
Privacy Policy

Effective Date: April 26, 2026  |  Last Updated: May 7, 2026

1. Introduction

EligiVue LLC ("EligiVue," "we," "us," "our") operates a web-based vision insurance eligibility verification platform available at eligivue.com (the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect information when you use our Service.

EligiVue provides business-to-business services primarily to licensed optometry and optical practices ("Customers"). We also operate a patient-facing feature called EligiVue PreCheck, which allows patients to submit their insurance information directly to their healthcare provider through our platform (see Section 2.3).

By accessing or using the Service, you agree to the terms of this Privacy Policy. If you do not agree, you must discontinue use of the Service.

2. Information We Collect
2.1 Account and Practice Information

When a Customer registers for the Service, we collect:

  • Practice name, address, phone number, and website
  • Contact name and email address for authorized users
  • Billing and payment information (processed by Stripe; see Section 6.2)
  • Login credentials (email and password, stored in hashed form using bcrypt)
  • Optional 4-digit PIN (stored in hashed form) for quick user switching

2.2 Protected Health Information (PHI) — Staff-Initiated

When Customer staff perform eligibility verifications, we collect and process limited patient information, including:

  • Patient first and last name
  • Date of birth
  • Last four digits of Social Security Number (optional)
  • Insurance carrier and plan information
  • Insurance member or subscriber ID
  • Date of service
  • Dependent information (name, DOB, relationship)
  • Eligibility verification results (coverage status, benefit details, effective dates)

This information constitutes Protected Health Information under the Health Insurance Portability and Accountability Act ("HIPAA"). Our handling of PHI is governed by the applicable Business Associate Agreement ("BAA") between EligiVue and the Customer. See Section 9 for additional detail.

2.3 Protected Health Information (PHI) — EligiVue PreCheck (Patient-Initiated)

EligiVue offers EligiVue PreCheck, a patient-facing eligibility submission feature. Through EligiVue PreCheck, patients may voluntarily submit the following information via a web form (accessible by QR code, text message, email, or direct link) without creating an account:

  • First and last name
  • Date of birth
  • Last four digits of Social Security Number (optional)
  • Insurance member or subscriber ID (optional)
  • Phone number (optional)
  • Date of service (optional)
  • Message to their healthcare provider (optional)
  • Dependent information (optional)

How PreCheck data is handled:

  • Patient submissions are processed solely to perform eligibility verification on behalf of the healthcare practice.
  • Results are delivered only to the Customer (the healthcare practice), not to the patient.
  • The patient does not create an account and does not receive access to verification results through EligiVue.
  • All PreCheck data is encrypted at rest using AES-256-GCM and is subject to the same HIPAA protections as staff-initiated verifications.
  • Where a Customer has an applicable BAA with EligiVue, that agreement governs the use and protection of PHI submitted through EligiVue PreCheck.
  • We apply anti-fraud measures (honeypot fields, submission timing checks, deduplication) to protect against automated abuse of the public form.

Notice at collection: When a patient accesses an EligiVue PreCheck form, the form must display a notice stating that the information is being submitted to the patient's healthcare provider for insurance eligibility verification, that EligiVue processes the information on the provider's behalf, and that the provider is the Covered Entity responsible for its Notice of Privacy Practices and patient privacy rights under HIPAA.

Source channel tracking: We record how the patient reached the PreCheck form (e.g., QR code, text message, email, or direct link) for aggregate analytics provided to the Customer. This tracking does not include patient-identifying information in analytics views.

2.4 Usage and Analytics Data

We automatically collect certain technical and usage information when you access the Service, including:

  • IP address and approximate geographic location
  • Browser type, version, and operating system
  • Pages visited, features used, and actions taken within the Service
  • Date and time of access
  • Referring URL
  • Session duration and frequency of use
  • Error logs and performance data

2.5 Cookies and Similar Technologies

We use cookies and similar tracking technologies to maintain session state, remember user preferences, and collect analytics data. See Section 10 for details.

2.6 Communications

When you contact us for support or other inquiries (including through our in-app feedback system), we collect the content of those communications along with your name, email address, page URL, and browser information to assist with troubleshooting.

