This Privacy Policy ("Policy") explains how Lopcha Services LLC ("we," "us," "our," or "Company") collects, uses, processes, and protects your personal information when you access and use the Ensuro platform ("Service"). Ensuro is a Medicare Intelligence Platform designed for certified insurance agents in Florida.
Please read this Privacy Policy carefully. By accessing or using Ensuro, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with our practices, please do not use the Service.
We are committed to protecting your privacy and complying with all applicable data protection laws, including the Health Insurance Portability and Accountability Act (HIPAA) for users on our Professional tier.
We collect information in the following ways:
When you register for Ensuro, we collect:
- Full name
- Email address
- Phone number
- Mailing address (street, city, state, ZIP code)
- National Producer Number (NPN)
- Agency affiliation
- Preferred language(s)
- Professional licenses by state
- Password (hashed and encrypted)

We automatically collect information about your interactions with the Service:
- Pages and features accessed
- Session duration and timestamps
- Device information (browser type, operating system)
- IP address
- Clicks and navigation patterns
- Time spent in each module
- Feature adoption (Navigator, Comparator, Learning Center, CRM)

When you interact with Ensuro's AI-powered Case Navigator, the following information is processed:
- Client information provided during conversation (age, Medicare coverage, Medicaid status, citizenship, medical conditions, current plan, etc.)
- Conversation logs and queries
- AI-generated recommendations and analysis
- Retention depends on your service tier:
  * Essentials: Conversations are NOT stored. All beneficiary data is processed in real-time and discarded after session completion.
  * Professional: Conversations are retained per your organization's retention policy (default 1 year, configurable by admin). Stored with encryption.

Users on the Professional tier with CRM access may store detailed client information:
- Beneficiary name, age, date of birth
- Contact information (phone, email)
- Medicare enrollment details (Part A/B dates, current plan, carrier)
- Medicaid status and eligibility
- Chronic conditions and medical history (if provided)
- Notes and interaction history
- Activity timeline and last contact date
This data is stored with encryption at rest and in transit, and is subject to HIPAA protections.

If you subscribe to a paid tier, payment processing is handled by Stripe. We do not store your full credit card details. Stripe securely processes and stores:
- Last 4 digits of card
- Card expiration date
- Billing address
- Subscription status and history
- Invoices
We use the information we collect for the following purposes:
- To create and maintain your account
- To deliver the Case Navigator, Plan Comparator, Learning Center, and CRM features
- To process your requests and inquiries
- To improve, optimize, and develop new features
- To personalize your experience (e.g., language preference, saved searches)
- To detect and fix bugs or technical issues

- To analyze your client profiles and generate case recommendations
- To evaluate Medicare eligibility and Special Enrollment Periods (SEPs)
- To suggest appropriate plans based on beneficiary circumstances
- To generate educational content and comparative analysis
- To log token usage for billing and analytics purposes

- To generate anonymized usage reports and performance metrics
- To measure feature adoption and user engagement
- To analyze case patterns and success rates
- To monitor system performance and uptime
- To calculate cost per case and return on investment for organizations
Note: All analytics are anonymized and do not identify individual users.

- To send you transactional emails (welcome, password reset, confirmation)
- To notify you of important service updates, maintenance, or policy changes
- To respond to your support requests and inquiries
- To send you educational content or tips (if opted in)
- To remind you of renewal dates or expiring Special Enrollment Periods (if applicable to your clients)

- To comply with HIPAA and other health data protection regulations
- To respond to lawful requests from government agencies or law enforcement
- To establish, exercise, or defend legal claims
- To prevent fraud, abuse, or unauthorized access
- To enforce our Terms of Service and other agreements
Data Location and Infrastructure
- Ensuro is hosted on Vercel (US-based) for the application layer
- Your database is stored in Supabase (PostgreSQL) with US region selection
- All servers are located in the United States
- Data is encrypted in transit using TLS 1.2 or higher

Essentials Tier:
- Account information is stored encrypted
- NO Protected Health Information (PHI) is stored
- All Navigator conversations are ephemeral (not persisted)
- No client/beneficiary data is retained after session
- Suitable for exploratory use and learning

Professional Tier:
- All data is encrypted at rest using AES-256
- PHI is stored with HIPAA-compliant encryption
- Row-Level Security (RLS) ensures users only access their own organization's data
- Full audit logging of all data access and modifications
- Backup and disaster recovery procedures in place (RTO <1 hour, RPO <15 minutes)
- Business Associate Agreement (BAA) with Supabase and Vercel required

- Role-based access control (RBAC) enforces permissions by user role (Agent, Agency Admin, Super Admin)
- Multi-factor authentication available (future enhancement)
- Session management with automatic timeout after inactivity
- All API requests require authentication tokens
- Administrative access logged and audited
- Super Admin can view audit logs of all system changes

- Passwords: Bcrypt hashing with salt (never stored in plain text)
- Data in transit: TLS 1.2+ for all connections
- Data at rest: AES-256 encryption for sensitive fields
- Encryption keys managed by Supabase and Vercel
- Regular security patches and updates applied
Our Case Navigator is powered by Anthropic's Claude API. Here's how your data is handled:
- When you enter client information into the Navigator, it is sent to Anthropic's API servers for processing
- The AI analyzes your input to classify cases, evaluate SEPs, and suggest plans
- The response is sent back to your session and may be stored (depending on tier)
- Anthropic does NOT use your data to train or improve their AI models (per their published policy)

