HIPAAPal — HIPAA Compliance for Medical Spas

1. Information We Collect

Account information — name, email address, practice details entered during onboarding
Usage data — how you navigate and use the HIPAAPal platform
Compliance data — practice policies, staff records, BAA information, training records you enter
Payment information — processed by Stripe; we do not store card numbers or CVVs

2. How We Use Your Information

To provide and continuously improve the HIPAAPal service
To send compliance reminders and weekly digest emails
To process your subscription payments
To provide customer support

3. Business Associate Agreement

If your use of HIPAAPal involves Protected Health Information as defined by HIPAA, a Business Associate Agreement (BAA) is available and required. By using HIPAAPal for HIPAA compliance management, you acknowledge that you have reviewed and accepted our BAA terms. View our BAA →

4. Data Security

We use industry-standard security measures including AES-256 encryption at rest, TLS encryption in transit, role-based access controls, and regular security reviews. Our infrastructure is hosted on Supabase with SOC 2 compliant data centers.

5. Data Retention

We retain your data for the duration of your subscription plus 90 days after cancellation, giving you time to export your records. After 90 days, your data is permanently deleted from our systems.

6. Your Rights

You have the right to access, correct, or delete your account data at any time. To exercise these rights, contact privacy@hipaapal.com.

7. Third-Party Services

HIPAAPal uses the following third-party services, each with their own privacy practices:

SupabaseDatabase and file storage

StripePayment processing

ClerkUser authentication

ResendTransactional email

AnthropicAI compliance assistant

VercelApplication hosting

8. Contact

Privacy questions or requests: privacy@hipaapal.com

Privacy Policy