Privacy Policy
Last updated: March 2026 · Draft — Pending Legal Review
GapClose ("we," "our," or "us") is committed to protecting your privacy and the security of protected health information (PHI) entrusted to us. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use the GapClose platform.
1. Information We Collect
We collect information you provide directly to us, including: account registration information (name, email address, organization name), patient panel data you upload (CSV files containing patient demographics and clinical data), usage data and analytics related to your use of the platform, and communications you send to us (support requests, feedback).
2. How We Use Information
We use the information we collect to: provide, maintain, and improve the GapClose platform; analyze patient panel data to identify HEDIS care gaps and HCC recapture opportunities; generate reports, worklists, and outreach communications; send you technical notices, updates, and support messages; and comply with legal obligations.
3. Data Security
We implement industry-standard security measures to protect your data, including: AES-256 encryption for protected health information (PHI) at rest, TLS encryption for all data in transit, role-based access control (RBAC), append-only audit logging of every PHI access, and regular security assessments. PHI is redacted before anything is written to application logs, and no PHI is sent to external analytics services.
4. HIPAA Compliance
GapClose is designed with HIPAA compliance in mind. We maintain administrative, technical, and physical safeguards appropriate for handling protected health information. We will enter into a Business Associate Agreement (BAA) with covered entities as required by HIPAA. Our platform includes safeguards that support HIPAA obligations, such as audit logging, access controls, encryption, and PHI redaction from logs.
5. Data Retention
We retain your account data for as long as your account is active or as needed to provide you services. Patient panel data is retained in accordance with your subscription terms and applicable legal requirements. You may request deletion of your data at any time by contacting us. Upon account termination, we will delete or de-identify your data within 90 days, unless retention is required by law.
6. Your Rights
Depending on your jurisdiction, you may have the right to: access the personal information we hold about you, request correction of inaccurate data, request deletion of your data, object to or restrict certain processing activities, and request a portable copy of your data. To exercise any of these rights, please contact us using the information below.
7. Contact
If you have questions about this Privacy Policy or our data practices, please contact us at: [email protected]