Save this document for offline use

Data Governance & Security Policy (DGSP)

Sleep & Safety Monitoring Edition — Stark County DODD Contract #2558727
Version 1.0 · April 2026 · Medforall

Plain-Language Summary

If you or your loved one is using HEARO thermal sensors for sleep and safety monitoring, here’s what you need to know:

Thermal sensors are heat cameras, not photo cameras. They show heat patterns only — no faces, no identifying features.
We only watch during scheduled monitoring hours. Outside those hours, the system is in Privacy Mode.
Access is limited to your care team on their scheduled shifts. Every access is logged.
Your data is encrypted in transit (TLS) and at rest (AES-256). Medforall holds the keys.
You have rights. You can pause or stop monitoring anytime, request a summary of your data, and ask for corrections.
We will never sell your data, use it for ads, or train external AI on it.

Important: This system supports the people keeping your loved one safe — it does not replace them. Notifications go to awake, on-duty staff only. No existing supports are removed until the team has real data showing the system is reliable for this person.

1. Purpose & Scope

This policy governs how Medforall collects, accesses, stores, secures, and retains data from thermal sensors used for sleep and safety monitoring in community-based HCBS residences. This scoped version focuses on thermal-only deployments for the Stark County program (60 participants with DD and seizure disorders).

This policy aligns with Ohio’s proposed rule 5123-2-XX (audio/video devices in HCBS residences) and applies to individuals, families/guardians, care teams, and Medforall as the data controller.

What this policy covers: thermal sensor data collection and access, encryption and security, who can see the data and when, retention periods, and your rights.

What this policy does NOT cover: RGB cameras (separate addendum), audio monitoring (not part of thermal-only scope), wearable devices (separate agreements).

2. What Thermal Sensors Collect

The Two-Layer Privacy Model

Privacy in the HEARO system works on two levels:

Inherent thermal privacy: Thermal sensors detect infrared heat and create heat-map images. No faces, no identifying features — though body shape, posture, limb positions, and activity are visible. Heat patterns cannot reveal identity.
Software filters: Additional software processing further reduces what the human viewer sees, limiting visual detail beyond what thermal inherently provides.

What Thermal Sensors Can Detect

Capability	Description
In-bed / out-of-bed state	Whether a person is lying in bed or has gotten up
Posture changes	Lying to sitting to standing, based on heat signature shape
Movement patterns	Activity vs. stillness, restlessness during sleep
Prolonged inactivity	No movement beyond a configured threshold
Floor presence	Heat signature at floor level (potential fall)
Body shape & limb positions	General body form, gender indicators, multiple people distinguishable
CPAP displacement	Mask movement or removal detectable via head region
Liquid on bed	Temperature differential from body-temp liquids
Baseline deviations over time	Changes from normal patterns (improves over 30–90 days)

What Thermal Sensors Cannot Detect

Cannot Detect	Why
Faces or identity	Thermal resolution and modality cannot capture identifying facial features
Text, clothing color, room contents at ambient temp	Objects at room temperature are invisible to thermal
Emotional state	Heat patterns do not convey subjective experience
Seizure activity itself	Seizures are neurological events; thermal detects movement consequences only
Breathing or respiratory distress	Thermal does not measure airflow or respiratory rate
Choking or aspiration	Internal events without distinct thermal signature

Seizure Monitoring: Thermal is a moderate confidence proxy for tonic-clonic seizures. It detects movement consequences (falls, thrashing, prolonged immobility) — not seizure electrical activity. It cannot detect absence or focal seizures. Confidence improves with 30+ days of baseline data.

3. Data Security

Encryption

In transit: TLS encryption (bank/healthcare standard) for all data between sensors and cloud
At rest: AES-256 encryption (military-grade) for stored data
Key management: Medforall holds encryption keys. On consent withdrawal, keys are destroyed — making data unreadable.

Access Control

Shift-based access: Staff can view data only during scheduled monitoring shifts
Multi-factor authentication: Password + second verification for all staff logins
No shared accounts: Individual logins with full audit trail
Least-privilege roles: Remote support sees live data; supervisors can approve emergency access; SSAs see summaries only
Network isolation: Sensors operate on a protected network segment, separated from home WiFi

Local Buffer & Backups

If internet fails, sensors store up to 24 hours of encrypted data locally, then auto-upload when restored
Encrypted backups protect against server failures
No vendor back-doors; security patches on a documented schedule

4. Who Can Access Your Data & When

Role	Can See	Cannot Do	When
Remote Support Staff	Live thermal stream, shift recordings, alerts	Access outside shift hours, download/export, change settings	Scheduled monitoring hours only
Supervisors	Same as above + emergency override approval, audit logs, limited export for incidents	Override consent/ISP, delete audit logs	Scheduled hours + documented emergencies
SSAs / Service Coordinators	Monthly/quarterly summaries, alert event logs, outcome data	View live data, request incident packages without formal process	Routine business hours
Family / Guardian	Separate encrypted stream via Guardian App (if enrolled in AT)	Access provider-side data	Per care plan agreement

5. Emergency Access (Break-Glass Protocol)

In a life-threatening emergency outside normal hours:

Supervisor approves access based on emergency reason
Live thermal stream opens for up to 30 minutes
Real-time notification sent to you and supervisory staff
Access is logged with reason code, timestamp, and duration
Post-event review within 1 business day
You are notified and can dispute if you believe it was misused

6. Data Retention & Deletion

Data Type	Retention
Routine sleep monitoring recordings	30–90 days (unless you request longer)
Seizure monitoring / higher-risk	Up to 180–365 days (baseline building)
Audit logs and access records	Minimum 1 year
Major Unusual Incident (MUI) recordings + logs	Minimum 7 years from incident date
Data outside monitoring hours	Automatically deleted after 24 hours

Secure deletion uses cryptographic hash-check verification. You receive proof of destruction.

7. What We Will Never Do

Never sell your data to advertisers, data brokers, or commercial enterprises
Never use it for targeted advertising or build marketing profiles
Never train external AI systems on your data
Never share with vendors or third parties without explicit consent
Never use data for purposes outside your care plan
Never disclose to individuals not part of your care team

8. Your Rights

Right	How It Works
Pause or stop monitoring	Anytime. No permission, penalty, or explanation needed. System enters Privacy Mode.
Withdraw consent	All monitoring stops and data is deleted (except MUI-related). Effective within 7 business days. Deletion verified with hash-check.
Access your data	Request a summary of what was collected, who accessed it, and when. Provided within 30 days in plain language.
Correct or dispute	File a complaint about wrong schedules, inappropriate access, or misuse. Investigated within 10 business days.
Accommodations	Available in large print, audio, other languages, or simplified versions.

9. Privacy Controls Available to You

Privacy Mode: No recording or viewing outside scheduled hours
Manual shutter: Physically cover the lens to disable (a blanket works — it’s just heat)
Region of Interest cropping: Mask areas of the room you don’t want monitored
Modality switching: Switch to less intrusive sensors at certain times

10. Audit & Accountability

Every access is logged with who, when, why, what they did, and the outcome. Logs are immutable. Medforall conducts periodic audits for compliance. You can request an audit report of all accesses to your data in the past 6 months, provided within 30 days.