Legal

Privacy Policy

Last updated: 2026-05-21

BID Partners LLC ("we") operates HCRIS.io. This policy explains what we collect, how we use it, and what choices you have. The Service primarily surfaces public-record data published by U.S. federal agencies; the personal data we collect is limited and tied to operating the Service.

1. What we collect

Account data — your name, work email, and organization when you sign up.

Billing data is processed by Stripe; we receive only the last four digits of your card and the subscription state.

Usage data — pages you visit, queries you run, exports you download, and the device/browser metadata your browser sends.

AI prompts — text you submit to the Smart Query Builder, along with the structured query that gets returned.

2. What we don't collect

We don't buy or rent personal data from data brokers. We don't target ads. We don't set cookies for cross-site tracking. The healthcare data in the Service is sourced from public CMS and IRS publications about facilities and providers — it is not personal patient data.

3. How we use what we collect

We use what we collect to operate the Service (authenticate you, deliver exports, bill subscriptions), to improve the Service (aggregate analytics, debugging, model quality), to communicate with you about your account, and to comply with legal obligations.

4. Sharing

We share with infrastructure providers strictly to run the Service — Stripe (billing), Supabase (database hosting), Vercel (web hosting), and our AI provider for the Smart Query Builder. We do not sell personal data. We may disclose information when required by law or to protect rights and safety.

5. Retention

Account data persists while your account is open. Billing records are retained for tax and audit periods (typically 7 years). Usage logs are retained for up to 24 months. AI prompts may be retained for service operation and quality improvement; you can request deletion of your prompt history at any time.

6. Your rights

You can access, correct, or delete your account data via the account settings or by emailing us. If you're in the EU, UK, or California, you have additional rights under GDPR, UK-GDPR, or CCPA respectively — including the right to data portability and to lodge a complaint with a supervisory authority.

7. Security

We use HTTPS everywhere, encryption at rest for database fields, and least-privilege access for staff. No system is perfectly secure; we'll notify affected users without undue delay if a breach affects their personal data.

8. Children

The Service is not directed at children under 13. If we learn we've collected data from a child under 13, we'll delete it.

9. International transfers

Our infrastructure runs primarily in the United States. If you're accessing from outside the U.S., you understand your data may be processed in the U.S.

10. Changes

We may update this policy. Material changes will be announced on the /updates page and emailed to subscribers.

11. Contact

Questions or requests: help@healthparse.io.