Terms of Service
Effective: February 19, 2026
1. Agreement to Terms
By accessing or using the SecurePHI analytics platform ("Service"), you agree to be bound by these Terms of Service ("Terms"). If you are accepting on behalf of an organization, you represent that you have authority to bind that organization. If you do not agree to these Terms, do not use the Service.
The Service is provided by SecurePHI, based in Scranton, Pennsylvania ("SecurePHI," "we," "us," or "our").
2. Description of Service
SecurePHI provides a cookieless, zero-PII web analytics platform designed for HIPAA-regulated healthcare entities. The Service consists of:
- A lightweight JavaScript tracker ("Ghost Script") for embedding on customer websites
- An edge-based anonymization pipeline that processes visitor data via SHA-256 hashing
- A web dashboard for viewing de-identified traffic analytics
- A Business Associate Agreement (BAA) executed between SecurePHI and the customer
3. Eligibility and Accounts
You must be at least 18 years old and authorized to enter contracts on behalf of your organization to use the Service. You are responsible for maintaining the security of your account credentials and for all activity that occurs under your account.
You agree to provide accurate, current, and complete information during registration and to keep your account information updated.
4. Subscriptions and Payment
Access to the Service requires a paid subscription. Subscriptions are billed on a recurring monthly basis through Stripe. By subscribing, you authorize SecurePHI to charge the payment method on file at the start of each billing cycle.
Plan limits. Each subscription tier includes a maximum number of tracked sites as stated on the Pricing page at the time of purchase. Exceeding your plan limit will prevent the creation of additional sites until you upgrade.
Cancellation. You may cancel your subscription at any time from your Stripe billing portal. Cancellation takes effect at the end of the current billing period. No refunds are issued for partial billing periods except where required by applicable law.
Price changes. We reserve the right to change subscription pricing with at least 30 days' notice to active subscribers via email.
5. HIPAA, BAA, and Compliance Responsibilities
SecurePHI is designed to support HIPAA compliance. However, compliance is a shared responsibility. You acknowledge that:
- SecurePHI is a tool — not a legal guarantee. Using our Service does not automatically make your organization HIPAA-compliant.
- You are responsible for ensuring the Ghost Script is correctly embedded and that no other analytics tools on your site collect PHI without appropriate safeguards.
- A BAA must be signed before processing data from patient-facing pages. The BAA is available in your dashboard and outlines our obligations as a Business Associate.
- SecurePHI's SHA-256 hashing pipeline is designed to satisfy the HIPAA Safe Harbor de-identification standard (45 CFR §164.514(b)). The 24-hour daily salt rotation ensures no cross-day visitor re-identification is possible from our stored data.
6. Acceptable Use
You agree not to:
- Use the Service to collect data from websites you do not own or have authorization to track
- Reverse-engineer, decompile, or attempt to extract source code from our systems
- Use the Service to circumvent any applicable law or regulation
- Resell, sublicense, or transfer access to the Service to third parties
- Conduct load testing or automated attacks against our infrastructure
- Embed the Ghost Script on sites that knowingly collect PHI through other means
7. Data and Privacy
Our Privacy Policy, available at /privacy, describes in full what data we collect, how it is anonymized, and how it is stored. Key points:
- No PII is stored. Visitor IP addresses and User-Agent strings are processed in-memory on our edge function and immediately discarded after hashing. Only the resulting 64-character SHA-256 hex digest is persisted.
- No cookies. The Ghost Script does not set, read, or modify any browser cookie or web storage entry.
- Salt rotation. A new HMAC-derived salt is generated every UTC midnight, making cross-day visitor linking cryptographically infeasible.
8. Intellectual Property
The Service, including the Ghost Script, dashboard, anonymization pipeline, and all associated software, is and remains the exclusive intellectual property of SecurePHI. These Terms grant you a limited, non-exclusive, non-transferable license to use the Service during your active subscription. No other rights are granted.
Your analytics data — the de-identified event records generated from your sites — belongs to you. You may export it at any time by contacting support.
9. Availability and Uptime
We aim to keep the Service available and operational but do not guarantee any specific uptime SLA on standard plans. We may perform scheduled maintenance with reasonable notice. We are not liable for analytics events that fail to record during outages.
10. Disclaimer of Warranties
THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. SECUREPHI DOES NOT WARRANT THAT THE SERVICE WILL BE ERROR-FREE, UNINTERRUPTED, OR THAT RESULTS OBTAINED WILL BE ACCURATE OR COMPLETE.
11. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, SECUREPHI SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, DATA, OR BUSINESS INTERRUPTION, ARISING OUT OF OR RELATED TO YOUR USE OF THE SERVICE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SECUREPHI'S TOTAL CUMULATIVE LIABILITY ARISING OUT OF OR RELATED TO THESE TERMS SHALL NOT EXCEED THE AMOUNTS PAID BY YOU TO SECUREPHI IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
12. Indemnification
You agree to indemnify, defend, and hold harmless SecurePHI and its officers, directors, employees, and agents from and against any claims, liabilities, damages, losses, and expenses (including reasonable attorneys' fees) arising out of or related to your use of the Service, your violation of these Terms, or your violation of any applicable law or third-party right.
13. Governing Law and Disputes
These Terms are governed by the laws of the Commonwealth of Pennsylvania, without regard to its conflict-of-law principles. Any dispute arising out of or related to these Terms shall be resolved exclusively in the state or federal courts located in Lackawanna County, Pennsylvania, and you consent to the personal jurisdiction of those courts.
14. Changes to Terms
We may revise these Terms at any time. If we make material changes, we will notify active subscribers by email at least 14 days before the new Terms take effect. Continued use of the Service after the effective date constitutes acceptance of the revised Terms.
15. Contact
SecurePHI
Scranton, Pennsylvania
legal@securephi.app