1. Scope — who this policy covers (and who it doesn't)
CCE Platform, Inc. ("CCE," "we") operates two distinct surfaces with two distinct privacy regimes. Read the part that applies to you.
| Surface | Who you are | What governs your data |
|---|---|---|
Beacon (beacon.cce-platform.com, Beacon apps) | A patient / caregiver using your own emergency health profile | This Privacy Policy plus the separate Consumer Health Data Privacy Policy. CCE is the data controller. |
| OMD / CCE platform (field app, OMD Admin, Builder Lab) | An EMS clinician/administrator of a contracting agency | HIPAA + your agency's Notice of Privacy Practices, not this policy. CCE is a HIPAA Business Associate processing PHI on behalf of your agency under a Business Associate Agreement. See §10. |
Marketing site (cce-platform.com) | A visitor | §§3–9 (limited — contact + minimal analytics). |
The critical boundary: Protected Health Information (PHI) that EMS agencies process through OMD is not governed by this consumer Privacy Policy. It is governed by HIPAA, the BAA between CCE and the agency, and the agency's own privacy notices. This policy governs the consumer (Beacon) relationship and ordinary website/account data.
2. Quick summary (not a substitute for the full text)
- We collect health and account information only to provide the services you ask for — emergency profile, MyChart import, patient-authorized sharing, consent management, export, and deletion.
- We do not sell your data, do not sell or share access to it, and do not use it for advertising — including de-identified data, which we do not sell.
- Health data is stored on your device and on servers in the United States.
- You can export, review the access log for, and delete your Beacon data.
- We use sub-processors under data-protection terms (§7); for any PHI path they are HIPAA-BAA-covered.
3. Information we collect (Beacon / consumer)
You provide:
- Account identifiers (email, authentication credentials via Firebase Auth).
- Emergency profile details: demographics, medications, allergies, conditions, history/baseline, emergency contacts.
- Documents you add to your vault.
- Consent grants and share settings you create.
From connected sources, only with your authorization:
- Epic / MyChart (SMART-on-FHIR) data you choose to import — demographics, allergies, conditions, medication orders, observations, diagnostic reports, immunizations, procedures, documents. Imported items are review-required; you choose what to save. Epic access tokens are held server-side only and never exposed to the client.
Collected automatically:
- Security and audit logs (access events, share/consent events, sign-in events).
- Limited technical/device metadata needed to operate and secure the service.
- We do not enable advertising analytics on PHI surfaces (advertising/analytics SDKs are kept off PHI surfaces).
4. How we use information
We use Beacon information solely to:
- Create and maintain your emergency profile;
- Import and let you review MyChart data;
- Deliver a time-boxed, consent-scoped snapshot to EMS or care-team recipients you authorize (and, where you enable it, a durable post-ED / MIH follow-up grant with its own narrow scope);
- Maintain access logs and provide export/deletion;
- Secure the service and meet legal obligations.
We do not use your data for advertising or sell it (§5).
5. No sale; no advertising; no data-sharing for ads
CCE does not sell your personal or health information, does not sell access to it, and does not sell de-identified data. We do not "share" personal information for cross-context behavioral advertising. We do not use Beacon health data to serve ads.
6. How information is shared / disclosed
- EMS / care-team recipients you authorize — only the consent-scoped snapshot for the window you grant. Vault documents are excluded unless the grant scope includes them.
- Sub-processors — service providers that host, secure, and operate the platform, under contract (§7).
- Legal / safety — when required by law or to protect rights, safety, and security, limited to what is necessary.
- Business transfers — in a merger/acquisition, subject to this policy.
We do not disclose Beacon data to your EMS agency's OMD records except through the audited, patient-authorized snapshot egress. (By design, OMD never queries Beacon patient tables.)
7. Sub-processors
We use a maintained list of sub-processors (available on request). Any sub-processor on a PHI path is covered by a Business Associate Agreement and operates under a zero-retention / no-model-training posture for that data (clinical reasoning is routed only to BAA-covered providers). Hosting and core infrastructure are provided by Google Cloud (United States).
8. Data retention and deletion
- We retain Beacon profile, clinical facts, vault documents, imported records, SMART tokens, share grants, and access logs while your account/profile is active.
- You may delete your account (in-app "Delete account," or email support@cce-platform.com from your account email). Deletion removes profile details, saved clinical facts, vault documents, and stored Epic-imported data, and immediately revokes active sharing.
- Limited retention: security, consent, access, and audit records may be retained as needed for legal, fraud-prevention, compliance, and system-integrity purposes. Disconnecting MyChart deletes the associated SMART access/refresh tokens.
9. Your rights and choices
Depending on your residency, you may have rights to access, correct, delete, export (portability), and restrict certain processing of your information, and to be free from discrimination for exercising them.
- All Beacon users: export your data, view your access log, request correction, and delete your account — in-app or via support@cce-platform.com.
- US state rights (e.g., California/CCPA, Colorado, Virginia, and consumer health-data laws): the access/deletion/portability/opt-out rights above apply; we do not sell or share for ads, so no ad opt-out is needed.
We verify requests against the account email before acting. Do not include urgent medical information in support email — Beacon is not an emergency service; call 911 for emergencies.
10. EMS clinician / agency users (HIPAA path) — not governed here
If you use OMD/CCE as a clinician or administrator of a contracting EMS agency, the patient information you handle is PHI processed by CCE as a Business Associate on behalf of your agency. That processing is governed by HIPAA, the BAA, and your agency's Notice of Privacy Practices — not this consumer Privacy Policy. Patients seeking their EMS records should contact the treating agency. Recording-consent practices follow state law (Missouri one-party / Illinois all-party) as configured by the agency.
11. Children
Beacon is not directed to children under 13. A parent/guardian may maintain a dependent's emergency profile as caregiver; that data is treated as the dependent's health information under this policy.
12. Security
We use administrative, physical, and technical safeguards including per-tenant row-level security, encryption in transit and at rest, envelope encryption of sensitive fields, signed-URL object access, server-side-only third-party tokens, and access/audit logging. No method of transmission or storage is 100% secure.
13. International users
The service is operated from and stores data in the United States. If you access it from outside the US, you consent to processing in the US.
14. Changes to this policy
We will post updates here with a new "Last updated" date and, for material changes affecting health data, provide a more prominent notice.
15. Contact
Privacy questions or requests: privacy@cce-platform.com. General: hello@cce-platform.com. Mailing: CCE Platform, Inc., 12747 Olive Blvd, Suite 300, St. Louis, MO 63141.