Privacy Policy
HCC Buddy (“we,” “our,” or “the Service”) is a web-based ICD-10-CM encoder and AI coding assistant. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.
1. Information We Collect
We collect only the minimum information necessary to operate the Service:
- Account information: Your email address and a password hash when you register. We store only a one-way hash of your password, never the password itself (see Section 6).
- Chat queries: Questions you type into the coding assistant chat. These are used to generate a response (see Section 4 for the AI provider involved) and are logged for usage analytics. Users must not submit Protected Health Information (PHI) in chat queries.
- Uploaded documents: PDF documents (payer guidelines, coding reference documents) you upload are processed for indexing and stored on our server. We do not accept documents containing patient-identifiable data.
- Usage data: Basic usage statistics such as number of queries and tokens used, tied to your account.
- Payment information: When you subscribe to a paid plan, your payment card details are collected and processed directly by Stripe. We do not store your full card number, expiration date, or CVV on our servers. We receive only a reference ID, subscription status, and billing email from Stripe.
2. Information We Do NOT Collect
- We do not collect patient names, member IDs, dates of birth, Social Security Numbers, or any other Protected Health Information (PHI).
- We do not collect browsing history or data from web pages you visit.
- We do not sell, rent, or share your data with third parties for marketing purposes.
- We do not use third-party advertising or marketing analytics trackers.
3. How We Use Your Information
- To authenticate your account and maintain your session.
- To respond to coding questions using AI (powered by Anthropic's Claude API).
- To index uploaded reference documents for your personal knowledge base.
- To process subscription payments via Stripe.
- To monitor usage, diagnose errors, and maintain service reliability.
4. Third-Party Services
HCC Buddy uses the following third-party services:
- Anthropic (Claude API): Your chat questions are sent to Anthropic's API to generate responses. We send only the text of your chat question and relevant coding context -- not your account information or uploaded documents. Anthropic does not use API data for model training. See Anthropic's Privacy Policy.
- Stripe: Payment processing for subscriptions. Stripe collects your payment card information, billing address, and transaction details directly. We never see or store your full card number. See Stripe's Privacy Policy.
- Sentry: Error monitoring and performance tracking. Sentry receives technical error logs (stack traces, request metadata) to help us diagnose and fix issues. No user-submitted content (chat queries, documents) or personally identifiable information is sent to Sentry. See Sentry's Privacy Policy.
- Fly.io: Application hosting. Our backend runs on Fly.io infrastructure. See Fly.io's Privacy Policy.
- Vercel: Website hosting. Our frontend is hosted on Vercel. See Vercel's Privacy Policy.
- Supabase: Database hosting. Our PostgreSQL database is hosted on Supabase infrastructure. See Supabase's Privacy Policy.
- Cloudflare R2: Object storage for our encrypted database backups (see Section 6).
5. Cookies and Local Storage
HCC Buddy uses essential cookies and browser local storage for authentication (session tokens) and user preferences (such as display settings). We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
6. Data Storage and Security
- Your account data and uploaded documents are stored in a PostgreSQL database hosted on Supabase (see Section 4).
- Passwords are never stored in plain text. They are hashed with bcrypt, a salted, deliberately slow password-hashing function. Bcrypt is a one-way hash, not encryption, so the original password cannot be recovered from the stored value; at login we hash the submitted password and compare it to the stored hash.
- Access tokens expire automatically and sessions are single-device only.
- We implement industry-standard security measures including rate limiting, input validation, and encrypted transport (HTTPS).
- Database backups are encrypted and stored in Cloudflare R2 with automatic retention policies.
7. HIPAA Disclaimer
HCC Buddy is not a HIPAA covered entity and does not process, store, or transmit Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA). HCC Buddy does not enter into Business Associate Agreements (BAAs). Our platform uses a “HIPAA-conscious” architecture designed to keep PHI out of our systems:
- Built-in PHI scanning rejects uploads that appear to contain patient names, Social Security Numbers, Medicare Beneficiary Identifiers, or dates of birth. Automated screening cannot recognize every form of PHI, so it is a safeguard, not a substitute for the user responsibility stated below.
- No patient-identifiable data is stored in our database, logs, or backups.
- Chat queries are processed for coding reference only and must not contain PHI.
Users are solely responsible for ensuring they do not submit PHI through any feature of the Service.
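As an added illustration of the kind of upload screening described in this section (example code written for this page, not HCC Buddy's own implementation, whose detection rules are not published here), the following Python module pre-screens extracted document text for the four identifier classes named above. The function names `scan_for_phi` and `check_upload`, the regular expressions, and the two sample documents are assumptions constructed for the example; the MBI character layout follows the published CMS format (11 characters, letters S, L, O, I, B and Z excluded) and the SSN exclusions (area 000, 666 and 9xx, group 00, serial 0000) follow the SSA's issuance rules. The security-relevant design choice is that a finding carries only the category and position of a match, never the matched text, so the rejection message and any log line derived from it stay PHI-free, which is what the "no patient-identifiable data in logs" commitment above requires of the scanner itself.

```python
"""PHI pre-screen for uploaded reference documents.

Added example, not HCC Buddy's code. Screens extracted document text for the
identifier classes the policy names and reports category and location only,
never the matched value, so rejections can be logged without leaking PHI.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Letters allowed in a Medicare Beneficiary Identifier: A-Z minus S, L, O, I, B, Z.
_MBI_ALPHA = "[AC-HJKMNP-RT-Y]"
_MBI_ALNUM = "[0-9AC-HJKMNP-RT-Y]"

PATTERNS = {
    # SSN, with or without separators. Area 000/666/9xx, group 00 and serial
    # 0000 are never issued, so they are skipped to reduce false positives.
    "ssn": re.compile(
        r"\b(?!000|666|9\d{2})\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b"
    ),
    # MBI: 11 characters in the fixed C A AN N A AN N A A N N layout, optionally
    # written with the two dashes printed on Medicare cards (e.g. 1EG4-TE5-MK73).
    "mbi": re.compile(
        rf"\b[1-9]{_MBI_ALPHA}{_MBI_ALNUM}\d-?"
        rf"{_MBI_ALPHA}{_MBI_ALNUM}\d-?{_MBI_ALPHA}{{2}}\d{{2}}\b"
    ),
    # A bare date is not PHI (payer guidelines are full of effective dates), so
    # only a date attached to a birth-date label is flagged.
    "dob": re.compile(
        r"\b(?:DOB|date\s+of\s+birth|birth\s*date|born)\b\s*[:\-]?\s*"
        r"(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}|\d{4}-\d{2}-\d{2})",
        re.IGNORECASE,
    ),
    # Labelled names such as "Patient: Jane Doe". Unlabelled names need NER and
    # are out of scope for a regex pre-screen; this catches the common header form.
    "patient_name": re.compile(
        r"\b(?i:patient|member|beneficiary)(?i:\s+name)?\s*:\s*"
        r"[A-Z][a-z]+(?:\s+[A-Z]\.?)?(?:\s+[A-Z][a-z]+)+"
    ),
}


@dataclass(frozen=True)
class Finding:
    category: str
    line: int    # 1-based line number within the document text
    offset: int  # character offset of the match within that line
    length: int
    # Deliberately no "value" field: the matched text must never be echoed back.


def scan_for_phi(text: str) -> list[Finding]:
    """Return one Finding per suspected identifier, without the identifier itself."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(category, lineno, m.start(), m.end() - m.start()))
    return findings


def check_upload(text: str) -> tuple[bool, str]:
    """Accept or reject a document; the message is safe to show and to log."""
    findings = scan_for_phi(text)
    if not findings:
        return True, "accepted"
    categories = ", ".join(sorted({f.category for f in findings}))
    lines = ", ".join(str(n) for n in sorted({f.line for f in findings}))
    return False, f"rejected: possible PHI ({categories}) on line(s) {lines}"


# Constructed sample inputs for the example; not real documents or identifiers.
CLEAN_GUIDELINE = """Payer Policy 42: HCC Documentation Requirements
Effective date: 01/01/2024
Diagnosis codes must be supported by a face-to-face encounter.
Reference: CMS-HCC model version 28, claim ID 123-45."""

PHI_DOCUMENT = """Patient: Jane Doe
DOB: 03/14/1960
MBI: 1EG4-TE5-MK73
SSN: 219-09-9999
Assessment: E11.9 Type 2 diabetes mellitus without complications"""

if __name__ == "__main__":
    for name, doc in (("guideline", CLEAN_GUIDELINE), ("chart note", PHI_DOCUMENT)):
        accepted, message = check_upload(doc)
        print(f"{name}: {message}")
```

Run as a script, the payer guideline is accepted even though it contains an effective date and a hyphenated claim number, while the chart note is rejected with a message that names the categories and lines but none of the matched values. Two caveats a deployment should keep in mind: regex screening is a pre-filter with known blind spots (unlabelled names, identifiers split across lines or embedded in images), so it supports rather than replaces the user obligation stated above; and any text extracted for scanning should be discarded on rejection rather than persisted, or the rejected upload itself becomes the PHI leak.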
8. Data Retention
We retain your account data and uploaded documents for as long as your account is active. You may request deletion of your account and all associated data at any time by contacting us at the email below. Upon account deletion, your data is permanently removed within 30 days.
9. Data Breach Notification
In the unlikely event of a data breach that affects your personal information, we will notify affected users via email within 72 hours of becoming aware of the breach, in accordance with applicable law.
10. Your Rights
You have the right to:
- Access the data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your account and all associated data.
- Withdraw consent at any time by discontinuing use of the Service and requesting account deletion.
California residents (CCPA): You have the right to know what personal information we collect, request its deletion, and opt out of the sale of personal information. We do not sell personal information.
11. Children's Privacy
HCC Buddy is intended for use by healthcare coding professionals. We do not knowingly collect information from anyone under the age of 18.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. Changes will be posted on this page with an updated effective date. Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or wish to request data deletion, please contact:
- HCC Buddy
- Email: privacy@hccbuddy.com
- Website: hccbuddy.com