Privacy Policy
Version 3.0 · Effective Date: April 26, 2026
Texas, United States · legal@credentialtrackpro.com
Last updated: May 2026 · By CredentialTrack Pro Editorial Team
This Privacy Policy explains how CredentialTrack Pro, Inc. ("CTP") collects, uses, stores, shares, and protects personal information and provider credentialing records on the credentialtrackpro.com platform. It covers account data, NPI and license details, payment information, automatic log and usage data, security safeguards, your privacy rights, and how to contact us with requests or concerns.
CTP is designed to manage provider credentialing, licensing, training, compliance, and professional records. CTP is not intended to collect, store, or process patient medical records, treatment records, billing records, or other patient protected health information (PHI). If a customer seeks to use the Service for patient-related PHI, that use is not authorized unless expressly approved by CTP in writing under separate contractual terms.
1. Who does this Privacy Policy cover?
This Privacy Policy applies to:
- Individual healthcare professionals who use self-managed accounts
- Organizational customers, coordinators, and administrators who manage workforce credentialing records
- Website visitors and prospective customers
"Personal data" and "consumer" are interpreted consistently with the definitions in the Texas Data Privacy and Security Act (TDPSA).
2. What personal information does CredentialTrack Pro collect?
Where third-party identifiers are collected, they are defined and maintained by their issuing authorities — for example, the CMS National Plan & Provider Enumeration System (NPPES) for the National Provider Identifier, and the DEA Diversion Control Division for DEA registration numbers.
2.1 Information You Provide Directly
(a) Account information, such as name, email address, phone number, role, specialty, and organization affiliation.
(b) Provider credentialing data — the core data of the Service. As a healthcare provider, you submit professional information to the Service, which may include:
- National Provider Identifier (NPI)
- State medical or nursing license numbers and expiration dates
- DEA registration number and schedule authorizations
- Board certification and recertification dates
- Hospital privilege application information
- Medicare PECOS enrollment data
- CAQH ProView profile information
- Continuing Education/Continuing Medical Education (CE/CME) records
- Malpractice history and insurance policy details
- Employment history relevant to credentialing
(c) Sensitive Personal Information: In certain credentialing workflows, you may be required to provide a Social Security number (SSN), collected only when strictly required for the specific credentialing function and with your affirmative authorization. SSNs are encrypted at rest and in transit using AES-256 encryption and are subject to the minimum necessary standard at all times.
(d) Payment Information: Billing information is collected by our payment processor, Stripe, Inc. CTP does not store full credit card numbers on its systems.
(e) Communications: Records of correspondence you send us, including support tickets, emails, and feedback.
2.2 Information Collected Automatically
- Log Data: IP address, browser type and version, operating system, access dates and times, pages visited, and referring URLs.
- Usage Data: Feature usage patterns, credential workflow completions, notification interactions, and session duration.
- Device Information: Device identifiers, hardware model, and operating system version (for mobile applications).
2.3 Information from Third Parties
We may receive information about you from third-party identity verification services, healthcare credentialing databases (e.g., CAQH, NPPES) when you authorize us to retrieve your information, Single Sign-On (SSO) providers, and your employer or credentialing organization if they have set up a coordinator account that includes you as a provider user.
3. How is your information used?
CTP uses information to:
- Provide, maintain, and improve the Service
- Authenticate users and secure accounts
- Track licenses, certifications, deadlines, expirations, and compliance requirements
- Generate reminders, dashboards, reports, and workflow outputs
- Process subscriptions and provide customer support
- Detect fraud, unauthorized access, abuse, and security incidents
- Comply with legal obligations and enforce contractual rights
CTP may use aggregated or de-identified information to analyze product performance, improve workflows, and develop new features. CTP does not use customer data to train third-party AI models. Our use limitations track the purpose-specification and data-minimization principles in the NIST Privacy Framework v1.0.