3. How We Use Your Information
3.1 Eligibility Verification

We use patient PHI solely to submit eligibility verification requests to vision insurance provider and plan administrator portals supported by the Service from time to time (currently including, for example, VSP, EyeMed, Spectera, and MetLife Vision plans accessed via the VSP portal) on behalf of our Customers and to return the results to the requesting Customer.

3.2 Account Management

We use account and practice information to create and maintain Customer accounts, authenticate users, manage subscriptions, process payments, and communicate account-related notices.

3.3 Service Operations and Improvement

We use usage and analytics data to operate, maintain, monitor, and improve the Service, including identifying and resolving technical issues, analyzing usage patterns, and developing new features.

3.4 Customer Support

We use contact information and communication records to respond to inquiries, provide technical assistance, and resolve issues.

3.5 Legal and Compliance

We use information as necessary to comply with applicable laws, regulations, and legal processes, including HIPAA requirements, and to enforce our Terms of Service.

4. What We Do NOT Do With Your Information

EligiVue is committed to responsible data practices. We want to be clear about what we do not do:

  • We do not sell your data. We have never sold personal information or PHI and will not do so.
  • We do not share data with advertisers. Your information is never provided to advertising networks, data brokers, or marketing platforms.
  • We do not use PHI for marketing. Patient information is used exclusively for the eligibility verification purpose for which it was provided.
  • We do not market to patients. We do not contact patients whose information is submitted through EligiVue PreCheck or any other channel.
  • We do not provide verification results to patients. PreCheck submissions are returned only to the Customer's staff.
  • We do not use your data to build profiles for third parties. Your data is yours. We do not aggregate or de-identify your data for sale or distribution to others.
  • We do not share data with third parties beyond what is described in Section 6. The external parties that receive data are insurance carrier portals (to perform verifications), our payment processor (to process payments), and service providers necessary to operate the Service, as described in Section 6.

5. Legal Bases for Processing

We process information based on the following legal grounds:

  • Contract performance: Processing necessary to provide the Service under our agreement with Customers.
  • Legal obligation: Processing required to comply with HIPAA and other applicable laws.
  • Legitimate interest: Processing for Service improvement, security, and fraud prevention, where such interests are not overridden by your rights.

6. Data Sharing and Disclosure
6.1 Insurance Carrier Portals

We transmit limited patient information (name, date of birth, member ID, and carrier details) to insurance carrier portals solely to perform eligibility verification requests on behalf of our Customers. This transmission is necessary to provide the core Service.

6.2 Payment Processing

We use Stripe as our payment processor. When you provide payment information, it is transmitted directly to Stripe and processed in accordance with Stripe's privacy policy and PCI DSS standards. EligiVue does not store full credit card numbers on our systems. For more information, see Stripe's Privacy Policy.

6.3 Service Providers

We may disclose personal information and, where applicable, Protected Health Information, to third-party service providers that perform services on our behalf and only to the extent reasonably necessary to operate, secure, support, and improve the Service. Depending on the nature of the service provider relationship, such providers may include cloud hosting and infrastructure providers, backup and disaster recovery providers, customer support tools, security and monitoring vendors, payment processors, and professional advisors. Service providers are contractually obligated to protect information in accordance with applicable law and their role in supporting the Service. Where a service provider creates, receives, maintains, or transmits Protected Health Information on our behalf, EligiVue requires an appropriate Business Associate Agreement before production PHI processing occurs on that provider's infrastructure.

6.4 Legal Requirements

We may disclose information if required to do so by law, regulation, legal process, or governmental request, including in response to:

  • Court orders or subpoenas
  • Law enforcement requests
  • Regulatory inquiries or audits
  • HIPAA breach notification obligations

6.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify affected Customers before their information becomes subject to a different privacy policy.

6.6 With Your Consent

We may share information with third parties when you have provided explicit consent to do so.

6.7 No Other Sharing

Beyond the categories listed in this Section 6, we do not share, rent, trade, or otherwise disclose your information to any third party.

