Overview
Verq, Inc. ("Verq," "we," "our," or "us") provides technology infrastructure that converts health plan documents — including Summary Plan Descriptions (SPDs), benefit schedules, and plan amendments — into version-controlled, executable logic, enabling Third-Party Administrators ("TPAs") and self-funded employer plans to produce reproducible, auditable claim decisions.
This Privacy Policy describes how Verq collects, uses, stores, and protects data received through its platform, including data submitted via our free plan document analysis tool and through direct integrations with TPAs and payment processors. It applies to all users of Verq's services, including visitors to verqhealth.com.
Plain-language summary: Verq is not a consumer-facing health insurer. We are a technology platform. We process plan documents and claim data on behalf of TPAs, not on behalf of individual members. We do not sell data. We do not use uploaded plan documents for any purpose other than delivering the analysis you requested.
Scope & Who This Policy Applies To
This Policy applies to:
- TPA clients who access Verq's platform under a written service agreement
- Self-funded employer plan administrators who use Verq directly
- Website visitors who use the free plan document analysis tool at verqhealth.com
- Demo requesters who submit contact information through the site
Where Verq acts as a Business Associate under HIPAA — processing Protected Health Information (PHI) on behalf of a Covered Entity or another Business Associate — the terms of the applicable Business Associate Agreement (BAA) govern PHI handling in addition to this Policy. See the HIPAA & PHI section below.
Data We Collect
Verq collects only the minimum data necessary to provide its services. The categories below describe what may be received depending on how you interact with us.
| Category | Examples | Source |
|---|---|---|
| Employer / TPA Account Data | Business name, bank account info, routing numbers, contact details | Onboarding API / direct submission |
| Employee / Member Data | Name, email (optional, for claim tracking), plan identifier | Employer benefits systems via TPA |
| Plan Documents | SPDs, benefit schedules, plan amendments, COB rules uploaded via the analysis tool or integration | User upload / TPA integration |
| Transaction Data | Claim IDs, payment amounts, dates, adjudication status | Payment processor gateway / TPA |
| Contact & Demo Data | Name, business email, company name submitted via demo request forms | Website forms |
| Technical Metadata | IP address, API keys, request timestamps, browser type (for web tool users) | Verq platform logs |
| Website Analytics | Page views, demo funnel interactions, scroll depth — aggregated and anonymized via Google Analytics 4 | verqhealth.com (GA4) |
Verq does not collect marketing data, cookie-tracking data unrelated to site functionality, or any sensitive personal information (e.g., Social Security numbers, financial account credentials) directly from website visitors.
Plan Document Uploads
The Verq free analysis tool allows users to upload plan documents — such as benefit schedules, SPD excerpts, or plan amendments — for automated analysis. The following applies specifically to these uploads:
- Purpose limitation: Uploaded documents are used solely to perform the analysis you requested and to generate your results report. They are not used to train AI models, shared with third parties for any commercial purpose, or retained for marketing.
- Retention: Uploaded documents are processed and then deleted within 24 hours of analysis completion. No copy is retained on Verq servers beyond that window.
- PHI in plan documents: SPDs and benefit schedules typically do not contain PHI. However, if a document you upload contains individually identifiable health information, it is handled in accordance with HIPAA and our BAA obligations. We strongly recommend uploading plan-level documents only — not documents containing individual member records or claim data.
- Email address: The email address you provide to receive your results is retained for the purpose of delivering that report and, with your consent, for follow-up communications about Verq's services. You may opt out at any time.
Important: Do not upload documents containing individually identifiable member data (e.g., EOBs with member names, claim files with SSNs) through the free analysis tool. The tool is designed for plan-level documents. If you need to analyze claim-level data, contact us to establish a BAA and a secure data transfer process.
How We Use Data
Verq uses data solely for the following purposes:
- Performing plan document analysis and generating audit-readiness reports
- Processing authorized ACH debits and credits on behalf of TPAs
- Facilitating claim adjudication and settlement logic
- Maintaining immutable, version-controlled audit records
- Fulfilling legal and financial reporting obligations (HIPAA, Nacha, IRS)
- Communicating with demo requesters and prospective clients
- Improving platform security and performance through aggregated, non-identifiable analytics
- Detecting and preventing fraud, abuse, or unauthorized access
Verq never sells, rents, or licenses personal data to third parties. Verq does not use personal data for behavioral advertising or cross-context behavioral tracking.
