO 27001	Link
Make.com	Workflow automation	SOC 2 Type II, GDPR	Link
Anthropic (Claude)	AI-assisted data extraction	SOC 2 Type II	Link
Plaid	Bank account balance access	SOC 2 Type II, ISO 27001	Link
Intuit (QuickBooks)	Accounting data	SOC 1 & 2	Link
Square	Payment processing data	PCI DSS Level 1, SOC 2	Link
Expensify	Expense management data	SOC 1 & 2, PCI DSS	Link
Google Cloud Vision	Optical character recognition	SOC 2, ISO 27001	Link

9. Your Rights

Depending on your relationship with XRMT and applicable law, you may have the following rights:

Access: Request a copy of the information we hold about you
Correction: Request correction of inaccurate or incomplete information
Deletion: Request deletion of your information from our business systems, subject to legal and contractual retention requirements
Bank access revocation: Disconnect linked bank accounts at any time through our dashboard, through Plaid's consumer portal (my.plaid.com), or directly through your bank
SMS opt-out: Reply STOP to any message from (903) 600-9768 to cease receiving messages

To exercise any of these rights, please contact us using the information in Section 12. We will respond to verified requests within 30 days.

10. State Privacy Laws

XRMT respects the privacy rights granted under applicable state laws, including the Texas Data Privacy and Security Act (TDPSA). Texas residents may exercise their rights as described in Section 9 above. We do not sell personal information or use it for targeted advertising.

11. Changes to This Policy

We may update this policy to reflect changes in our business practices, technology systems, or legal requirements. The effective date at the top of this page indicates the most recent revision. Material changes will be communicated to affected parties through appropriate channels.

12. Contact Information

For questions about this policy, to exercise your privacy rights, or to report a concern:

Brian Truax
Managing Director of Growth & Strategy
X-Ray Mobile Texas, Inc.
brian@houstonmobilexray.com
Houston, TX

For matters related to Protected Health Information or HIPAA compliance, please contact us at the address above.