Privacy Policy
Last Updated: February 9, 2026
1. Introduction
Polaris HIPAA Compliance ("Polaris," "we," "us," or "our") operates as a compliance management platform for healthcare covered entities, business associates, and SaaS companies subject to HIPAA regulations. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services.
As a provider of HIPAA compliance services, we take data privacy and security seriously. This policy describes our practices in accordance with HIPAA, the HITECH Act, and other applicable privacy laws.
2. Information We Collect
2.1 Information You Provide
We collect information that you voluntarily provide to us:
- Account Information: Name, email address, phone number, organization name, job title
- Organization Profile: Entity type (covered entity, business associate, subcontractor), workforce size, physical locations, cloud infrastructure details
- Assessment Responses: Answers to Security Risk Assessment (SRA) questions, remediation plans, compliance documentation
- Payment Information: Billing address, payment method details (processed securely through third-party payment processors)
- Communications: Messages, support tickets, consultation notes, feedback
2.2 Automatically Collected Information
- Usage Data: Pages visited, features used, time spent on platform, click patterns
- Device Information: IP address, browser type, operating system, device identifiers
- Cookies and Tracking: Session cookies, analytics cookies, preference cookies
3. How We Use Your Information
We use collected information for the following purposes:
- Service Delivery: Provide compliance assessments, generate reports, calculate risk scores, deliver AI-powered recommendations
- Account Management: Create and maintain your account, process payments, manage subscriptions
- Communication: Send service updates, respond to inquiries, provide expert consultation
- Platform Improvement: Analyze usage patterns, improve AI algorithms, develop new features
- Security: Detect fraud, prevent unauthorized access, maintain platform integrity
- Legal Compliance: Comply with legal obligations, respond to lawful requests, enforce our Terms of Service
4. HIPAA Compliance and PHI
Important Notice: Polaris is designed to help organizations achieve HIPAA compliance. However, the platform itself is not intended to store Protected Health Information (PHI) as defined by HIPAA.
Our Security Risk Assessment questionnaires collect information about your compliance posture and security controls, not patient data. If you inadvertently enter PHI into the platform:
- We will treat such information with the same security measures as all other data
- You should immediately contact us to have such information removed
- A Business Associate Agreement (BAA) is available upon request for organizations that require one
5. Information Sharing and Disclosure
We do not sell your personal information. We may share information in the following circumstances:
- Service Providers: Third-party vendors who assist with hosting, analytics, payment processing, email delivery (all under confidentiality agreements)
- Business Transfers: In connection with a merger, acquisition, or sale of assets
- Legal Requirements: When required by law, court order, or government request
- Protection of Rights: To protect our rights, privacy, safety, or property
- With Your Consent: When you explicitly authorize us to share information
6. Data Security
We implement industry-standard security measures to protect your information:
- Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Controls: Role-based access, multi-factor authentication, least-privilege principles
- Infrastructure: Secure cloud hosting with providers that have undergone SOC 2 Type II audits (SOC 2 is an independent attestation report, not a certification)
- Monitoring: 24/7 security monitoring, intrusion detection, regular vulnerability assessments
- Incident Response: Documented breach notification procedures compliant with HIPAA requirements
7. Data Retention
We retain your information for as long as your account is active or as needed to provide services. Specific retention periods:
- Account Data: Retained while account is active, deleted 90 days after account closure
- Assessment Data: Retained for 7 years, which exceeds the HIPAA Security Rule's 6-year minimum retention period for compliance documentation (45 CFR 164.316(b)(2))
- Payment Records: Retained for 7 years for tax and accounting purposes
- Usage Logs: Retained for 12 months for security and analytics
8. Your Rights
You have the following rights regarding your information:
- Access: Request a copy of your personal information
- Correction: Request correction of inaccurate information
- Deletion: Request deletion of your information (subject to legal retention requirements)
- Portability: Request export of your data in a machine-readable format
- Opt-Out: Unsubscribe from marketing communications
To exercise these rights, contact us at [email protected].
9. Cookies and Tracking
We use cookies and similar technologies to enhance your experience:
- Essential Cookies: Required for platform functionality (authentication, session management)
- Analytics Cookies: Help us understand how you use the platform
- Preference Cookies: Remember your settings and preferences
You can control cookies through your browser settings, but disabling essential cookies may limit platform functionality.
10. Third-Party Services
Our platform integrates with third-party services:
- Payment Processing: Stripe (PCI DSS compliant)
- Cloud Hosting: AWS (HIPAA-eligible services)
- Analytics: Privacy-focused analytics tools
- Email Delivery: Transactional email providers
These providers have their own privacy policies and security practices. We carefully vet all third-party services for HIPAA compliance where applicable.
11. Children's Privacy
Our platform is not intended for individuals under 18 years of age. We do not knowingly collect information from children. If you believe we have collected information from a child, please contact us immediately.
12. International Data Transfers
Our platform is hosted in the United States. If you access our services from outside the U.S., your information will be transferred to, stored, and processed in the United States. By using our services, you consent to this transfer.
13. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by:
- Posting the updated policy on our website
- Updating the "Last Updated" date
- Sending email notification for significant changes (if you have an account)
Continued use of the platform after changes constitutes acceptance of the updated policy.
14. Contact Us
If you have questions about this Privacy Policy or our data practices: