Last Updated: May 28, 2026
Privacy Policy
This Privacy Policy explains how Evrcad LLC collects, uses, and protects your information when you use the Evrcad Insurance Suite.
01 Scope and Relationship to HIPAA
Evrcad provides the Service to licensed Medicare insurance agents and agencies. In many cases, Evrcad acts as a Business Associate or subcontractor Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) when handling Protected Health Information (“PHI”) on behalf of covered entities or other business associates.
This Privacy Policy applies to all information we collect through the Service, including PHI, non-PHI personal information, and usage data. It supplements, and does not replace, any Business Associate Agreement executed between Evrcad and your organization. This Privacy Policy is not a Business Associate Agreement (BAA) under HIPAA. For BAA inquiries, contact legal@evrcad.com.
02 Information We Collect
We collect the following categories of information:
Account and Profile Information. Name, email address, business address, phone number, organization/agency name and role, and login credentials and authentication information.
Client and PHI Data. Agents and agencies may store client information including beneficiary name and contact information, demographic information such as date of birth and address, Medicare-related data such as plan type, plan name, and enrollment dates, notes and documentation about client interactions, SOA forms and related documents, call recordings of marketing and enrollment calls, and SMS content sent via the platform subject to PHI restrictions in the Terms of Service. These data may be considered PHI under HIPAA when associated with a beneficiary.
Geolocation and Device Data. IP address and approximate location inferred from IP, GPS coordinates at specific compliance events (SOA signing, appointment completion, clock-in/clock-out), and device identifiers, browser type, and operating system. Evrcad does not perform continuous background tracking. Geolocation is captured only at discrete compliance-related events.
Usage Data. Access times and dates, pages and features accessed, clickstream data, and error logs and performance metrics.
Payment Information. Subscription payments are processed by Stripe. We receive limited information such as card type, last 4 digits, and billing status but do not store full payment card numbers or CVV codes.
03 How We Use Information
- To provide, operate, and maintain the Service and create and manage user accounts.
- To process and store client data, call recordings, SOA forms, and other information needed to provide the Service.
- To provide AI-assisted features such as summarizing interactions or drafting messages for your review.
- To support compliance with HIPAA, CMS Medicare rules, and other applicable regulations including maintaining audit logs and retention of call recordings and SOAs.
- To respond to inquiries, provide support, and communicate about the Service.
- To monitor, detect, and prevent fraud, abuse, security incidents, and other harmful activity.
- To analyze usage patterns and improve the Service’s performance, usability, and features.
- To comply with legal obligations and enforce our Terms.
- We do not use PHI or personal information to train shared AI models or for unrelated marketing purposes.
04 AI Features and Your Data
AI Providers and Scope. Evrcad uses AWS Bedrock to provide AI functionality such as drafting suggested responses or summarizing interactions. PHI used in AI prompts is limited to what is necessary for the feature (e.g., first name, context of prior messages, agent/agency name). We do not include Medicare Beneficiary ID numbers, dates of birth, diagnoses, or specific plan identifiers in AI prompts.
No Model Training on Your Data. Under AWS Bedrock’s policy, prompts and outputs sent through Bedrock are not used to train or improve the underlying foundation models used by other customers. Your AI usage is logically isolated to your AWS account.
AI Is Optional and Assistive. AI outputs are suggestions only. You retain control and responsibility for reviewing, editing, and approving all AI-generated content before sending it to clients.
05 How We Share Information
We do not sell personal information.
Service Providers and Subprocessors. We share information with: Amazon Web Services (AWS) for cloud hosting, databases (RDS), storage (S3), authentication (Cognito), logging (CloudWatch/CloudTrail), and AI inference (Bedrock) — Evrcad has executed a BAA with AWS for HIPAA-eligible services. Twilio for voice and SMS delivery as a communications conduit — call recordings are stored directly in AWS S3 and SMS message bodies are delivered to Evrcad’s systems by webhook and not retained by Twilio beyond transit and minimal processing; Twilio retains limited metadata such as timestamps and phone numbers. Stripe for payment processing. AWS SES for transactional email (covered under the AWS BAA), configured to avoid PHI. Google for OAuth authentication if you choose to log in with your Google account. These service providers are contractually obligated to use information only to provide services to Evrcad and to implement reasonable security measures.
