1. Who we are
ProofOps Medical, Inc. ("ProofOps", "we", "our") operates the website at proofopsmedical.com and the ProofOps Medical service. For questions, write to info@proofopsmedical.com.
2. The kinds of information we handle
Site visitors
- Information you submit through forms (audit form, plan request modal, contact): name, clinic name, email, phone, city, type of clinic, EMR vendor, waste vendor, comments.
- Automatically collected data: IP address, device type, browser, referrer, pages viewed, time on page. We use this data for security and to improve the site.
- Cookies and similar technologies. See "Cookies" below.
Customer clinics (account data)
- Account-owner identity, billing address, payment-method tokens (we do not store full card numbers).
- Staff roster, license numbers, training records, vendor contracts, manifests, EMR-derived schedule data.
- Audit logs of customer use of the service.
Patients (PHI)
- To the extent the service touches Protected Health Information, we are a Business Associate under HIPAA. We process PHI only as necessary to deliver the service and as permitted by the BAA.
- We do not market to patients. We do not access or use PHI for any purpose other than providing the service.
3. How we use information
- To deliver the service (run agents, send reminders, generate readiness reports, file documents).
- To support customers and respond to inquiries.
- To bill and collect.
- To detect and prevent fraud, abuse, and security threats.
- To comply with legal obligations and to enforce our agreements.
- To improve the service through aggregated, de-identified analytics. We do not use Customer Data or PHI to train foundation models.
4. How we share information
We share information only as follows:
- Sub-processors that help us run the service (cloud hosting, document storage, communications, analytics, billing). A current list is available at security.html#subprocessors. Sub-processors are bound by data-protection agreements.
- Customer-directed disclosures (e.g., when a customer instructs us to send a renewal pack to their insurance broker).
- Legal compliance — when required by valid legal process, with prior notice to the affected customer where lawful.
- Business transfers — in a merger, acquisition, or asset sale, with notice and continued protection of personal information.
We do not sell or rent personal information.
5. Cookies and tracking
We use a small number of essential cookies to run the site and a privacy-respecting analytics tool to count visits in aggregate. We do not use cross-site advertising trackers. You can clear or block cookies in your browser settings. For California residents, see Section 9.
6. How long we keep information
- Site form submissions: retained for up to 24 months unless the relationship continues.
- Customer account data: retained during the subscription and for the period required by tax, audit, and legal obligations after termination.
- PHI: retained per the BAA and applicable law. On termination, customers can export PHI for 30 days; thereafter we delete or return it as required by the BAA.
- Audit logs: retained for at least 6 years to support claim-investigation and compliance review.
7. Security
We encrypt data in transit (TLS) and at rest. We use least-privilege access controls, multi-factor authentication for staff, audit logging, and routine vulnerability scanning. Our Trust & Security page describes our practices in more detail: security.html.
8. Your rights
You can request access, correction, or deletion of your personal information by writing to info@proofopsmedical.com. We will respond within 30 days. Where you submitted information about your clinic, requests are routed through the Account Owner.
9. State-specific notices
California (CCPA / CPRA). California residents have rights to know, delete, correct, and limit use of sensitive personal information. ProofOps does not sell or share personal information for cross-context behavioral advertising.
Texas (TDPSA), Colorado, Connecticut, Virginia, Utah, and similar laws. Residents of these states have analogous rights to access, correct, delete, port, and opt out of targeted advertising and certain profiling.
EU/UK (GDPR/UK GDPR). If you are in the EEA or UK, ProofOps is a controller for site visitor data and a processor for Customer Data. Lawful bases include legitimate interest, contract performance, and consent. You may lodge a complaint with your local supervisory authority.
10. Children
The service is not directed at children. We do not knowingly collect personal information from individuals under 13.
11. International transfers
ProofOps' primary infrastructure is in the United States. If you access the service from outside the US, your information will be transferred to the US, and we use standard contractual clauses or other lawful mechanisms where required.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated to active customers at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
13. Contact
Privacy questions: info@proofopsmedical.com. Security issues: support@proofopsmedical.com.
This policy is informational. The binding privacy and data-handling terms for customers are set out in the Master Services Agreement and Business Associate Agreement.