Privacy Policy
Last updated: February 15, 2026
1. Introduction
EnrollSure™ ("we," "us," or "our") operates the EnrollSure™ platform at enrollsure.io (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. We are committed to protecting the privacy and security of all personal and health-related information processed through our platform in compliance with applicable federal and state laws, including the Health Insurance Portability and Accountability Act (HIPAA).
2. Information We Collect
Account Information
When you register for an account, we collect your name, email address, and password (stored in hashed form). Organization administrators may also provide agency names, office addresses, phone numbers, and professional license information.
Beneficiary Information
When a Medicare beneficiary completes an intake survey, we collect personal information including but not limited to: name, date of birth, phone number, email address, mailing address, prescription medications, healthcare providers (doctors, hospitals, pharmacies), and Medicare product preferences. We also collect digital signatures, consent timestamps, and IP addresses for compliance documentation.
Usage and Technical Data
We automatically collect certain technical information when you use our Service, including IP addresses, browser type, and timestamps of actions taken within the platform. This data is used for security, audit logging, and compliance purposes.
Payment Information
Payment processing is handled entirely by Stripe, Inc. We do not store credit card numbers, bank account details, or other sensitive financial information on our servers. We retain only Stripe customer and subscription identifiers for billing management.
3. How We Use Your Information
We use collected information for the following purposes:
- To provide and maintain the EnrollSure™ platform and its features
- To generate required Medicare compliance documents (Scope of Appointment, Permission to Contact, Client Summaries)
- To authenticate users and manage account access
- To process subscription payments through Stripe
- To send transactional emails (survey links, verification codes, password resets)
- To maintain audit trails as required for Medicare compliance
- To sync submission data to configured CRM systems at the agent's direction
- To facilitate provider lookups (doctors, hospitals, pharmacies) through the CMS National Provider Identifier (NPI) Registry
- To improve and optimize the Service
4. Third-Party Services
We use the following third-party services to operate the platform. Each service processes data as described below:
| Service | Purpose | Data Shared |
|---|---|---|
| Vercel | Application hosting and delivery | All platform traffic passes through Vercel's infrastructure |
| Neon (PostgreSQL) | Database storage | All user accounts, submissions, and compliance data |
| Stripe | Payment processing | Billing name, email, and payment method (handled by Stripe) |
| Resend | Transactional email delivery | Recipient email addresses and email content |
| CMS NPI Registry | Provider and facility search | Search queries (names, zip codes) — no personal data sent |
5. Data Security
We implement appropriate technical and organizational measures to protect your information:
- All data is encrypted in transit using TLS/SSL (256-bit encryption)
- Passwords are hashed using bcrypt with a cost factor of 12
- Authentication tokens are stored in cookies with the Secure and HttpOnly flags set, so they are sent only over HTTPS and are not readable by client-side scripts
- Multi-tenant data isolation ensures organizations can only access their own data
- Role-based access controls limit data visibility (Superadmin, Admin, Agent)
- Comprehensive audit logging tracks all significant platform actions
- Two-factor authentication (2FA) is available for enhanced account security
- The database is hosted on Neon with encryption at rest
6. HIPAA Compliance
EnrollSure™ is designed with HIPAA compliance in mind. Protected Health Information (PHI) is handled according to the HIPAA Privacy Rule and Security Rule. We maintain audit trails of all access to PHI, implement access controls based on the minimum necessary standard, and use encryption for data in transit and at rest. Business Associate Agreements (BAAs) are available for covered entities upon request.
7. Data Retention
We retain beneficiary submission data, compliance documents (SOA PDFs, Client Summary PDFs), and audit logs for the duration required by CMS regulations and applicable state laws. Account data is retained for as long as the account is active. Upon account deletion or organization removal, associated data is permanently deleted from our systems.
8. Data Sharing and Disclosure
We do not sell personal information. We may share information in the following circumstances:
- CRM Integrations: When an agent initiates a CRM sync, submission data is sent to the organization's configured CRM endpoint
- Service Providers: With third-party services listed in Section 4, solely for operating the platform
- Legal Requirements: When required by law, subpoena, court order, or government regulation
- Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice provided to affected users
9. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information, subject to legal retention requirements
- Portability: Request your data in a structured, machine-readable format
- Opt-Out: Opt out of non-essential communications
To exercise any of these rights, please contact us at the email address provided below.
10. Cookies and Tracking
EnrollSure™ uses only essential cookies, which are required for authentication (JWT session tokens). We do not use advertising cookies, tracking pixels, or third-party analytics tools. No personal data is shared with advertising networks.
11. Children's Privacy
Our Service is designed for licensed insurance agents and Medicare-eligible beneficiaries (generally age 65 and older). We do not knowingly collect information from children under the age of 13. If we become aware that we have collected information from a child under 13, we will take steps to delete that information.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or a prominent notice on the platform. The "Last updated" date at the top of this page indicates when this policy was last revised. Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
Email: privacy@enrollsure.io
Website: https://enrollsure.io