Privacy Policy

Last updated: May 2026

1. Information We Collect

Karpa Health collects the following categories of information:

  • Practice information: Business name, contact details, provider credentials, and billing information provided during account setup.
  • Patient intake data: Health questionnaires, medical history, and demographic information submitted through forms embedded on practice websites. This data is collected and processed on behalf of the medical practice.
  • Usage data: Platform interaction data, session duration, and feature usage to improve our services.
  • Technical data: IP addresses, browser type, device information, and cookies.

2. HIPAA Compliance

Karpa Health is designed to support HIPAA-compliant workflows. We enter into Business Associate Agreements (BAAs) with medical practices that use our platform. Our infrastructure, access controls, and data handling procedures are built to meet the requirements of the HIPAA Security Rule and Privacy Rule.

Patient health information processed through our platform is handled in accordance with the terms of each BAA and applicable law.

3. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Stored data is encrypted using AES-256 encryption.
  • Access controls: Role-based access controls and audit logging are enforced across the platform.

4. Third-Party Services

Karpa Health uses the following third-party services:

  • Analytics: Google Analytics and Microsoft Clarity to understand how visitors interact with our marketing site. These tools do not have access to patient health information.
  • Pharmacy integrations: We integrate with licensed compounding pharmacies to fulfill prescriptions on behalf of practices. Patient data shared with pharmacies is limited to what is necessary for prescription fulfillment.
  • Infrastructure providers: Cloud hosting and database services that maintain SOC 2 compliance.

5. Data Retention and Deletion

We retain practice account data for the duration of the service relationship and as required by applicable law. Patient intake data is retained in accordance with medical record retention requirements and the terms of our BAA with each practice.

Practices may request data export or deletion by contacting us. Upon termination of a practice account, we will delete or return all protected health information within 30 days, unless retention is required by law.

6. Cookies

Our website uses cookies for the following purposes:

  • Essential cookies: Required for platform functionality and session management.
  • Analytics cookies: Used to measure site performance and understand visitor behavior on our marketing pages.
  • Preference cookies: Used to remember your settings and preferences.

You may disable non-essential cookies through your browser settings. Disabling cookies may affect certain features of the platform.

7. Contact Us

For privacy-related inquiries, data access requests, or concerns about our data practices, please contact us at:

[email protected]