
Privacy Policy

Effective date: May 8, 2026
Last updated: May 8, 2026
Applies to: hipafy.com and all Hipafy services

Contents

  1. Who we are
  2. What data we collect
  3. How we use your data
  4. Legal bases (GDPR)
  5. Data sharing
  6. International transfers
  7. Data retention
  8. Cookies
  9. Your rights
  10. California residents (CCPA)
  11. Children's privacy
  12. Security
  13. Changes to this policy
  14. Contact and complaints
Section 1

Who We Are

Hipafy is a compliance documentation software platform operated by a registered sole trader (egyéni vállalkozó) under Hungarian law. Our services are accessible at hipafy.com.

For the purposes of the EU General Data Protection Regulation (GDPR), Hipafy acts as the data controller in respect of personal data collected through the website and account registration process. Where Hipafy processes data on behalf of its customers (such as practice information entered into the compliance assessment), Hipafy acts as a data processor.

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have over it. It applies to all visitors to hipafy.com and all users of the Hipafy platform.

Section 2

What Data We Collect

2.1 Account and Registration Data

When you create a Hipafy account, we collect:

  • Full name and professional title
  • Email address
  • Practice name and type (e.g. therapy, dental, chiropractic)
  • State of practice (US state)
  • Phone number (optional)
  • Password (stored in hashed form — we never store plaintext passwords)

2.2 Assessment and Compliance Data

When you complete the Hipafy compliance assessment, we collect your answers to questions about your practice operations, including:

  • EHR and practice management software in use
  • Telehealth platform in use
  • Approximate staff count
  • Communication methods used with patients
  • Existing BAA and policy status
  • Device and network practices

This data is operational and practice-level only. We do not collect, require, or store patient names, patient health records, clinical notes, diagnoses, treatment information, or any other patient-level Protected Health Information (PHI).

2.3 Training and Certificate Data

When a staff member completes the Hipafy training module, we collect:

  • Staff member name (as entered by the user)
  • Quiz score and completion date
  • Certificate ID generated on completion

2.4 Payment Data

Payment processing is handled by Stripe, a third-party payment processor. Hipafy does not receive, store, or have access to your full payment card number, CVV, or bank account details. We receive from Stripe only a tokenized reference, the last four digits of your card, card type, and billing address for invoicing purposes.

2.5 Usage and Technical Data

When you use the Hipafy platform or visit hipafy.com, we automatically collect:

  • IP address (anonymized after 30 days)
  • Browser type and version
  • Operating system
  • Pages visited and time spent
  • Referring URL
  • Session duration and interaction data

This data is collected through privacy-respecting analytics tools and is used in aggregate form to improve the platform. We do not use advertising trackers or share this data with advertising networks.

2.6 Communications Data

If you contact us by email, through our support system, or through any contact form, we collect the content of your message and your contact details. We retain support correspondence for up to 3 years.

2.7 Data You Provide About Others

When you enter staff member names for training certificates, you are providing limited personal data about third parties. You are responsible for ensuring you have the right to provide this data and that affected individuals are informed of their rights under applicable privacy law.

Section 3

How We Use Your Data

Purpose | Data used | Legal basis
Creating and managing your account | Account data | Contract performance
Generating your compliance documentation | Assessment data | Contract performance
Processing payments and issuing invoices | Account data, payment reference | Contract performance, legal obligation
Delivering the training module and certificate | Training data | Contract performance
Sending transactional emails (receipts, reminders, updates) | Email address, account data | Contract performance, legitimate interest
Responding to support enquiries | Communications data | Legitimate interest
Improving the platform and user experience | Usage data (aggregated) | Legitimate interest
Complying with legal obligations (tax, accounting) | Account data, payment data | Legal obligation
Protecting against fraud and misuse | Usage data, account data | Legitimate interest
Marketing emails (optional) | Email address, name | Consent

We do not use your data for automated decision-making that produces legal or similarly significant effects, and we do not build individual profiles for advertising purposes.

