1. Scope and acceptance
This Privacy Policy explains what information HCBS.AI collects, how we use and share it, and the rights you have. It applies to visitors of the HCBS.AI website, users of the agency-snapshot tool, subscribers to the Daily Brief, and paid Subscription customers. It does not govern Protected Health Information (PHI) transmitted through the Service; PHI is governed by the separately-executed HIPAA Business Associate Agreement (BAA). By using the Service, you consent to the practices described here.
2. Categories of information we collect
We collect the following categories of personal information:
- Identifiers: name, email address, business contact information, IP address.
- Account information: agency name, state of operation, role, account credentials (hashed), Subscription tier.
- Commercial information: Subscription status, billing records (handled by Stripe; we do not store full card numbers).
- Internet activity: pages visited, referring URL, browser type, language, anonymized usage analytics from Cloudflare Web Analytics (no cookies, no fingerprinting, no third-party trackers).
- Agency operational data (Customer Data): the answers you provide in the agency-snapshot tool (state, services, scale, current stack, top pain) and any subsequent SOPs, citations, dossiers, training-plan progress, network ranking inputs, and Daily Brief subscription preferences.
- Sensitive personal information (CCPA § 1798.140(ae)): account credentials. Precise geolocation is not collected. PHI is collected only under a BAA and is handled per Section 6.
- Inferences: aggregated, anonymized patterns derived from Customer Data across the network (used only at the aggregate level; never identifiable to an individual agency).
3. Sources of information
- Directly from you when you use the Service (agency-snapshot answers, account creation, email subscription, support emails, billing).
- From your devices automatically (IP, browser metadata, page-view analytics).
- From our payment processor (Stripe) on billing events; we receive transaction status, not card data.
- We do not purchase personal information from data brokers and we do not receive personal information from advertising networks.
4. How we use information (purposes of processing)
- Provide the Service. Generate your agency snapshot, income projection, regulatory primer, Daily Brief, SOPs, citations, dossiers, and the per-agency website.
- Authenticate and secure accounts; detect and prevent fraud, abuse, and unauthorized access.
- Operate billing and Subscription renewals via Stripe.
- Deliver operational communications you have subscribed to (the Daily Brief and account notices).
- Improve the Service using aggregate, anonymized patterns. Your individual Customer Data is never identifiable in those patterns and is never used to train AI models.
- Comply with legal obligations, respond to lawful requests, and enforce our Terms of Service.
4.1 Aggregation methodology
When the Service surfaces network-wide patterns (peer benchmarks, industry baselines, regulatory trends), individual operator data is k-anonymized: no metric is shown unless at least five contributing agencies meet the segmentation criteria. Aggregation covers operational metrics only (caregiver tenure, audit pass rate, pay-through ratio, regulatory absorption time). Protected Health Information is never aggregated and never appears in any cross-agency view.
5. What we never do
- We do not sell or rent personal information.
- We do not share personal information for cross-context behavioral advertising.
- We do not use Customer Data to train AI models.
- We do not run third-party trackers (no Google Analytics, no Meta Pixel, no Segment, no Mixpanel, no LinkedIn Insight, no advertising cookies).
- We do not share Daily Brief subscriber lists with advertisers or list-rental services.
- We do not retain prospective-customer data for more than 18 months without engagement.
6. HIPAA and PHI
PHI is governed by the BAA executed between HCBS.AI and Customer before any PHI is transmitted to the Service. Under the BAA:
- PHI is encrypted at rest (AES-256) and in transit (TLS 1.3 minimum).
- Access to PHI is role-based, and every read or write is logged on a tamper-proof audit trail.
- PHI is segregated from marketing systems, analytics, and AI model-training pipelines.
- Subcontractors who handle PHI execute downstream BAAs with HCBS.AI before access is granted.
- Breach notification follows 45 CFR §§ 164.400–414 and the BAA.
Marketing surfaces (this site, the Daily Brief landing pages, the agency-snapshot tool) do not carry PHI. Do not transmit PHI to HCBS.AI through any channel until a BAA is in effect.
7. Disclosure to third parties (subprocessors)
We share personal information only with service providers (subprocessors) acting on our behalf and bound by contractual confidentiality and security obligations. Our current subprocessors:
- Cloudflare, Inc. — static hosting, CDN, DDoS protection, and anonymized Web Analytics.
- Stripe, Inc. — payment processing. Stripe stores card data under PCI-DSS; we receive transaction status only.
- Email delivery provider — transactional and Daily Brief delivery (specific provider disclosed on request).
