Compliance

Effective: December 7, 2025

This page summarizes the legal, privacy, and security frameworks Pathways to Parenthood Inc. ("PtP") respects. For binding terms, see our Terms of Service and Privacy Policy.

1) Hybrid Data Model & Roles

PtP primarily processes user-entered data and, with user authorization, may receive records from providers (e.g., labs, clinics). PtP treats all health information with HIPAA-grade safeguards. HIPAA Business Associate obligations apply only to datasets governed by an executed BAA.

HIPAA-gradeRBACZero Trust

2) U.S. Federal Requirements

HIPAA & HITECH

Privacy, Security, Breach Notification Rules
Minimum Necessary, BAAs (as applicable)

HHS HIPAA

FTC Health Breach Notification Rule

D2C health app breach notices
Third-party incident reporting

FTC HBNR

21st Century Cures Act

Information blocking prohibitions
Patient access & interoperability

ONC Cures Rule

FDA – Non-Device CDS

No diagnosis/treatment by software
Human-in-the-loop decision support

FDA CDS Guidance

3) U.S. State Privacy & Health Data

California: CCPA/CPRA; CMIA; California Privacy Protection Agency
Virginia: VCDPA
Colorado: CPA
Connecticut: CTDPA
Utah: UCPA
New York: SHIELD Act
Washington: My Health My Data Act (strict health data protections)

4) International (GDPR/UK GDPR)

Lawful bases for processing; explicit consent for special-category data
Data subject rights (access, erasure, portability, objection)
Cross-border transfers with appropriate safeguards

GDPR Guide ·UK ICO

5) AI Governance & Safety

NIST AI Risk Management Framework
NIST Privacy Framework
OECD AI Principles
IEEE P7003 (Algorithmic Bias)

NIST AI RMF ·NIST Privacy ·OECD AI

6) Security & Audit Readiness

Encryption in transit and at rest (TLS 1.2+, AES-256)
Role-based access control; least privilege; zero trust segmentation
Audit logging, monitoring, vulnerability management
Annual third-party penetration testing
SOC 2–aligned controls; PCI-DSS via payment processors

7) Regulator & Standards Links

This page summarizes PtP's compliance posture. It does not create a contract or provide legal or medical advice. For commitments, see our Privacy Policy and Terms.