7. Data Security

We implement administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of your information:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: All stored data, including PHI, is encrypted at rest using AES-256-GCM encryption with versioned key rotation support.
  • Password security: User passwords are hashed using bcrypt (12 rounds). Optional PINs are separately hashed.
  • Access controls: Access to PHI and sensitive data is restricted to authorized personnel on a need-to-know basis, enforced through role-based access controls (admin, manager, staff), multi-factor authentication (TOTP), and location-based access restrictions.
  • Session security: Sessions expire after 60 minutes of inactivity. Session tokens are cryptographically generated and stored as HMAC-SHA256 hashes. Cookies are HttpOnly, Secure, and SameSite.
  • HIPAA compliance: Our infrastructure and operations are designed to meet the requirements of the HIPAA Security Rule, including administrative, physical, and technical safeguards.
  • Monitoring and logging: We maintain audit logs of access to PHI and monitor our systems for unauthorized access or security incidents.
  • Multi-tenant isolation: Each Customer's data is logically isolated by organization. Server-side query guards enforce tenant boundaries.
  • Content Security Policy: We implement per-request CSP nonces, X-Frame-Options, and other security headers to prevent cross-site attacks.
  • Incident response: We maintain a documented incident response plan for security events and potential breaches.

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

8. Data Retention

We retain different categories of information for different periods based on the purpose of collection and legal requirements:

Data Category | Retention Period
Account profile and login credentials | Duration of the Customer relationship plus 30 days after account termination
Protected Health Information (PHI) — eligibility records and associated portal evidence (screenshots, captured PDFs) | Per the Customer's configured retention period (default: 90 days). Customers may configure retention to 30, 90, 180, or 365 days. Portal evidence (screenshots and captured PDFs) is retained according to the same configured retention period, subject to a 30-day floor and a 365-day ceiling. After the retention period, PHI and associated portal evidence are securely purged and aggregate statistics are preserved without patient-identifying information.
Audit logs and compliance records | 6 years, consistent with HIPAA retention requirements (45 CFR 164.530(j))
Payment and billing records | 7 years, consistent with IRS record-keeping requirements
Usage and analytics data | 2 years from collection
Support communications | 3 years from resolution
Cookies and session data | See Section 10

Upon termination of a Customer account, account profile and login credentials are removed within 30 days. However, certain records — including audit logs, payment records, BAA records, and HIPAA compliance documentation — are retained for the longer periods stated above, as required by law or necessary for legal, tax, or compliance purposes. These retained records remain subject to the protections described in this Privacy Policy and the applicable BAA.

Upon expiration of the applicable retention period, data is securely deleted or de-identified in accordance with NIST guidelines. Where aggregate or de-identified analytics are derived from Customer Data, such information is maintained only in de-identified or aggregated form and does not contain identifiable patient records after the underlying data has been purged. Customers may request earlier deletion of their data subject to our legal and regulatory obligations (see Sections 8 and 14 of the Terms of Service and the applicable BAA).

9. HIPAA Obligations

EligiVue operates as a Business Associate under HIPAA when handling PHI on behalf of our Customers (who are Covered Entities or Business Associates themselves).

  • Business Associate Agreement (BAA): For HIPAA-regulated customer use, EligiVue provides a Business Associate Agreement governing the permitted uses and disclosures of PHI, security obligations, breach notification procedures, and related matters. Customer use of the Service with Protected Health Information is subject to completion of required contracting steps. In the event of a conflict between this Privacy Policy and the BAA with respect to PHI, the BAA controls.
  • Minimum Necessary Standard: We limit our use and disclosure of PHI to the minimum necessary to accomplish the intended purpose of the eligibility verification.
  • Breach Notification: In the event of a breach of unsecured PHI, we will notify affected Customers in accordance with the BAA and applicable HIPAA Breach Notification Rule requirements (45 CFR 164.400-414).
  • Patient Rights: Patients whose PHI is processed through our Service (whether submitted by staff or through EligiVue PreCheck) should direct requests regarding access, amendment, or accounting of disclosures to the Customer (their healthcare provider), who is the Covered Entity responsible for fulfilling such requests under HIPAA.
  • EligiVue PreCheck and HIPAA: Where PHI is processed for a HIPAA-regulated customer, PHI submitted by patients through EligiVue PreCheck is subject to the same applicable BAA and HIPAA protections as staff-initiated verifications. The Customer is the Covered Entity responsible for providing patients with a Notice of Privacy Practices that covers this data collection.

