Privacy Policy

Last updated: March 2026

Overview

Cord Health ("Cord," "we," "our," or "us") provides payment processing and FSA/HSA documentation services for wellness and allied health practices. This Privacy Policy describes how we handle information — including limited health information — in connection with our services. Our registered office is in Delaware.

Our Approach to Data

  • We collect only what we need. We limit data collection to what is necessary to provide our services.
  • We never sell your data. We do not sell personal information or health information to any third party, ever.
  • We don't store sensitive payment data. Payment card information is processed by PCI-DSS Level 1 compliant processors. We do not store credit card numbers or bank account details on our systems.
  • Health information is protected at every layer. All data is encrypted in transit (TLS 1.3) and at rest (AES-256 via AWS server-side encryption). Health information is accessed in cleartext only by Cord's application server when generating your receipt or practitioner recommendation letter, and only for the duration of that request. It is never stored in logs, shared with advertisers, or used for any purpose beyond completing your provider's transaction.
  • We maintain HIPAA-grade safeguards. Cord implements administrative, physical, and technical safeguards consistent with the HIPAA Security Rule and executes Business Associate Agreements with healthcare provider customers.

Information We Collect

If you are a healthcare provider or practice:

  • Business contact information (name, email, phone, address)
  • Account credentials
  • Information needed to verify your practice and connect your payment account
  • Transaction records processed through our platform

If you are a patient paying through Cord or receiving FSA/HSA documentation:

  • Name and email address (for receipt and document delivery)
  • Payment information (processed directly by our PCI-DSS compliant payment processor — we do not store card numbers)
  • Health information your provider shares with Cord solely to generate your FSA/HSA documentation — see the Health Information section below

Collected automatically from all users:

  • Basic usage data to maintain and improve our services (aggregated and de-identified)
  • Session identifiers and authentication tokens

Health Information

When a healthcare provider uses Cord to process FSA/HSA-eligible payments or generate practitioner recommendation letters, Cord may receive limited health information about you — specifically, the reason for your visit and relevant condition information needed to document FSA/HSA eligibility under IRS Publication 502.

How we protect it: This information is encrypted in transit using TLS 1.3 and encrypted at rest using AES-256 via AWS server-side encryption. Cord's application accesses your health information in cleartext only when generating your receipt or practitioner recommendation letter, and only for the duration of that request. Your health information is never written to application logs or cached outside the database. Even in the unlikely event of a storage-level breach, your health information cannot be read without access to AWS-managed encryption keys.

How we use it: Health information is used exclusively to:

  • Generate itemized receipts and FSA/HSA documentation for your records
  • Prepare practitioner recommendation letters at your provider's direction
  • Deliver those documents to you by email (under a secure email agreement)
  • Comply with applicable law

What we never do with health information: We do not sell it, use it for advertising, share it with payment processors, or use it for any purpose beyond the specific service your provider engaged us to perform.

How We Use Information

We use information to:

  • Provide and maintain our payment processing and FSA/HSA documentation services
  • Process transactions and generate receipts
  • Generate and deliver FSA/HSA documentation and practitioner recommendation letters
  • Communicate with you about your account or transaction
  • Comply with legal obligations (including tax and HIPAA record-keeping requirements)
  • Prevent fraud and abuse
  • Improve our platform using aggregated, de-identified analytics

We do not use your personal information or health information to train AI models, build advertising profiles, or for any purpose unrelated to providing our services to your healthcare provider.

Encryption and Security

We take security seriously, particularly for health information. Our key protections:

  • Encryption in transit. All data transmitted between your browser and our servers is encrypted using TLS 1.3. Older, less secure protocols are disabled.
  • Encryption at rest. Health information stored in our database is encrypted using AES-256 via AWS server-side encryption. Encryption keys are managed entirely by AWS and are never accessible to Cord's application code.
  • Minimal cleartext exposure. Cord's application accesses health information in cleartext only when generating receipts or practitioner recommendation letters. This occurs in ephemeral server memory during the request and is never written to logs or cached.
  • Payment data. Credit and debit card information is processed directly by our PCI-DSS Level 1 compliant payment processor. Cord does not store card numbers, CVV codes, or bank account details.
  • Access controls. Access to systems containing personal data is limited to authorized personnel on a need-to-know basis, with multi-factor authentication required.

HIPAA Compliance

Cord operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA) when processing health information on behalf of healthcare provider customers (who are Covered Entities under HIPAA).

