Privacy Policy
Effective Date: February 1, 2026 | Last Updated: February 12, 2026
VertiComply, Inc. ("VertiComply," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, platform, and services (collectively, the "Services"). By accessing or using our Services, you agree to this Privacy Policy.
Because VertiComply operates in the healthcare technology space, we maintain heightened data protection standards consistent with the Health Insurance Portability and Accountability Act ("HIPAA"), the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"), the General Data Protection Regulation ("GDPR"), and other applicable privacy laws.
1. Information We Collect
1.1 Information You Provide
We collect information you voluntarily provide, including: (a) account registration data such as name, email address, phone number, and password; (b) payment and billing information processed securely through our payment processor (Razorpay); (c) project data, including healthcare application descriptions, stakeholder requirements, compliance selections, and generated code; (d) communications you send us through support, contact forms, or feedback; and (e) any other information you choose to provide.
1.2 Information Collected Automatically
When you use our Services, we automatically collect: (a) device and browser information (type, operating system, unique device identifiers); (b) log data including IP address, access times, pages viewed, and referring URLs; (c) usage data such as features used, actions taken, and session duration; and (d) cookies and similar tracking technologies as described in Section 8.
1.3 Protected Health Information (PHI)
VertiComply is designed to help users build healthcare applications. While our platform generates code and project configurations, we do not require users to upload actual patient data or Protected Health Information (PHI) to use our Services. If you voluntarily include PHI in your project descriptions or communications, we will treat that data in accordance with HIPAA requirements and our Business Associate Agreement (BAA), where applicable.
2. How We Use Your Information
We use the information we collect for the following purposes:
- To provide, operate, maintain, and improve our Services
- To process transactions and send related information, including purchase confirmations and invoices
- To send administrative messages, security alerts, and support communications
- To respond to your comments, questions, and customer service requests
- To monitor and analyze trends, usage, and activities to improve user experience
- To detect, investigate, and prevent fraudulent transactions and abuse
- To comply with legal obligations, including HIPAA, CCPA/CPRA, and GDPR requirements
- To enforce our Terms of Service and protect our rights, privacy, safety, or property
- To generate anonymized, aggregated analytics that cannot be used to identify you
3. How We Share Your Information
We do not sell your personal information. We may share your information only in the following circumstances:
- Service Providers: With trusted third-party vendors who perform services on our behalf (payment processing, cloud hosting, email delivery, analytics), bound by contractual obligations to protect your data
- Legal Requirements: When required by law, regulation, legal process, or governmental request
- Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, with notice to affected users
- With Your Consent: When you have given us explicit permission to share specific information
- Aggregate/De-identified Data: We may share anonymized, aggregate data that cannot reasonably be used to identify you
4. Data Security
We implement industry-standard technical and organizational measures designed to protect your personal information, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Secure, httpOnly authentication cookies with CSRF protection
- Role-based access controls and principle of least privilege
- Regular security assessments and vulnerability scanning
- Comprehensive audit logging as required by HIPAA
- SOC 2 Type II certified infrastructure and processes
- Rate limiting and brute-force protection on all endpoints
While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly notifying affected users and relevant authorities in the event of a data breach, as required by applicable law.
5. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you Services. We may retain certain information as required by law, to resolve disputes, enforce agreements, and for legitimate business purposes. Audit logs required by HIPAA are retained for a minimum of six (6) years. Upon account deletion, we will delete or anonymize your personal information within 30 days, except where retention is required by law.
6. Your Rights and Choices
6.1 All Users
You may access, update, or delete your account information at any time through your account settings. You may opt out of non-essential communications by following the unsubscribe instructions in any email or contacting us directly.
6.2 California Residents (CCPA/CPRA)
If you are a California resident, you have the right to: (a) know what personal information we collect, use, and disclose; (b) request deletion of your personal information; (c) opt out of the sale or sharing of personal information (we do not sell personal information); (d) correct inaccurate personal information; (e) limit the use and disclosure of sensitive personal information; and (f) not be discriminated against for exercising your privacy rights. To exercise these rights, contact us at privacy@verticomply.com or use the mechanisms provided in your account settings. We will respond within 45 days as required by law.
6.3 European Economic Area / UK (GDPR)
If you are located in the EEA or UK, you have the right to: (a) access your personal data; (b) rectify inaccurate data; (c) erase your data ("right to be forgotten"); (d) restrict processing; (e) data portability; (f) object to processing based on legitimate interests; and (g) withdraw consent at any time where processing is based on consent. Our legal bases for processing include: performance of a contract (providing Services), legitimate interests (security, improvement), legal obligation (HIPAA, tax), and consent (marketing). You may lodge a complaint with your local supervisory authority. Our Data Protection Officer can be reached at dpo@verticomply.com.
6.4 Other U.S. State Privacy Rights
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states with comprehensive privacy laws may have similar rights to access, delete, correct, and opt out. Please contact privacy@verticomply.com to exercise your rights under your state's applicable law. We will verify your identity and respond within the timeframes required by your state's statute.
7. HIPAA Compliance
VertiComply maintains administrative, physical, and technical safeguards in compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. Where VertiComply acts as a Business Associate under HIPAA, we will enter into a Business Associate Agreement (BAA) with the Covered Entity. We limit access to any PHI to authorized personnel, maintain audit trails, and conduct regular risk assessments. In the event of a breach of unsecured PHI, we will notify affected individuals and the Department of Health and Human Services (HHS) as required by the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D).
8. Cookies and Tracking Technologies
We use strictly necessary cookies for authentication and session management (httpOnly secure cookies). We use analytics tools (such as Google Analytics) to understand how users interact with our Services. You can control cookie preferences through your browser settings. We honor Do Not Track (DNT) browser signals. We do not use third-party advertising cookies or engage in cross-site behavioral tracking.
9. International Data Transfers
Your information may be transferred to and processed in the United States and other countries where our service providers operate. When we transfer data outside the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other legally recognized transfer mechanisms to ensure adequate protection of your personal data.
10. Children's Privacy
Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@verticomply.com.
11. Third-Party Links
Our Services may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website with a new "Last Updated" date and, where required by law, by sending you an email notification. Your continued use of our Services after the effective date of any changes constitutes acceptance of the updated Privacy Policy.
13. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or need to report a concern, please contact us:
VertiComply, Inc.
Email: privacy@verticomply.com
Data Protection Officer: dpo@verticomply.com
Address: San Francisco, CA, United States
For CCPA/CPRA requests: privacy@verticomply.com | Response within 45 days
For GDPR requests: dpo@verticomply.com | Response within 30 days
© 2026 VertiComply. All rights reserved.