1. Information We Collect
Account Information
When you create an account, we collect:
- Email address (required)
- Name and organization (optional)
- Payment information (processed by Stripe, not stored by us)
Content You Submit
Free Tier: Clinical notes are processed client-side in your browser when possible. We do not store the content of your notes.
Paid Tiers: To provide audit history and multi-user access, we store:
- De-identified clinical notes (you should redact PHI before submission)
- Audit results and compliance scores
- Timestamps and usage metadata
Usage Data
We collect analytics data to improve the Service:
- Pages visited and features used
- Device type, browser, and operating system
- IP address and general location (city/state level)
- Audit counts and subscription tier
2. How We Use Your Information
- Provide the Service: Process audits, generate reports, maintain audit history
- Account Management: Handle billing, subscriptions, and support requests
- Improve Product: Analyze usage patterns to enhance features
- Communications: Send account notifications, product updates, and marketing (opt-out available)
- Legal Compliance: Respond to subpoenas, prevent fraud, enforce Terms of Service
4. Data Storage and Security
We implement industry-standard security measures:
- Encryption: All data encrypted in transit (TLS) and at rest (AES-256)
- Access Controls: Role-based access, multi-factor authentication for team accounts
- Infrastructure: Hosted on SOC 2 certified cloud providers
- Retention: Audit data retained for 90 days (free) or subscription duration (paid)
3.1. PHI Detection and Prevention
To protect you and your patients, OpsIQ includes automated PHI (Protected Health Information) detection in all wizard forms:
How It Works
Our client-side detection system automatically scans form inputs in real time to identify potential PHI, including:
- Social Security Numbers (SSN) - formatted (123-45-6789) or unformatted (123456789)
- Medical Record Numbers (MRN)
- Dates of Birth (DOB) with context
- Credit card numbers
- Patient names with medical context
- Full addresses with city and ZIP codes
- Phone numbers and email addresses (low confidence)
What Happens When PHI is Detected
- Real-time Warnings: A red border appears around the input field and a warning message is displayed
- Form Submission Blocking: If high-confidence PHI is detected, form submission is automatically blocked
- User Options: When blocked, you can:
  - Cancel and remove PHI manually
  - Use "Auto-Remove PHI" to automatically redact detected PHI
  - Continue anyway (with additional confirmation) - not recommended
Privacy and Security
- Client-Side Processing: PHI detection runs entirely in your browser - no PHI is sent to our servers during detection
- No Storage: Detected PHI patterns are never stored, logged, or transmitted
- False Positives: The system may occasionally flag non-PHI content; you can override if needed
- Limitations: This is a pattern-matching system, not a perfect PHI detector. Always review content before submission
⚠️ PHI Warning: OpsIQ is not a HIPAA-covered entity. Do not submit actual patient Protected Health Information (PHI) unless you have an Enterprise plan with a signed Business Associate Agreement (BAA). Our PHI detection system helps prevent accidental submission, but you are responsible for ensuring no PHI is included in your compliance documentation.
5. Data Sharing and Disclosure
We do NOT sell your data. We may share data with:
- Service Providers: Stripe (payments), Vercel (hosting), analytics tools
- Legal Requirements: When required by law, subpoena, or court order
- Business Transfers: In the event of a merger, acquisition, or sale of assets
- With Your Consent: When you explicitly authorize sharing
Enterprise BAA Customers
If you have a signed Business Associate Agreement:
- We act as your HIPAA business associate
- Additional security controls and audit logging enabled
- Data stored in HIPAA-compliant infrastructure
- Breach notification procedures in place
6. Your Privacy Rights
Depending on your location, you may have the right to:
- Access: Request a copy of your data
- Correction: Update inaccurate information
- Deletion: Request deletion of your account and data
- Export: Download your audit history in JSON format
- Opt-Out: Unsubscribe from marketing emails
To exercise these rights, email privacy@opsiq.com
7. Cookies and Tracking
We use cookies for:
- Essential: Authentication, session management (required)
- Analytics: Usage statistics via Google Analytics (opt-out available)
- Preferences: Remember your settings (e.g., theme, dashboard layout)
You can disable cookies in your browser, but some features may not work properly.
Google Analytics 4 (GA4)
We use Google Analytics 4 to understand how visitors use our website. This helps us improve the Service and measure marketing effectiveness.
What We Track:
- Page views and navigation paths
- Button clicks and form interactions
- Document downloads (PDFs)
- Wizard start and completion events
- Subscription signups and conversions
- Device type, browser, and operating system
- General location (city/state level, not precise location)
Privacy Protections:
- ✅ IP addresses are anonymized before being sent to Google
- ✅ Google Signals and ad personalization are disabled
- ✅ No personally identifiable information (PII) is collected
- ✅ No Protected Health Information (PHI) is tracked (prevented by our PHI detection system)
- ✅ Data is aggregated and anonymized
How to Opt-Out:
- Browser Extension: Install the Google Analytics Opt-out Browser Add-on
- Browser Settings: Disable cookies in your browser settings (may affect site functionality)
- Do Not Track: We respect browser "Do Not Track" signals when technically feasible
For more information, see Google's Privacy Policy.
8. Third-Party Services
We integrate with:
- Stripe: Payment processing (Stripe Privacy Policy)
- Vercel: Website hosting (Vercel Privacy)
- Google Analytics 4: Website usage analytics with IP anonymization enabled. Tracks page views, user interactions, and conversion events. See the "Cookies and Tracking" section above for details and opt-out options. (Google Privacy Policy)
9. Children's Privacy
OpsIQ is not intended for users under 18. We do not knowingly collect data from minors. If you believe a child has provided data to us, contact us immediately.
10. International Users
OpsIQ is based in the United States. If you access the Service from outside the US, your data may be transferred to and processed in the US. By using the Service, you consent to this transfer.
11. Data Retention
- Free Tier: No audit data stored (processed client-side)
- Paid Tiers: Audit history retained for subscription duration + 90 days
- Account Data: Retained until you request deletion or 2 years of inactivity
- Billing Records: Retained for 7 years per tax law requirements
12. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes via email or prominent notice on the Service. Continued use after changes constitutes acceptance.
13. Contact Us
Questions or concerns about privacy?
🔒 Your Data is Yours: You can export or delete your data at any time from your account dashboard. We do not use your clinical notes to train AI models.
Last Updated: January 20, 2026