Section 4

Legal Bases for Processing (GDPR)

Under the GDPR, we must have a valid legal basis for processing personal data. The legal bases we rely on are:

  • Contract performance (Article 6(1)(b)): Processing necessary to provide the Services you have contracted for, including generating documentation, managing your account, and processing payments.
  • Legal obligation (Article 6(1)(c)): Processing required to comply with applicable law, including tax law (NAV requirements in Hungary), invoicing obligations, and data breach notification requirements.
  • Legitimate interests (Article 6(1)(f)): Processing for our legitimate business interests, including fraud prevention, security, platform improvement, and responding to support requests, where these interests are not overridden by your privacy rights.
  • Consent (Article 6(1)(a)): For optional processing such as marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.

As Hipafy processes only operational practice data and not patient PHI, the special category data provisions of Article 9 GDPR are not ordinarily engaged. If you inadvertently provide data that could constitute special category data, please contact us so we can handle it appropriately.

Section 5

Data Sharing and Third Parties

5.1 Service Providers (Sub-processors)

We share your data with the following categories of trusted third-party service providers who process data on our behalf:

Provider type | Purpose | Location
Payment processor (Stripe) | Processing subscription payments securely | USA (SCCs in place)
Email delivery (Brevo/Sendinblue) | Transactional and marketing emails | EU
Website hosting (Netlify) | Serving the Hipafy website | USA (SCCs in place)
Analytics provider | Privacy-respecting usage analytics | EU (where possible)
Invoicing software (Billingo) | Generating Hungarian-compliant invoices | Hungary (EU)

All sub-processors are contractually bound to process data only for the specified purpose, to implement appropriate security measures, and to comply with GDPR requirements.

5.2 Legal Disclosure

We may disclose your data where required by law, including in response to valid legal process from competent authorities in Hungary or the United States, or to protect the rights, property, or safety of Hipafy, our customers, or others.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our business assets, your data may be transferred to the successor entity. We will notify you of any such transfer and the privacy practices of the successor before your data is transferred.

5.4 No Sale of Data

Hipafy does not sell, rent, or trade your personal data to third parties for their own marketing or commercial purposes. We do not permit advertising networks to access user data from the Hipafy platform.

Section 6

International Data Transfers

Hipafy is based in Hungary (EU). When we transfer personal data to service providers located outside the European Economic Area (EEA), including to the United States, we ensure appropriate safeguards are in place in accordance with Chapter V of the GDPR.

For transfers to the United States, we rely primarily on Standard Contractual Clauses (SCCs) approved by the European Commission, as well as the EU-US Data Privacy Framework where applicable providers are certified.

For US-based customers: your data may be processed and stored on servers located in the United States or the European Union. By using the Services, you acknowledge that your data may be transferred across borders as described in this Policy.

Section 7

Data Retention

Data type | Retention period | Reason
Account and assessment data | Duration of subscription + 30 days | Service provision; deletion after export window
Training completion records | Duration of subscription + 30 days | Certificate audit trail
Payment and invoicing records | 8 years from transaction date | Hungarian and EU tax law requirements
Support communications | 3 years from last contact | Dispute resolution and legitimate interest
Usage analytics data | 13 months (aggregate only after 30 days) | Platform improvement; GDPR best practice
IP addresses | 30 days, then anonymized | Security; anonymized thereafter for analytics
Marketing consent records | Until consent withdrawn + 3 years | Evidence of consent; legal obligation

When your Subscription terminates, we will retain your data for 30 days to allow you to export Documentation. After that period, account and assessment data is permanently deleted. Payment and invoicing records are retained for the period required by Hungarian tax law (8 years).

Section 8

Cookies and Tracking

8.1 What We Use

Hipafy uses a minimal set of cookies and similar technologies. We do not use advertising or cross-site tracking cookies.

Cookie type | Purpose | Consent required?
Session cookie | Keeps you logged in during your session | No (strictly necessary)
Security cookie | CSRF protection and fraud prevention | No (strictly necessary)
Preference cookie | Remembers your toggle settings (e.g. annual/monthly pricing) | No (functional)
Analytics cookie | Privacy-respecting usage analytics (no personal fingerprinting) | Yes

8.2 Managing Cookies

You can manage cookie preferences through our cookie consent banner when you first visit the site. You can also manage cookies through your browser settings. Disabling strictly necessary cookies will prevent the platform from functioning correctly.

