Privacy Policy
Last updated: January 18, 2025
1. Introduction
DocuCenter ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website docucenterhq.com and use our document processing services.
By using our website or services, you consent to the data practices described in this policy. If you do not agree with this policy, please do not access our website or use our services.
2. HIPAA Compliance & Protected Health Information
DocuCenter may process documents containing Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA). When handling PHI, we operate under strict compliance requirements.
2.1 Business Associate Agreement (BAA)
For clients requiring HIPAA compliance, we will execute a Business Associate Agreement (BAA) before processing any PHI. This agreement:
- Defines our obligations as a Business Associate under HIPAA
- Outlines permitted uses and disclosures of PHI
- Establishes breach notification requirements
- Requires appropriate safeguards for PHI protection
2.2 PHI Safeguards
We implement administrative, physical, and technical safeguards required by the HIPAA Security Rule:
- Access Controls: Role-based access, unique user IDs, automatic session timeout after 15 minutes of inactivity
- Audit Logging: Comprehensive activity logs for all PHI access, modifications, and exports
- Encryption: AES-256 encryption at rest, TLS 1.3 encryption in transit
- Data Integrity: Hash verification, version control, and change tracking
- Transmission Security: Secure file transfer protocols and encrypted communications
2.3 Minimum Necessary Standard
We apply the minimum necessary standard when using, disclosing, or requesting PHI. Staff access is limited to only the information necessary to perform their job functions.
2.4 PHI Breach Notification
In the event of a breach involving PHI, we will:
- Notify affected Covered Entities within 60 days of discovery (or sooner as required by the BAA)
- Provide detailed breach information as required by 45 CFR 164.410
- Cooperate with breach investigation and remediation
- Document breach response in accordance with HIPAA requirements
3. Information We Collect
3.1 Information You Provide
We collect information that you voluntarily provide when you:
- Submit an inquiry through our contact form
- Request a quote or consultation
- Create an account or register for services
- Communicate with us via email or phone
- Provide documents for processing
This information may include:
- Name and contact information (email, phone number, company name)
- Job title and role
- Document type preferences and estimated volume
- Project requirements and specifications
- Payment information (processed securely through third-party payment processors)
3.2 Client Documents and Data
When you use our document processing services, we receive and process documents that may contain:
- Employee records and personnel files
- Onboarding documents (I-9s, W-4s, etc.)
- Financial records and invoices
- Healthcare and medical records (subject to HIPAA BAA)
- Other business documents as specified in your service agreement
We process this data solely to perform the services you requested and in accordance with our contractual obligations.
3.3 Automatically Collected Information
When you visit our website, we may automatically collect:
- IP address and browser type
- Device information and operating system
- Pages visited and time spent on our site
- Referring website and search terms
- Cookies and similar tracking technologies
4. How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: To provide, maintain, and improve our document processing services
- Communication: To respond to your inquiries, send quotes, and provide customer support
- Business Operations: To process payments, manage accounts, and fulfill contractual obligations
- Quality Assurance: To ensure accuracy and quality in our document processing
- Legal Compliance: To comply with applicable laws, regulations, and legal processes
- Website Improvement: To analyze website usage and improve user experience
- Marketing: To send you relevant updates and information (with your consent)
5. Data Security
We implement industry-standard security measures to protect your information:
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Controls: Role-based access control (RBAC) limits data access to authorized personnel only
- Multi-Factor Authentication: Required for all administrative access
- Session Management: Automatic session timeout after 15 minutes of inactivity
- Audit Logging: Comprehensive logging of all data access and modifications
- Secure Infrastructure: Enterprise-grade hosting with SOC 2 compliance (Microsoft Azure, Vercel)
- Error Monitoring: Privacy-preserving error tracking with automated PII/PHI scrubbing
- Regular Audits: We conduct regular security audits and vulnerability assessments
- Employee Training: Annual security awareness training for all staff
- Incident Response: Documented procedures for detecting and responding to security incidents
Important: While we use reasonable efforts to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
6. Data Retention
We retain your information only as long as necessary:
- Client Documents: Retained for 90 days after project completion for support purposes, then securely deleted unless otherwise agreed
- PHI Documents: Retained and disposed of in accordance with the BAA and applicable HIPAA requirements
- Audit Logs: Retained for a minimum of 6 years as required by HIPAA (for PHI) or applicable regulations
- Contact Information: Retained until you request deletion or we no longer have a business relationship
- Financial Records: Retained for 7 years for tax and legal compliance
- Website Analytics: Typically retained for 26 months
You may request early deletion of your data at any time by contacting us (subject to legal retention requirements).
7. Information Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:
- Service Providers: Third-party vendors who assist with payment processing, hosting, data storage, or other business operations (under strict confidentiality agreements and, where applicable, Business Associate Agreements)
- Legal Requirements: When required by law, court order, or government regulation
- Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice to affected users and appropriate BAA transfers for PHI)
- With Your Consent: When you explicitly authorize us to share your information
7.1 Our Subcontractors and Service Providers
We may use the following categories of service providers:
- Cloud hosting and infrastructure (Microsoft Azure, Vercel)
- Authentication services (Auth0)
- Payment processing (Stripe)
- Document intelligence and OCR (Microsoft Azure AI)
- Error monitoring (Sentry - with PHI/PII scrubbing enabled)
- Communication services (Microsoft 365)
8. Your Privacy Rights
You have the following rights regarding your personal information:
- Access: Request access to the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information (subject to legal obligations)
- Opt-Out: Unsubscribe from marketing communications at any time
- Data Portability: Request a copy of your data in a structured, machine-readable format
- Restrict Processing: Request that we limit how we use your information
- Accounting of Disclosures: For PHI, request an accounting of disclosures as required by HIPAA
To exercise these rights, contact us at privacy@docucenterhq.com
9. Cookies and Tracking Technologies
We use cookies and similar technologies to:
- Remember your preferences and settings
- Maintain your authenticated session
- Analyze website traffic and user behavior
- Improve website functionality and user experience
You can control cookies through your browser settings. However, disabling cookies may limit your ability to use certain features of our website.
10. Third-Party Links
Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of these external sites. We encourage you to review the privacy policies of any third-party sites you visit.
11. Children's Privacy
Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will take steps to delete it promptly.
12. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place to protect your information in accordance with this Privacy Policy and applicable data protection laws.
13. Security Incident Response
We maintain documented incident response procedures. In the event of a security incident:
- Detection: Continuous monitoring and audit log review for anomalies
- Containment: Immediate isolation of affected systems
- Investigation: Root cause analysis and impact assessment
- Notification: Affected parties notified per legal requirements and BAA terms
- Remediation: Implementation of corrective measures
- Documentation: Comprehensive incident documentation maintained for 6 years
To report a security concern, contact: security@docucenterhq.com
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. For clients with executed BAAs, we will provide direct notification of material changes affecting PHI handling. Your continued use of our services after any changes constitutes acceptance of the updated policy.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
DocuCenter
Privacy Officer: privacy@docucenterhq.com
Security Team: security@docucenterhq.com
General Inquiries: Contact Form
Website: docucenterhq.com