PRIVACY POLICY
CHC Evolved LLC
Effective Date: April 1, 2026
1. Introduction
CHC Evolved LLC (“we,” “our,” or “the Company”) operates the websites CHCEvolved.ai and CHCDocs.ai, and provides consulting services, AI-powered tools, and software products to Federally Qualified Health Centers (“FQHCs”). This Privacy Policy describes how we collect, use, disclose, and protect information when you visit our websites, use our products (including the CHCDocs platform at chcdocs.ai), or engage our consulting services.
By accessing our websites or using our services, you agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of our websites and services.
2. Scope
This Privacy Policy applies to information collected through:
• CHCEvolved.ai (our consulting and AI strategy website)
• CHCDocs.ai (our SaaS product website and application)
• Email communications sent by or on behalf of the Company
• Consulting engagements and advisory services
This Privacy Policy does not apply to third-party websites or services linked from our websites, nor does it apply to the internal data practices of organizations that use our products. We are not responsible for the privacy practices of third parties.
3. Important Notice Regarding Protected Health Information (PHI)
CHCDocs is designed for administrative document management, including policies, procedures, contracts, and compliance materials. CHCDocs is not designed to store, process, or transmit Protected Health Information (“PHI”) as defined by the Health Insurance Portability and Accountability Act (“HIPAA”).
Users are instructed not to upload documents containing PHI to the CHCDocs platform. This restriction is enforced through our Terms of Service (Section 9), in-product disclaimers displayed during document upload, and the platform’s intended use as an administrative compliance tool. We do not scan uploaded documents for PHI and have no obligation to detect or prevent PHI uploads.
Because the upload of PHI is expressly prohibited under our Terms of Service, we do not act as a Business Associate (as defined by HIPAA) with respect to your use of the CHCDocs platform. Organizations that require a Business Associate Agreement for specific consulting engagements should contact us at support@chcevolved.ai. BAAs are evaluated and provided on a case-by-case basis for qualifying engagements.
4. Information We Collect
4.1 Information You Provide
• Account registration information: name, email address, organization name, job title or role, and password.
• Billing information: payment method details are processed and stored exclusively by Stripe, Inc. We do not receive, store, or have access to your full credit card number, CVV, or bank account number. We receive only a truncated card identifier (last 4 digits), card brand, and billing address from Stripe for receipt and support purposes.
• Documents and content: documents uploaded to the CHCDocs platform, including policies, procedures, contracts, and related administrative materials.
• Communications: emails, support requests, and feedback you send to us.
• Consulting engagement data: financial data, operational data, and organizational information shared for advisory purposes during consulting engagements.
4.2 Information Collected Automatically
When you visit our websites or use our products, we may automatically collect:
• Device information: browser type, operating system, device type.
• Log data: IP address, pages visited, time spent, referring URL.
• Usage data: features used within the CHCDocs platform, actions taken (e.g., documents uploaded, analyses run, reports generated). This data is used for product improvement and is not shared with third parties for advertising purposes.
• Authentication cookies: session cookies required to maintain your logged-in state within the CHCDocs application. These are strictly necessary cookies and cannot be disabled without losing access to the platform. See Section 8 for details.
4.3 Information from Third Parties
We may receive limited information from third-party services integrated with our platform, specifically: authentication session data from Supabase (our infrastructure provider), and payment status information from Stripe (our payment processor). We do not purchase personal data from data brokers or other third-party sources.
5. How We Use Your Information
We use the information we collect for the following purposes:
• Provide, maintain, and improve our websites, products, and services
• Process transactions and manage subscriptions via Stripe
• Send transactional communications (account confirmations, billing notices, trial reminders, service updates, password resets, MFA enrollment notifications)
• Provide customer support and respond to inquiries
• Perform AI-powered analysis within the CHCDocs platform (compliance gap detection, document review, contract analysis, HRSA naming convention suggestions)
• Deliver consulting and advisory services
• Monitor and analyze usage trends to improve our products (aggregate, non-identifying analysis only)
• Detect and prevent fraud, abuse, or security incidents
• Comply with legal obligations and enforce our Terms of Service
We do not sell your personal information to third parties. We do not use your personal information for targeted advertising. We do not share your personal information with advertisers or advertising networks.
6. AI-Powered Processing
CHCDocs uses artificial intelligence to provide features such as compliance analysis, policy review, contract risk assessment, and HRSA naming convention suggestions.
6.1 How AI Processing Works
When you explicitly trigger an AI-powered feature (such as clicking “Analyze” on a document or running a compliance sweep), the text content of the relevant document(s) is extracted and sent to our AI service provider via their API. AI processing occurs only when you initiate it — documents are not passively scanned or analyzed upon upload. Results are returned to the CHCDocs platform, stored in your organization’s account, and displayed to you.
