Privacy Policy

Who We Are

PHCLink is a product of SOAR Consulting Group, LLC, an S Corporation organized under the laws of the United States. SOAR Consulting Group develops technology solutions for the emergency services community, with a primary focus on Community Risk Reduction tools for fire departments and EMS agencies.

For privacy-related inquiries, please contact us at:

Scope of This Policy

This Privacy Policy applies to:

• The PHCLink Writer mobile application (Android)
• The PHCLink Reader mobile application (Android)
• The PHCLink Device Initializer application (internal use only)
• PHCLink branded NFC physical devices (wristbands, magnets, wallet cards)
• The PHCLink website located at https://phclink.com
• Any communications, forms, or inquiries submitted through the website or by email

This policy does not apply to third-party services, platforms, or applications that may interact with PHCLink products, including but not limited to the Google Play Store, HubSpot CRM, or any fire department or EMS agency's own data systems. Those services are governed by their own privacy policies.

The PHCLink Data Architecture

The system is architected specifically to keep sensitive medical information under the control of the individual and their authorized fire department or EMS contacts — not under the control of SOAR Consulting Group.

3.1 — PHCLink Writer Application

The PHCLink Writer app is used by authorized fire department and EMS personnel to create emergency medical profiles.

Data Entered by Users

• Personal identification information (first name, last name, date of birth, blood type)
• Emergency contact information (names, relationships, phone numbers)
• Medical information (allergies, medications, conditions, implanted devices, DNR status, organ donor status)
• Certification information (name of certifying personnel, date and time of certification)

Where That Data Goes

• All medical profile data is written directly to the physical PHCLink NFC device at the time of profile creation.
• This data is NOT transmitted to SOAR Consulting Group servers, stored in any SOAR database, or sent to any third party at any time.
• The data exists solely on the physical NFC device after the write operation is complete.
• The Writer app does not retain a copy of the profile after writing. Once the write succeeds, the data exists only on the NFC device.

License & Account Data

To activate the PHCLink Writer app, organizations obtain a license key from SOAR. In connection with licensing, SOAR collects and retains organization name and type, primary contact name and email, license key records, and general geographic service area. This information is used solely for license management and support — it is never sold.

3.2 — PHCLink Reader Application

• The Reader app requires no user account, login, or registration of any kind.
• The Reader app does not collect, transmit, or store any personal information about the first responder using it.
• Profile data read from a PHCLink device is displayed on screen and is not stored, transmitted, or retained after the app is closed.
• The Reader app functions entirely offline. No internet connection is required or used during the profile display process.
• SOAR Consulting Group receives no information about when, where, or by whom a PHCLink device is scanned.

3.3 — PHCLink Physical NFC Devices

• The device owner is solely responsible for the security and physical custody of the NFC device.
• Any NFC-enabled phone may be able to read a PHCLink device if presented for scanning. NFC devices are not encrypted at the storage level — data is readable by any NFC reader.
• SOAR Consulting Group is not responsible for unauthorized access resulting from loss, theft, or misuse of a physical device.
• Serial numbers assigned during initialization are used for inventory management only and are not linked to personal information in SOAR's systems.

Website Data Collection

4.1 — Information You Provide Voluntarily

When you submit a product inquiry or contact form through the PHCLink website, you may provide your name, organization name and type, job title, email address, phone number, geographic location, and any message you include. This information is used to respond to your inquiry and provide information about PHCLink products and licensing. We do not use it to send unsolicited marketing communications unrelated to PHCLink.

4.2 — HubSpot CRM Integration

SOAR Consulting Group uses HubSpot, Inc. as its customer relationship management platform. When you submit an inquiry through the PHCLink website, your contact information and inquiry details are transmitted to and stored in HubSpot's systems. HubSpot acts as a data processor on behalf of SOAR, governed by SOAR's instructions and HubSpot's Data Processing Agreement.

HubSpot's privacy policy is available at: legal.hubspot.com/privacy-policy

By submitting an inquiry, you consent to your contact information being processed through HubSpot for the purpose of responding to your inquiry and maintaining a record of our business relationship.

4.3 — Cookies and Analytics

The PHCLink website may use session cookies, analytics cookies that collect anonymous aggregated data, and HubSpot tracking cookies. You may disable cookies through your browser settings, though this may affect certain website features. We do not use cookies to track individual users across unrelated third-party websites.

4.4 — Automatically Collected Technical Information

Our web hosting provider may automatically collect your IP address, browser type and version, operating system, referring URL, and pages visited. This is used for security monitoring and aggregate traffic analysis only, and is not linked to personally identifiable information.

HIPAA Considerations

The data flow within the PHCLink system is as follows: a community member voluntarily provides their medical information, authorized personnel enter that information into the PHCLink Writer app, and the data is written directly and exclusively to the physical NFC device — which belongs to and remains in the physical possession of the community member. At no point in this process does the fire department, EMS agency, hospital, or any other user organization receive, store, transmit, or maintain that data in any system, database, server, or record under their control. The Writer app retains no copy of the profile after the write operation completes.

This architecture is a deliberate design decision. PHCLink does not function as an electronic health record, a patient data repository, a data collection platform, or any other system through which an organization could accumulate protected health information. The system provides authorized personnel with a conduit to place information directly onto a device owned by the individual — nothing more.