This means:

  • We execute a Business Associate Agreement (BAA) with each healthcare provider customer before processing health information on their behalf
  • We implement administrative, physical, and technical safeguards required by the HIPAA Security Rule (45 C.F.R. Part 164)
  • We limit our use and disclosure of health information to the purposes described in this policy and our provider agreements
  • We notify affected providers promptly in the event of a security incident involving health information

Your primary HIPAA relationship is with your healthcare provider, not with Cord. Your provider is responsible for their own Notice of Privacy Practices and for responding to most HIPAA rights requests on your behalf. See the Your Rights (Health Information) section below.

Information Sharing

We share information only when necessary to provide our services or as required by law:

  • AWS (Amazon Web Services). Health information is stored on AWS infrastructure under a HIPAA Business Associate Agreement. Data is encrypted at rest using AWS server-side encryption (AES-256).
  • Email delivery provider. When your provider sends you a receipt or practitioner recommendation letter by email, our email delivery provider processes that document under a HIPAA Business Associate Agreement.
  • Stripe (payment processing). Stripe processes payment card transactions. Stripe does not receive any health information. Diagnosis, condition, and reason-for-visit information is architecturally excluded from all data sent to Stripe. Stripe processes only payment amounts, currency, and anonymized transaction identifiers.
  • Your healthcare provider. We share your information with the healthcare provider through whose platform you are transacting. Your provider directed us to process this information on their behalf.
  • Legal requirements. We may disclose information when required by law, court order, or to protect the rights and safety of Cord, our customers, or the public.
  • Business transfers. In connection with a merger, acquisition, or sale of assets, personal information may be transferred as a business asset. We will provide notice before any such transfer if it materially affects how your health information is handled.

We do not share your information with advertisers, data brokers, or any party for commercial purposes unrelated to providing our services.

Data Retention

We retain information for as long as required by law and no longer:

  • Health information (FSA/HSA documentation, practitioner recommendation letters): Retained for a minimum of 6 years from creation, as required by HIPAA. Certain FSA/HSA records are retained for 7 years to meet IRS documentation requirements.
  • Financial and transaction records: Retained for 7 years from the transaction date to meet federal and state tax record-keeping requirements.
  • Account and contact information: Retained for the duration of your account plus up to 5 years, or as otherwise required by law.
  • Non-required data: If you request deletion of data that Cord is not legally required to retain, we will delete it within 30 days of your verified request.

When retention periods expire, data is securely deleted from our systems in accordance with NIST SP 800-88 guidelines.

Your Rights

Depending on your location and the nature of the information, you may have the following rights. Contact us at privacy@cord.health to exercise any of these rights.

General rights (all users):

  • Access: Request a copy of personal information we hold about you
  • Correction: Request correction of inaccurate information
  • Deletion: Request deletion of data we are not legally required to retain
  • Portability: Receive a copy of your data in a machine-readable format

Your rights regarding health information (HIPAA):

Your healthcare provider — not Cord — is primarily responsible for your HIPAA rights. Please contact your provider for most health information rights requests. Cord supports your provider in fulfilling those requests.

  • Right of access: Request a copy of health information Cord holds on your behalf (through your provider)
  • Right to amend: Request correction of inaccurate health information (through your provider)
  • Right to an accounting of disclosures: Request a record of how your health information has been disclosed
  • Right to request restrictions: Ask your provider to restrict certain uses or disclosures of your health information; Cord will honor restrictions your provider communicates to us
  • Right to file a complaint with HHS: If you believe your health information rights have been violated, you may file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, at hhs.gov/hipaa/filing-a-complaint. Cord will not retaliate against you for filing a complaint.

California residents (CCPA / CPRA):

  • We do not sell personal information
  • We do not share personal information for cross-context behavioral advertising
  • You may request to know what personal information we have collected about you
  • You may request deletion of personal information (subject to legal retention requirements)
  • You may request correction of inaccurate personal information
  • You may request a portable copy of your personal information
  • We do not use sensitive personal information (including health information) beyond what is necessary to provide our services
  • We will not discriminate against you for exercising any of these rights

To submit a California rights request, contact privacy@cord.health. We will respond within 45 days.

Changes to This Policy

We may update this policy from time to time to reflect changes in our services or applicable law. We will notify you of material changes by email and by posting the updated policy at cord.health/privacy with a new effective date. Your continued use of our services after the effective date of a material change constitutes acceptance of the updated policy.

Contact

For privacy questions, rights requests, or concerns about how we handle your information:

Privacy Officer, Cord Labs LLC

Email: privacy@cord.health

This policy is governed by the laws of the State of Delaware.