Within Your Organization. If you are an agent within an agency, your data including client records, call recordings, and logs may be accessible to your agency administrators for supervision, compliance, and management purposes.
Legal and Safety. We may disclose information as necessary to comply with applicable laws, regulations, legal processes, or government requests; protect the rights, property, or safety of Evrcad, our users, or the public; detect, prevent, or address security or technical issues, fraud, or abuse; and enforce our Terms, policies, or other agreements.
Business Transfers. If Evrcad is involved in a merger, acquisition, financing, or sale of all or a portion of its business or assets, information may be transferred as part of that transaction, subject to obligations consistent with this Privacy Policy and no less protective of PHI and regulatory records than those described herein. We will provide notice of any such transfer consistent with applicable law. Any acquiring entity will be bound by the same CMS and HIPAA data retention obligations.
Aggregated and De-identified Data. We may share aggregated or de-identified data that does not reasonably identify you or any individual for analytics, research, or other business purposes.
06 HIPAA and PHI
BAA with Customers. Evrcad will enter into Business Associate Agreements with eligible covered entities and business associates upon request. Contact legal@evrcad.com to request a BAA. This Privacy Policy does not modify any BAA and is not a substitute for a BAA.
PHI Storage Locations. Evrcad stores PHI only in HIPAA-eligible AWS services under the AWS BAA, including RDS and S3. Call recordings and SOA documents are stored in encrypted S3 buckets. SMS content is stored in RDS. Logging systems may contain PHI as necessary for audit and security purposes.
Twilio as Conduit. Twilio is used solely to transmit voice calls and SMS messages and is configured so that call recordings are written directly to Evrcad’s S3 bucket via Twilio’s external storage configuration and are not retained by Twilio after transfer, and SMS message bodies are delivered to Evrcad’s systems by webhook and stored only on Evrcad’s AWS infrastructure; Twilio retains limited metadata such as from/to numbers and timestamps. Evrcad implements additional measures, including disabling MMS and prohibiting PHI in SMS, to further minimize PHI exposure in transit.
Multi-Tenant Data Isolation. Evrcad implements logical separation of customer data through tenant identifiers in the data model, Row-Level Security (RLS) rules in the database, and strict access controls in application logic. Agency administrators can access data for their organization’s users. Agents can access only clients and records to which their organization grants access. Users from one organization cannot access another organization’s data.
07 SMS Messaging Consent and Opt-Out
When an insurance agent using Evrcad documents your consent to receive SMS communications, your phone number is stored in Evrcad’s encrypted database and associated with that agent’s account. Your consent record includes the timestamp and method of consent.
Types of messages you may receive: appointment reminders, Scope of Appointment (SOA) document requests, policy update notifications, enrollment follow-ups, and general service communications from your insurance agent. Evrcad does not send promotional or marketing SMS on its own behalf to end-users.
Opt-out: Reply STOP to any message at any time to opt out of SMS from your agent’s Evrcad number. You will receive one final confirmation and no further messages. You may also contact support@evrcad.com to request removal from an agent’s messaging list.
Help: Reply HELP to any message for support contact information. Msg & data rates may apply.
No PHI in SMS: Evrcad’s Terms of Service prohibit agents from including Protected Health Information in SMS messages. Sensitive Medicare details are communicated by phone or in person only.
No third-party marketing use: Your phone number and SMS consent are never sold, rented, or shared with third-party marketers.
08 Data Retention and Service Continuity
We retain information as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements.
- SOA Forms: At least ten (10) years to comply with CMS requirements.
- Call Recordings: At least ten (10) years for CMS compliance and carrier audit support.
- HIPAA Audit Logs: At least six (6) years, consistent with HIPAA documentation retention requirements.
