Privacy Policy

Effective Date: April 2026

1. Overview

TrackHIPAA ("we," "our," or "the Service") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and the choices you have regarding your data. By using TrackHIPAA, you agree to the practices described in this policy.

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, and password (stored as a secure hash). This information is required to provide you access to the Service.

Practice Profile Data

To customize your compliance documents, we collect information about your healthcare practice including: practice name, type of practice, state of operation, number of employees, EHR and other systems used, and vendor relationships. This data is used solely to generate documents tailored to your practice.

Compliance Activity Data

We store records of your compliance activities such as quiz results, risk assessment responses, training completion records, and document generation history. This data powers your compliance dashboard and audit export.

Payment Information

Payment processing is handled entirely by LemonSqueezy. We do not store your credit card number or banking details on our servers. We receive only confirmation of payment status and subscription state from LemonSqueezy.

Usage Data

We may collect basic usage analytics such as pages visited, features used, and session duration to improve the Service.

3. Information We Do NOT Collect

TrackHIPAA does not collect, store, process, or have access to any protected health information (PHI), patient records, or patient identifiers. The Service is designed exclusively to manage compliance documentation and practice-level operational data. You should never enter patient information into the Service.

4. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service, including generating customized compliance documents.
  • Power the compliance dashboard and track your compliance status over time.
  • Process the AI Oracle's responses to your HIPAA-related questions.
  • Send you important notifications about your account, subscription status, and regulatory changes that may affect your compliance.
  • Improve the Service based on usage patterns and feedback.

5. Third-Party Services

We use the following third-party services to operate TrackHIPAA:

Supabase (Database and Authentication)

Your account data and practice profile are stored in Supabase, a hosted PostgreSQL database service. Supabase also handles authentication (login and signup). Data is encrypted in transit and at rest.

Anthropic (AI Processing)

The AI Oracle feature sends your questions and relevant context to Anthropic's Claude API for processing. We send only the text of your question and relevant regulatory context — never your personal information or practice data. Anthropic does not use API inputs to train their models. See Anthropic's Privacy Policy for details.

LemonSqueezy (Payment Processing)

Subscription billing is handled by LemonSqueezy. When you subscribe, you provide payment information directly to LemonSqueezy. We receive only subscription status and billing event notifications. See LemonSqueezy's Privacy Policy for details on how they handle payment data.

6. Data Retention

We retain your account and practice data for as long as your account is active. If you cancel your subscription, your data is retained for 30 days after the end of your billing period in case you choose to resubscribe. After 30 days, your data is permanently deleted from our systems. You may request immediate deletion of your data at any time by contacting us at support@trackhipaa.com.

7. Data Security

We implement reasonable administrative, technical, and physical safeguards to protect your data. All data is transmitted over encrypted connections (TLS/SSL) and stored in encrypted databases. Access to production systems is limited and protected by multi-factor authentication.

While we take data security seriously, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

8. HIPAA Disclaimer

TrackHIPAA is a compliance documentation tool that helps healthcare practices create and manage their HIPAA compliance programs. TrackHIPAA itself is not a HIPAA covered entity or business associate. We do not access, store, or process protected health information (PHI) on your behalf.

Because we do not handle PHI, a Business Associate Agreement (BAA) between your practice and TrackHIPAA is not required. If you have questions about whether a BAA is needed for any service you use, consult a qualified healthcare attorney.

9. Your Rights

You have the right to:

  • Access the personal data we hold about you by contacting us.
  • Correct inaccurate data in your account settings or by contacting us.
  • Request deletion of your data at any time by contacting us.
  • Export your data through the audit export feature or by contacting us.
  • Cancel your subscription at any time without penalty.

10. Cookies and Tracking

We use essential cookies required for authentication and session management. We do not use third-party advertising trackers or sell your data to advertisers. If we introduce analytics tools in the future, we will update this policy accordingly.

11. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact

If you have any questions about this Privacy Policy or how we handle your data, please contact us at support@trackhipaa.com.