Privacy policy.

Last updated April 2026

Velora EDI ("Velora," "we," "us," or "our") is committed to protecting the privacy and security of the information we process on behalf of our clients and their members. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use our AI-powered EDI clearinghouse platform and related services (collectively, the "Service"). By accessing or using the Service, you agree to the terms of this Privacy Policy.

1. Information We Collect

1.1 Protected Health Information (PHI)

In the course of providing EDI clearinghouse services, we receive and process Protected Health Information as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This includes, but is not limited to: enrollment data, member demographic information (names, dates of birth, Social Security Numbers), health plan identifiers, group numbers, carrier information, and benefit election data transmitted via ANSI X12 834 transactions.

1.2 Account and Usage Data

We collect information you provide when creating an account, including your name, email address, company name, and billing information. We also automatically collect usage data such as API call logs, IP addresses, browser type, access timestamps, pages viewed, and system performance metrics.

1.3 Technical Data

We collect device identifiers, operating system information, and other technical data necessary to maintain the security and performance of the Service.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • To provide, operate, and maintain the EDI clearinghouse Service, including generating, validating, transmitting, and reconciling ANSI X12 834 enrollment transactions.
  • To perform AI-driven error detection, correction, and resubmission of rejected transactions.
  • To reconcile enrollment records against carrier eligibility data.
  • To improve, personalize, and optimize the Service, including training our AI models on de-identified, aggregated transaction patterns (never on raw PHI).
  • To communicate with you about your account, provide technical support, and send service-related notifications.
  • To comply with legal obligations, including HIPAA, and to enforce our Terms of Service.

3. HIPAA Compliance

Velora EDI operates as a Business Associate under HIPAA. We process PHI solely as directed by our clients (Covered Entities or their Business Associates) and in accordance with executed Business Associate Agreements (BAAs). We maintain a comprehensive HIPAA compliance program that includes:

  • Administrative, physical, and technical safeguards as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C).
  • Policies and procedures for breach notification in compliance with 45 CFR 164.410.
  • Regular risk assessments and workforce training.
  • Minimum necessary access controls to limit PHI exposure to authorized personnel and systems only.

4. Encryption and Security Standards

We implement industry-leading security measures to protect all data processed through our Service:

  • Encryption at Rest: All PHI and sensitive data is encrypted at rest using AES-256-GCM.
  • Encryption in Transit: All data transmitted between clients, our systems, and carrier endpoints is protected using TLS 1.2 or higher.
  • SFTP Transmission: EDI file transmissions to carriers utilize secure SFTP connections with key-based authentication.
  • Access Controls: Role-based access controls, multi-factor authentication, and complete audit logging of all system access.

5. Data Retention

We retain PHI and transaction records for a minimum of seven (7) years from the date of the transaction, in compliance with HIPAA record retention requirements and applicable state and federal regulations. Upon expiration of the retention period, data is securely destroyed using NIST 800-88 compliant methods.

Account and usage data is retained for the duration of your active account and for a reasonable period thereafter to comply with legal obligations, resolve disputes, and enforce our agreements.

6. Third-Party Sharing and Disclosure

We do not sell, rent, or trade your information. We disclose information only in the following circumstances:

  • To Carriers: We transmit enrollment data to insurance carriers solely as directed by our clients for the purpose of effectuating enrollment transactions.
  • Subcontractors: We may engage subcontractors who require access to PHI to perform services on our behalf. All subcontractors are bound by Business Associate Agreements and are required to maintain equivalent security safeguards.
  • Legal Requirements: We may disclose information when required by law, regulation, subpoena, court order, or governmental request.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to existing privacy commitments.

7. Rights of Data Subjects

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

  • The right to access and receive a copy of the personal information we hold about you.
  • The right to request correction of inaccurate personal information.
  • The right to request deletion of your personal information, subject to legal retention requirements.
  • The right to restrict or object to certain processing activities.
  • The right to data portability where technically feasible.

With respect to PHI, individual rights are governed by HIPAA and should be directed to the applicable Covered Entity (your employer or plan sponsor). We will cooperate with Covered Entities to fulfill individual rights requests related to PHI.

8. Cookies and Tracking Technologies

We use strictly necessary cookies and similar technologies to operate the Service, maintain session state, and authenticate users. We do not use third-party advertising cookies or tracking pixels. Analytics cookies, if used, process only aggregated, de-identified data. You may configure your browser to refuse cookies, though this may limit your ability to use certain features of the Service.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the revised policy on our website with an updated "Last updated" date and, where required, by providing direct notice via email. Your continued use of the Service after such changes constitutes acceptance of the revised policy.

10. Contact Information

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:

Velora EDI — Privacy Office

Email: privacy@veloraedi.com

Web: https://veloraedi.com

For HIPAA-related inquiries, including breach notifications or requests related to PHI, please contact our HIPAA Privacy Officer at the address above.