We do not use your uploaded documents, document content, or AI analysis results to train AI models. Your document content is not retained by our AI service provider after the API request is processed.
6.2 AI Service Provider
Our AI features are powered by Anthropic’s Claude API. Key facts about Anthropic’s data handling:
• Anthropic does not use commercial API inputs or outputs to train their models (governed by their Commercial Terms of Service)
• API data is processed transiently and is not stored by Anthropic beyond the duration of the API request, except for Trust & Safety purposes as described in their usage policy
• Anthropic’s data processing practices are governed by their Data Processing Addendum, available at: https://www.anthropic.com/policies/data-processing-addendum
7. Data Subprocessors
We use the following third-party service providers (“subprocessors”) to operate our products and services. Each subprocessor processes data only as necessary to provide their respective services:
Anthropic, PBC — AI model provider (Claude API) for document analysis and compliance features. Location: United States. DPA: https://www.anthropic.com/policies/data-processing-addendum
Supabase, Inc. — Database hosting, authentication, and file storage infrastructure for CHCDocs. Location: United States (AWS us-east-1).
Render Services, Inc. — Application hosting and deployment for CHCDocs. Location: United States.
Resend, Inc. — Transactional email delivery (account notifications, trial reminders, acknowledgment reminders, password resets). Location: United States.
Stripe, Inc. — Payment processing, subscription billing, and tax calculation. Location: United States. DPA: https://stripe.com/privacy
Sentry (Functional Software, Inc.) — Error monitoring and application performance tracking. May receive error context including IP addresses and request metadata. Location: United States.
We will update this list if we add or change subprocessors. Material changes to subprocessors will be communicated via email or an update to this Privacy Policy with at least thirty (30) days’ notice before the new subprocessor begins processing your data.
8. Cookies and Tracking Technologies
8.1 CHCDocs Application (chcdocs.ai)
The CHCDocs application uses only strictly necessary cookies required for authentication and session management. These cookies are:
• Supabase authentication cookies: Encrypted session tokens that maintain your logged-in state and multi-factor authentication status. These cookies are essential for the application to function and cannot be disabled.
The CHCDocs application does not use analytics cookies, advertising cookies, or any third-party tracking technologies. We do not use Google Analytics, Facebook Pixel, or any similar tracking service within the CHCDocs application.
8.2 CHCEvolved.ai Marketing Website
The CHCEvolved.ai marketing website may use cookies for:
• Essential cookies: session management and basic website functionality.
• Analytics cookies: if implemented, website traffic analysis to understand how visitors interact with our marketing content. Any analytics implementation will be disclosed here before deployment.
We do not use advertising cookies, retargeting pixels, or cross-site tracking technologies on any of our websites.
You can control cookie preferences through your browser settings. Disabling essential cookies on chcdocs.ai will prevent you from using the application.
9. How We Share Your Information
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising or targeted advertising purposes. We may share information only in the following limited circumstances:
• With subprocessors listed in Section 7, solely to provide our services as described in this Privacy Policy
• To comply with applicable law, regulation, legal process, or governmental request
• To enforce our Terms of Service or protect the rights, property, or safety of the Company, our users, or others
• In connection with a business transfer, such as a merger, acquisition, or sale of all or a portion of our assets (with at least thirty (30) days’ advance notice to affected users and the opportunity to export data before the transfer)
• With your consent or at your explicit direction
10. Data Retention
We retain your information as follows:
Active accounts: Account information and uploaded documents are retained for the duration of your active subscription.
Cancelled subscriptions: Upon cancellation, your account transitions to read-only status at the end of the billing period. Uploaded documents and account data are retained for ninety (90) days following the start of read-only status to allow for data export. After the ninety-day retention period, data is permanently deleted. See Terms of Service Section 6.3 for full details.
Trial accounts (not converted): If a free trial is not converted to a paid subscription, the account transitions to read-only on day thirty-one (31). Data is retained for ninety (90) additional days and then permanently deleted.
Billing records: Transaction records are retained by Stripe as required by applicable tax and accounting laws. We retain invoice and subscription metadata for our own accounting purposes for a period of seven (7) years.
Consulting engagements: Data shared during consulting engagements is retained in accordance with the terms of the applicable engagement agreement. In the absence of a specific engagement agreement, consulting engagement data is retained for one (1) year following completion of the engagement and then deleted.
Audit logs: Application audit logs (recording who accessed, modified, or approved documents) are retained for the duration of the active subscription plus the ninety-day post-cancellation retention period, and are then deleted with all other account data.
Error monitoring data: Error reports sent to Sentry may contain request metadata (IP addresses, user agent strings) and are retained by Sentry according to their data retention policy (typically 90 days).
You may request data export at any time during active, read-only, or retention period status by contacting support@chcevolved.ai or using the in-product export features described in our Terms of Service Section 12.