Section 9

Your Rights Under GDPR

If you are located in the EU, EEA, or UK, you have the following rights regarding your personal data:

Right | What it means | How to exercise
Access | Request a copy of the personal data we hold about you | Email privacy@hipafy.com
Rectification | Request correction of inaccurate or incomplete data | Update in account settings or email us
Erasure | Request deletion of your data (subject to legal retention obligations) | Email privacy@hipafy.com
Restriction | Request that we limit processing of your data in certain circumstances | Email privacy@hipafy.com
Portability | Receive your data in a structured, machine-readable format | Use the export feature in your account or email us
Objection | Object to processing based on legitimate interests or for direct marketing | Email privacy@hipafy.com or unsubscribe link
Withdraw consent | Withdraw consent for any processing based on consent (e.g. marketing) | Unsubscribe link or email privacy@hipafy.com
Complaint | Lodge a complaint with the Hungarian supervisory authority (NAIH) | See Section 14

We respond to all rights requests within 30 days. In complex cases we may extend this by a further 60 days, in which case we will notify you within the initial 30-day period. We will not charge a fee for reasonable requests.

Hungarian supervisory authority: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) — ugyfelszolgalat@naih.hu — naih.hu

Section 10

California Residents — CCPA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA grants you additional rights:

  • Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the purposes for collection, and the categories of third parties with whom we share it.
  • Right to delete: You may request deletion of personal information we have collected, subject to certain exceptions.
  • Right to correct: You may request correction of inaccurate personal information.
  • Right to opt out of sale or sharing: Hipafy does not sell or share personal information for cross-context behavioral advertising. No opt-out action is required.
  • Right to non-discrimination: We will not discriminate against you for exercising any CCPA right.

To exercise any of these rights, contact us at privacy@hipafy.com. We will respond within 45 days. We may verify your identity before fulfilling a request.

Categories of personal information collected in the preceding 12 months: identifiers (name, email, IP address); commercial information (subscription and payment history); internet activity information (usage data); professional information (practice type, state, EHR vendor). We have not sold or shared personal information in the preceding 12 months.

Section 11

Children's Privacy

The Hipafy platform is intended for use by healthcare professionals and practice staff who are adults (18 years of age or older). We do not knowingly collect personal data from children under 18. If we become aware that we have inadvertently collected personal data from a child, we will delete it promptly. If you believe we may have collected data from a child, please contact us at privacy@hipafy.com.

Section 12

Security

Hipafy implements appropriate technical and organizational security measures designed to protect your personal data against unauthorized access, disclosure, alteration, and destruction. These measures include:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest
  • Hashed and salted password storage
  • Access controls limiting data access to authorized personnel on a need-to-know basis
  • Regular security reviews and vulnerability assessments
  • Contractual security obligations imposed on all sub-processors

No security system is impenetrable. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to you, we will notify you directly without undue delay as required by GDPR Article 34.

Section 13

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at the address associated with your account and by posting the updated policy on our website with a new effective date at least 14 days before the changes take effect.

Your continued use of the Services after the effective date of any update constitutes acceptance of the revised policy. If you do not agree to the updated policy, you must stop using the Services and may request deletion of your data.

Section 14

Contact and Complaints

For any questions about this Privacy Policy, to exercise your rights, or to report a data protection concern:

Email: privacy@hipafy.com

Subject line: "Privacy Request — [your name]"

Response time: Within 30 days

If you are not satisfied with our response, you have the right to lodge a complaint with the competent data protection supervisory authority:

Hungarian authority (NAIH):

Nemzeti Adatvédelmi és Információszabadság Hatóság

Email: ugyfelszolgalat@naih.hu

Website: naih.hu

For US residents: You may also contact the data protection authority in your state, or the Federal Trade Commission (FTC) at ftc.gov for matters relating to privacy and consumer protection.