Privacy Policy

1. Introduction

EPICompliance, LLC ("EPICompliance," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information in connection with: (a) visits to our public website at epicompliance.com (the "Website"); and (b) use of our cloud-based healthcare compliance software platform and related services (collectively, the "Platform" or "Services").

This Privacy Policy applies to all visitors to the Website, registered account holders, authorized users of the Services, and any individuals whose personal information is provided to us in connection with the use of the Services. Please read this Privacy Policy carefully. By using the Website or Services, you acknowledge that you have read and understand the practices described herein.

Note on HIPAA and Platform Data: If you are using the Services as a covered entity or business associate under the Health Insurance Portability and Accountability Act ("HIPAA"), the handling of Protected Health Information ("PHI") is governed by the Business Associate Agreement ("BAA") and the Terms of Service and License Agreement, not solely by this Privacy Policy. This Privacy Policy addresses personal information collected and processed in our capacity as a service provider and website operator.


2. Information We Collect

2.1 Information You Provide Directly

We collect personal information that you voluntarily provide to us, including when you:

  • Register for an account or purchase a subscription
  • Complete onboarding or account setup forms
  • Contact us for support, inquiries, or compliance assistance
  • Sign up for newsletters, updates, or marketing communications
  • Participate in surveys, webinars, or promotional programs

The categories of personal information collected in these contexts include: full name, job title and organization name, business mailing address, business email address, business telephone number, billing and payment information (processed by our third-party payment processor; we do not store full credit card numbers), username and encrypted account credentials, and correspondence records.

2.2 Information Collected Automatically

When you visit the Website or use the Platform, our systems automatically collect certain technical and usage information, including:

  • IP address and approximate geographic location (city/state level)
  • Browser type, version, and operating system
  • Device type and screen resolution
  • Referring website and pages visited on our Website
  • Date, time, and duration of visits
  • Features accessed and actions taken within the Platform
  • Error logs and performance data

This information is collected through server logs, cookies, and similar tracking technologies as described in Section 4 below.

2.3 Information Collected Through the Platform

In connection with the Services, we collect and process information that Licensees and their authorized users submit or generate through the Platform, including:

  • User account profiles (name, email, role, department)
  • Compliance task records, completion logs, and audit trails
  • Training course enrollment and completion records
  • Policy and document management records
  • Business Associate Agreement records
  • Risk assessment inputs and outputs
  • Communications submitted through the Platform's messaging or support features

To the extent any Platform data constitutes Protected Health Information (PHI) under HIPAA, such data is governed by the applicable Business Associate Agreement and the Terms of Service. EPICompliance processes PHI only as directed by the Licensee (the covered entity or business associate) and in accordance with HIPAA requirements.

2.4 Information from Third Parties

We may receive information about you from authorized resellers or affiliate partners who refer you to EPICompliance, from payment processors in connection with billing and transaction verification, and from publicly available business directories or professional databases used to verify account registration information.


3. How We Use Your Information

EPICompliance uses the personal information we collect for the following purposes:

3.1 Providing and Operating the Services

  • Creating and managing user accounts and subscriptions
  • Delivering compliance software features, training, and content
  • Processing payments and managing billing
  • Providing customer support and responding to inquiries
  • Maintaining platform security, authentication, and access controls

3.2 Compliance and Legal Obligations

  • Fulfilling our obligations as a Business Associate under HIPAA
  • Complying with applicable state and federal healthcare regulations
  • Maintaining records required by law, including OSHA, ACA/OIG, and Medicare Fraud, Waste, and Abuse requirements
  • Responding to lawful requests from regulatory authorities or law enforcement

3.3 Communications

  • Sending transactional communications (account notices, invoices, security alerts, policy updates)
  • Sending service announcements, product updates, and compliance-related educational content
  • Sending marketing communications, where you have not opted out

3.4 Improvement and Analytics

  • Analyzing aggregated, anonymized usage data to improve Platform functionality and content
  • Evaluating Website performance and visitor behavior
  • Conducting internal research and development

EPICompliance does not sell personal information to third parties. EPICompliance does not use personal information for behavioral advertising targeting directed at individual users of the Platform.


4. Cookies and Tracking Technologies

The Website uses cookies and similar technologies to enhance your experience, analyze usage, and support security. Cookies are small text files stored on your device by your browser.

