GLP-1 Receptionist℠ Powered by GLP1Maps.com

GLP-1 Receptionist — Privacy Policy & HIPAA Notice

Last updated: April 27, 2026

Effective Date

This Privacy Policy & HIPAA Notice ("Policy") is effective as of April 27, 2026. Maps Health Network LLC will post any updates at GLP1Receptionist.com/privacy. Material changes will be communicated by email to registered Subscribers and by a notice posted on the site.


1. Scope

This Policy applies to:

(a) Visitors to GLP1Receptionist.com ("Site"), including individuals who browse the Site, submit contact forms, request information, or register for a subscription;

(b) Subscribers — healthcare providers, clinics, and medical practices that register for and use the GLP-1 Receptionist Service; and

(c) End Users / Patients — individuals who call Subscriber clinics and interact with Grace, the AI voice receptionist, in connection with the Service.

Important distinction regarding patient PHI: When Maps Health Network LLC processes Protected Health Information ("PHI") on behalf of a Subscriber clinic as a HIPAA Business Associate, that processing is governed by the Business Associate Agreement ("BAA") executed between the parties and by the clinic's own Notice of Privacy Practices ("NPP"), not by this Policy. This Policy describes the Company's own data practices. Patients seeking to understand how their PHI is used and protected should refer to their clinic's NPP and contact their clinic directly.

This Policy does not apply to third-party websites, products, or services linked from the Site.


2. Information We Collect

2.1 Information Collected from Site Visitors

When you visit GLP1Receptionist.com, we may collect:

  • Usage data: pages viewed, time on page, referral URL, browser type, operating system, and general geographic location (city/country level), collected via server-side analytics;
  • Contact form submissions: name, email address, and any information you voluntarily provide when requesting a demo or more information; and
  • Session data: session identifiers managed through first-party cookies for the purpose of maintaining site functionality (see Section 6).

We do not collect Sensitive Personal Information (as defined under Cal. Civ. Code § 1798.140(ae)) from Site visitors unless you voluntarily provide it.

2.2 Information Collected from Subscribers

When a clinic registers for or uses the Service, we collect:

  • Account information: clinic name, physical address, billing address, National Provider Identifier (NPI) if provided, contact name, phone number, and email address;
  • Billing information: payment method details processed exclusively through Stripe (the Company does not store full card numbers; Stripe's privacy policy governs payment data handling);
  • Configuration data: information about how the Subscriber has configured Grace, including clinic hours, service descriptions, medications prescribed (e.g., Ozempic, Wegovy, Mounjaro, Zepbound), and staff routing preferences;
  • Usage logs: records of Service usage, including call volumes, feature usage, and administrative actions; and
  • Communications: emails, support tickets, and other correspondence with the Company.

2.3 Patient Call Data Collected as Business Associate

When a patient calls a Subscriber's clinic and Grace answers, the following data may be generated:

  • Voice recordings of the call;
  • Transcripts of the call, which may include PHI such as the patient's name, date of birth, medication information, and reason for calling;
  • Call metadata: call date/time, duration, caller ID (if transmitted), and routing outcome; and
  • Structured intake data: information collected by Grace during the call per the Subscriber's configured intake flow.

This data is collected and processed solely on behalf of the Subscriber clinic (as Covered Entity) and is governed by the BAA. Maps Health Network LLC processes this data only as a Business Associate acting on the Subscriber's behalf and subject to the Subscriber's instructions, to the extent consistent with HIPAA.


3. How We Use Information

3.1 Site Visitor Data

We use visitor data to:

  • Operate and improve the Site;
  • Respond to inquiries and demo requests;
  • Analyze Site performance using server-side, privacy-preserving analytics; and
  • Comply with legal obligations.

We do not use visitor analytics to build individual behavioral profiles or serve targeted advertising.

3.2 Subscriber Data

We use Subscriber data to:

  • Provision, operate, and support the Service;
  • Process billing and communicate about the subscription;
  • Send service-related communications (e.g., usage alerts, security notices, product updates);
  • Improve the Service in aggregate, de-identified form; and
  • Comply with legal and regulatory requirements.

We do not sell Subscriber data to third parties. We do not use Subscriber data for advertising.

3.3 Patient Call Data (Business Associate Processing)

Patient call data is used exclusively to:

  • Perform the contracted Service (call answering, scheduling, refill routing, warm transfer) on behalf of the Subscriber;
  • Fulfill BAA obligations; and
  • Comply with HIPAA, legal process, or direction from the Secretary of Health and Human Services.

PHI is never used for marketing, advertising, AI model training outside the contracted Service, or any purpose other than providing the Service to the Subscriber clinic.