Legal Basis for Processing
Verq processes personal data under the following legal authorities:
- Contractual necessity — processing required to perform services under a TPA Agreement or service contract
- Legitimate interests — operating and securing the platform, communicating with prospective clients, and improving services, where those interests are not overridden by individual privacy rights
- Legal obligation — compliance with applicable law, including HIPAA (45 CFR Part 164), Nacha Operating Rules, ERISA, IRS record-keeping requirements, and state breach notification statutes
- Consent — for email communications to website visitors who submit demo requests or use the analysis tool, where consent is the appropriate basis under applicable law (e.g., CCPA § 1798.100 et seq.; CAN-SPAM Act)
Where Verq processes PHI as a HIPAA Business Associate, processing is authorized under the applicable BAA and 45 CFR § 164.504(e).
Data Sharing
Verq may share data only in the following circumstances:
- Payment processors and partner banks — for ACH transmission and settlement, under contractual data protection obligations
- Cloud infrastructure providers — such as AWS, under confidentiality agreements and, where applicable, BAAs
- AI / LLM inference services — plan document content submitted through the analysis tool is processed by third-party AI infrastructure under data processing agreements that prohibit training on submitted data
- Legal and regulatory authorities — when required by law, court order, or regulatory demand, including HIPAA-required disclosures to the Department of Health and Human Services (HHS)
- Successors in interest — in the event of a merger, acquisition, or asset sale, subject to equivalent data protection obligations
All data transfers use TLS-encrypted channels. All third parties with access to PHI are required to execute a BAA with Verq prior to access.
Security
Verq implements technical and organizational safeguards appropriate to the sensitivity of the data processed, including:
- AES-256 encryption at rest; TLS 1.2+ in transit
- Role-based access control (RBAC) and multi-factor authentication (MFA) for all staff with data access
- Continuous monitoring, intrusion detection, and logging
- Annual penetration testing by qualified third-party assessors
- Vendor security review prior to onboarding any subprocessor with access to personal data or PHI
- NIST SP 800-88 compliant data destruction upon retention expiration
No system is perfectly secure. If you believe your data has been compromised in connection with Verq's platform, contact us immediately at privacy@verqhealth.com.
Retention & Deletion
| Data Type | Retention Period | Basis |
|---|---|---|
| Uploaded plan documents (analysis tool) | 24 hours after analysis completion | Purpose limitation; data minimization |
| ACH authorizations | 2 years after account termination | Nacha Operating Rules § 2.3.2 |
| Transaction records | 7 years | IRS record-keeping; audit requirements |
| PHI / claims data | 6 years from creation or last effective date | HIPAA § 164.316(b)(2) |
| Demo / contact form data | 3 years from last interaction, or upon opt-out request | Legitimate interest; CAN-SPAM compliance |
| Website analytics data | 26 months (GA4 default; configurable) | Legitimate interest; aggregated analytics |
| Audit logs and technical metadata | 7 years | ERISA; DOL audit requirements |
Upon expiration of applicable retention periods, data are permanently deleted using NIST SP 800-88 compliant methods. Backup copies are purged on the same schedule.
Individual Rights
Because Verq operates primarily as a subprocessor or Business Associate behind TPAs — not as a direct controller of member data — individual rights requests (access, correction, deletion, portability) should generally be directed to the TPA or employer plan sponsor that holds the primary relationship with the member.
Where Verq does hold data directly (e.g., demo request data, analysis tool email addresses), individuals may exercise the following rights by contacting privacy@verqhealth.com:
- Right to access — request a copy of personal data Verq holds about you
- Right to correction — request correction of inaccurate or incomplete data
- Right to deletion — request deletion of personal data, subject to legal retention obligations
- Right to opt out of communications — unsubscribe from marketing or follow-up emails at any time
- Right to data portability — request your data in a structured, machine-readable format where technically feasible
Verq will respond to all lawful privacy requests within 30 days. Where Verq receives a request that relates to data controlled by a TPA, Verq will promptly refer the request to the appropriate TPA and assist in fulfillment as required by applicable law and the BAA.
