Privacy Policy
HCC Buddy (“we,” “our,” or “the Service”) is a web-based ICD-10-CM encoder and AI coding assistant. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.
1. Information We Collect
We collect only the minimum information necessary to operate the Service:
- Account information: Your email address and a hash of your password when you register. The password itself is never stored (see Section 6).
- Chat queries: Questions you type into the coding assistant chat. These are used solely to generate a response and are logged for usage analytics. Users must not submit Protected Health Information (PHI) in chat queries.
- Uploaded documents: PDF documents (payer guidelines, coding reference documents) you upload are processed for indexing and stored on our server. We do not accept documents containing patient-identifiable data.
- Usage data: Basic usage statistics such as number of queries and tokens used, tied to your account.
- Payment information: When you subscribe to a paid plan, your payment card details are collected and processed directly by Stripe. We do not store your full card number, expiration date, or CVV on our servers. We receive only a reference ID, subscription status, and billing email from Stripe.
2. Information We Do NOT Collect
- We do not collect patient names, member IDs, dates of birth, Social Security Numbers, or any other Protected Health Information (PHI).
- We do not collect browsing history or data from web pages you visit.
- We do not sell, rent, or share your data with third parties for marketing purposes.
- We do not use third-party advertising or marketing analytics trackers.
3. How We Use Your Information
- To authenticate your account and maintain your session.
- To respond to coding questions using AI (powered by Anthropic's Claude API).
- To index uploaded reference documents for your personal knowledge base.
- To process subscription payments via Stripe.
- To monitor usage, diagnose errors, and maintain service reliability.
4. Third-Party Services
HCC Buddy uses the following third-party services:
- Anthropic (Claude API): Your chat questions are sent to Anthropic's API to generate responses. We send only the text of your chat question and relevant coding context -- not your account information or uploaded documents. Anthropic does not use API data for model training. See Anthropic's Privacy Policy.
- Stripe: Payment processing for subscriptions. Stripe collects your payment card information, billing address, and transaction details directly. We never see or store your full card number. See Stripe's Privacy Policy.
- Sentry: Error monitoring and performance tracking. Sentry receives technical error logs (stack traces, request metadata) to help us diagnose and fix issues. No user-submitted content (chat queries, documents) or personally identifiable information is sent to Sentry. See Sentry's Privacy Policy.
- Fly.io: Application hosting. Our backend runs on Fly.io infrastructure. See Fly.io's Privacy Policy.
- Vercel: Website hosting. Our frontend is hosted on Vercel. See Vercel's Privacy Policy.
- Supabase: Database hosting. Our PostgreSQL database is hosted on Supabase infrastructure. See Supabase's Privacy Policy.
5. Cookies and Local Storage
HCC Buddy uses essential cookies and browser local storage for authentication (session tokens) and user preferences (such as display settings). We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
6. Data Storage and Security
- Your account data and uploaded documents are stored in a PostgreSQL database hosted on Supabase (see Section 4).
- Passwords are never stored in plain text -- they are hashed with bcrypt, a salted, deliberately slow password-hashing function. Hashing is one-way: the stored value cannot be turned back into your password, and we cannot recover your password for you.
- Access tokens expire automatically and sessions are single-device only.
- We implement industry-standard security measures including rate limiting, input validation, and encrypted transport (HTTPS).
- Database backups are encrypted and stored in Cloudflare R2 with automatic retention policies.
7. HIPAA & Protected Health Information
HCC Buddy is not a HIPAA covered entity and does not operate as a Business Associate under HIPAA regulations. We do not enter into Business Associate Agreements (BAAs).
HCC Buddy is an informational reference tool for ICD-10-CM codes and HCC categories. It is designed so that no Protected Health Information (PHI) is needed to use any feature.
Before a chat query is sent to our servers, an automated pattern check rejects text that matches formats associated with member IDs, Social Security Numbers, or other patient-identifiable data. This check is pattern-based: it catches common identifier formats but cannot recognize every form of PHI.
If PHI is accidentally submitted despite these safeguards, we will delete the data from our logs within 72 hours of discovery or notification. To report accidental PHI submission, contact privacy@hccbuddy.com immediately.
Users are solely responsible for ensuring they do not submit PHI through any feature of the Service.
8. Data Retention
We retain your account data and uploaded documents for as long as your account is active. You may request deletion of your account and all associated data at any time by contacting us at the email below. Upon account deletion, your data is permanently removed within 30 days.
9. Data Breach Notification
In the unlikely event of a data breach that affects your personal information, we will notify affected users via email within 72 hours of becoming aware of the breach, in accordance with applicable law.
10. Your Rights
You have the right to:
- Access the data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your account and all associated data.
- Withdraw consent at any time by discontinuing use of the Service and requesting account deletion.
California residents (CCPA): You have the right to know what personal information we collect, request its deletion, and opt out of the sale of personal information. We do not sell personal information.
11. Children's Privacy
HCC Buddy is intended for use by healthcare coding professionals. We do not knowingly collect information from anyone under the age of 18.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. Changes will be posted on this page with an updated effective date. Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or wish to request data deletion, please contact:
- HCC Buddy
- Email: privacy@hccbuddy.com
- Website: hccbuddy.com