DSPFY Privacy Policy
Effective Date: April 9, 2026
The short version
DSPFY is built for direct support professionals (DSPs) by FY Network Inc. ("FY Network," "we," "us," or "our"). We built this app to make a DSP's work better, not to harvest their data. Here are the five things you should know before reading anything else:
- Your notes stay on your phone. DSPFY's AI runs on your device. We never upload your visit notes, your client information, or any Protected Health Information (PHI) to a server.
- No account required. DSPFY works without an email, a password, a phone number, or any login. We don't know who you are and we don't want to.
- Free for DSPs, always. You will never pay to use DSPFY. Agencies who choose to connect to DSPFY in the future will pay for their side of the connection. You will not.
- We don't advertise and we don't sell data. DSPFY has no ads, no sponsored content, and no data brokers. Not now, not later.
- You can delete everything with one tap. Settings → Delete all local data → done. Nothing survives on a server because nothing was ever on a server.
1. What this policy covers
This Privacy Policy applies to the DSPFY mobile app available in the Apple App Store and Google Play Store, and to related websites at dspfy.net and fynetwork.com/dspfy. It explains what information the app touches, where that information lives, who can see it, and what rights you have over it.
2. What information DSPFY handles
DSPFY processes two kinds of information:
a) Information you enter into the app. Visit notes, client initials, durations, service types, credentials, training records, tips you favorite, and app settings. This information lives only on your device in encrypted local storage. We do not receive it, we do not store it, and we do not transmit it anywhere.
b) Anonymous diagnostic information. The app may generate standard crash reports and anonymous usage statistics (how many times the app was opened, which screens were visited, how long AI inference took) to help us improve stability and performance. This information contains no client data, no visit notes, no PHI, and no identifier that could reasonably be linked back to you. You can turn off diagnostic reporting in Settings at any time.
3. AI and Protected Health Information (PHI)
DSPFY uses a small language model ("LLM") to help structure visit notes into the six required Medicaid documentation elements. This model runs entirely on your device. The model weights are downloaded to your phone when you first install DSPFY, and from that point forward, every AI operation happens locally in your phone's memory and storage.
We never send your visit notes, client information, or any PHI to FY Network servers, to model vendors (Meta, Google, Microsoft, or any other provider of open-source models), to cloud inference APIs (OpenAI, Anthropic, Google Cloud, AWS Bedrock, or any other), or to anyone else. The model loads, runs, and unloads entirely within your device.
Because no PHI ever reaches us, DSPFY in its standalone mode does not require a Business Associate Agreement (BAA) between you and FY Network. You remain the sole custodian of your own data.
4. Voice input and speech recognition
DSPFY supports voice input for writing visit notes. When you use the voice feature, DSPFY uses your device's built-in speech recognition (Apple's Speech framework on iOS, Android's SpeechRecognizer on Android) to convert audio to text. These built-in services are provided by Apple and Google respectively, and their privacy terms apply.
On most modern iPhones and Android devices, on-device speech recognition is available and is the default. If on-device recognition is not available on your device, the platform speech service may send audio to Apple or Google for transcription. You can see which mode your device supports in Settings → Privacy → Voice input.
DSPFY itself does not store audio recordings. Once speech is transcribed into text, the audio is discarded, and only the text is processed locally by the on-device model.
5. Regulatory content updates
DSPFY bundles a library of New Jersey Division of Developmental Disabilities (NJ DDD) regulations, documentation standards, labor rights guidance, emergency protocols, and related public content. Over time, this content is updated to reflect changes in state regulations.
To deliver these updates, your device will occasionally check a public URL on our website for new content (for example, every 24-72 hours when the app opens and the phone has an internet connection). This check downloads only the public regulatory content we publish. It does not upload anything from your device. No PHI, no visit notes, no client data, no identifiers leave your phone during a content update check.
6. Agency connection (future feature)
In a future release, DSPFY will offer an optional "connected mode" where a DSP can link the app to an agency they work for that has also subscribed to DSPFY. When and if you choose to connect, separate and explicit consent will be required before any information is shared with your agency.
