**Privacy Policy**

**Effective Date: March 16, 2026**

> **DRAFT: For attorney review before publication. Not legal advice.**

**1. Who We Are**

Vanguard Advisory LLC is an independent advisory consulting firm specializing in HIPAA security compliance services for healthcare organizations and business associates. We are not affiliated with The Vanguard Group, Inc. or its affiliates. References to "we," "us," or "our" in this Policy refer to Vanguard Advisory LLC.

This Privacy Policy applies to information collected through: (a) the HIPAA Security Risk Assessment Tool available at vanguardadvisory.co; (b) the contact form on our website; and (c) any communications related to our advisory consulting services (collectively, the "Services").

**2. Information We Collect**

**2.1 Information You Provide Directly**

When you use our Services, we collect the following categories of information:

- Assessment Responses: Your answers to the security risk assessment questions, including any notes or contextual information you voluntarily enter into open-text fields;
- Lead Form Information: Your first name, last name, company name, and work email address, submitted through the lead capture form on the analyzing screen to receive your results;
- Contact Form Submissions: Your name, email address, and any message content you submit through the contact form on our website (vanguardadvisory.co). This information is used solely to respond to your inquiry;
- Payment Information: Billing name, billing address, and payment card details, which are collected and processed directly by Stripe, Inc. on our behalf. We do not store full payment card numbers;
- Full Engagement Information: For Full Risk Analysis Engagement clients, additional information including organizational documents, personnel information related to stakeholder interviews, and system configuration details provided during the engagement. This information is governed by the separate Consulting Services Agreement and Business Associate Agreement executed between the parties.

**2.2 Information Collected Automatically**

When you access the Tool, we or our service providers may automatically collect:

- Log Data: IP address, browser type, operating system, referring URLs, pages visited, and time and date of access;
- Usage Data: How you interact with the Tool, including which sections you complete and time spent on the assessment;
- Cookies and Similar Technologies: We may use cookies or similar tracking technologies to maintain session state and improve your experience. You may disable cookies in your browser settings, though this may affect the Tool's functionality.

**2.3 Information We Do Not Collect**

The Tool is designed to assess organizational policies and practices, not to process, store, or transmit actual patient data. We expressly prohibit and do not knowingly collect:

- Actual Protected Health Information (PHI) as defined under 45 CFR § 160.103, including patient names, dates of service, medical record numbers, diagnosis codes, or any other individually identifiable health information;
- Social Security numbers or government identification numbers;
- Information from children under the age of 13.

If you believe you have inadvertently submitted PHI through the Tool, please contact us immediately at faiz@vanguardadvisory.co.

**3. How We Use Your Information**

We use the information we collect for the following purposes:

- To operate and provide the Tool, including generating your risk assessment report;
- To transmit your assessment responses to Anthropic's AI API for analysis and report generation (see Section 5);
- To deliver your free results summary by email upon submission of your lead form information;
- To send you follow-up communications about Vanguard Advisory LLC's services, resources, and HIPAA compliance information, where you have consented by submitting your contact details (see Section 3.1);
- To process payments through Stripe;
- To respond to inquiries submitted through our website contact form;
- To improve the accuracy, functionality, and user experience of the Tool;
- To comply with applicable legal obligations;
- To detect, prevent, or investigate fraud, security incidents, or violations of our Terms of Service.

Vanguard Advisory LLC will not use your assessment responses to train AI models without your explicit consent.

**3.1 Email Communications and Opt-Out**

By submitting your information through the lead capture form, you consent to receiving: (a) a free results summary email containing your readiness score, section breakdown, key findings, and top priorities; and (b) follow-up communications from Vanguard Advisory LLC relating to HIPAA compliance resources and our advisory services.

You may unsubscribe from follow-up communications at any time by clicking the unsubscribe link in any email or by contacting us at faiz@vanguardadvisory.co. Transactional emails relating to a purchase or active engagement (such as report delivery or billing confirmations) are not affected by unsubscribe requests.

**4. Legal Basis for Processing (GDPR)**

If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases:

- Contractual Necessity: Processing necessary to provide the Tool pursuant to our Terms of Service;
- Legitimate Interests: Improving and securing the Tool, detecting fraud, and communicating service updates;
- Legal Obligation: Compliance with applicable laws and regulations;
- Consent: Where you have provided explicit consent, such as for marketing communications by submitting the lead form. You may withdraw consent at any time by contacting us at faiz@vanguardadvisory.co.