4. With whom is your information shared?
CTP may share information only as necessary to operate the Service or comply with law, including with:
- Hosting, database, infrastructure, email, analytics, and payment vendors subject to confidentiality and data protection obligations.
- Organizational administrators authorized to manage workforce credentialing records under their accounts.
- Government agencies, licensing boards, courts, or regulators when required by law.
- Successors in connection with a merger, acquisition, or sale of assets, subject to continued protection of customer data.
CTP does not sell personal information and does not share personal information for targeted advertising. Where vendors handle data on our behalf, the contractual safeguards we impose follow the structure recommended in the HHS sample Business Associate Contract provisions, even where a BAA is not formally required.
5. How is your data secured?
CTP maintains commercially reasonable administrative, technical, and physical safeguards designed to protect customer data and sensitive personal information. These safeguards are modeled on the categories codified by the HHS HIPAA Security Rule and the implementation guidance in NIST Special Publication 800-66 Revision 2 (Feb. 2024). They may include:
- AES-256 encryption of data at rest (per NIST FIPS 197) and TLS 1.2 or higher for data in transit
- Role-based access controls and the principle of least privilege
- Multi-factor authentication for administrative access and other high-risk workflows
- Audit logging and access monitoring
- Secure backup and disaster recovery practices
- Vendor management and contractual data security obligations
No method of storage or transmission is completely secure. Users are responsible for maintaining the confidentiality of their credentials and notifying CTP promptly of suspected unauthorized access.
6. How long is your data kept?
CTP retains personal information and credentialing records only for as long as reasonably necessary to provide the Service, comply with law, resolve disputes, and enforce agreements. Retention periods may vary depending on the category of information, contractual commitments, customer instructions, audit needs, and legal requirements. Where data is de-identified, we apply the standards described in the HHS guidance on de-identification of protected health information (45 CFR 164.514).
After account termination, CTP may retain certain records for a limited period to support export, dispute resolution, fraud prevention, tax compliance, and legal obligations. Data no longer needed may be deleted, anonymized, or de-identified.
7. What privacy rights do you have?
Users may request access to, correction of, deletion of, or export of personal information, subject to legal and contractual limitations. Organizational account users may need to direct certain requests through their employer or account administrator where CTP acts only as a service provider to that organization.
Texas residents and other users with rights under the Texas Data Privacy and Security Act (effective July 1, 2024, with exclusive enforcement by the Texas Attorney General and civil penalties of up to $7,500 per violation) may submit requests to privacy@credentialtrackpro.com. We will respond to authenticated requests within 45 days.
8. Does CredentialTrack Pro sell your data?
CTP does not sell personal information. We do not sell, rent, or exchange your personal information to or with third parties for monetary or other valuable consideration, and we do not share personal information for purposes of targeted or behavioral advertising. The FTC Health Breach Notification Rule and the HHS HIPAA Breach Notification Rule together govern the unauthorized acquisition of identifiable health information; we treat both as binding floors on our handling of credentialing records.
"While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics."
9. Does CredentialTrack Pro use cookies?
CTP may use essential cookies and limited analytics tools to operate the Service, maintain sessions, improve functionality, and understand aggregate usage patterns. CTP does not use behavioral advertising cookies. For background on cookie disclosures and consumer rights, see the FTC Consumer Privacy business guidance.
10. Is the Service for children?
The Service is not directed to children under 18, and CTP does not knowingly collect personal information from children. Our approach is informed by the FTC Children's Online Privacy Protection Rule (COPPA).
11. How will Privacy Policy changes be communicated?
CTP may update this Privacy Policy from time to time. Material changes will be posted on the website and, where appropriate, provided by email or in-app notice. The notice approach is consistent with the FTC's ".com Disclosures" guidance.
12. How can you reach the CredentialTrack Pro privacy team?
Privacy questions, requests, or concerns may be directed to:
CredentialTrack Pro, Inc.
Privacy: privacy@credentialtrackpro.com
Legal: legal@credentialtrackpro.com
Support: support@credentialtrackpro.com