1. Who We Are
Contract Rates Inc (“Contract Rates,” “we,” “us,” or “our”) operates a web-based healthcare contract rate intelligence platform at contractrates.org. We are headquartered at 1215 NE 7th Street Suite E, Grants Pass, OR 97526.
This Privacy Policy describes how we collect, use, share, and protect information when you visit our website, use our portal, or interact with our services (collectively, the “Services”). It applies to all users including practice managers, administrators, and API partners.
By using the Services, you agree to the practices described in this Policy. If you do not agree, please do not use the Services.
2. What We Collect
Information You Provide Directly
- Account registration: practice name, your name, email address, role, and password.
- Billing information: payment card details and billing address, processed by our PCI-compliant payment processor. We do not store full card numbers.
- Support communications: messages, emails, chat transcripts, and any information you include when contacting us.
- Setup selections: the counties, taxonomies, and competitor practices you select during onboarding and portal use.
Information Collected Automatically
- Log data: IP address, browser type and version, operating system, pages viewed, features accessed, date and time of access, and referring URLs.
- Device information: device type, screen resolution, and connection type.
- Session data: how you navigate the portal, features you use, and actions you take within the Services.
- Cookies and similar technologies: as described in Section 6.
Information From Third Parties
- Payment processors: transaction confirmation and billing status from our payment processor.
- Public data sources: Transparency in Coverage machine-readable files published by insurance companies as required by federal law. This data does not contain personal information about you.
Information We Do Not Collect
- We do not collect patient names, patient Social Security numbers, dates of birth, or any other patient-level protected health information through the core Services.
- The 835 ERA Verifier feature processes a limited amount of PHI solely as described in Section 5.
3. How We Use Your Data
We use the information we collect to:
- Provide the Services: process your account, deliver rate intelligence, process payments, and fulfill your subscription.
- Personalize your experience: remember your county, taxonomy, and competitor selections; tailor dashboard views to your setup.
- Communicate with you: send account confirmations, payment receipts, renewal notices, service updates, and responses to your support requests. Where you have opted in, we may also send marketing communications about new features, educational content, and promotional offers via Mailchimp or a similar email service provider. You may opt out of marketing emails at any time.
- Improve the Services: analyze usage patterns to identify bugs, improve features, and develop new capabilities.
- Ensure security: detect, investigate, and prevent fraudulent activity, unauthorized access, and abuse.
- Comply with law: meet our legal obligations, respond to lawful requests from authorities, and enforce our Terms of Service.
We do not use your data to train AI or machine learning models, sell to data brokers, or share with insurance companies or other healthcare payors.
4. How We Share Your Data
We do not sell your personal information. We share data only in the following limited circumstances:
Service Providers
We engage third-party vendors to help operate the Services. These providers access your data only as necessary to perform services on our behalf and are contractually required to protect it. Current vendors include:
- Cloud hosting and infrastructure: servers and storage that power the platform.
- Payment processing: PCI-compliant processor handling billing transactions. We do not store full card numbers.
- Analytics: Google Analytics (Google LLC) to help us understand website and portal usage. Google may collect and process data in accordance with their own privacy policy at policies.google.com/privacy.
- Email communications: Mailchimp (Intuit Inc.) or a similar email service provider used to send account notifications, service updates, and marketing communications where you have opted in. These providers process your email address and communication preferences on our behalf.
- Customer support tools: platforms used to manage support tickets and communications.
Legal Requirements
We may disclose your information if required by law, regulation, subpoena, court order, or government request, or where we believe disclosure is necessary to protect the rights, safety, or property of Contract Rates, our users, or the public.
Business Transfers
If Contract Rates is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
With Your Consent
We may share your information for purposes not described here when you have provided explicit consent.
What We Never Do
- We do not sell personal information to third parties.
- We do not share your data with insurance companies, payors, or competitors.
- We do not share your practice selections, negotiation strategies, or portal activity with any other user or third party.
5. Protected Health Information & the 835 ERA Verifier
The core rate intelligence Services operate exclusively on public Transparency in Coverage data and do not involve protected health information (PHI) as defined under HIPAA.
835 ERA Verifier Exception. This feature processes a limited amount of PHI incidentally present in 835 Electronic Remittance Advice files — specifically claim identifiers, dates of service, CPT codes, and minimal patient identifiers. Use of this feature requires execution of our Limited Purpose Business Associate Agreement, presented for electronic signature within the portal before the upload tool is accessible.
How We Handle 835 PHI
- Purpose limited: PHI is used solely to parse and analyze payment compliance against your contracted rates.
- Immediate deletion: uploaded 835 files are deleted automatically upon completion of parsing — before your results are displayed. No PHI is retained in any database, log, or backup.
