Privacy Policy

Last Updated: November 3, 2025

Important: This application is for educational purposes only. It collects health-related information that may be considered Protected Health Information (PHI) under HIPAA. By using this service, you acknowledge that this is an educational tool and not a substitute for professional medical or insurance advice.

Privacy Architecture Summary

This application is designed to minimize privacy risk through a "transient processing" architecture:

✓ What We STORE in Database:

Your email and hashed password (for account access)
Anonymous page view analytics (NOT linked to your account)

✗ What We DO NOT STORE:

Health information (height, weight, BMI, medical conditions)
Insurance details (member ID, group number, plan information)
Medication selections or eligibility results
Call scripts or coverage decisions

Why This Matters: Your sensitive health and insurance data is processed transiently (in memory only) to generate your eligibility results and call scripts, then immediately discarded. This architecture minimizes the risk of data breaches and eliminates the ability to link your health activity to your email address.

1. Information We Collect

Personal Information (Stored in Database)

Account Information: Email address and encrypted password (stored securely)

Important: Health & Insurance Data is NOT Stored

The following information is collected temporarily to generate your eligibility results and call scripts, then immediately discarded after processing. None of this data is saved to our database:

Health Information: Height, weight, BMI, comorbidities, contraindications
Insurance Information: Plan name, member ID, group number, BIN, PCN
Medication selections and eligibility results

Anonymous Usage Analytics

Completely Anonymous Tracking: Pages visited, timestamps, IP addresses, and browser user agent strings
No User Linkage: Usage analytics are not linked to your email or account - they cannot be traced back to individual users
Session Data: Login sessions managed via secure cookies (stored separately from usage analytics)

2. How We Use Your Information

We use your information solely to:

Determine your eligibility for GLP-1 RA/GIP medications based on clinical criteria
Screen for medication contraindications and safety concerns
Generate personalized insurance coverage call scripts
Provide medication pricing information and manufacturer program details
Maintain your account and session security
Analyze aggregate usage patterns (admin analytics dashboard)

3. Data Storage and Security

What Data is Stored (and What Isn't)

Data Stored in Database:

Account credentials (email and hashed password)
Anonymous page view analytics (not linked to your account)

Data NOT Stored (Discarded Immediately):

Health information (height, weight, BMI, comorbidities, contraindications)
Insurance details (plan name, member ID, group number, BIN, PCN)
Eligibility results and call scripts

All database storage is hosted on Replit's infrastructure. We do not share your data with third-party analytics providers, marketing services, or data brokers.

Security Measures

Passwords are securely hashed using bcrypt and never stored in plaintext
Database connections use secure credentials managed via environment variables
Session data is encrypted and stored server-side
Admin access is restricted to authorized personnel only
Health and insurance data is processed in memory only and never persisted

Data Retention

Account Information: We retain your email and password for as long as your account is active. You may request account deletion at any time.

Health & Insurance Data: Not retained - this data is immediately discarded after generating your eligibility results and call scripts.

Anonymous Analytics: Page view data is retained indefinitely for aggregate analysis but cannot be linked to individual users.

4. Third-Party Services and Business Associate Agreements

Current Status: This application currently does NOT use third-party analytics, tracking, or monitoring services (e.g., Google Analytics, PostHog, Sentry). All data collection happens within our own database.

Future Third-Party Integrations

If we integrate third-party services in the future that may access Protected Health Information (PHI), we will:

Execute a Business Associate Agreement (BAA) with each vendor as required by HIPAA
Ensure vendors are HIPAA-compliant and provide adequate security safeguards
Update this privacy policy to disclose all third-party data processors
Obtain your consent before sharing PHI with new third parties

External Links

This application may link to manufacturer websites (NovoCare, LillyDirect) and insurance provider resources. We are not responsible for the privacy practices of these external sites.

5. Your Rights and Choices

Access and Correction

You have the right to access and correct your personal information. Contact us to request access to your data or to update inaccurate information.

Data Deletion

You may request deletion of your account and all associated data at any time. Note that some anonymous aggregate usage statistics may be retained for analytics purposes.

Consent Withdrawal

You consented to this privacy policy when you created your account. You may withdraw consent by deleting your account.

6. HIPAA Considerations

Important Disclaimer: This is an educational tool and is NOT a covered entity under HIPAA. The information you provide may constitute Protected Health Information (PHI), but this application:

Does not act as a healthcare provider, health plan, or healthcare clearinghouse
Does not transmit PHI electronically to covered entities
Does not provide medical diagnosis, treatment, or insurance coverage decisions

However, we still implement reasonable security measures to protect your health information as if HIPAA applied.

7. Children's Privacy

This service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

8. Changes to This Privacy Policy

We may update this privacy policy from time to time. The "Last Updated" date at the top indicates when changes were last made. Continued use of the service after updates constitutes acceptance of the revised policy.

9. Contact Information

If you have questions about this privacy policy, data access requests, or account deletion, please contact us:

Privacy Inquiries: Contact your Obeon administrator or the person who provided you access to this application
Data Requests: To request access to your data, corrections, or account deletion, contact the administrator
Review account settings for self-service options (when available)

Note: As this is an educational application, the specific contact information will depend on your institution or organization's deployment. Ask your administrator for the appropriate contact details.