HOSPITAL FOCUS CK — PRIVACY POLICY
Version 2.3.0 | Last Updated: June 23, 2026
1. INFORMATION WE COLLECT
Personal Information (provided by you):
- Full name, work email address, job title
- Organization name and profile (city, state, bed count, GPO affiliation)
- Login timestamps and IP addresses
- Digital acceptance records (document hashes, timestamps)
Business Data (entered by you):
- Aggregate financial data (annual spend by category)
- Vendor names and pricing information
- Contract terms and expiration dates
- Project notes, decisions, and action items
- RFP scoring and evaluation data
Automatically Collected:
- Browser type and version (anonymized)
- Pages visited and features used (masked by PostHog)
- Device type (desktop/mobile — no device identifiers)
Information We Do NOT Collect:
- Protected Health Information (PHI) — the Platform is not designed to collect it and instructs users not to enter it (see Section 4 and the Data Protection Addendum)
- Patient names, medical records, or clinical data
- Social Security numbers or government IDs
- Payment card numbers (processed exclusively by Stripe)
- Biometric data
- Precise geolocation data
2. HOW WE USE YOUR INFORMATION
a) Provide, operate, and maintain the Hospital Focus CK platform
b) Generate documents, reports, and exports you request
c) Send transactional emails (login links, project stage notifications, billing confirmations)
d) Process payments (via Stripe — we never access card numbers)
e) Improve the platform using anonymized, aggregate analytics
f) Enforce our Terms of Service and prevent fraud
We Do NOT:
a) Sell, rent, or trade your personal information to third parties
b) Share your data with other hospitals or healthcare organizations
c) Use your data to train artificial intelligence or machine learning models (and our third-party AI provider, OpenRouter, is contractually bound under a zero data retention agreement not to train on your inputs)
d) Display advertising or share data with advertising networks
e) Create user profiles for cross-context behavioral advertising
3. SUBPROCESSORS & DATA SHARING
| Provider | Purpose | Data Processed |
|----------|---------|---------------|
| Supabase Inc. | Database & Authentication | All business data, user profiles |
| Vercel Inc. | Application Hosting & CDN | Session data, static assets |
| Resend Inc. | Transactional Email | Email addresses, notification content |
| Stripe Inc. | Payment Processing | Billing information (we never see card numbers) |
| PostHog Inc. | Product Analytics | Anonymized, PHI-masked usage events only |
| OpenRouter Inc. | AI-Assisted Content Tailoring | Masked tenant profile metadata (no PHI) |
We do not share Customer data with any other third parties except as required by law (see Section 8).
4. DATA SECURITY
- Encryption at rest: AES-256
- Encryption in transit: TLS 1.3
- Row-Level Security: Complete data isolation between tenants
- Role-based access controls with platform role separation
- Zero-PHI architecture: The platform is not designed to collect patient health information and instructs users not to enter it; because free-text fields could technically receive such text, we mask analytics inputs and operate an incidental-PHI discovery and deletion protocol (see the Data Protection Addendum)
- Cryptographic hashing (SHA-256) for compliance acceptance verification
- Regular security assessments and vulnerability monitoring
5. DATA RETENTION
We retain personal information only as long as reasonably necessary for the purpose for which it was collected, after which it is deleted or irreversibly anonymized.
- Active accounts: Data retained for the duration of the subscription
- Terminated accounts: Customer data deleted within 30 days of termination
- Sales leads and demo requests: If you submit your contact details through a lead, demo, or interest form and do not become a customer, we delete that contact information within 90 days
- Invoice / billing requests not completed: If you request an invoice or quote and the request is not paid or converted to an account, the request and associated contact details are deleted within 90 days; records of paid invoices are retained by our payment processor (Stripe) for the period required by applicable tax and financial-recordkeeping law
- Backup copies: Purged within 90 days of deletion from production
- Audit logs: Retained for 7 years (standard regulatory compliance period)
- Aggregate analytics: Retained indefinitely only in de-identified, aggregated form that does not identify you or your organization
6. BREACH NOTIFICATION
In the event of a confirmed security breach involving personal information:
a) We will notify affected users via email within 72 hours of confirmation
b) Notification will include: nature of the breach, data involved, steps taken, and recommended actions
c) We will notify applicable regulators, including state attorneys general and any other authorities, as and when required by applicable law
d) We will provide updates as the investigation progresses
7. YOUR RIGHTS
a) Access: Export your data at any time in JSON/CSV format via Settings
b) Correction: Edit your information at any time through the Platform
c) Deletion: Request complete account and data deletion at any time
d) Portability: Download your data in machine-readable format
e) Objection: Object to processing by contacting privacy@hospitalfocus.net
8. STATE-SPECIFIC PRIVACY RIGHTS
Residents of the following states have additional rights under their respective privacy laws:
California (CCPA/CPRA): Right to know, delete, correct, opt out of the sale or sharing of personal information, and limit the use of sensitive personal information. We do not sell or share personal information as defined by the CPRA, we do not use personal information for cross-context behavioral advertising, and we do not collect or process sensitive personal information, so no "Do Not Sell or Share" or "Limit the Use of My Sensitive Personal Information" mechanism is required. We will not retaliate against you for exercising any privacy right.
Other U.S. states: If you are a resident of any U.S. state whose law grants you these rights, you have the right to access, correct, delete, and obtain a portable copy of your personal data, and to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. We do not engage in targeted advertising, do not sell personal data, and do not conduct such profiling. We honor these rights for residents of any state whose law provides them, and we apply the standard most protective of you where state laws differ.
To exercise any state privacy rights, contact: privacy@hospitalfocus.net
Response time: Within 45 days of verified request (with one 45-day extension if needed).
We will not discriminate against you for exercising your privacy rights.
9. COOKIES & TRACKING
Essential Cookies (required for Platform operation):
- sb-access-token (Supabase authentication) — session duration
- sb-refresh-token (Supabase session refresh) — 7 days
Preference Cookies:
- hf-theme (dark/light mode selection) — 1 year
Analytics Cookies:
- ph_* (PostHog anonymized analytics) — 1 year, opt-out available
We do NOT use:
- Advertising or retargeting cookies
- Third-party tracking pixels
- Social media tracking cookies
- Cross-site tracking of any kind
Global Privacy Control (GPC): We honor GPC browser signals as a request to opt out of any sale or sharing of personal information. We do not sell or share personal information; in addition, when a GPC signal is detected our third-party analytics tool (PostHog) is not loaded at all, so no analytics events are collected from your browser. Separately, analytics are off by default for every visitor and are enabled only if you choose "Accept" on our cookie banner. Note that essential, first-party operational logs required to run and secure the Platform are not affected by GPC.
10. CHILDREN'S PRIVACY
Hospital Focus CK is a B2B platform for healthcare professionals. We do not knowingly collect information from individuals under 18 years of age. If we become aware that we have collected such information, we will delete it promptly.
11. INTERNATIONAL DATA TRANSFERS
Hospital Focus CK processes data in the United States. By using the Platform, you consent to the transfer of your data to the United States. We implement appropriate safeguards for any cross-border data transfers as required by applicable law.
12. CHANGES TO THIS POLICY
We will notify you of material changes to this Privacy Policy via email at least 30 days before they take effect. The updated policy will be posted on this page with a new "Last Updated" date.
13. CONTACT
Privacy inquiries: privacy@hospitalfocus.net
Security inquiries: security@hospitalfocus.net
This document is accepted digitally during onboarding with SHA-256 cryptographic verification. Questions? Contact security@hospitalfocus.net.