OnlyHIPAA

Privacy Policy

Last updated: March 1, 2025

1. Information We Collect

We collect information you provide directly to us and information generated through your use of the service:

  • Account information: Name, email address, and hashed password when you register
  • Usage data: IP address, user agent, browser type, pages visited, features used, and session duration
  • Assessment data: Responses, risk scores, gap analyses, policies, and compliance documentation you enter into the platform
  • PHI-adjacent data: Any protected health information or individually identifiable health information stored in connection with compliance activities
  • Payment information: Billing contact details (payment card data is handled directly by our payment processor and never touches our servers)

2. How We Use Information

We use the information we collect to:

  • Provide, maintain, and improve the service
  • Process transactions and send transactional notifications (account activity, billing receipts, security alerts)
  • Respond to your comments, questions, and support requests
  • Monitor and analyze usage patterns to improve platform functionality
  • Detect, investigate, and prevent fraudulent or unauthorized activity
  • Comply with legal obligations and enforce our agreements

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

3. Business Associate Relationship

For customers who are HIPAA covered entities or business associates, OnlyHIPAA, Inc. acts as your Business Associate with respect to any protected health information processed through the platform. In this capacity:

  • Our Business Associate Agreement (BAA) governs the handling of PHI and supersedes this Privacy Policy for PHI
  • We use and disclose PHI only as permitted by the BAA and HIPAA
  • We maintain appropriate administrative, physical, and technical safeguards for PHI

A signed BAA is required before storing any PHI in the platform and is executed automatically upon account activation.

4. Data Sharing

We share your data only in the following circumstances:

  • Hosting infrastructure: Cloud infrastructure providers (AWS) for storing and processing service data under appropriate data processing agreements
  • Email delivery: Transactional email provider for sending account notifications, security alerts, and receipts - no marketing data is shared
  • Payment processor: Stripe processes all payment card transactions; card data never passes through or is stored on our servers
  • Legal requirements: When required by law, court order, or governmental authority, or to protect the rights, property, or safety of OnlyHIPAA, our customers, or others

All third-party sub-processors are bound by appropriate data processing agreements and, where applicable, our BAA obligations.

5. Data Retention

We retain your data for as long as your account is active and for a period after cancellation sufficient to allow you to retrieve your data or resolve disputes:

  • Account data: Retained while your account is active plus 90 days after cancellation, after which it is permanently deleted
  • Audit logs: Retained for 6 years from the date of creation, in accordance with HIPAA documentation requirements under 45 CFR § 164.316(b)(2)
  • Billing records: Retained for 7 years as required by applicable tax and financial regulations

You may request earlier deletion of your personal data subject to our legal retention obligations. See Section 7 (Your Rights) below.

6. Security

We implement industry-standard technical and organizational security measures to protect your data:

  • In transit: TLS 1.3 encryption for all data transmitted to and from the platform
  • At rest: AES-256 encryption for all stored data
  • Passwords: Argon2id hashing - we never store plaintext passwords
  • Authentication: MFA enforcement required for all accounts accessing compliance data
  • Access controls: Role-based access controls and regular access reviews
  • Vulnerability management: Annual third-party penetration testing and ongoing vulnerability scanning

No method of transmission or storage is 100% secure. If you become aware of any security issue, please contact [email protected] immediately.

7. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete personal data
  • Deletion: Request deletion of your personal data, subject to legal retention requirements
  • Portability: Request your data in a structured, machine-readable format
  • Objection: Object to certain processing of your data

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

8. Cookies

We use only session cookies strictly necessary to maintain your authenticated login session. We do not use:

  • Advertising or retargeting cookies
  • Third-party tracking cookies
  • Analytics cookies from third-party services

Session cookies are deleted when you log out or close your browser. You can configure your browser to refuse cookies, but this will prevent you from using the authenticated portions of the service.

9. Children

This service is intended for use by healthcare organizations and their employees in a professional capacity. It is not directed at, and we do not knowingly collect personal information from, anyone under the age of 18. If we become aware that we have inadvertently collected personal information from a person under 18, we will promptly delete it. Contact [email protected] if you believe this has occurred.

10. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email at the address associated with your account at least 30 days before the changes take effect. The updated policy will be posted on this page with a revised "Last updated" date.

Your continued use of the service after the effective date of any changes constitutes your acceptance of the updated policy.

11. Contact

For privacy-related questions, requests, or concerns, contact our Privacy team:

OnlyHIPAA, Inc.
Privacy Team
[email protected]

© 2026 OnlyHIPAA, Inc. All rights reserved.