Bg Image

Privacy Policy & Data Security Framework

Last Updated: March 2026

1. Introduction
Welcome to Health Coder. We provide an AI-powered development platform designed for healthcare compliance. This policy outlines how we handle two distinct types of data: Account Data (your info) and Protected Health Information (PHI) (your users' info).


2. The "Two-Layer" Data Distinction

  • Layer 1: User Account Data: Information we collect from you (the Founder) to manage your subscription (e.g., email, billing info).

  • Layer 2: Application Data (PHI): Health data processed by the applications you build on our platform. We treat this data as a Business Associate under HIPAA.


3. HIPAA & Business Associate Agreement (BAA)

  • Our Role: Health Coder acts as a Business Associate to you (the Covered Entity).

  • Your Responsibility: You are responsible for configuring access controls within your generated app.

  • The BAA: A signed BAA is available to all subscribers on the $399/mo plan. It defines our liability and security obligations regarding your PHI.


4. AI & Data Usage (Crucial Section)

  • No Training on PHI: We strictly prohibit our AI models from learning, memorizing, or training on any Protected Health Information (PHI) stored in your databases.

  • Prompt Privacy: The prompts you write to generate code are processed to build your app but are not shared with third parties for marketing purposes.


5. Infrastructure & Security

  • Hosting: Your applications are hosted on [AWS Health / Google Cloud Healthcare] infrastructure, which is HITRUST CSF certified.

  • Encryption: All database volumes are encrypted at rest. All traffic is encrypted via SSL/TLS.

  • Access Control: Our support team cannot access your patient data without your explicit, temporary permission (e.g., for debugging).


6. Data Ownership & Portability

  • You retain full ownership of the software code and database schema generated by the platform.

  • Upon cancellation, we provide a 30-day window to export your data in standard formats (JSON/SQL) before permanent deletion.


7. Third-Party Sub-processors
We utilize the following compliant sub-processors to deliver our service:

  • Infrastructure: AWS / Google Cloud

  • AI Models: OpenAI / Anthropic (via Enterprise Zero-Retention API)

  • Payments: Stripe