Privacy Policy
Effective date: May 9, 2025 · Health Data Insights, LLC
Health Data Insights ("HDI," "we," "us," or "our") operates health-data-insights.com and the Formulary Scanner data product. This policy explains what information we collect, how we use it, and the choices you have. We keep it in plain English — no legalese walls.
1. Information we collect
Account information
When you register for a portal account we collect your full name, company name, work email address, and a hashed password. We never store your password in plain text — it is hashed with a one-way algorithm before it touches our database.
Billing information
Subscription payments are processed by Stripe. HDI never sees or stores your credit-card number, CVV, or billing address. Stripe assigns you a customer ID that we store alongside your account so we can manage your subscription and open the Stripe Customer Portal on your behalf. Stripe's privacy practices are described at stripe.com/privacy.
Contact form submissions
When you submit the consulting inquiry form on our Services page we collect your name, company, email address, area of interest, and message. This information is emailed directly to our team and is not stored in our database.
Usage and technical data
Our web server logs collect standard technical information — IP address, browser type, referring URL, pages visited, and timestamps — for security monitoring and diagnosing errors. We do not use third-party analytics trackers (no Google Analytics, no Meta Pixel).
Cookies
We use a single session cookie to keep you logged in. It is HttpOnly, set to SameSite=Lax, and marked Secure in production.
We do not use advertising or tracking cookies.
2. How we use your information
- Delivering the service — provisioning your Formulary Scanner access on Databricks Marketplace, Snowflake Marketplace, or AWS Data Exchange.
- Transactional email — welcome messages, password-reset links, and subscription confirmations. These are operational, not marketing.
- Billing and subscription management — creating Stripe checkout sessions, handling subscription renewals, and surfacing your plan status in the portal.
- Consulting inquiries — routing your contact-form message to the appropriate member of our team.
- Security and integrity — detecting abuse, investigating incidents, and maintaining the reliability of our infrastructure.
We do not sell your personal information. We do not use it for advertising or share it with data brokers.
3. Data sharing
We share data only in the narrow circumstances described below.
| Recipient | Purpose | What is shared |
|---|---|---|
| Stripe | Payment processing and subscription management | Email address; Stripe-assigned customer ID |
| Cloud marketplace platforms (Databricks, Snowflake, AWS) | Data delivery to your existing cloud environment | No personal data — data is delivered into your account |
| Email service provider (Zoho Mail / SMTP) | Sending transactional email | Recipient email address and message content |
| Law enforcement / legal process | Compliance with valid legal obligations | Only what is required by law; we will notify you when permitted |
4. A note on HIPAA and health data
Formulary Scanner contains formulary data — a health plan's list of covered drugs, tiers, and utilization-management rules. This is plan and policy metadata published by insurers. It is not Protected Health Information (PHI) and is not subject to HIPAA. HDI does not handle claims data, clinical records, or any individually identifiable health information. No Business Associate Agreement (BAA) is required.
Our security posture is governed by SOC 2. We are targeting SOC 2 Type I at Month 6 of operations and SOC 2 Type II at Month 12. Enterprise customers receive the report on request.
5. Data retention
- Account data — retained for the life of your account. Deleted within 30 days of a verified account-deletion request.
- Billing records — retained for 7 years to satisfy financial record-keeping obligations. Stripe retains its own records per its policy.
- Contact form submissions — retained in our email inbox per our internal email-retention policy (currently 2 years).
- Server logs — retained for 90 days, then automatically purged.
6. Security
Passwords are hashed with a one-way algorithm (scrypt / PBKDF2). All traffic is encrypted in transit via TLS. Production cookies are flagged Secure and HttpOnly. Our infrastructure runs on Microsoft Azure with role-based access control. We are working toward SOC 2 Type I certification.
No system is perfectly secure. If you discover a security issue, please disclose it responsibly to info@health-data-insights.com.
7. Your rights
Regardless of where you are located, you may request any of the following by emailing info@health-data-insights.com:
- Access — a copy of the personal data we hold about you.
- Correction — updating inaccurate or incomplete information (you can also do this yourself in the portal under Account Settings).
- Deletion — removing your account and associated personal data, subject to billing-record retention obligations.
- Portability — your account data in a machine-readable format.
- Withdrawal of consent — opting out of any non-operational communications. Note that transactional emails (password reset, subscription confirmation) are necessary to operate the service.
We will respond to requests within 30 days. We may ask you to verify your identity before acting on a request.
8. Children's privacy
Our services are directed at business professionals and are not intended for anyone under 18. We do not knowingly collect personal information from minors.
9. Changes to this policy
We may update this policy as our services evolve. Material changes will be announced via email to registered users at least 14 days before they take effect. The "Effective date" at the top of this page always reflects the current version. Continued use of the service after the effective date constitutes acceptance.
10. Contact
Questions about this policy or requests to exercise your rights:
Health Data Insights, LLC
info@health-data-insights.com