Legal

Privacy Policy

Velago is operated by the Mental Health Initiative for South Asians (MHISA), a nonprofit organization. This Privacy Policy describes how we collect, use, disclose, and protect information through the Velago platform (the “Platform”). By using the Platform, you agree to the practices described in this policy.

Velago is designed to facilitate mental health screening, demographic data collection, and referral to culturally concordant mental health providers in school settings. We take the privacy and security of your information seriously, particularly because the Platform handles sensitive health information about minors.

1. Information We Collect

1.1 Student Information (Collected via School Social Workers)

When a school social worker uses Velago to screen and refer a student, the following information may be collected:

  • Name and date of birth
  • Grade and school enrollment
  • Gender identity, sex assigned at birth, and sexual orientation
  • Race, ethnicity, and cultural background
  • Primary language and language spoken at home
  • Religious or spiritual identity
  • ZIP code and address
  • Insurance status and household income
  • Transportation access and appointment modality preferences
  • Mental health screening responses (PHQ-9 and GAD-7 scores)
  • Provider preferences (gender, specialty areas, language, cultural background)
  • Prior mental health treatment history
  • Referral records, including provider match information, referral status, and appointment outcomes
  • Access barrier information (transportation, internet, caregiver support, privacy)

1.2 Parent/Guardian Information

  • Name and email address (for consent purposes via DocuSign)
  • Phone number (for consent reminders via automated text message)

1.3 School Social Worker / Counselor Information

  • Name and email address (for platform login and communication)
  • School affiliation

1.4 Mental Health Provider Information

  • Name, credentials, and license information
  • Practice name, address, phone number, and email
  • Insurance panels accepted, session rates, and sliding-scale availability
  • Specialties, languages spoken, cultural background, and religious familiarity
  • Availability and modality offerings

1.5 Automatically Collected Information

The Platform does not collect IP addresses, geolocation data, or device identifiers for research or tracking purposes. Standard server logs may temporarily record connection data for security and troubleshooting purposes; these logs are not linked to individual users and are purged regularly.

2. How We Use Your Information

We use the information collected through the Platform for the following purposes:

  • To administer mental health screening (PHQ-9, GAD-7) for students identified by school social workers
  • To match students with culturally concordant mental health providers based on demographic data, preferences, insurance, language, and location
  • To facilitate referrals from school social workers to mental health providers
  • To track referral outcomes (provider contact, appointment scheduling, care engagement) and support closed-loop referral management
  • To obtain parental/guardian consent for student screening via DocuSign
  • To send automated reminders related to consent completion and appointment scheduling
  • To generate de-identified, aggregated analytics for platform improvement and research purposes
  • To evaluate and improve the Platform through formative research conducted under IRB oversight

3. How We Share Your Information

We do not sell, rent, or trade personal information. We may share information in the following limited circumstances:

With school social workers/counselors

Social workers access student screening data, demographic information, and referral records for students at their assigned school as part of their clinical duties.

With mental health providers

When a referral is submitted, the matched provider receives the student's name, contact information, screening results, and relevant demographic/preference data necessary to initiate care. This information is transmitted via encrypted email.

With parents/guardians

Parents receive consent forms and may receive text message reminders. No PHI is transmitted in text messages; texts contain only links and brief instructions.

With the research team

De-identified, aggregated data may be used for research purposes under IRB oversight. Individual students are never identified in any research output.

With service providers

We use HIPAA-compliant third-party services to operate the Platform, including Neon (database hosting) and DocuSign (electronic consent). These providers are bound by Business Associate Agreements (BAAs) and are prohibited from using your data for any purpose other than providing their services to us.

As required by law

We may disclose information if required by law, regulation, or legal process, or if we believe in good faith that disclosure is necessary to protect the safety of any person, report suspected child abuse or neglect, or comply with mandatory reporting obligations.

4. Data Security

We implement administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of your information:

  • All data is stored in a HIPAA-compliant PostgreSQL database hosted on the Neon platform, which maintains HIPAA, SOC 2, ISO 27001, ISO 27701, GDPR, and CCPA compliance.
  • Data is encrypted at rest (AES-256) and in transit (TLS/SSL).
  • Role-based access controls ensure that users can only access information relevant to their role.
  • Automated audit logging tracks all data access and modification.
  • A signed Business Associate Agreement (BAA) is maintained with Neon and any third parties handling Protected Health Information (PHI).
  • Incident response and breach notification procedures are maintained in accordance with HIPAA regulations.

While we take extensive precautions, no system can guarantee absolute security. In the event of a data breach involving PHI, we will notify affected individuals and relevant authorities in accordance with HIPAA and applicable state law.

5. HIPAA Compliance

Velago is designed to handle Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Platform functions as a business associate to covered entities (school-based health programs) and maintains appropriate BAAs with all subcontractors who access PHI. All data handling practices comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

6. Children's Privacy (COPPA and FERPA)

Velago is used in school settings with minor students (approximately ages 11–18). We are committed to protecting children's privacy:

  • Parental/guardian consent is obtained via DocuSign before any data is collected from a student.
  • Students provide verbal assent before participating in screening.
  • The Platform does not collect data directly from children without verified parental consent.
  • Student educational records maintained by the school are governed by FERPA. Clinical screening and referral data within Velago are maintained in a HIPAA-compliant environment separate from educational records.
  • We do not knowingly collect personal information from children under 13 without parental consent in compliance with the Children's Online Privacy Protection Act (COPPA).

7. Data Retention

We retain information as follows:

Clinical data (screening results, referral records)

Retained in accordance with HIPAA requirements and the school's records retention policies.

Research data

De-identified research records are maintained for a minimum of 3 years after completion of the research, in accordance with federal regulations.

Consent forms

Retained via DocuSign for the duration required by applicable law.

Parent contact information

Retained only as long as needed for consent administration and appointment communication.

8. Your Rights

Depending on your role and applicable law, you may have the following rights:

Access

You may request access to the personal information we hold about you or your child.

Correction

You may request that we correct inaccurate information.

Deletion

You may request deletion of your or your child's data, subject to legal retention requirements.

Withdrawal of consent

Parents/guardians may withdraw consent for their child's participation at any time by contacting the Principal Investigator.

HIPAA rights

If your information constitutes PHI, you have rights under HIPAA including the right to access, amend, and receive an accounting of disclosures of your PHI.

To exercise any of these rights, contact us using the information in Section 11.

9. Third-Party Services

The Platform uses the following third-party services:

Neon

HIPAA-compliant PostgreSQL database hosting (BAA in place).

DocuSign

HIPAA-compliant electronic signature and consent form processing.

These services have their own privacy policies. We encourage you to review them. We do not control and are not responsible for the privacy practices of third-party services, although we require all third parties handling PHI to comply with HIPAA through BAAs.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify users by posting the updated policy on the Platform with a new effective date. Continued use of the Platform after changes are posted constitutes acceptance of the revised policy.

11. Contact Us

If you have questions about this Privacy Policy or your information, please contact:

Ravi Parekh

Mental Health Initiative for South Asians (MHISA)

For questions about research activities

Dr. Gio Iacono

Principal Investigator

UConn School of Social Work