
Last reviewed: 2026-06-17

Privacy notice

This notice applies to corefolio.ai and all CoreFolio products.

What stays in your browser

The free risk assessment runs entirely in your browser. When you answer questions on any page under /assess/, your answers are saved to your browser’s local storage on the device you’re using. They are not transmitted to our servers. If you close the tab, switch to a different device, or clear your browser data, those answers are gone.

We designed it that way deliberately. A practice’s readiness posture is sensitive information, and we have no business reason to hold onto it unless you ask us to.

When you finish the free assessment and download the blank questionnaire PDF, that PDF is generated in your browser and saved to your device. We never see the file.

When you create a Digital Binder account

If you start a paid Digital Binder, the picture changes, because the Digital Binder is a server-backed product that holds your work for you across sessions and devices.

When you create a Digital Binder account, we receive and store:

  • The risk-assessment answers you choose to save into your account.
  • The text you type into binder templates (policies, procedures, inventories, training records).
  • The actions you take on your Risk Management Plan (mark-as-done events, accepted-risk decisions, ownership assignments).
  • Your account email address, billing identifiers from Stripe, and a record of when you signed in.

Your binder content is held by our cloud database vendor (Supabase), in US data centers, encrypted in transit (TLS) and encrypted at rest. Reports you can download from the binder — the Risk Analysis Report, the Risk Management Plan, and the 2026 Readiness Gap Report — are generated on our servers from your binder content and streamed to you on each download. We do not retain a copy of the rendered PDF.

What CoreFolio does not collect

The Digital Binder is designed for the documentation a practice keeps to satisfy the HIPAA Security Rule’s administrative requirements — risk analysis, policies, training records, inventories. It is not a place to store electronic protected health information (ePHI) about your patients, and the binder templates do not ask you to. CoreFolio is therefore not acting as your business associate. The full position is in the Terms of service.

Email and the marketing surfaces

On the marketing pages (the home page, learn articles, the CoreFolio Brief signup), the only data we receive when you submit a form is:

  • Your email address
  • Your opt-in choice (which list you signed up for, if any)
  • For the CoreFolio Brief: your US state, if you choose to provide it, so we can include state-relevant updates

We use your email to send the confirmation or summary you requested, to send the CoreFolio Brief if you subscribed (with a one-click unsubscribe in every issue), and to send the account-related messages tied to your Digital Binder subscription if you have one.

We do not sell your email address. We do not share it with third-party marketers. Transactional and list mail is delivered through our email vendor, which processes your address only to send the messages you requested.

Analytics

We use Plausible Analytics on our home page, the full-assessment notification page, and every page under /learn/. Plausible is cookieless and does not build a cross-site visitor profile. It collects: page URL, referrer, approximate geographic region (country and US state, derived from IP address and immediately discarded), browser family, and device type. No personally identifiable information is collected or stored.

Plausible does not load on any /assess/* route. When you are inside the free assessment, no analytics provider receives any signal about which page you are on or what you are doing.

Because Plausible is cookieless, we do not display a cookie consent banner.

Error monitoring

We use Sentry for application error monitoring and performance diagnostics. Sentry loads on all pages, including assessment routes. Its purpose is operational: when a JavaScript error occurs, Sentry sends a report to Sentry, Inc. so we can identify and fix the problem.

We configure Sentry with sendDefaultPii: false. This means Sentry does not transmit IP addresses, cookie headers, or request bodies. It does not record what you type, what assessment answers you select, or any content from your Digital Binder. It captures: the URL of the page where an error occurred, the JavaScript error message and stack trace, and basic browser/device context needed to reproduce the problem.

Your assessment answers are stored only in your browser’s local storage and are never read by Sentry. Sentry’s privacy policy is available at sentry.io/privacy.

No advertising or behavioral tracking on assessment routes

Every page under /assess/* loads no advertising pixels, no behavioral analytics, no chat widgets, and no fonts from external CDNs at runtime. We build fonts into the application at deploy time so no font request leaves your browser during an assessment session.

The only third-party data transmission on assessment routes is the operational error monitoring described in the section above (Sentry, errors only, no PII).

Cookies

CoreFolio sets a small number of functional cookies. None of them carry advertising identifiers, and we set no advertising cookies or tracking pixels on marketing pages.

  • corefolio_internal — used only to unlock extended assessment routes when your workspace has been granted access. Carries no personal information.
  • corefolio_account — set when you sign in to a Digital Binder account. Identifies your session so the server knows which account’s data to load. Cleared when you sign out or when the session expires.

All CoreFolio cookies are HttpOnly, Secure, and scoped to the paths that need them.

How we improve CoreFolio with binder data

This section applies to the paid Digital Binder only. Your free assessment answers never reach our servers and are never used for any of the purposes below.

When you fill in your Digital Binder, we use what you put in to deliver the service to you (render your templates, generate your dated reports, keep your account in sync). With your permission, we also use de-identified patterns across many practices to make CoreFolio better.

Concrete examples of what we do with de-identified binder data:

  • Revise templates and assessment questions based on which fields practices most often edit.
  • Improve product features based on aggregate template-acceptance and gap-frequency patterns.
  • Train CoreFolio’s own machine-learning features on de-identified text and structure (only if you have opted into the relevant layer).
  • Publish industry benchmarks computed across practices (only if you have opted into the relevant layer).

The bright lines — what we do not do, ever:

  • We do not sell data that identifies you or your practice.
  • We do not share identified data with third-party marketers, data brokers, or research firms.
  • We do not publish any benchmark statistic computed over fewer than 20 distinct practices. See the Data Processing Addendum for the full methodology.
  • We do not allow any third party (including any of our subprocessors) to train its own model on identified binder content.

De-identification meets or exceeds the HIPAA Safe Harbor standard at 45 CFR § 164.514(b)(2), even though the Digital Binder does not carry electronic protected health information. Holding to the strictest published standard means every state privacy regime is satisfied without per-state branching.

The legal grant is in the Terms of service; the operational detail is in the Data Processing Addendum.

Your choices

CoreFolio uses three opt-out / opt-in toggles to govern how we use your paid Digital Binder content:

  • Help us improve CoreFolio (de-identified, internal). On by default for new accounts; off by default at re-prompt for existing accounts. You can turn this off at any time.
  • Include my practice in published industry benchmarks (de-identified, published). Off by default. Opt in to participate.
  • Open to a named case study. Off by default. Even when on, every named case study still requires a separate written consent for that specific case study — this toggle only records your in-principle willingness to be approached.

Change these settings at any time from the data-use settings page in your Digital Binder, or write to us at the address in the footer.

Data retention and deletion

Email addresses are retained in our transactional email provider until you unsubscribe or request deletion. To request deletion, email us at the address in the footer or click “Unsubscribe” in any email we send you. We will process deletion requests within 30 days.

Raw binder content (typed into the paid Digital Binder) is retained while your subscription is active. After cancellation, you have 30 days to request an export; the raw content is then permanently deleted.

De-identified derivatives created from your binder content while your consent covered the relevant layer are no longer your data after Safe Harbor de-identification and are retained. The DPA documents the methodology in full.

Contact

Questions about this notice? We’re a small team and we read every message. Use the contact link in the footer or reply to any email we’ve sent you.

This notice describes CoreFolio’s actual practices as of the date above. We will update it and revise the “Last reviewed” date if our practices change. This notice is not a substitute for legal advice. If you have obligations under HIPAA, CCPA, or other privacy law, consult your own counsel.