What we collect, what we don't.
Last updated: May 2026
1. What we collect
This site does not require a login. The free triage tool and the 5-Minute HIPAA Self-Check run entirely in your browser — your answers stay on your device and are never transmitted to us.
If you contact us via the form or email, your message reaches us by email and is used only to respond to your inquiry. We do not add inbound contacts to a marketing list.
2. PHI
We do not store customer Protected Health Information (PHI) as part of our service delivery. Paid engagements are covered by a signed Business Associate Agreement (BAA) that documents this explicitly. Reading this site does not create a Business Associate relationship.
3. Analytics & cookies
We use Plausible Analytics, a privacy-friendly analytics service that does not use cookies and does not collect personal data or IP addresses. Plausible aggregates anonymous page-view counts only.
This site sets no advertising, marketing, or cross-site tracking cookies. The only cookies that may appear are session cookies set by your browser for routing, which expire when you close the tab.
4. Sub-processors
The site is built and hosted on Lovable, with infrastructure provided by Supabase and Cloudflare. None of these sub-processors receive PHI as part of normal site operation. Customer engagements requiring sub-processor disclosure are documented in the engagement-specific BAA.
5. Children & minors
This site is intended for clinical staff and practice administrators, not patients or minors. Pediatric practices are part of our ICP, but the site itself does not knowingly collect any personal data from individuals under 18. The triage tool collects no identifiers of any kind.
6. Your rights
Depending on your jurisdiction (US state privacy laws, Canadian PIPEDA and provincial health-information acts, UK GDPR, EU GDPR), you may have the right to request access to, correction of, or deletion of personal data we hold about you. Because we do not store visitor data beyond inbound email correspondence, most such requests are satisfied by deleting your contact thread on request.
EU/UK visitors: our lawful basis for processing inbound contact is the legitimate interest of replying to your inquiry (Art. 6(1)(f) UK/EU GDPR). We do not transfer personal data outside the jurisdiction in which you reached us, except as required to operate email infrastructure.
7. Retention
Inbound contact emails are retained for up to 24 months for support continuity, then deleted unless an active engagement requires longer retention under a signed BAA.
8. Changes & contact
We will note material changes to this notice on this page with an updated date. For questions about this notice, or to exercise a right described above, write to hello@medical.hackfirstaid.com.