We may also disclose information when required by law, in response to lawful process, to enforce our Terms, to protect the rights, property, or safety of HCBS.AI, our customers, or others, or in connection with a merger, acquisition, or sale of assets (with notice to affected users).
8. Data retention
- Account data: for the life of the account plus 90 days after termination (recoverable export window).
- Customer Data (agency snapshot, SOPs, dossiers, audit trail): for the life of the account; on termination, retained for 90 days then deleted or anonymized except where retention is required by law or under the BAA.
- Daily Brief subscriber email: until you unsubscribe; unsubscribe requests are honored within one business day.
- Billing records: 7 years to satisfy U.S. tax and accounting recordkeeping requirements.
- Web analytics: anonymized at collection; aggregated metrics retained indefinitely; no individual visitor records.
- Prospective-customer data (incomplete snapshots, abandoned signups): 18 months without engagement, then purged.
9. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These include encryption at rest and in transit, role-based access controls, a tamper-proof audit trail on data access, segregation of PHI from marketing systems, and a documented incident-response program. No security control is absolute; we will notify affected users and regulators of a breach as required by applicable law and the BAA.
10. Your rights
You have the following rights with respect to personal information we hold about you:
- Access: request a copy of the personal information we have about you.
- Correction: request that we correct inaccurate information.
- Deletion: request deletion of your personal information, subject to legal-retention obligations.
- Portability: receive your personal information in a structured, commonly-used format (CSV, JSON, PDF).
- Opt out of sale or sharing: we do not sell or share personal information, so opt-out is the default.
- Limit use of sensitive personal information: we use sensitive PI only as needed to deliver the Service.
- Non-discrimination: we will not deny service, change prices, or degrade service quality for exercising any of these rights.
To exercise any of these rights, email wecare@hcbs.ai with the subject line “Privacy request” and the email address associated with your account. We will respond within 45 days (extendable once by 45 days for complexity, with notice). If we deny your request, we will explain why. Authorized agents may submit requests on your behalf with verifiable written authorization.
11. State-specific rights
Residents of certain states have additional rights under their state privacy laws. We honor those rights as set out below; any overlapping right listed above applies regardless of state.
- California (CCPA/CPRA): right to know, delete, correct, opt out of sale or sharing, limit use of sensitive personal information, and non-discrimination. We do not sell or share personal information for cross-context behavioral advertising. To submit a request, see Section 10.
- Virginia (VCDPA), Connecticut (CTDPA), Colorado (CPA), Utah (UCPA), Texas (TDPSA): right to access, correct, delete, port, and opt out of targeted advertising, sale of personal data, and certain profiling decisions. To submit a request, see Section 10.
- Nevada (SB 220): right to opt out of sale of covered information. We do not sell covered information.
We will not retaliate against you for exercising any state-law privacy right. If we cannot verify your identity through your account email, we may request additional information to authenticate the request.
12. Cookies and tracking technologies
We use a minimal number of strictly-necessary first-party cookies and local-storage entries to keep you signed in, remember your text-size preference, and remember when you have dismissed the 80/20 Rule deadline banner. We do not use advertising cookies, tracking pixels, or third-party analytics beyond anonymized Cloudflare Web Analytics (cookieless). We honor Global Privacy Control (GPC) and Do Not Track (DNT) signals where applicable, though because we do not sell or share personal information, there is little practical effect.
13. Children's privacy
HCBS.AI is a business-to-business product for HCBS caregiver agency operators. The Service is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided personal information to us, contact wecare@hcbs.ai and we will delete it.
14. International data transfers
HCBS.AI is a U.S.-only operation. Personal information is stored in the United States. We do not transfer personal information outside the United States. If you access the Service from outside the United States, your information will be transmitted to and processed in the United States.
15. Marketing communications
You can unsubscribe from the Daily Brief and other marketing communications by clicking the one-click unsubscribe link in any email, or by emailing wecare@hcbs.ai. We will continue to send transactional communications (account, security, billing, BAA-required notices) as long as you have an account.
16. Changes to this policy
We may update this Privacy Policy as the product evolves or as required by law. We will post the updated version on this page with a revised “Last updated” date. For material changes, we will notify Daily Brief subscribers and account holders by email at least 30 days before the effective date. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
17. Contact
Privacy questions, requests, and complaints go to:
- Email: wecare@hcbs.ai
- Mail: HCBS.AI Inc, Attn: Privacy, 30 N Gould St, STE N, Sheridan, WY 82801
A real person writes back. If you are not satisfied with our response, you have the right to lodge a complaint with your state attorney general or the U.S. Federal Trade Commission.