Privacy Policy

Last updated: March 23, 2026

CareCost ("we," "us," or "our") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, and protect your information when you use our drug cost estimation service.

1. Information We Collect

Account Information: When you create an account, we collect your email address, password (stored securely via Supabase Auth), and practice name.

Practice Information: Practice name, NPI, address, phone number, and operational preferences (fee schedules, default settings).

Usage Data: We track the number of estimates generated per month for billing purposes. We do not track which patients are the subject of any estimate.

2. Information We Do NOT Collect or Store

Patient Health Information (PHI): CareCost is designed with a privacy-first architecture. Estimate inputs — drug selection, plan type, deductible, copay, coinsurance — are entered and calculated entirely in your browser. This data is:

• Never transmitted to our servers unless you explicitly save an estimate
• Never logged in server-side analytics
• Never shared with third parties

Saved estimates are stored under your practice's account for your own audit trail. Patient identifiers on a saved estimate are optional; practices may use generic labels (e.g. "Patient A") at their discretion.

3. How We Use Your Information

• To provide and maintain the CareCost service
• To manage your account and subscription
• To track usage for billing purposes
• To communicate service updates and important notices
• To improve our service based on aggregate, non-identifying usage patterns

4. Data Security

We use industry-standard security measures including:

• TLS encryption for all data in transit
• Row-Level Security (RLS) in our database ensuring practice isolation
• JWT-based authentication with short-lived tokens
• Service-role separation between client and server operations

5. Third-Party Services

We use the following third-party services:

• Supabase — Authentication and account data storage
• Stripe — Payment processing (we never see or store your credit card details)
• Vercel — Application hosting

6. Data Retention

Account and practice data is retained for the duration of your subscription. Upon account cancellation, we retain your data for 30 days in case of reactivation, then permanently delete it.

7. Your Rights

You may:

• Access and update your account information at any time through Settings
• Request a copy of all data we hold about your practice
• Request deletion of your account and all associated data

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via the email associated with your account.

9. Contact

For privacy-related questions or requests, contact us at legal@carecostestimate.com.