Privacy Policy

Last updated: February 2026

1. Information We Collect

Account information

When you create an account, we collect your name, email address, practice name, and password (stored as a bcrypt hash). We never store plaintext passwords.

Prior authorization data

Data you enter into PA requests — including patient identifiers (MRN), diagnosis codes, medication names, payer information, clinical documentation, and uploaded files — is stored to provide the Service. This data may contain Protected Health Information (PHI) as defined by HIPAA.

Usage data

We collect standard web analytics: pages visited, features used, browser type, and IP address. This data is used to improve the Service and is not linked to patient data.

2. How We Use Your Data

  • To provide and operate the Service
  • To authenticate your identity and manage access
  • To generate analytics and reports visible only to your organization
  • To send transactional emails (password resets, notifications)
  • To improve the Service based on aggregated usage patterns

We do not sell your data. We do not use patient data for advertising. We do not share PHI with third parties except as necessary to provide the Service (e.g., Azure hosting infrastructure).

3. Data Storage and Security

  • All data is encrypted at rest (AES-256) and in transit (TLS 1.2+)
  • Database hosted on Azure Database for PostgreSQL with SSL-enforced connections
  • File uploads encrypted in Azure Blob Storage with server-side encryption
  • All infrastructure located in United States regions
  • Organization data isolation enforced via PostgreSQL Row-Level Security
  • Access controlled by role-based permissions (Admin, Staff, Provider, Viewer)

4. Data Retention

Your data is retained for as long as your account is active. Upon account termination, data is retained for 30 days to allow for recovery, then permanently deleted. Audit logs may be retained longer as required for compliance purposes.

5. Your Rights

You have the right to:

  • Access your data at any time through the Service
  • Export your PA request data
  • Request deletion of your account and associated data
  • Correct inaccurate information in your account or PA requests

6. Third-Party Services

TurboPA uses the following third-party services:

  • Microsoft Azure — cloud hosting, database, file storage, email delivery
  • Stripe — payment processing (Stripe receives billing information only, not PHI)

Each provider operates under its own privacy policies and, where applicable, Business Associate Agreements.

7. Cookies

TurboPA uses essential cookies for authentication (session tokens). We do not use advertising or tracking cookies. No cookie consent banner is required because we only use strictly necessary cookies.

8. HIPAA

TurboPA is designed to comply with the HIPAA Security Rule and Privacy Rule. We implement administrative, technical, and physical safeguards to protect PHI. Enterprise customers may execute a BAA with TurboPA.

9. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email at least 30 days before taking effect. The “Last updated” date at the top reflects the most recent revision.

10. Contact

Questions about this Privacy Policy? Contact us at privacy@turbopa.com.