Because the PHCLink system provides no mechanism for organizational retention of PHI, the traditional HIPAA Business Associate relationship — which arises when a vendor receives, maintains, or transmits PHI on behalf of a covered entity — does not apply to SOAR Consulting Group in the context of medical profile data. SOAR never receives that data.

Reader App Access at Point of Care

When a first responder uses the PHCLink Reader app on scene to view a patient's profile, they are momentarily accessing medical information. The Reader app displays the profile and does not store, transmit, log, or retain any of that information after the session ends. Whether this momentary access creates any HIPAA obligation for the responding agency depends on whether that agency qualifies as a covered entity. Most fire departments that do not provide medical transport services are not covered entities. Hospital personnel, by contrast, are employed by covered entities and should follow their organization's existing HIPAA protocols when accessing any patient information, including PHCLink profiles.

Informed Consent — A Best Practice Recommendation

Although the PHCLink architecture eliminates the organizational data retention that typically drives HIPAA compliance obligations, SOAR Consulting Group strongly recommends that fire departments, EMS agencies, and hospital personnel obtain informed consent from community members before creating a PHCLink profile on their behalf. This is not a HIPAA legal obligation in this context — it is a best practice rooted in community trust, ethical emergency services practice, and the principles of Community Risk Reduction. The PHCLink Writer app includes a legal acknowledgment step for this purpose.

How We Use Information

SOAR Consulting Group uses the information we collect for the following purposes:

Information Sharing and Disclosure

SOAR Consulting Group does not sell, rent, or trade personal information to third parties. We may share information in the following limited circumstances:

7.1 — Service Providers

We share information with third-party service providers who assist in operating our business, including HubSpot for CRM and inquiry management. These providers are contractually obligated to use information only as directed by SOAR and to maintain appropriate security standards.

7.2 — Legal Requirements

We may disclose information if required by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect the rights, property, or safety of SOAR Consulting Group, our customers, or the public.

7.3 — Business Transfers

In the event of a merger, acquisition, or sale of assets involving SOAR Consulting Group, information we hold may be transferred as part of that transaction. We will provide notice before information is transferred and becomes subject to a different privacy policy.

7.4 — With Your Consent

We may share information for purposes not described in this policy with your explicit consent.

Data Retention

We retain different categories of information for different periods based on operational and legal requirements:

Your Rights and Choices

Depending on your location and applicable law, you may have certain rights regarding personal information we hold about you. SOAR Consulting Group will honor the following rights upon verified request:

9.1 — Right to Access

You may request a copy of the personal information SOAR Consulting Group holds about you in connection with your inquiry, license, or business relationship.

9.2 — Right to Correction

You may request that we correct inaccurate or incomplete personal information we hold about you.

9.3 — Right to Deletion

You may request deletion of personal information we hold about you, subject to legal obligations to retain certain business records. Note that SOAR cannot delete medical profile data stored on physical NFC devices, as that data is not in our possession or control. To delete profile data from a PHCLink device, the fire department or EMS agency that created the profile must overwrite the device, or the device must be physically destroyed.

9.4 — Right to Opt Out of Marketing Communications

You may opt out at any time by clicking the unsubscribe link in any email communication, or by contacting us at privacy@phclink.com.

9.5 — California Residents — CCPA Rights

California residents have additional rights under the California Consumer Privacy Act (CCPA) including the right to know what personal information is collected, whether it is sold or disclosed and to whom, the right to opt out of its sale, and the right to non-discrimination for exercising CCPA rights. SOAR Consulting Group does not sell personal information as defined under the CCPA. To exercise your CCPA rights, contact us at privacy@phclink.com with the subject line "CCPA Rights Request."

Data Security

SOAR Consulting Group implements reasonable administrative, technical, and physical safeguards to protect the personal information we collect, including:

• Encrypted transmission of data between the website and our servers (SSL/TLS)
• Access controls limiting personal information to authorized personnel with a legitimate business need
• Use of reputable third-party service providers (HubSpot) with established security certifications
• Regular review of data handling practices

No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify affected individuals as required by applicable law.

Children's Privacy

PHCLink products and services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13 through our website or applications. PHCLink devices may be created for individuals of any age, including minors, by their authorized guardians in coordination with a licensed fire department or EMS agency. In such cases, the agency and guardian are responsible for ensuring appropriate consent has been obtained. If you believe a child under 13 has provided personal information through our website without parental consent, please contact us at privacy@phclink.com.

Third-Party Links and Services

The PHCLink website may contain links to third-party websites provided for informational convenience only. SOAR Consulting Group is not responsible for the privacy practices or content of third-party websites. PHCLink NFC devices include a URI record that may direct users to phclink.com if scanned by a device without the PHCLink Reader app installed. The phclink.com website is governed by this Privacy Policy.

Changes to This Privacy Policy

SOAR Consulting Group may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this policy, post the revised policy at https://phclink.com/privacy, and where required by law notify affected users by email. Your continued use of PHCLink products or services after the effective date of a revised policy constitutes your acceptance of the updated terms.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or SOAR Consulting Group's data practices, please contact our Privacy Officer:

We will respond to all privacy-related inquiries within 30 days of receipt.