11. Data Security
We implement reasonable administrative, technical, and organizational safeguards to protect your information, including:
• Encryption of data in transit (TLS/SSL on all connections)
• Encryption of data at rest (via Supabase/AWS infrastructure)
• Multi-factor authentication (TOTP) enforced for all user accounts
• Role-based access controls limiting data access within each organization
• Application-level tenant isolation ensuring organizations cannot access each other’s data
• Row Level Security policies on the database as defense-in-depth
• Audit logging of document access, modifications, approvals, and administrative actions
• Private storage bucket with organization-scoped access policies for uploaded documents
• Error monitoring via Sentry for rapid detection of security-relevant application errors
• Regular security updates and monitoring of our infrastructure
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
12. Data Breach Notification
In the event of a security breach that results in the unauthorized access, disclosure, or loss of your personal information:
• Notification to affected users: We will notify affected account administrators by email within seventy-two (72) hours of confirming the breach, or as otherwise required by applicable state or federal law.
• Content of notification: Notifications will describe the nature of the breach, the categories of data affected, the measures taken to address the breach, and recommended steps for affected users.
• Regulatory notification: We will notify relevant regulatory authorities (including the Kentucky Attorney General, if applicable) as required by applicable law.
• Remediation: We will take prompt steps to contain and remediate the breach, including, where appropriate, resetting affected credentials and conducting a post-incident review.
This section applies to breaches of personal information within our systems. It does not apply to unauthorized access to your account caused by your failure to maintain the security of your credentials.
13. Your Rights
Regardless of your location, we provide all users with the following rights regarding their personal information:
• Access: You may request a copy of the personal information we hold about you.
• Correction: You may request correction of inaccurate personal information. You can also update your name, title, and department directly in the CHCDocs application under Settings → Profile.
• Deletion: You may request deletion of your personal information, subject to our retention obligations for active subscriptions and legal requirements.
• Data portability: You may export your data using the in-product export features or by contacting support. See Terms of Service Section 12.
• Opt-out of non-essential communications: You can manage notification preferences within CHCDocs under Settings → Notifications. Transactional communications (billing, security, and account-related emails) cannot be opted out of while your account is active.
• Opt-out of targeted advertising: We do not engage in targeted advertising, so there is nothing to opt out of. If this changes in the future, we will update this Privacy Policy and provide an opt-out mechanism.
To exercise any of these rights, contact us at support@chcevolved.ai. We will respond to requests within thirty (30) days. If we need additional time, we will notify you within the initial thirty-day period.
14. State-Specific Disclosures
14.1 Kentucky Residents (KCDPA)
The Kentucky Consumer Data Protection Act (KCDPA), effective January 1, 2026, provides Kentucky residents with rights to access, correct, delete, and obtain portable copies of their personal data, and to opt out of targeted advertising, sale of personal data, and certain profiling. We honor all KCDPA rights as described in Section 13 above. We do not sell personal data (as defined by the KCDPA) and do not process personal data for targeted advertising.
14.2 California Residents (CCPA/CPRA)
If the California Consumer Privacy Act (CCPA) or California Privacy Rights Act (CPRA) applies to our processing of your personal information, you have additional rights, including the right to know what personal information we collect and how it is used, the right to delete, and the right to opt out of the sale or sharing of personal information. We do not sell or share (as defined by the CCPA/CPRA) your personal information. To exercise your rights, contact support@chcevolved.ai.
14.3 Other State Privacy Laws
We are committed to honoring the privacy rights provided by applicable state privacy laws, including those in Virginia, Colorado, Connecticut, Indiana, Rhode Island, and other states with comprehensive privacy legislation. The rights described in Section 13 are provided to all users regardless of location. If your state’s privacy law provides additional rights beyond those listed, contact us and we will work to accommodate your request.
15. International Data Processing
All data collected through our websites and the CHCDocs platform is processed and stored in the United States. All of our subprocessors (listed in Section 7) are located in the United States. We do not transfer personal data outside the United States.
If you access our services from outside the United States, you acknowledge that your data will be transferred to and processed in the United States, which may have different data protection standards than your jurisdiction.
16. Children’s Privacy
Our websites and services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have collected information from a child, please contact us at support@chcevolved.ai.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make changes:
• Non-material changes: We will update the “Effective Date” at the top of this page.
• Material changes: We will notify you by email at least thirty (30) days before the changes take effect. Material changes include adding new categories of data collection, adding new subprocessors, or changing how we use your data.
Your continued use of our websites or services after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree with the revised Privacy Policy, you should discontinue use of the Services.
18. Contact Us
If you have questions about this Privacy Policy, our data practices, or wish to exercise any of your rights, please contact us:
CHC Evolved LLC
Email: support@chcevolved.ai
Website: https://chcevolved.ai
Address: 212 N. 2nd St. STE 100 Richmond, KY 40475