Privacy Policy
Last Updated: March 27, 2026
We're committed to protecting your data and being transparent about how we use it. This policy explains our practices in plain language.
Overview
HIPAAready ("we," "us," or "our") operates the HIPAAready platform, a HIPAA Security Rule self-assessment tool for healthcare businesses. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services. Please read this policy carefully. If you disagree with its terms, please discontinue use of our platform. We reserve the right to update this policy at any time; changes will be reflected by the "Last Updated" date at the top of this page.
Information We Collect
Information You Provide Directly
When you use HIPAAready, you may provide us with:
• Account information — your name and email address when you create an account via Clerk.
• Organization information — your organization's name, type (covered entity or business associate), and size.
• Assessment responses — your answers to the 45-control HIPAA Security Rule self-assessment questionnaire.
• Payment information — billing details processed by Stripe when you purchase a gap analysis report. We never store full card numbers; all payment data is handled by Stripe.
Information Collected Automatically
When you visit our site, we may automatically collect:
• Usage data — pages visited, features used, time spent, and referring URLs.
• Device information — browser type, operating system, and IP address.
• Cookies and similar technologies — used for session management and analytics.
How We Use Your Information
We use the information we collect to:
• Provide, operate, and improve the HIPAAready platform.
• Process your assessment and generate your gap analysis report.
• Process payments and deliver purchased reports.
• Communicate with you about your account, orders, and support requests.
• Send transactional emails related to your assessment or purchase.
• Monitor and analyze usage to improve platform performance and user experience.
• Comply with legal obligations and enforce our Terms of Service.
We do not use your assessment data to train AI models or sell it to third parties.
How We Share Your Information
We do not sell, trade, or rent your personal information. We may share your data with:
• Service providers — Clerk (authentication), Supabase (database), Stripe (payments), and Vercel (hosting). Each is contractually bound to protect your data and use it only as directed.
• Legal obligations — if required by law, subpoena, or to protect the rights, property, or safety of HIPAAready, our users, or the public.
• Business transfers — in the event of a merger, acquisition, or sale of assets, your data may be transferred. We will provide notice before your data is transferred and becomes subject to a different privacy policy.
All third-party service providers are selected for their strong security and privacy practices.
Your Assessment Data
Your HIPAA self-assessment responses are stored securely in our database and used solely to:
• Display your results and gap analysis within the platform.
• Generate your purchased PDF gap analysis report.
• Allow you to resume an in-progress assessment.
Assessment responses are associated with your account and are not shared with other users or organizations. You may request deletion of your assessment data at any time by contacting us.
Important: HIPAAready is a self-assessment tool and does not constitute legal or compliance advice. Your assessment data is not reviewed or audited by our team unless you contact us for support.
Data Security
We implement administrative, technical, and physical security measures appropriate to the nature of the data we process, including:
• Encryption in transit (TLS) for all data transmitted between your browser and our servers.
• Encryption at rest for data stored in our database (Supabase).
• Role-based access controls limiting which personnel can access stored data.
• Secure authentication via Clerk, including support for multi-factor authentication.
• Payment data handled exclusively by Stripe's PCI-DSS compliant infrastructure.
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a data breach that affects your personal information, we will notify you in accordance with applicable law.
Your Rights & Choices
Depending on your location, you may have the right to:
• Access — request a copy of the personal data we hold about you.
• Correction — request that we correct inaccurate or incomplete data.
• Deletion — request that we delete your personal data, subject to certain legal exceptions.
• Portability — request your data in a machine-readable format.
• Opt-out — opt out of marketing communications at any time by using the unsubscribe link in any email we send.
To exercise any of these rights, contact us at support@hipaaready.com. We will respond within 30 days. We may need to verify your identity before processing certain requests.
Data Retention
We retain your personal data for as long as your account is active or as needed to provide services. Specifically:
• Account data is retained until you delete your account or request deletion.
• Assessment responses are retained for 2 years to allow you to reference past assessments, after which they are automatically purged.
• Payment records are retained for 7 years as required for tax and accounting purposes.
• Anonymized, aggregated data may be retained indefinitely for analytics and product improvement.
Children's Privacy
HIPAAready is intended for business use by adults. We do not knowingly collect personal information from individuals under the age of 18. If you believe a minor has provided us with personal information, please contact us and we will promptly delete it.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last Updated" date at the top of this page and, where appropriate, by sending you an email notification. Your continued use of the platform after changes are posted constitutes your acceptance of the revised policy.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: support@hipaaready.com
We take privacy inquiries seriously and will respond within 30 days.
Questions about your privacy?
Contact us at privacy@hipaaready.com and we'll respond within 30 days.