4. HIPAA Notice

4.1 Business Associate Status

Maps Health Network LLC is a HIPAA Business Associate as defined at 45 CFR § 160.103 with respect to PHI it handles on behalf of Subscriber clinics. As a Business Associate, the Company is subject to the HIPAA Privacy Rule (45 CFR Part 164, Subpart E) and the HIPAA Security Rule (45 CFR Part 164, Subpart C) with respect to PHI and ePHI it creates, receives, maintains, or transmits on behalf of a Covered Entity.

4.2 PHI Handling Principles

The Company handles PHI consistent with the following principles:

(a) Minimum Necessary: The Company accesses and uses PHI only to the minimum extent necessary to perform the Service, as required by 45 CFR § 164.502(b).

(b) Purpose Limitation: PHI is used and disclosed only for permitted purposes as set forth in the BAA and as required or permitted by HIPAA.

(c) No Sale or Marketing: PHI is never sold (45 CFR § 164.514(e)(3)) and never used for marketing purposes (45 CFR § 164.514(e)) without a valid HIPAA authorization.

(d) Security Safeguards: The Company implements administrative, physical, and technical safeguards required by the HIPAA Security Rule (45 CFR Part 164, Subpart C) to protect ePHI.

4.3 Encryption

  • In transit: All PHI transmitted between systems (including call audio, transcripts, and API calls) is encrypted using TLS 1.2 or higher.
  • At rest: Call recordings and transcripts are stored using AES-256 encryption on encrypted storage volumes.

4.4 PII and PHI Redaction

The Company applies automated redaction and de-identification processes to stored transcripts where technically feasible, consistent with the de-identification standards at 45 CFR § 164.514(b). Fully de-identified data is not PHI under HIPAA and may be used for aggregate analytics and Service improvement.

4.5 Configurable Retention; Default 90-Day Purge

Call recordings and transcripts are retained for a default period of ninety (90) days from the date of the call, after which they are automatically and permanently purged from the Company's systems. Subscribers may configure a shorter retention period through the account dashboard. Retention and destruction obligations are further specified in the BAA.

4.6 Breach Notification

In the event of a Breach of Unsecured PHI (as defined at 45 CFR § 164.402), Maps Health Network LLC will notify the affected Subscriber (as Covered Entity) without unreasonable delay, and in no event later than sixty (60) days after the Company discovers the Breach, in accordance with 45 CFR § 164.410. Notification will include the information required by 45 CFR § 164.410(c). The Covered Entity retains responsibility for notifying affected individuals and the Secretary of HHS pursuant to 45 CFR §§ 164.404 and 164.408.


5. Cookies & Analytics

5.1 Cookies Used

GLP1Receptionist.com uses the following types of cookies:

| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Session management, security | Session |
| Analytics | Aggregate site usage (server-side) | Up to 12 months |
| Preference | Remembering user preferences | Up to 12 months |

We do not use advertising or tracking cookies. We do not permit third-party advertising networks to place cookies on GLP1Receptionist.com.

5.2 Server-Side Analytics

The Company uses server-side analytics to measure Site performance and visitor behavior. Server-side analytics process request data on Company infrastructure rather than injecting client-side scripts that send PII to third-party servers. This approach limits transmission of PII to external analytics platforms.

5.3 No Client-Side PII Transmission to Google

The Site does not use Google Analytics in a manner that transmits personally identifiable information to Google's client-side tracking systems. Any analytics integrations are configured to anonymize IP addresses and are subject to data processing agreements.

5.4 Opt-Out

You may opt out of non-essential cookies by:

  • Adjusting your browser's cookie settings;
  • Using a browser privacy extension (e.g., uBlock Origin); or
  • Contacting us at markshepmv@gmail.com to request opt-out of any analytics associated with your account.

Disabling cookies may affect the functionality of certain Site features.


6. Third-Party Subprocessors

Maps Health Network LLC uses the following categories of subprocessors to provide the Service. Each subprocessor is bound by a data processing agreement or business associate agreement as applicable.

| Subprocessor | Purpose | Data Processed |
|---|---|---|
| Stripe, Inc. | Payment processing | Billing information, payment card data |
| Voice AI Platform (third-party) | AI voice infrastructure for Grace | Call audio, transcripts |
| Render Services, Inc. | Application hosting | Subscriber data, application logs |
| Amazon Web Services (AWS S3) | Encrypted storage for call recordings and transcripts | Call recordings, transcripts (ePHI) |
| Email service provider | Transactional email | Subscriber email address |
| Analytics platform | Server-side site analytics | Anonymized usage data |

For a current, complete list of subprocessors, see: GLP1Receptionist.com/subprocessors.