- Client and PHI Data: For the duration of your subscription and any applicable retention period required by law or carrier contract. PHI is deactivated but not deleted while retention obligations remain active.
- Payment and Billing Records: As required by tax, accounting, and financial regulations and by Stripe’s retention policies.
- Support Communications and Usage Logs: As needed for security, support, and audit purposes.
Retention Following Service Discontinuation. If Evrcad discontinues the Service, regulatory records subject to mandatory retention periods including SOA forms, call recordings, and HIPAA audit logs will be maintained in a secure, accessible form for the remainder of their applicable retention periods. Evrcad may fulfill this obligation through a read-only archive, transfer to a compliant third-party custodian, delivery to customers, or other reasonable means communicated in any discontinuation notice. You are independently responsible for maintaining copies of your own compliance records.
Business Transfers. In the event of a merger, acquisition, or asset sale, Customer Data including PHI may be transferred to the acquiring entity subject to obligations no less protective than those in this Privacy Policy. We will provide notice of any such transfer consistent with applicable law. The acquiring entity will be bound by the same data retention and HIPAA obligations.
After applicable retention periods expire, Evrcad may securely delete or de-identify information consistent with HIPAA disposal standards and our data management policies.
09 Data Security
- Encryption of data in transit (TLS) and at rest (AES-256).
- Role-based access controls and least-privilege principles.
- Network segmentation and firewall rules.
- Logging and monitoring of access and key events via AWS CloudTrail and CloudWatch.
- Regular backups and disaster recovery planning.
No security measures are perfect, and we cannot guarantee absolute security, but we take reasonable steps to reduce risk consistent with HIPAA’s Security Rule and industry standards.
10 Your Choices and Rights
Access and Correction. If you have an account, you may access and update profile information through the Service. End clients of an agency should direct requests for access or correction to the agency; Evrcad acts as a processor on the agency’s behalf.
Data Export and Portability. Agency administrators may request a comprehensive export of their organization’s data, including client records, SOA forms, call recordings, SMS history, and audit logs, at any time through account settings or by contacting support@evrcad.com. Exports will be provided in standard formats within a commercially reasonable time.
Deletion. Because Evrcad must comply with regulatory retention requirements (CMS and HIPAA), we cannot delete PHI or regulated records on request while mandatory retention periods remain active. Where deletion is legally permissible, we will honor requests from authorized account owners or administrators.
Retention Acknowledgment. When you download a data export, you agree to accept responsibility for the secure storage and maintenance of SOA forms, call recordings, and related compliance documentation for the full applicable retention period under CMS requirements and HIPAA.
Marketing Communications. Evrcad does not use PHI for marketing. For non-transactional product communications, you may opt out via unsubscribe links in those emails.
California Privacy Rights (CCPA/CPRA). California residents may have rights to know, access, delete, correct, and opt out of sale or sharing of personal information. Evrcad does not sell personal information. Because Evrcad functions primarily as a service provider to agencies, California residents who are end clients should direct requests to the agency that controls their data. Direct customers may contact privacy@evrcad.com with “CCPA Request” in the subject line and sufficient information to verify identity.
11 Cookies and Similar Technologies
We use cookies and similar technologies for essential purposes such as authentication, session management, and security. We do not use third-party advertising cookies. You may adjust your browser settings to manage cookies, but disabling essential cookies may limit functionality.
12 Children's Privacy
The Service is intended for use by licensed insurance professionals and agency staff. It is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will take steps to delete it as required by law.
13 International Users
The Service is designed for use by U.S.-based agencies and agents serving U.S. Medicare beneficiaries. If you access the Service from outside the United States, you understand that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country.
14 Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide notice by email or within the Service and update the “Last Updated” date at the top. Your continued use of the Service after the effective date of an updated Privacy Policy constitutes your acceptance of the changes.
15 Contact Us
Privacy inquiries: privacy@evrcad.com
Legal / BAA requests: legal@evrcad.com
Support: support@evrcad.com