- Five-minute sweep: as a secondary safeguard, an automated process deletes any remaining upload directory files within five minutes under all scenarios.
- No further use: PHI from 835 files is never used for analytics, marketing, product improvement, or any purpose beyond the compliance analysis you requested.
6. Cookies & Tracking Technologies
We use cookies and similar technologies to operate and improve the Services.
Types of Cookies We Use
- Essential cookies: required for the Services to function — session management, authentication, and security. These cannot be disabled without breaking core functionality.
- Preference cookies: remember your settings and selections within the portal so you do not have to re-enter them.
- Analytics cookies: we use Google Analytics (GA4) to collect information about how visitors use our website and portal — pages visited, time spent, traffic sources, and actions taken. This data is aggregated and used to improve the Services. Google Analytics may set cookies including _ga and _gid. You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on at tools.google.com/dlpage/gaoptout.
- Marketing cookies: if you interact with email campaigns sent via Mailchimp or similar platforms, cookies or tracking pixels may be used to measure open rates and link clicks. These help us understand what content is useful to our audience.
Your Cookie Choices
You can control cookies through your browser settings. Disabling essential cookies will prevent the Services from functioning correctly. Most browsers allow you to view, manage, and delete cookies through their settings menus.
Do Not Track
Some browsers send “Do Not Track” signals. Our Services do not currently respond to Do Not Track signals, but we do not sell personal information regardless.
7. Data Retention
We retain your account information and usage data for as long as your subscription is active and for a reasonable period afterward to allow for account reactivation, dispute resolution, and compliance with legal obligations.
- Active accounts: retained for the duration of your subscription.
- Cancelled accounts: account data retained for up to three years following cancellation for legal and business purposes, then deleted or de-identified.
- Payment records: retained as required by applicable financial and tax regulations.
- 835 ERA files: deleted immediately upon parse completion as described in Section 5. No retention period applies.
- Support communications: retained for up to two years to support ongoing service quality.
- Cancellation of a subscription: does not constitute a deletion request. Users wishing to request deletion of personal information should contact privacy@contractrates.org as described in Section 9.
- Formal deletion requests: upon a verified deletion request submitted to privacy@contractrates.org, we will delete or de-identify personal profile information within 30 days. Financial transaction records, BAA execution records, Terms of Service acceptance records, and data required for legal compliance or dispute resolution will be retained in a secure archive for the applicable legal retention period and are not used for any active processing or marketing purpose.
8. Security
We implement administrative, technical, and physical safeguards designed to protect your information against unauthorized access, disclosure, alteration, or destruction. These include:
- Encrypted transmission via HTTPS/TLS for all data in transit
- Encryption at rest for sensitive stored data where applicable
- Role-based access controls limiting data access to authorized personnel
- Regular security reviews and vulnerability management
- No PHI logging in application, web server, or error logs for the 835 Verifier feature
No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your information using industry-standard practices. If we become aware of a security breach that affects your data, we will notify you as required by applicable law.
9. Your Rights & Choices
You have the following rights regarding your personal information:
- Access: request a copy of the personal information we hold about you.
- Correction: request correction of inaccurate or incomplete information.
- Deletion: request deletion of your personal information, subject to our legal retention obligations.
- Portability: request your data in a commonly used, machine-readable format where technically feasible.
- Objection: object to certain uses of your data, including direct marketing.
- Withdrawal of consent: where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any of these rights, contact us at privacy@contractrates.org. We will respond within 30 days. We may need to verify your identity before processing your request.
Marketing Communications
If we send marketing emails, you may opt out at any time using the unsubscribe link in any email or by contacting us directly. We will still send transactional communications necessary to your account.
10. Children’s Privacy
The Services are intended for use by healthcare professionals and practice administrators. We do not knowingly collect personal information from anyone under the age of 18. If we learn that we have collected information from a minor, we will delete it promptly. If you believe we have inadvertently collected such information, please contact us at privacy@contractrates.org.
11. Oregon & State Privacy Rights
Oregon
Contract Rates is headquartered in Oregon. Oregon residents may have additional rights under the Oregon Consumer Privacy Act (OCPA), including the right to know, correct, delete, and opt out of certain data uses. To exercise these rights, contact privacy@contractrates.org.
California
California residents may have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). We do not sell personal information as defined under California law. California residents may submit rights requests to privacy@contractrates.org.
Other States
Residents of other states with applicable privacy laws may exercise similar rights by contacting us directly. We will respond in accordance with applicable law.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make material changes, we will update the “Last Updated” date at the top of this page and provide notice via email or in-app notification where appropriate.
Your continued use of the Services after the effective date of any update constitutes acceptance of the revised Policy. If you do not agree to the updated Policy, you must stop using the Services.
13. Contact Us
Questions, concerns, or requests regarding this Privacy Policy or your personal information: