Legal

Privacy Policy

Last updated: March 2026

Who We Are

Operating Authority is a content strategy agency operating under Amatoris Media LLC. We work with physician clients — primarily orthopedic, spine, and neurosurgeons — to develop practice leadership content delivered in their voice. Our website is theoperatingauthority.com.

This policy explains how we collect, use, and protect information in connection with our services and messaging program.

Data We Collect

We collect only what is necessary to deliver our services. This includes:

  • Name and professional credentials (specialty, institution, practice name)
  • Phone number (WhatsApp) for service delivery and messaging
  • Voice recordings submitted via WhatsApp, which are processed for transcription and deleted immediately after transcription is confirmed
  • Content produced during the engagement (transcripts, drafts, finalized posts)
  • Email address for contract and billing correspondence
  • Information you voluntarily share via our website contact or booking forms

We do not collect sensitive personal health information (PHI) about your patients. If a client voluntarily references patient scenarios for illustrative purposes, that information is not stored, catalogued, or retained beyond the immediate working session.

How We Use It

Data is used exclusively to deliver content strategy services to the individual client who provided it. Specifically:

  • To send weekly voice note prompts and receive audio responses via WhatsApp
  • To transcribe and categorize content from voice submissions
  • To draft and refine LinkedIn posts in your voice
  • To maintain a client-specific content bank and positioning record
  • To communicate about the engagement, scheduling, and deliverables
  • To send operational alerts and program notifications

No client data is shared with any other client. Transcripts and content are stored in isolated, client-specific databases.

What We Don't Do

  • We do not sell, rent, or share client data with third parties for their own commercial purposes
  • We do not use client data to train AI models beyond the scope of the current engagement
  • We do not use client data for marketing our services to third parties
  • We do not retain audio files after transcription is confirmed
  • We do not send unsolicited messages outside of the agreed program scope

Third-Party Tools

We use the following tools to operate the service. Each provider is bound by their own privacy policy and data processing terms.

Tool Purpose
Twilio WhatsApp message delivery and receipt for the program's messaging channel
Airtable Client-specific data storage for content banks, transcripts, and engagement records
Make.com (Integromat) Workflow automation connecting messaging, transcription, and content storage
OpenAI (Whisper) Audio transcription; audio files are passed to the API and not retained by us after processing
Anthropic (Claude) Content categorization and draft generation from transcripts
Calendly Scheduling calls; governed by Calendly's own privacy policy
Netlify Website hosting; may collect standard server logs (IP address, browser, referring URL)

We select tools that allow us to limit data retention and configure processing boundaries where possible. We do not authorize any third-party tool to use client data for purposes beyond operating our service.

Data Security

We take reasonable technical and organizational measures to protect client data against unauthorized access, disclosure, or loss. These include:

  • Client data stored in isolated, access-controlled Airtable bases (one per client)
  • API keys and integration credentials stored as environment variables, not in code
  • Access to production systems limited to authorized personnel only
  • Encrypted transmission for all data in transit via HTTPS and Twilio's secure channels

No system is completely secure. If you have reason to believe a data incident has occurred, contact us immediately at ben@madewithpbj.com.

Data Retention

  • Audio recordings: Deleted immediately after transcription is confirmed, and no later than 24 hours after receipt
  • Transcripts and content drafts: Retained for the duration of the active engagement and up to 12 months after service termination, unless the client requests earlier deletion
  • Contact and billing records: Retained as required by applicable law and accounting obligations
  • Message logs: Retained by Twilio per their data retention policies; we retain metadata (timestamps, delivery status) for program management

Clients may request deletion of their content data at any time by emailing ben@madewithpbj.com. Deletion requests will be fulfilled within 30 days.

HIPAA Notice

Operating Authority is a content strategy service, not a covered entity or business associate under HIPAA. Our service does not require, request, or process Protected Health Information (PHI) about your patients. Do not share patient identifiers, diagnoses, or any information that could identify a specific patient in your communications with us.

Content we help you develop is intended for public distribution (LinkedIn posts, practice communications). By providing content for development, you confirm that it does not contain patient PHI.

Your Rights

Depending on your location, you may have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your data (subject to legal retention obligations)
  • Opt out of the messaging program at any time by replying STOP
  • Withdraw consent for data processing (note: this may require termination of services)

To exercise any of these rights, contact us at ben@madewithpbj.com.

Cookies & Analytics

Our website does not currently use tracking cookies or behavioral analytics. Standard server-access logs (IP address, browser type, pages visited) may be retained by our hosting provider, Netlify, per their data retention practices. We do not use this data to identify individual visitors.

If we introduce analytics tools in the future, this policy will be updated and notice will be provided.

Children's Privacy

Our services are directed exclusively at adult professionals (physicians and practice administrators). We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have inadvertently received such information, we will delete it promptly.

Policy Changes

We may update this policy to reflect changes in our services or applicable law. When we do, we will update the "Last updated" date at the top of this page. Active clients will be notified of material changes via the program's messaging channel or email.

Contact

Questions about this policy or your data: