Privacy Policy

How ProofOps Medical collects, uses, stores, and protects information about visitors to our website, our customer clinics, and the staff and patients whose data we process on our customers' behalf.

Last updated: May 20, 2026 · Version 1.2

The short version: We collect what we need to run the service. We do not sell personal information. We do not train AI foundation models on Customer Data. PHI is handled under HIPAA and the BAA. You can request access, deletion, or correction of your information at any time.

1. Who we are

ProofOps Medical ("ProofOps", "we", "our") operates the website at proofopsmedical.com and the ProofOps Medical service. For questions, write to info@proofopsmedical.com.

2. The kinds of information we handle

Site visitors

Customer clinics (account data)

Patients (PHI)

3. How we use information

4. How we share information

We share information only as follows:

We do not sell or rent personal information.

5. Cookies and tracking

We use a small number of essential cookies to run the site and a privacy-respecting, cookieless analytics tool — Vercel Web Analytics and Vercel Speed Insights — to count page views, identify popular content, and monitor real-user Core Web Vitals in aggregate. Vercel's analytics product does not set tracking cookies, does not store visitor IP addresses, does not perform device fingerprinting, and does not share data for cross-site advertising. We do not engage in "sales" of personal information or "sharing" for cross-context behavioral advertising as those terms are defined in U.S. state privacy laws. You can clear or block cookies in your browser settings.

EEA / UK visitors: Because Vercel's analytics product is cookieless and does not store identifiers that meet the GDPR / UK GDPR definition of personal data, no affirmative cookie-banner consent is required for it. Any non-essential cookies that may be introduced in the future will be set only after affirmative consent. You may opt out of all analytics by emailing info@proofopsmedical.com.

U.S. residents: because we do not sell or share personal information, no opt-out signal is required for that purpose. If state law nevertheless requires a "Do Not Sell or Share My Personal Information" mechanism, you may exercise it by emailing info@proofopsmedical.com with the subject line "Do Not Sell or Share." We honor Global Privacy Control (GPC) signals as opt-out requests where applicable.

6. How long we keep information

7. Security

We encrypt data in transit (TLS) and at rest. We use least-privilege access controls, multi-factor authentication for staff, audit logging, and routine vulnerability scanning. Our Trust & Security page describes our practices in more detail: security.html.

8. Your rights

You can request access, correction, deletion, or portability of your personal information by writing to info@proofopsmedical.com with the subject line "Privacy Request." We will verify the request, respond within the longer of (a) the time required by your jurisdiction, or (b) 30 days, and may extend by an additional 45 days where allowed and on written notice. There is no fee for the first request in any 12-month period. Where you submitted information about your clinic, requests are routed through the Account Owner.

You may also designate an authorized agent to make a request on your behalf. We may verify the agent's authority under applicable law before processing.

Automated decision-making: our service computes an automated readiness score and surfaces remediation gaps based on the documents and structured data you upload. Outputs are presented for human review and are not legally binding decisions about you. You may request a human review of any specific output by writing to info@proofopsmedical.com.

9. State-specific notices

California (CCPA / CPRA). California residents have rights to know, access, delete, correct, port, and limit use of sensitive personal information. We do not sell personal information and do not share it for cross-context behavioral advertising. To exercise rights, see Section 8 above. We honor Global Privacy Control (GPC) signals as Do Not Sell / Share opt-outs where applicable.

Florida (FDBR). Florida residents have rights under the Florida Digital Bill of Rights to access, correct, delete, port, and opt out of targeted advertising, sale of personal data, and certain profiling. We respond to verified FDBR requests within 45 days of receipt and may extend an additional 15 days where reasonably necessary, on notice to the requester. To appeal a denial, reply to our response within 60 days; we will provide a written reason in response to the appeal within 60 days. If denied on appeal you may submit a complaint to the Florida Department of Legal Affairs.

Other U.S. comprehensive state privacy laws (Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Tennessee, etc.): residents have analogous rights and may exercise them by writing to info@proofopsmedical.com.

EU/UK (GDPR/UK GDPR). Per Article 13: ProofOps Medical (a Florida-domiciled software business — full legal contact via info@proofopsmedical.com) is the data controller for site-visitor data and a processor for Customer Data. We have not appointed a Data Protection Officer because we are not required to under Article 37; concerns may be raised with our privacy contact above. Lawful bases: legitimate interest (site security, lead-management), contract performance (service delivery to customers), and consent (cookie-set analytics and email outreach). Recipients are listed in the sub-processor table referenced in Section 4 and reproduced at security.html#subprocessors. Data is transferred to the United States under Standard Contractual Clauses where required. Retention periods are listed in Section 6. You have rights of access, rectification, erasure, restriction, portability, and to object; you may withdraw consent for consent-based processing at any time without affecting prior lawful processing. You may lodge a complaint with your local supervisory authority. We do not engage in solely-automated decision-making with legal or similarly-significant effects on individuals.

10. Children

The service is not directed at children. We do not knowingly collect personal information from individuals under 13. Consistent with the California Consumer Privacy Act and similar state laws, we do not sell or share personal information of consumers we know to be under 16 without affirmative authorization.

10A. Breach notification

If a data incident affecting your personal information occurs, we will notify affected individuals without undue delay and no later than required by applicable law. For Florida residents, our timeline mirrors FL § 501.171 (within 30 days unless law-enforcement delay applies). For customer Protected Health Information, breach notification follows 45 CFR § 164.404–.408 and the Business Associate Agreement, which take precedence in any conflict with this policy.

11. International transfers

ProofOps' primary infrastructure is in the United States. If you access the service from outside the US, your information will be transferred to the US, and we use standard contractual clauses or other lawful mechanisms where required.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated to active customers at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent revision.

13. Contact

Privacy questions: info@proofopsmedical.com. Security issues: support@proofopsmedical.com.


This policy is informational. The binding privacy and data-handling terms for customers are set out in the Master Services Agreement and Business Associate Agreement.