Privacy Policy
Effective Date: March 1, 2026
This Privacy Policy describes how The Script Health, LLC ("The Script," "we," "us," or "our") collects, uses, shares, and protects your personal information when you use our website, platform, and related services (collectively, the "Platform"). The Script Health, LLC is the employer of record for healthcare clinicians placed through our staffing services. All data collected through the Platform is stored on servers located in the United States.
By using the Platform, you agree to the collection and use of your information as described in this Privacy Policy. If you do not agree, please do not use the Platform.
Information We Collect
Personal Information You Provide
When you create an account, apply for positions, or interact with the Platform, we may collect the following categories of information:
Account Information: Your name, email address, phone number, and password.
Professional Data: Professional licenses, certifications, skills, specialties, employment history, education, and professional references.
Application Materials: Resumes, cover letters, and other documents you upload to the Platform.
Communication Preferences: Your preferred methods of contact, notification settings, and marketing preferences.
Sensitive Data Categories
We treat professional licenses, certifications, and background check data as sensitive categories with heightened protections. These data elements are subject to additional access controls and are shared only when necessary for credential verification and placement services.
Information Collected Automatically
When you use the Platform, we automatically collect certain information, including:
Usage Data: Pages visited, features used, search queries, and interaction patterns.
Device and Browser Information: IP address, user agent string, browser type, operating system, and device identifiers.
Authentication Logs: Timestamps, IP addresses, and authentication methods used when you log in or perform security-sensitive actions.
Cookies: We use httpOnly session cookies for authentication and security. See our Cookie Policy for details.
Information from Third Parties
We may receive information about you from the following sources:
Healthcare Facilities: Facilities you have worked with may provide performance feedback or assignment-related information.
Professional References: Individuals you designate as references may provide information about your qualifications and work history.
Google OAuth: If you choose to sign in with Google, we receive your name, email address, and profile picture from Google.
When we collect information about you from third-party sources, we will notify you of the collection and the source at or before the point of first use of that information.
How We Use Your Information
We use the information we collect for the following purposes:
Staffing Services: To match you with healthcare positions, process applications, manage placements, and fulfill our obligations as your employer of record.
Algorithmic Job Matching: We use automated decision-making to recommend positions based on your qualifications, preferences, geographic location, and availability. These recommendations are suggestions only and do not constitute binding offers or decisions. You may request human review of any algorithmically generated recommendation by contacting us at hello@thescript.health.
Compliance and Credential Verification: To verify professional licenses, certifications, and other credentials required for healthcare placements.
Communication: To send you assignment notifications, authentication codes, job alerts, and other service-related communications via email (Resend) and SMS (Twilio).
Platform Improvement: To analyze usage patterns, improve features, fix issues, and develop new services.
Security: To detect, prevent, and respond to fraud, unauthorized access, and other security threats.
Legal Obligations: To comply with applicable laws, regulations, and legal processes.
Washington My Health My Data Act
The Script recognizes that certain professional credential data — including professional licenses, certifications, and health-related employment history — may fall within the scope of the Washington My Health My Data Act ("MHMD Act"). We treat this data with the heightened protections required under the MHMD Act.
Categories of Health Data Collected: Professional healthcare licenses, clinical certifications, health-related employment history, and credential verification records.
Purposes of Collection: Credential verification, regulatory compliance, staffing placement services, and ensuring patient safety through qualified clinician placement.
Third Parties With Whom Health Data Is Shared: Healthcare facilities (for placement purposes, at the user's direction), licensing boards (for verification), and service providers contractually bound to protect such data.
Your Rights Under the MHMD Act: You have the right to withdraw consent to the collection and sharing of your health data, request deletion of your health data (subject to regulatory retention requirements), and receive confirmation of whether we hold health data about you. To exercise these rights, contact us at hello@thescript.health.
Information Sharing
We do not sell your personal information. When we share your professional data with healthcare facilities for placement purposes, this sharing is performed at your direction as part of our service delivery and does not constitute a "sale" of personal information under the California Consumer Privacy Act (CCPA) or California Privacy Rights Act (CPRA).
We may share your information with the following parties:
Service Providers: We use Resend (email delivery), Twilio (SMS delivery), DigitalOcean (hosting, storage, and database), and Google (OAuth authentication). Each provider is contractually obligated to protect your data and use it only for the purposes of providing services to us.
Healthcare Facilities: We share professional information, qualifications, and credentials with healthcare facilities as necessary to facilitate your placement at your direction.
Legal Requirements: We may disclose your information when required by law, regulation, court order, or governmental authority, or when we believe disclosure is necessary to protect the rights, property, or safety of The Script, our users, or the public.
Data Retention
We retain your personal information for seven (7) years from the date of your last activity on the Platform. This retention period is based on regulatory requirements including the Fair Labor Standards Act (FLSA), Internal Revenue Service (IRS) record-keeping requirements, and Sarbanes-Oxley Act (SOX) provisions. Authentication logs may be subject to shorter retention periods based on their specific purpose.
When you request deletion of your account, we implement a 30-day soft delete grace period during which you may restore your account. After this grace period, your data is queued for permanent deletion. Data is automatically and permanently deleted after the applicable retention period expires.
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
Right to Access: Request a copy of the personal information we hold about you.
Right to Correction: Request correction of inaccurate or incomplete personal information.
Right to Deletion: Request deletion of your personal information, subject to regulatory retention requirements.
Right to Portability: Request your personal information in a structured, commonly used, machine-readable format.
Right to Opt-Out: Opt out of non-essential communications at any time.
California Residents — CCPA/CPRA Rights
If you are a California resident, you have additional rights under the CCPA and CPRA, including the right to know what personal information we collect, the right to delete your personal information, the right to opt out of the sale or sharing of personal information (we do not sell personal information), and the right to non-discrimination for exercising your privacy rights.
We will respond to all verified requests within 30 days. To exercise any of these rights, contact us at hello@thescript.health.
Data Security
We implement technical and organizational measures designed to protect your personal information, including:
Encryption: Data is encrypted in transit using TLS and at rest on our servers.
Access Controls: Role-based access controls limit data access to authorized personnel.
Audit Logging: We maintain audit logs of data access and modifications.
Authentication Security: We use httpOnly cookies to prevent cross-site scripting attacks and support multi-factor authentication (TOTP and SMS) for enhanced account security.
US-Only Infrastructure: All data is stored on DigitalOcean servers located in the United States.
Breach Notification
In the event of a data breach that compromises your personal information, we will notify affected users within 30 days in accordance with the Washington State Data Breach Notification Act (RCW 19.255.010) and any other applicable state notification laws.
Children's Privacy
Our services are designed for licensed healthcare professionals. We do not knowingly collect information from individuals under 18. If we learn that we have collected personal information from a person under 18, we will promptly delete that information.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Platform with a revised effective date and, where appropriate, by sending you an email notification. Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
Governing Law
This Privacy Policy is governed by the laws of the State of Washington, without regard to its conflict of laws principles.
Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:
Email: hello@thescript.health
Phone: (206) 424-1101
Location: Redmond, WA