Types of cookies we use:

  • Essential Cookies: Required for the Website and Platform to function, including session management, authentication, and security. These cannot be disabled without affecting functionality.
  • Analytics Cookies: Used to understand how visitors interact with the Website (e.g., pages viewed, time spent). We use aggregated, anonymized data from these cookies to improve the Website. We do not use analytics cookies to build individual behavioral profiles.
  • Preference Cookies: Used to remember your settings and preferences across visits.

We do not use third-party advertising or behavioral tracking cookies on the Platform. The Website may include limited third-party analytics tools (such as website traffic analytics). Any such tools are subject to their own privacy policies, which we encourage you to review.

You may configure your browser to refuse cookies or alert you when cookies are being sent. Disabling essential cookies may prevent you from using certain features of the Website or Platform. For more information on managing cookies, refer to your browser's help documentation.


5. How We Share Your Information

EPICompliance does not sell personal information. We share personal information only in the following limited circumstances:

5.1 Service Providers and Subprocessors

We engage trusted third-party service providers to assist in operating our business and delivering the Services, including cloud hosting and infrastructure providers, payment processors, email delivery services, customer support platforms, and security and monitoring services. These service providers are contractually required to process personal information only on our behalf, for the purposes specified, and in accordance with appropriate data protection standards. We do not permit service providers to use personal information for their own purposes.

5.2 Resellers and Affiliate Partners

If you access the Services through an authorized reseller or affiliate partner, we may share account status and usage information with that partner to the extent necessary to support your account. Resellers and partners are subject to confidentiality obligations and may not use your information for any other purpose.

5.3 Legal and Regulatory Disclosures

We may disclose personal information when required by law, regulation, or valid legal process (such as a court order or government request), when necessary to protect the safety, rights, or property of EPICompliance, our users, or the public, or in connection with fraud prevention or investigation.

5.4 Business Transfers

In the event of a merger, acquisition, asset sale, or similar corporate transaction involving EPICompliance, personal information may be transferred to the successor entity. We will provide notice before personal information is transferred and becomes subject to a materially different privacy policy.


6. Data Retention

EPICompliance retains personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, to maintain active account relationships, and to comply with applicable legal obligations, including HIPAA recordkeeping requirements, OSHA recordkeeping standards, and ACA/OIG Medicare compliance retention obligations. In practice, this means we retain Licensee and user data for a period that may exceed standard minimum retention periods required by applicable law.

Upon termination of a subscription, Licensees have 30 days to export their data using the Platform's self-service export functionality. Following that period, EPICompliance will deactivate account access. Retained data will be maintained in accordance with our data retention schedule and applicable legal requirements, and will be securely destroyed at the end of the applicable retention period.

Our complete data retention schedule, including retention periods by data category and the process for requesting data deletion following the expiration of required retention periods, is available upon written request. Please contact us at the address in Section 11.


7. Data Security

EPICompliance implements industry-standard technical, administrative, and physical security measures to protect personal information from unauthorized access, disclosure, alteration, and destruction. These measures include encrypted data transmission (TLS), access controls and authentication requirements, role-based user permissions, regular security monitoring and vulnerability assessments, and disaster recovery capabilities.

No method of data transmission or storage is completely secure. While we work diligently to protect your information, we cannot guarantee absolute security. In the event of a security incident affecting your personal information, we will notify you in accordance with applicable law and as described in Section 7.1 below.

7.1 Security Incident Notification

If EPICompliance discovers a security incident that results in unauthorized access to or disclosure of your personal information, we will notify affected individuals and entities as follows:

  • PHI Breaches: In accordance with HIPAA Breach Notification Rule requirements and the applicable Business Associate Agreement, as further described in the Terms of Service.
  • Non-PHI Platform Incidents: We will notify affected Licensees within 72 hours of confirming a material security incident involving non-PHI Licensee data (such as account credentials or business records), to the extent practicable. Notification will be sent to the primary account contact email on file and will include a description of the incident, the categories of data involved, and the steps we are taking to address it.
  • Website Visitors: In the event of a breach involving personal information collected through the Website, we will notify affected individuals by email within the timeframe required by applicable law.

8. Your Privacy Rights

Depending on where you are located, you may have certain rights with respect to your personal information. EPICompliance will honor these rights to the extent required by applicable law.