California residents may exercise additional rights under the CCPA / CPRA, including the right to know, the right to limit use of sensitive personal information, and the right to non-discrimination for exercising privacy rights. Submit CCPA requests to privacy@verqhealth.com.
HIPAA & Protected Health Information
Where Verq creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a Covered Entity or Business Associate, Verq acts as a HIPAA Business Associate as defined under 45 CFR § 160.103.
- Verq will not use or disclose PHI other than as permitted by the applicable BAA and 45 CFR Part 164 Subpart E
- Verq will implement appropriate safeguards as required by 45 CFR Part 164 Subpart C (Security Rule)
- Verq will report any Security Incident or Breach of Unsecured PHI to the covered entity within the timeframe specified in the BAA (no later than 72 hours after confirmed discovery)
- Verq will make its internal practices, books, and records relating to PHI available to HHS for purposes of determining compliance as required by 45 CFR § 164.504(e)(2)(ii)(I)
- Verq will ensure all subcontractors with PHI access execute a BAA
- Upon termination of a BAA, Verq will return or destroy all PHI as directed, and where return or destruction is not feasible, will extend BAA protections indefinitely to any retained PHI
All TPA clients processing PHI through Verq must execute a Business Associate Agreement prior to transmitting any PHI to Verq's platform. Contact privacy@verqhealth.com to initiate BAA execution.
Website Analytics
Verq uses Google Analytics 4 (GA4) on verqhealth.com to understand how visitors interact with the site and how the free analysis tool is performing. GA4 collects data such as pages visited, time on page, geographic region (country/city level), device type, and interactions with the analysis tool funnel (e.g., document upload, scenario selection, form submission).
This data is:
- Collected using first-party cookies and Google's measurement infrastructure
- Aggregated and used only for improving site performance and understanding product usage
- Not used to identify individual visitors or to build advertising profiles
- Subject to Google's data processing terms and privacy policy
We do not use GA4's advertising features, Google Signals, or cross-site tracking. IP anonymization is enabled. If you wish to opt out of GA4 tracking, you may use the Google Analytics Opt-Out Browser Add-On.
Verq does not use any other third-party tracking, retargeting, or advertising technology on its website.
Cross-Border Data Transfers
All Verq data is stored and processed in the United States. Verq does not transfer personal data or PHI internationally. Cloud infrastructure is hosted in U.S.-based AWS regions.
Breach Notification
In the event of a confirmed security incident that results in, or is reasonably likely to result in, unauthorized access to or disclosure of personal data or PHI, Verq will:
- Notify affected TPAs and, where applicable, covered entities within 72 hours of confirmed discovery, consistent with the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414) and applicable state breach notification laws
- Provide a description of the nature of the breach, the types of data involved, the number of individuals affected (if known), the steps Verq has taken to investigate and mitigate, and recommended steps for affected individuals
- Cooperate with the TPA and covered entity in any required notifications to individuals and to HHS
- Maintain a breach log as required by HIPAA § 164.408
To report a suspected security incident involving Verq data, contact privacy@verqhealth.com immediately.
Children's Privacy
Verq's platform is designed for use by healthcare administrators and business professionals. Verq does not knowingly collect personal information from individuals under the age of 18. If you believe a minor has submitted personal data to Verq, contact us at privacy@verqhealth.com and we will promptly delete it.
Policy Changes
Verq may update this Policy periodically to reflect changes in our services, legal requirements, or data practices. Material changes will be communicated to TPA clients and registered users at least 30 days before taking effect, via email or a prominent notice on the website. The revised Policy will be marked with a new effective date at the top of this page.
Continued use of Verq's services after the effective date of a revised Policy constitutes acceptance of the updated terms. TPA clients should distribute the current version of this Policy to employer clients as part of their onboarding documentation.
Contact
For privacy questions, data requests, BAA inquiries, or to report a suspected security incident:
- Email: privacy@verqhealth.com
- Mail: Verq Privacy Office, Verq, Inc., [Address]
This Privacy Policy does not constitute legal advice. Verq recommends that TPAs and covered entities consult qualified HIPAA counsel to assess their own compliance obligations.