Privacy Policy

How Claimaro collects, uses, shares, and protects information — including Protected Health Information handled under HIPAA Business Associate Agreements.

Last updated: April 24, 2026

Quick read: We serve health plans and sharing ministries, handle PHI only as a HIPAA Business Associate under signed Business Associate Agreements, and maintain a SOC 2 control environment (see Section 6). We don't sell personal data. You can request export or deletion of your data at any time.

1. Who we are

Claimaro ("Claimaro," "we," "us," or "our") is a software platform operated by Nexopic, Inc. that provides claims administration, enrollment, member portal, payments, and CRM tools to self-funded health plans, healthcare sharing ministries, third-party administrators (TPAs), and similar organizations ("Customers"). Members and other end users of our Customers' platforms are referred to as "Members."

This Privacy Policy describes how we collect, use, share, and protect information through (a) our marketing website at claimaro.com, (b) the Claimaro application at app.claimaro.com, and (c) any related services (collectively, the "Services").

2. Information we collect

From visitors and prospects

  • Contact details you submit through demo requests, sales inquiries, or newsletter signups (name, email, organization, role, member-count band).
  • Usage data from this website (pages viewed, referrer, approximate location derived from IP, device/browser type) collected via privacy-respecting analytics.

From Customer administrators

  • Account details (name, email, phone, role, organization).
  • Authentication data (hashed passwords, multi-factor tokens, session metadata).
  • Configuration data (plan setup, fee schedules, integrations).
  • Audit and access logs required for HIPAA and SOC 2 compliance.

From or about Members (PHI)

When a Customer uses Claimaro to administer benefits or process medical needs, we receive and process Protected Health Information ("PHI") on the Customer's behalf. This may include: name, date of birth, address, phone, email, government ID, dependent details, plan/group identifiers, eligibility, claims and Explanation of Benefits (EOBs), provider and procedure codes, payment instruments, and member communications.

We process PHI only as a Business Associate of the Customer (or of the covered entity / health plan the Customer administers) under a signed Business Associate Agreement ("BAA"). The Customer decides how Member PHI is used; in data-protection terms, the Customer is the controller and we are the processor.

3. How we use information

  • Operating the Services: hosting, processing claims, generating EOBs and remittances, running the member portal, sending plan communications, processing payments through our payment partners.
  • Customer support: responding to questions, troubleshooting, applying configuration changes you request.
  • Security: detecting and preventing fraud, abuse, and unauthorized access; maintaining audit logs; investigating incidents.
  • Compliance: meeting HIPAA, SOC 2, ACA, and other legal and regulatory obligations.
  • Service improvement: aggregated, de-identified usage analytics to improve the platform. We do not use Member PHI to train models or for marketing.
  • Marketing (visitors and prospects only): newsletters, demo follow-ups, and product updates. You can unsubscribe at any time.

4. Sharing and disclosure

We do not sell personal data. We share information only as follows:

  • Subprocessors we rely on to deliver the Services — including cloud hosting (Vercel, Supabase / AWS), email delivery (SendGrid), SMS (Twilio), payment processing (Stripe and bank gateways), error monitoring (Sentry), and analytics. All subprocessors that may access PHI sign a BAA with us. A current subprocessor list is available on request.
  • The Customer whose plan a Member is enrolled in (this is the whole point of the Service).
  • At your direction — e.g., when you connect a third-party integration (QuickBooks, Zapier, etc.).
  • Legal requirements — to comply with subpoenas, court orders, or applicable law, or to protect rights, property, or safety.
  • Corporate transactions — in connection with a merger, acquisition, or financing, where the recipient is bound by terms at least as protective as this Policy.

5. HIPAA & PHI specifics

Claimaro acts as a Business Associate to Customers that are HIPAA covered entities, and as a subcontractor Business Associate to Customers that are themselves Business Associates (for example, TPAs). For PHI:

  • We sign a BAA with every Customer whose data includes PHI.
  • PHI is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Access is gated by role-based access controls, least-privilege provisioning, and multi-factor authentication for administrative access.
  • Every access and modification of PHI is recorded in immutable audit logs.
  • In the event of a breach of unsecured PHI, we notify affected Customers without unreasonable delay and within the timelines required by HIPAA and the BAA.

6. Security & SOC 2

Claimaro maintains a SOC 2-aligned control environment covering security, availability, confidentiality, and processing integrity. Controls include: encryption in transit and at rest, secrets management, vendor risk reviews, change management, vulnerability scanning, third-party penetration testing, incident response procedures, employee background checks, and security awareness training. SOC 2 reports are available to qualified Customers under NDA.

7. Data retention

We retain Customer Data and PHI for as long as the Customer's account is active and as required to provide the Services. On termination, we follow the deletion or return obligations set out in the Master Subscription Agreement and BAA — typically returning a complete data export and then deleting Customer Data within 30–90 days, except where retention is required by law (e.g., financial records). Aggregated, de-identified data may be retained indefinitely.

8. Your rights

Customers and Members may exercise the following rights, subject to verification and applicable law (including HIPAA):

  • Access — request a copy of personal data we hold about you.
  • Correction — ask us to correct inaccurate information.
  • Deletion — request deletion of personal data, subject to retention requirements (e.g., we may need to retain claims records for compliance).
  • Portability — receive your data in a standard, machine-readable format.
  • Opt out of marketing communications at any time via the unsubscribe link.

For Member PHI, requests should generally be directed to the Customer (the covered entity / plan) — but you can also email us at privacy@claimaro.com and we'll route as appropriate.

9. Cookies & tracking

The marketing website uses essential cookies and privacy-respecting analytics. We do not use third-party advertising trackers or build cross-site profiles. You can disable cookies in your browser; some site features may not work correctly if you do.

10. Children

The Services are not directed to children under 13, and we do not knowingly collect personal data directly from children. PHI of dependents covered under a plan is provided by the plan administrator or member-parent under the Customer's authority.

11. International users

Claimaro's infrastructure is hosted in the United States. If you access the Services from outside the U.S., you understand that your information will be transferred to and processed in the U.S. We use contractual and technical safeguards consistent with applicable data protection laws.

12. Changes to this Policy

We may update this Policy from time to time. Material changes will be communicated by email to account administrators or via an in-app notice at least 30 days before they take effect. The "Last updated" date at the top reflects the latest revision.

13. Contact us

Questions about this Policy, BAA requests, or data subject requests: email privacy@claimaro.com.

Note: This document is a starting template. Before publishing as your final policy, have it reviewed by qualified legal counsel familiar with HIPAA, your applicable state laws, and any other regulatory frameworks that apply to your business.