Privacy Policy
Last updated: March 26, 2026
1. Introduction
Lapseproof Inc. (“we,” “us,” or “our”) is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Lapseproof platform (“the Service”).
2. Information We Collect
We collect the following categories of information:
2.1 Account Information
When you create an account, we collect your name, email address, organization name, and role within your practice. If you subscribe to a paid plan, we collect billing information through our payment processor (Stripe); we do not store full credit card numbers on our servers.
2.2 Practice and Clinician Data
You may input information about your clinicians, including names, license types, license numbers, states of licensure, expiration dates, and continuing education records. This data consists of professional license information, which is generally a matter of public record. We do not collect or store Protected Health Information (PHI) as defined by HIPAA.
2.3 Usage Data
We automatically collect information about how you interact with the Service, including pages visited, features used, timestamps, browser type, device type, and IP address. We use this data to improve the Service and diagnose issues.
2.4 Cookies and Tracking Technologies
We use essential cookies to maintain your session and preferences. We may use analytics cookies (such as Google Analytics or similar services) to understand usage patterns. You can disable non-essential cookies through your browser settings.
3. How We Use Your Information
We use collected information to:
- Provide, operate, and maintain the Service
- Send license expiration alerts and renewal reminders
- Process payments and manage subscriptions
- Communicate with you about your account, updates, and support requests
- Analyze usage patterns to improve the Service
- Detect and prevent fraud, abuse, or security incidents
- Comply with legal obligations
4. How We Share Your Information
We do not sell your personal information. We may share information with:
- Service providers — third-party vendors who help us operate the Service (hosting, email delivery, payment processing, analytics), under contracts that require them to protect your data
- Your organization — if you are part of a multi-user team, other authorized members of your organization can view practice and clinician data
- Legal requirements — if required by law, subpoena, or court order, or to protect our rights, safety, or property
- Business transfers — in connection with a merger, acquisition, or sale of assets, your data may be transferred to the successor entity
5. Data Security
We implement industry-standard and healthcare-grade security measures to protect your data, including:
- Encryption at rest — Sensitive data (credentials, payment card details, phone numbers, addresses) is encrypted using AES-256-GCM with unique initialization vectors per field before storage
- Encryption in transit — All connections use TLS 1.2+ with HTTP Strict Transport Security (HSTS) enforcement
- Row-Level Security — Database-level access controls ensure each organization can only access its own data
- Multi-factor authentication — MFA via authenticator apps, enforced at the application layer
- Bot defense — Request scoring, CAPTCHA challenges, honeypot fields, and progressive account lockout protect against automated attacks
- Rate limiting — Per-route request limits prevent abuse of sensitive endpoints
- Security headers — Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers protect against common web attacks
- Audit logging — Security-relevant actions are logged for accountability and compliance
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
6. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymize your data within 30 days, except where we are required to retain it for legal or compliance purposes. Activity logs may be retained for up to 12 months for security purposes.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (“right to be forgotten”)
- Export your data in a portable format
- Opt out of non-essential communications
- Withdraw consent where processing is based on consent
You can exercise your right to data access and data portability directly from your account at Settings → Privacy & Data, where you can download a full export of your data or permanently delete your account. For all other requests, contact us at privacy@lapseproof.com. We will respond within 30 days.
8. California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect and how it is used, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information.
9. Children’s Privacy
The Service is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will delete it promptly.
10. International Data Transfers
The Service is hosted in the United States. If you access the Service from outside the United States, your data may be transferred to, stored in, and processed in the United States, where data protection laws may differ from your jurisdiction.
11. Third-Party Services
The Service may contain links to or integrations with third-party services. This Privacy Policy does not apply to those services. We encourage you to review their privacy policies before providing them with your information.
Key third-party services we use include:
- Supabase (database and authentication hosting)
- Vercel (application hosting)
- Stripe (payment processing)
- Resend (transactional email delivery)
- Sentry (error monitoring and performance)
- Cloudflare (DNS, CDN, and bot protection)
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 14 days before the changes take effect. Your continued use of the Service after updates constitutes acceptance.
13. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:
Lapseproof Inc.
Email: privacy@lapseproof.com
General inquiries: hello@lapseproof.com