- Per Anthropic's Privacy Policy, conversation logs sent to their API are retained for:
  * 30 days for system improvement and abuse detection
  * 0 days for model training (conversations are NOT used to train Claude)
- You may request deletion of your data from Anthropic directly
- Anthropic's Privacy Policy: https://www.anthropic.com/privacy

- We log token usage (input + output) for billing, analytics, and monitoring
- Token logs do NOT contain PHI or conversation content
- Logs include: user ID, organization ID, timestamp, token count, model used
- This data helps us measure platform efficiency and costs
- Token logs are retained for 6 years (compliance requirement)
We retain your information for as long as necessary to provide the Service and fulfill the purposes outlined in this Policy.
Account Information:
- Retained while your account is active
- Deleted 30 days after account termination or organization cancellation
- Exception: Name and email retained in audit logs for 6 years

Navigator Conversations:
- Essentials Tier: NOT stored (ephemeral, deleted at end of session)
- Professional Tier: Retained per organization's policy (default 1 year, configurable by admin)
- Can be manually deleted by user or admin at any time

Client/Lead Data (CRM):
- Retained while associated with an active client relationship
- Deleted if the client record is deleted
- Exception: Anonymized lead records in the Case Library may be retained indefinitely for training

Activity Logs and Audit Logs:
- Retained for 6 years (required for HIPAA compliance and legal requirements)
- Accessible only to Super Admin and authorized personnel
- May be retained longer if required by law or pending litigation

Backups:
- Supabase maintains automatic daily backups
- Backups are retained according to Supabase's standard retention policy
- Deleted data may remain in backups for up to 30 days

You may request deletion of your account and associated data by contacting privacy@lopcha.com. We will:
- Verify your identity
- Delete your account and associated data within 30 days
- Retain only legally required information (audit logs, HIPAA-required records)
- Confirm deletion in writing
Note: Some data may be retained longer if required by law, regulation, or legal process.
You have the following rights regarding your personal information:
You have the right to request a copy of your personal information that we hold. Log into your Ensuro account to access your profile, conversation history, and client records. For additional access requests, contact privacy@lopcha.com.
You have the right to request correction of inaccurate information. You can update most profile information directly in your account settings. For other corrections, contact privacy@lopcha.com with details of the information to be corrected.
You have the right to request deletion of your personal information, subject to legal retention requirements. Contact privacy@lopcha.com to request deletion. We will comply within 30 days unless deletion would violate legal obligations.
You have the right to request your data in a portable, structured format (CSV or JSON). Contact privacy@lopcha.com and we will provide your data within 30 days.
- Marketing emails: Click "Unsubscribe" in any email to opt out
- Service notifications: You must continue to receive transactional emails (password resets, billing, service alerts)
- Educational tips/bulletins: Manage preferences in your account settings
- You can contact privacy@lopcha.com to manage all communication preferences

If you are a covered entity or business associate subject to HIPAA, you have additional rights:
- Right to access, amend, and delete PHI
- Right to receive an accounting of disclosures
- Right to request restrictions on use and disclosure
- Right to request confidential communications
- Right to be notified of breaches
Contact privacy@lopcha.com to exercise these rights or for a full Notice of Privacy Practices.
If you subscribe to our Professional tier and store Protected Health Information (PHI) in Ensuro, we act as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
A Business Associate Agreement is required between Lopcha Services LLC and covered entities or business associates. The BAA outlines:
- Permitted uses and disclosures of PHI
- Security safeguards and breach notification procedures
- Subcontractor obligations
- Access rights and audit procedures
- Term and termination
If you are a covered entity or business associate, a BAA will be executed before PHI is stored in Ensuro.

In the event of a breach of unsecured PHI, we will:
- Notify you within 60 days of discovery
- Notify affected individuals as required by law
- Cooperate with law enforcement and regulatory agencies as required
- Provide detailed information about the breach, including affected data and mitigation steps
- Assist you in meeting your breach notification obligations

Ensuro implements the following HIPAA-required safeguards:
- Administrative: Access controls, workforce security, training
- Physical: Facility access, device and media controls, workstation security
- Technical: Encryption, access logs, intrusion monitoring, secure communication
- See Section 3 (Data Storage and Security) for detailed technical controls
Ensuro is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will promptly delete such information and terminate the child's account. If you believe a child has registered for Ensuro, please contact privacy@lopcha.com immediately.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting the updated Policy on this page with a new "Last Updated" date
- Sending you an email notification (if the change materially affects how we process your data)
- Requiring you to accept the updated Policy (for Professional tier users)
We will provide at least 30 days' notice before material changes take effect. Your continued use of Ensuro after changes become effective constitutes your acceptance of the updated Policy.

Version history:
- v1.0 (March 27, 2026): Initial Privacy Policy for Ensuro launch
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact:
Email: privacy@lopcha.com
Mailing Address: Lopcha Services LLC, Privacy Officer, Florida, United States
Response Time: We will respond to all privacy inquiries within 14 business days.
For HIPAA-related questions (Professional tier users): Contact our HIPAA Compliance Officer at privacy@lopcha.com with the subject line "HIPAA Request".
© 2026 Lopcha Services LLC. Ensuro is a tool of Lopcha Services LLC. All rights reserved. This Privacy Policy is provided as-is and may be updated without notice. Please review periodically for changes.