Privacy Policy

Last Updated: April 23, 2026

1. Introduction

TintPass ("we," "our," or "us") is a Management Services Organization (MSO) that facilitates connections between patients and independently licensed Texas physicians for the purpose of medical evaluations related to window tint exemptions under Texas Transportation Code §547.613. This Privacy Policy describes how we collect, use, disclose, and protect your personal information and protected health information (PHI).

2. Information We Collect

We collect the following categories of information:

  • Personal Identifiers: Full name, date of birth, mailing address, phone number, and email address.
  • Protected Health Information (PHI): Medical conditions, symptoms related to sunlight sensitivity, symptom descriptions, and physician evaluation notes.
  • Vehicle Information: Vehicle year, make, model, VIN, and license plate number.
  • Account Credentials: Email address and hashed password (we never store plaintext passwords).
  • Payment Information: Payment processing is handled by Stripe, Inc. We store only a payment reference ID and amount paid. We do not store credit card numbers.
  • Usage Data: IP address, browser type, pages visited, and other standard web analytics data.

3. How We Use Your Information

  • To facilitate telehealth medical evaluations by independently licensed Texas physicians.
  • To issue and manage medical exemption cards for window tint.
  • To process payments through our payment processor (Stripe).
  • To communicate with you via SMS (Twilio) and email regarding your application status and exemption.
  • To comply with legal and regulatory obligations.
  • To improve our services and user experience.

4. Who We Share Your Information With

  • Licensed Physicians: Your medical and personal information is shared with independently licensed Texas physicians who conduct your evaluation.
  • Stripe, Inc.: Payment information is processed by Stripe under their own privacy policy.
  • Twilio, Inc.: Your phone number is shared with Twilio for SMS notifications about your application.
  • Database Provider: Your data is stored in a secure, encrypted database hosted by our infrastructure provider.
  • Law Enforcement: We may disclose information if required by law, subpoena, or court order.

We do not sell your personal information or PHI to third parties.

5. Patient Rights Under HIPAA

Under the Health Insurance Portability and Accountability Act (HIPAA), you have the following rights:

  • Right to Access: You may request a copy of your PHI that we maintain.
  • Right to Amend: You may request corrections to your PHI if you believe it is inaccurate or incomplete.
  • Right to Restrict: You may request restrictions on certain uses and disclosures of your PHI.
  • Right to Accounting of Disclosures: You may request a list of certain disclosures we have made of your PHI.
  • Right to File a Complaint: You may file a complaint with us or with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights if you believe your privacy rights have been violated.
  • Right to Receive Notice: You have the right to receive this notice of our privacy practices.

6. Patient Rights Under Texas Health & Safety Code Chapter 181

Under the Texas Medical Records Privacy Act (Chapter 181, Texas Health & Safety Code), you have additional protections regarding the use and disclosure of your PHI. Texas law provides that covered entities may not use, disclose, or sell your PHI for marketing purposes without your written authorization. You also have the right to receive notice of any unauthorized access or breach of your health information. Texas law may impose stricter requirements than federal HIPAA regulations, and we comply with both.

7. Data Retention

We retain your medical records and associated personal information for a minimum of seven (7) years from the date of the last physician encounter, in compliance with Texas medical records retention requirements. After the retention period, records may be securely destroyed.

8. Security Measures

  • All data is encrypted at rest in our database.
  • All data in transit is protected using TLS (Transport Layer Security) encryption.
  • Passwords are hashed using the industry-standard bcrypt algorithm and are never stored in plaintext.
  • Access to patient data is restricted to authorized personnel and licensed physicians.
  • We conduct regular security reviews of our systems and processes.

9. Breach Notification

In the event of a breach of unsecured PHI, we will notify affected individuals within sixty (60) days of discovery, as required by HIPAA and Texas House Bill 300 (HB 300). Notification will be made via email or first-class mail. If the breach affects more than 500 Texas residents, we will also notify the Texas Attorney General and the U.S. Department of Health and Human Services.

10. Cookies and Tracking

Our website may use cookies and similar technologies for essential site functionality, such as maintaining your session during the intake process. We may also use analytics tools to understand how visitors use our site. You can control cookie settings through your browser preferences.

11. Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information or PHI from children under 18. If we become aware that we have collected information from a person under 18, we will take steps to delete that information promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Any material changes will be posted on this page with an updated "Last Updated" date. Continued use of our services after changes constitutes acceptance of the revised policy.

13. Contact Information

For questions or concerns about this Privacy Policy, to exercise your privacy rights, or to file a complaint, please contact us at:

TintPass Privacy Officer

Email: info@tintpassrx.com

Phone: (469) 757-4325

You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr or by calling 1-800-368-1019.