
Last updated:

Plain-English note: This policy covers what Healthplex does with your information when you visit this marketing website or contact us about our services. It does not cover patient data in the EHR — that is governed by your executed BAA or DPA.


1. Who we are

Summary: Healthplex, Inc. is the data controller for this website.

Healthplex, Inc. is a Delaware corporation operating the Healthplex EHR platform. For questions about this policy, contact us at privacy@healthplex.app.


2. What this policy covers

Summary: This policy covers the marketing website and sales process only. EHR patient data is governed by the BAA / DPA — not this document.

This Privacy Policy covers:

  • Information collected when you visit healthplex.app and its subpages.
  • Information collected during the sales process (contact forms, demo requests, sales conversations).

This Privacy Policy does not cover:

  • Patient health information (PHI) processed through the Healthplex EHR Services. PHI processing is governed exclusively by the executed Business Associate Agreement (BAA) under HIPAA, or the Data Processing Agreement (DPA) under GDPR / DPDP, between Healthplex and the healthcare Customer.
  • Information you submit to the EHR platform as an Authorized User. That processing is Customer-controlled and governed by the Customer’s privacy policies and applicable healthcare law.

3. Information we collect

Summary: We collect only what you give us voluntarily (contact form) plus anonymised page analytics.

3.1 Contact and inquiry data. When you complete a contact or demo request form, we collect: your name, work email address, organisation name, job title (if provided), and the content of your message.

3.2 Website analytics. We collect anonymised, aggregated data about page views and referrer sources to understand which pages are useful. We do not track individual visitors across sessions. We do not use cross-site tracking, advertising pixels, or retargeting networks.

3.3 Technical data. Standard web server logs may include IP address, browser type, and pages requested. These are retained for security and operational purposes only and are not used for marketing.


4. Cookies

Summary: We use only strictly necessary cookies. No advertising cookies, no cross-site tracking, no identifying analytics cookies.

| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| hpx_session | Session continuity for the marketing site (e.g., form state) | Session (expires on browser close) | Strictly necessary |
| hpx_prefs | User preference for language or theme (if applicable) | 1 year | Strictly necessary |

We do not use Google Analytics, Mixpanel, Intercom, HubSpot tracking pixels, Facebook Pixel, or any other third-party analytics or advertising cookies that identify individual visitors or track across sites.


5. How we use your information

Summary: We use your contact details to respond to you and, with your consent, to send follow-up sales emails. You can opt out at any time.

We use the information collected to:

  • Respond to your inquiry or demo request.
  • Send follow-up information about the Healthplex platform that is relevant to your inquiry, with your consent.
  • Improve the marketing website based on aggregated, anonymised page analytics.

We do not use your information for:

  • Advertising or retargeting on third-party platforms.
  • Selling or renting to third parties.
  • Automated decision-making that produces legal or similarly significant effects.

Every marketing email we send includes an unsubscribe link. You may also opt out at any time by emailing privacy@healthplex.app.


6. Sharing your information

Summary: We share only what is necessary to operate our business. We do not sell personal data, ever.

Healthplex may share your information with the following categories of subprocessors:

| Subprocessor category | Purpose | Location |
|---|---|---|
| Cloud hosting provider (e.g., AWS) | Website infrastructure | US / EU depending on deployment |
| CRM / sales platform | Sales follow-up and pipeline management | US |
| Email delivery provider (e.g., SendGrid) | Transactional and sales emails | US |

The current list of subprocessors is maintained at /legal/subprocessors.

Healthplex will never sell, rent, or trade your personal information to any third party for marketing purposes.

Healthplex may disclose personal information if required by law (e.g., a court order), in which case we will give you prompt notice where legally permitted.


7. Your rights

Summary: You have rights to access, correct, delete, or restrict your data. We take these seriously and will respond within 30 days.

7.1 GDPR rights (EU / UK residents): You have the right to: access your personal data; rectify inaccurate data; erasure (“right to be forgotten”) where we have no legitimate reason to retain it; portability in a machine-readable format; restriction of processing; objection to processing based on legitimate interests; and withdrawal of consent at any time without affecting prior processing.

7.2 CCPA rights (California residents): You have the right to: know what personal information we collect and how it is used; delete your personal information (subject to limited exceptions); opt out of the sale of personal information (note: Healthplex does not sell personal information); and non-discrimination for exercising your rights.

7.3 DPDP rights (India residents): You have the right to: access a summary of the personal data we hold; correction and erasure; grievance redressal. Our Data Protection Officer / Grievance Officer for India is reachable at privacy@healthplex.app. [Placeholder: grievance officer designation in progress per DPDP Board notification timeline.]

To exercise any of these rights, email privacy@healthplex.app. We will respond within 30 days (and within the statutory period if shorter under applicable law).


8. International transfers

Summary: If you are in the EU, your data may be transferred to the US under Standard Contractual Clauses.

Healthplex is based in the United States. If you contact us from the European Union or UK, your personal data will be transferred to and processed in the US. This transfer is made under the EU Standard Contractual Clauses (SCCs) incorporated by reference into our data processing arrangements.

Data residency for PHI within the EHR Services is governed by the BAA or DPA — not this policy.


9. Children

Summary: This website is not for children. We do not knowingly collect data from under-13s.

The Healthplex website and services are directed at healthcare professionals and business decision-makers. We do not knowingly collect personal information from individuals under 13 years of age. If we learn that we have inadvertently collected data from a child under 13, we will delete it promptly.


10. Retention

Summary: We keep contact form data for 24 months. Request deletion earlier at any time.

We retain contact form data (name, email, organisation, inquiry) for up to 24 months from the date of submission, or until you request deletion, whichever is earlier. After 24 months, inactive inquiry records are purged automatically.

Web server logs are retained for a maximum of 90 days for security and operational purposes.


11. Security

Summary: We use industry-standard security measures. We cannot guarantee absolute security — no one can.

Healthplex implements reasonable technical and organisational measures to protect your personal information against unauthorised access, disclosure, alteration, or destruction. Measures include HTTPS-only transmission, access controls, and regular security assessments.

No method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security. If we become aware of a breach affecting your personal information, we will notify you and relevant regulators as required by applicable law.


12. Updates to this policy

Summary: We will email you and post a 30-day notice before any material change takes effect.

We may update this Privacy Policy to reflect changes in our practices, the Services, or applicable law. For material changes, we will: (a) post the updated policy on this page with an updated “Last updated” date; (b) notify you by email (if we hold your contact details) at least 30 days before the change takes effect.

We encourage you to review this page periodically.


13. Contact and supervisory authority

Summary: Email us at privacy@healthplex.app. If you are in the EU, you also have the right to complain to your local data protection authority.

Data controller: Healthplex, Inc. — privacy@healthplex.app

EU / UK representative: [Placeholder — to be designated prior to EU/UK market launch.]

DPDP Grievance Officer (India): [Placeholder — to be designated per DPDP Board notification timeline.] Contact: privacy@healthplex.app

If you are in the EU or UK and believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with your local data protection supervisory authority (e.g., the ICO in the UK, or the relevant EU DPA).

