Privacy.

Velora Billing handles personally identifiable information and protected health information (PHI) on behalf of our customers. We are a HIPAA business associate; we sign a mutual BAA before any PHI flows. Until that's signed, treat this page as a summary — the controlling document is the BAA + MSA.

What we collect

On behalf of customer tenants: carrier invoices, enrollment census files, and (where they appear in those files) member name, SSN last-4, date of birth, plan tier, dependents. We do not collect this data from end consumers directly — it arrives via the customer that contracted us as their billing-recon vendor.

How we protect it

• PHI fields are encrypted at rest (AES-256-GCM via @velora/crypto) with per-field HMAC indexing for searchable encryption.
• Multi-tenant isolation enforced at the SQL boundary — every query scopes by tenant; cross-tenant reads are tested and CI-gated.
• Append-only audit ledger — every mutation is chain-hashed (SHA-256, prevHash → hash); DB-level immutability triggers block UPDATE/DELETE.
• Access to production PHI is limited to engineering operators with MFA-required accounts and is itself audit-logged.
• Subprocessor list at /subprocessors. BAAs in place before PHI flows.

What we do NOT do

• Sell PHI or PII. Ever.
• Use customer PHI to train AI models. The Anthropic deployment we use carries zero-data-retention + BAA terms.
• Share customer data with other tenants — not aggregated, not anonymized, not for benchmarking.

Your rights

Customer tenants own their data. We honor deletion, export, and access requests under HIPAA, CCPA/CPRA, and applicable state privacy laws within the timelines those laws require — the customer (their privacy officer) is our point of contact, not the individual member.

Full policy

The full privacy policy + Data Processing Addendum is available under NDA. Email hello@hellovelora.com and we'll send the current revision within one business day.

Last updated: 2026-04-29 · Effective: 2026-04-29