**5. Third-Party Data Processors**

We share your information with the following categories of third-party service providers who process data on our behalf:

**5.1 Anthropic, PBC (AI Processing)**

Your assessment responses are transmitted to Anthropic's API to generate your risk assessment report. Anthropic processes this data as our sub-processor. We have entered into, or will enter into prior to processing any potentially sensitive data, a Business Associate Agreement (BAA) and Data Processing Agreement (DPA) with Anthropic. Anthropic's privacy practices are governed by their Privacy Policy at anthropic.com/privacy.

**5.2 Stripe, Inc. (Payment Processing)**

Stripe collects and processes your payment information directly. Vanguard Advisory LLC does not store full payment card numbers. Stripe's privacy practices are governed by their Privacy Policy at stripe.com/privacy.

**5.3 GoDaddy (Web Hosting)**

Our Tool is hosted on GoDaddy's infrastructure. GoDaddy may process server log data in the course of providing hosting services. Lead contact data (names, companies, email addresses, and risk scores) is stored in a secured, access-controlled file on our GoDaddy server. GoDaddy's privacy practices are governed by their Privacy Policy at godaddy.com/agreements/privacy.

**5.4 Other Processors**

We may engage additional third-party processors for analytics, email delivery, or customer support. We require all processors to maintain appropriate data protection standards and to process data only on our documented instructions.

**6. Data Retention**

We retain your information for the following periods:

- Assessment Responses: Retained for 24 months from the date of assessment to allow for comparison in subsequent assessments, then securely deleted;
- Lead Contact Data (name, company, email, risk score): Retained for 36 months from the date of submission, or until you submit an unsubscribe or deletion request, whichever is earlier. Lead data is stored in a secured file on our GoDaddy server with restricted access;
- Contact Form Submissions: Retained for 12 months from the date of submission, then deleted;
- Full Engagement Files: Retained for 6 years from the date of delivery, consistent with HIPAA documentation retention requirements under 45 CFR § 164.316(b)(2), then securely destroyed;
- Payment Records: Retained for 7 years as required by applicable tax and accounting laws;
- Server Log Data: Retained for 90 days, then automatically purged.

You may request earlier deletion of your data at any time (see Section 8). Note that we may be required to retain certain information for legal compliance purposes even following a deletion request.

**7. Data Security**

We implement appropriate technical and organizational measures to protect your information against unauthorized access, disclosure, alteration, or destruction. These measures include:

- Transmission of data over encrypted connections (TLS 1.2 or higher);
- Encryption of data at rest on our hosting infrastructure;
- Access controls and multi-factor authentication limiting data access to authorized personnel only;
- Regular security assessments of our systems and processes;
- Cyber liability insurance coverage maintained by Vanguard Advisory LLC.

However, no method of transmission over the Internet or method of electronic storage is 100% secure. In the event of a data breach affecting your information, we will notify you as required by applicable law.

**8. Your Privacy Rights**

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

- Right of Access: Request a copy of the personal data we hold about you;
- Right of Rectification: Request correction of inaccurate or incomplete personal data;
- Right of Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention requirements;
- Right to Restrict Processing: Request that we limit how we use your data;
- Right to Data Portability: Request your data in a structured, machine-readable format;
- Right to Object: Object to processing based on legitimate interests;
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent, including unsubscribing from email communications.

California residents may also have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete personal information, and the right to opt-out of the sale of personal information. Vanguard Advisory LLC does not sell personal information.

To exercise any of these rights, please contact us as described in Section 10. We will respond to verifiable requests within 30 days (or 45 days where extended response time is permitted by law).

**9. International Data Transfers**

Vanguard Advisory LLC is based in the United States. If you access the Tool from outside the United States, your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

If you are located in the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for international data transfers where required.

**10. Contact Us**

For privacy-related inquiries, to exercise your data rights, to unsubscribe from communications, or to report a potential PHI entry, please contact Vanguard Advisory LLC at:

**Vanguard Advisory LLC**
**Email:** faiz@vanguardadvisory.co
**Website:** vanguardadvisory.co

**Date of Last Revision:** March 16, 2026

**11. Changes to This Privacy Policy**

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Effective Date" at the top of this document and, where practicable, by sending notice to the email address associated with your lead form submission. Your continued use of the Tool after any changes constitutes your acceptance of the revised Policy.
Copyright © 2026 Vanguard Advisory - All Rights Reserved. Disclaimer: Vanguard Advisory is an independent consulting firm specializing in security and implementation services for healthcare and SaaS startups. We are not affiliated with, endorsed by, or in any way connected to The Vanguard Group, Inc., or its affiliates. All services, content, and expertise offered on this site are solely those of Vanguard Advisory.