8.1 General Rights (All Users)

All users may:

  • Access and update their account information by logging into the Platform
  • Export their own compliance and training data using the Platform's self-service export tools
  • Opt out of marketing communications by clicking "unsubscribe" in any marketing email or contacting us directly
  • Request a copy of EPICompliance's data retention schedule

8.2 California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: You may request information about the categories and specific pieces of personal information we have collected about you, the purposes for which it is used, and the categories of third parties with whom it is shared.
  • Right to Delete: You may request deletion of personal information we have collected about you, subject to certain exceptions (such as where retention is required by law or necessary to complete a transaction).
  • Right to Correct: You may request correction of inaccurate personal information we hold about you.
  • Right to Opt Out of Sale or Sharing: EPICompliance does not sell personal information and does not share personal information for cross-context behavioral advertising. No opt-out action is required for these purposes.
  • Right to Limit Use of Sensitive Personal Information: You may request that we limit our use of sensitive personal information (as defined by CPRA) to purposes necessary to provide the Services. Contact us to make this request.
  • Right to Non-Discrimination: EPICompliance will not discriminate against you for exercising your CCPA/CPRA rights.

To submit a CCPA/CPRA request, please contact us using either of the methods listed in Section 11. We will respond within 45 days of receiving a verifiable request. We may extend this period by an additional 45 days when reasonably necessary, with notice.

Authorized Agents: You may designate an authorized agent to make a CCPA request on your behalf. We may require written authorization and verification of the agent's identity and your identity before processing the request.

8.3 Other State Privacy Laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with comprehensive privacy laws may have similar rights including access, deletion, correction, portability, and opt-out of certain processing. EPICompliance will honor requests from residents of those states consistent with the requirements of applicable law. Please contact us using the information in Section 11 to submit a request.


9. Artificial Intelligence and Automated Processing

As of the effective date of this Privacy Policy, EPICompliance does not use artificial intelligence or automated decision-making systems to generate, recommend, or personalize compliance content delivered through the Services. All content, templates, training materials, and compliance resources are created and maintained by EPICompliance personnel or authorized Content Partners.

If EPICompliance introduces AI-assisted or automated processing features in the future, we will update this Privacy Policy, provide advance notice to affected users, and clearly identify any such features within the Services.


10. Additional Disclosures

10.1 Children Under 18

The Services are intended for use by healthcare organizations and business professionals. EPICompliance does not knowingly collect personal information from individuals under the age of 18. If we become aware that we have inadvertently collected personal information from a minor, we will promptly delete it. If you believe we may have collected information from a minor, please contact us at [email protected].

10.2 Third-Party Links

The Website and Platform may contain links to third-party websites or resources. EPICompliance is not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party websites you visit.

10.3 Custom Modules and Third-Party Content Partners

The Platform may offer Custom Modules — content modules developed and provided by third-party Subject Matter Expert (SME) partners. EPICompliance hosts this content as a platform service only. Content Partners may be identified in connection with the Custom Module they provide. Any personal information you submit in connection with a Custom Module is processed by EPICompliance as described in this Privacy Policy. EPICompliance does not share user personal information with Content Partners except as necessary to support the delivery of the module and as permitted by this Privacy Policy.

10.4 International Users

The Services are operated from the United States and are intended primarily for users located in the United States. If you access the Services from outside the United States, your personal information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Services, you acknowledge this transfer and processing.


11. How to Contact Us and Submit Requests

To exercise your privacy rights, ask questions about this Privacy Policy, request our data retention schedule, or submit any other privacy-related inquiry, please contact us using either of the following methods:

Email: [email protected]

Mail: EPICompliance, LLC, Attn: Privacy, 6817 Southpoint Parkway, Suite 1704, Jacksonville, Florida 32216

We will acknowledge receipt of your request within 10 business days and respond within the timeframe required by applicable law (generally 45 days for CCPA requests). If we require additional time, we will notify you of the extension and the reason for it.


12. Updates to This Privacy Policy

EPICompliance reserves the right to update this Privacy Policy at any time to reflect changes in our practices, the Services, or applicable law. When we make material changes, we will post the updated policy on the Website and update the effective date shown at the top of this document. For material changes that significantly affect your rights or our data practices, we will provide additional notice by email to registered account holders.

We encourage you to review this Privacy Policy periodically. Your continued use of the Website or Services after the effective date of any updated Privacy Policy constitutes your acceptance of the revised terms.

© Copyright EPICompliance, LLC. Privacy Policy effective March 2, 2026.