Trust and guardrails
Trust is part of the service, not a decorative reassurance layer.
HAP is intended to operate inside explicit rules around sensitivity, approval, documentation, intake scope, and human override. This page is the public operating posture, not legal advice.
Operating rules
Initial intake is for scope and fit, not for the transfer of highly sensitive records.
HAP follows a data-minimization posture: collect less, ask later, retain only what is necessary.
AI suggestions do not replace human judgment in high-stakes decisions.
Every workflow needs a visible owner, an approval boundary, and an override path.
No black-box dependence: clients receive usable instructions and operating context.
What HAP will not do
Deploy autonomous decision-making in high-stakes settings
Push clients to upload sensitive material without an explicit review of risk and channel suitability
Install systems that only function while HAP remains in the room
Claim default HIPAA-grade handling or other regulated protections unless the actual scope, tooling, and agreements support it
Intake boundaries
Submitting an inquiry does not by itself create a physician-patient, therapist-client, attorney-client, or emergency response relationship.
Prospective clients should not send medical records, therapy notes, legal files, credentials, or other highly sensitive records in the first message unless specifically requested through an appropriate channel.
If a project may involve regulated or unusually sensitive information, HAP's intended operating model is to pause, define the handling requirements, and decide whether a separate agreement, more secure workflow, or a no-go decision is appropriate.
Why the language is this careful
The FTC's business guidance emphasizes data minimization, retaining only what is needed, and making privacy representations that match actual practice.
HHS' sample business associate agreement provisions show how much additional contractual and safeguard structure is required when protected health information is actually in scope.
Virginia's Consumer Data Protection Act requires assessments for processing sensitive data and other higher-risk activities.
Louisiana's data breach statute requires reasonable security procedures and breach notification without unreasonable delay, generally no later than sixty days after discovery.
Reference points
These references inform the public posture on this page. They are included for transparency and context, not as legal advice.