10. Cookies and Tracking Technologies

10.1 Types of Cookies We Use

Cookie Type | Purpose | Duration
Essential/Session | Authentication, session management, CSRF protection, location selection | Duration of session
Functional | User preferences (e.g., last selected user for quick login) | Up to 90 days

10.2 What We Do Not Use

  • We do not use third-party advertising cookies.
  • We do not use tracking pixels for ad retargeting.
  • We do not participate in cross-site tracking networks.
  • We do not currently use third-party analytics services (e.g., Google Analytics).

10.3 Managing Cookies

Most web browsers allow you to control cookies through their settings. You may disable or delete cookies, but doing so may affect the functionality of the Service, including your ability to remain logged in.

11. Children's Privacy

The Service is designed for use by licensed healthcare practices and their authorized adult staff. We do not knowingly collect personal information from individuals under the age of 18. The Service requires all users to be at least 18 years of age.

While patient PHI processed through the Service (including through EligiVue PreCheck) may relate to minor patients, such data is provided by or on behalf of the Customer (the healthcare practice) in the course of treatment operations and is governed by HIPAA and the applicable BAA, not by children's privacy statutes such as COPPA.

If we learn that we have collected personal information from a user under 18, we will take steps to delete that information promptly.

12. Your Rights
12.1 All Customers

As a Customer, you have the right to:

  • Access the personal and practice information we hold about your account.
  • Correct inaccurate or incomplete information by updating your account settings or contacting us.
  • Delete your account and associated data, subject to our retention obligations under HIPAA and other applicable law.
  • Export your data in a standard, machine-readable format upon request.
  • Withdraw consent for any optional data processing activities to which you have affirmatively consented.

To exercise any of these rights, contact us at the information provided in Section 15.

12.2 California Residents — CCPA/CPRA Rights

If you are a California resident and applicable law grants you privacy rights with respect to information we collect about you, you may have the rights described in this section, subject to statutory exemptions and limitations, under the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"). Certain rights under the CCPA/CPRA may not apply to Protected Health Information governed by HIPAA, or to other information exempt under applicable law. Where PHI is involved, the applicable privacy rights are governed by HIPAA and the applicable Business Associate Agreement between EligiVue and the Customer (Covered Entity).

Subject to the foregoing:

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions (including legal and compliance obligations).
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell personal information and do not share it for cross-context behavioral advertising. Therefore, there is no need to opt out, but we honor such requests regardless.
  • Right to Limit Use of Sensitive Personal Information: To the extent we process sensitive personal information, we do so only for purposes permitted under the CCPA/CPRA (specifically, to perform the Service you have requested).
  • Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

How to Submit a Request: You may submit a verifiable consumer request by emailing us at legal@eligivue.com. We will verify your identity before processing the request and respond within 45 days (with a possible 45-day extension if reasonably necessary).

Authorized Agents: You may designate an authorized agent to submit a request on your behalf by providing written authorization.

Categories of Personal Information Collected (past 12 months):

CCPA Category | Examples | Sold? | Shared for Advertising?
Identifiers | Name, email, IP address | No | No
Commercial information | Subscription plan, payment history | No | No
Internet/electronic activity | Usage logs, pages visited | No | No
Professional/employment information | Practice name | No | No
Sensitive personal information | Login credentials | No | No

13. International Users

The Service is hosted in the United States and is intended for use by healthcare practices located in the United States. If you access the Service from outside the United States, you understand and consent to the transfer of your information to the United States, where data protection laws may differ from those in your jurisdiction.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

  • We will update the "Last Updated" date at the top of this document.
  • We will notify Customers via email or an in-application notice at least 30 days before the changes take effect.
  • For material changes to how we handle Protected Health Information, we will provide specific notice describing the change and its effect. Your continued use of the Service after the effective date of a revised Privacy Policy constitutes acceptance of the updated terms; however, material changes to PHI handling practices will not apply retroactively to PHI collected before the change without your affirmative consent or as required by law.

We encourage you to review this Privacy Policy periodically.

15. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

EligiVue LLC
1255 Landsburn Circle, Westlake Village, CA 91361
General inquiries: support@eligivue.com
Privacy and legal notices: legal@eligivue.com
Website: eligivue.com

For HIPAA-related inquiries or to report a potential data security concern, please email legal@eligivue.com with the subject line "Privacy/HIPAA Inquiry."

We will respond to all inquiries within 30 days.


This Privacy Policy is effective as of April 26, 2026.