If and when you connect, you will receive a separate agency connection disclosure that explains exactly what information flows between DSPFY, your device, and your agency's backend, along with a Business Associate Agreement where PHI is involved. Nothing in this standalone app version sends data to any agency. If the current version of DSPFY does not offer connected mode, ignore this section — it's here for transparency about the product roadmap.
7. Credentials and training tracker
DSPFY includes a local tracker for your credentials and trainings (CPR, First Aid, NJ DDD training bundles, background checks, etc.). Everything you enter stays on your device. In a future release, DSPFY may offer an option to log in to the Rutgers College of Direct Support (CDS) platform on your behalf to automatically pull training completion records. If that feature is available and you opt in, your CDS login credentials are stored only in your device's secure keychain (iOS Keychain or Android Keystore), never transmitted to our servers, and used only to scrape your own training status directly from the CDS website.
8. Children's privacy
DSPFY is not directed to children under 13. We do not knowingly collect information from children. DSPFY is designed for direct support professionals, who are generally adults in a regulated profession.
9. Your rights and choices
Because almost nothing leaves your device, most privacy rights are exercised directly on your phone:
- Access your data: browse it in the app. It's all there.
- Delete your data: Settings → Delete all local data. One tap. Irreversible.
- Export your data: individual notes can be exported via the share sheet; a full export (all notes, all credentials, all settings) is available in Settings → Export.
- Opt out of diagnostic reporting: Settings → Privacy → Diagnostics → Off.
- Opt out of content updates: Settings → Privacy → Regulatory content updates → Off. DSPFY will continue to work with the content that was bundled at app install time.
- Uninstall the app: removes DSPFY and everything it stored on your device.
Because we don't collect personal information about you, there is nothing on our servers for us to delete if you ask us to delete "your" data. We simply don't have it.
10. HIPAA, state privacy laws, and regulatory posture
DSPFY is designed with HIPAA in mind. In standalone mode, DSPFY does not transmit, store, or process PHI on any FY Network infrastructure, which means DSPFY in standalone mode is not acting as a Business Associate under HIPAA. The DSP (or the agency, if later connected) is the covered entity with responsibility for PHI handling. DSPFY is a tool that helps that handling happen well on the DSP's own device.
DSPFY also complies with applicable state privacy laws including the New Jersey Data Privacy Act (NJDPA). Because we do not collect personal information, do not sell data, and do not advertise, we do not need to establish the opt-out mechanisms required of data brokers and advertisers.
11. Security
Local data in DSPFY is stored in SQLite databases with encryption at rest via SQLCipher. Sensitive credentials (such as future CDS login tokens) are stored in the device's secure keychain. We rely on your device's own security (screen lock, biometric authentication, device encryption) to protect your data at the hardware level. We strongly recommend enabling a screen lock and biometric authentication on any device where you use DSPFY.
iCloud and device backups. DSPFY marks its local database files with the iOS NSURLIsExcludedFromBackupKey attribute. This means your visit notes, your Vault documents, and your AI model files are intentionally excluded from iCloud backups and iTunes/Finder backups. We do this for two reasons: (1) your visit notes may contain information about individuals you support, and backing them up to cloud storage without your explicit knowledge would be inconsistent with our on-device-only privacy posture; (2) the AI model file is large (1-2 GB) and would consume backup storage unnecessarily. If you reset your phone or move to a new device, you will need to re-download the AI model and re-enter any data you want to keep. Export your notes to your email before switching devices.
12. Third parties
DSPFY does not use third-party advertising, analytics platforms that track individuals, or data brokers. We may use Apple App Store Connect and Google Play Console for app distribution and crash reporting; these platforms are governed by Apple's and Google's own privacy policies.
13. Changes to this policy
If we update this Privacy Policy, we will change the Effective Date at the top of this page. For material changes, we will show you a notice in the app the next time you open it so you can review what changed before you continue using DSPFY. Your continued use of the app after the Effective Date constitutes acceptance of the updated policy.
14. Contact us
Questions about this Privacy Policy, about how DSPFY handles data, or about any concern? Email admin@fynetwork.com. We are a small team and we take privacy concerns seriously. You will get a real human reading your message.
Physical mail (if you prefer): FY Network Inc., Newark, NJ, USA.