Privacy Policy

Last Updated: April 16, 2026

Haskera ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our HIPAA compliance management platform. Please read this policy carefully. If you do not agree with its terms, please discontinue use of the platform.

1. Information We Collect

We collect information you provide directly when you create an account, complete the clinic onboarding form, or contact us. This includes:
• Account information: Name, email address, and authentication credentials managed through Manus OAuth.
• Practice information: Practice name, type, size, and other details you enter during onboarding.
• Compliance data: HIPAA control statuses, notes, evidence URLs, and the vendor and employee records you create within the platform.
• Usage data: Log data, IP addresses, browser type, pages visited, and time spent on pages.
• Payment information: Billing is processed by Stripe. We store only your Stripe customer ID and subscription status; we never store full card numbers or CVV codes.

2. How We Use Your Information

We use the information we collect to:
• Provide, maintain, and improve the Haskera platform.
• Generate HIPAA compliance reports, gap analyses, and policy documents on your behalf.
• Process payments and manage your subscription.
• Send you operational notifications such as BAA expiration alerts and training reminders.
• Respond to your support requests and inquiries.
• Comply with legal obligations and enforce our Terms of Service.
We do not sell, rent, or share your personal information with third parties for marketing purposes.

3. HIPAA and Protected Health Information

Haskera is a compliance management tool. It is not designed to store, process, or transmit Protected Health Information (PHI) about your patients; the platform holds only the compliance metadata (control statuses, policy documents, vendor and employee records) that you enter. You are responsible for ensuring that no PHI is entered into any free-text field within the platform, including notes, evidence URLs, and vendor or employee records. If you are a Covered Entity or Business Associate under HIPAA, please contact us at [email protected] to execute a Business Associate Agreement (BAA) before using Haskera in a production environment.

4. Data Storage and Security

Your data is stored in encrypted databases hosted on cloud infrastructure in the United States. We implement industry-standard security controls including:
• TLS 1.2 or later for all data in transit.
• AES-256 encryption for data at rest.
• Role-based access controls limiting data access to authorized personnel.
• Regular security assessments and penetration testing.
• HTTP security headers (HSTS, X-Frame-Options, X-Content-Type-Options) on all responses.
Despite these measures, no system is completely secure. We encourage you to use a strong, unique password for the account you sign in with and to report any suspected security incidents to [email protected].

5. Data Retention

We retain your account and compliance data for as long as your account is active or as needed to provide services. If you cancel your account, we will delete your data within 90 days, except where retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing agreements). As one such exception, compliance score history and audit logs may be retained for up to 7 years to support regulatory audit requirements.

6. Sharing of Information

We may share your information with:
• Service providers: Third-party vendors who assist us in operating the platform (e.g., Stripe for payments, cloud hosting providers). These parties are contractually obligated to protect your data.
• Legal requirements: We may disclose information if required by law, court order, or government authority.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
We do not share your compliance data with your patients, regulators, or any other third party without your explicit consent, except as required by law.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:
• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data (subject to legal retention requirements).
• Portability: Request your data in a structured, machine-readable format.
• Objection: Object to processing of your data for certain purposes.
To exercise these rights, contact us at [email protected]. We will respond within 30 days.

8. Cookies

We use a single session cookie to maintain your authenticated session. This cookie is strictly necessary for the platform to function and cannot be disabled while you use the service. We do not use advertising cookies or third-party tracking cookies.

9. Children's Privacy

Haskera is intended for use by healthcare professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us immediately.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last Updated" date. Your continued use of Haskera after changes are posted constitutes your acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:
Haskera
Email: [email protected]
Website: https://haskera.com
For HIPAA-specific inquiries or to request a Business Associate Agreement, email: [email protected]

Need a Business Associate Agreement?

If your use of Haskera involves PHI on behalf of a Covered Entity, a BAA is required before you begin. Contact us at [email protected]; we will respond within one business day.