The Company will provide Subscribers with at least thirty (30) days' advance written notice before adding or materially changing a subprocessor that processes PHI, allowing Subscribers the opportunity to object. This right is set forth in the BAA.


7. Data Security

7.1 Technical Safeguards

The Company implements the following technical safeguards consistent with 45 CFR § 164.312:

  • TLS 1.2+ encryption for all data in transit;
  • AES-256 encryption for all data at rest;
  • Multi-factor authentication for all Company personnel who access PHI-containing systems;
  • Role-based access controls (RBAC) limiting PHI access to authorized personnel on a minimum-necessary basis;
  • Automated session timeouts for administrative interfaces;
  • Vulnerability scanning and patching on a defined schedule; and
  • Intrusion detection and monitoring.

7.2 Administrative Safeguards

Consistent with 45 CFR § 164.308, the Company maintains:

  • A designated Privacy and Security Officer;
  • A workforce training program covering HIPAA obligations;
  • Written policies and procedures for PHI access, use, disclosure, and incident response; and
  • Annual risk analysis and risk management processes.

7.3 Physical Safeguards

Consistent with 45 CFR § 164.310, Company data is hosted in SOC 2 Type II certified data centers with physical access controls, environmental controls, and media disposal procedures.

7.4 Audit Logging

All access to systems containing PHI is logged. Audit logs are retained for a minimum of six (6) years consistent with HIPAA record retention requirements (45 CFR § 164.530(j)).

7.5 Incident Response

The Company maintains a written incident response plan. In the event of a security incident, the Company will: (a) investigate promptly; (b) take appropriate remediation steps; and (c) notify affected Subscribers as required by the BAA and applicable law, including within 60 days of breach discovery for HIPAA Breaches per 45 CFR § 164.410.


8. Data Retention & Deletion

| Data Type | Default Retention | Basis |
|---|---|---|
| Call recordings (audio) | 90 days | BAA; configurable by Subscriber |
| Call transcripts | 90 days | BAA; configurable by Subscriber |
| Subscriber account data | Duration of subscription + 3 years | Legal/business records |
| Billing records | 7 years | Tax and financial record requirements |
| Visitor analytics (aggregated) | 12 months, then aggregated/purged | Legitimate interest |
| Contact form submissions | 2 years or until request fulfilled | Legitimate interest |
| Audit logs | 6 years | 45 CFR § 164.530(j) |

Subscribers may request earlier deletion of call recordings and transcripts by adjusting retention settings in the account dashboard or by contacting markshepmv@gmail.com. Deletion requests for PHI are governed by the BAA.

Upon termination of a subscription, the Company will delete or return PHI as specified in the BAA within sixty (60) days, subject to any legal holds.


9. Your Rights

9.1 Rights of Site Visitors and Subscribers

Subject to applicable law, you have the right to:

  • Access: Request a copy of personal information we hold about you;
  • Correction: Request correction of inaccurate personal information;
  • Deletion: Request deletion of your personal information, subject to legal retention requirements;
  • Portability: Request your personal information in a portable, machine-readable format;
  • Opt-out of sale: The Company does not sell personal information, so this right is not applicable; and
  • Restriction: Request restriction of processing in certain circumstances.

To exercise any of these rights, contact us at: markshepmv@gmail.com. We will respond within forty-five (45) days (or within the period required by applicable law). We may request identity verification before processing your request.

9.2 Patient Rights (PHI)

Patients who wish to exercise their HIPAA rights — including the right to access, amend, or obtain an accounting of disclosures of their PHI under 45 CFR §§ 164.524, 164.526, and 164.528 — must contact their clinic (the Covered Entity) directly. Maps Health Network LLC, as a Business Associate, will cooperate with Covered Entities to facilitate the exercise of patient rights as required by the BAA and 45 CFR § 164.504(e)(2)(ii)(E)–(G).

9.3 California Residents — CCPA/CPRA

California residents have rights under the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 et seq.) as amended by the California Privacy Rights Act ("CPRA"), including:

  • Right to Know: the categories and specific pieces of personal information we collect, use, disclose, and sell;
  • Right to Delete: request deletion of personal information, subject to exceptions;
  • Right to Correct: request correction of inaccurate personal information;
  • Right to Opt-Out of Sale/Sharing: we do not sell or share personal information as defined under CCPA/CPRA;
  • Right to Limit Use of Sensitive Personal Information: to the extent applicable;
  • Right to Non-Discrimination: we will not discriminate against you for exercising your rights.

Shine the Light: California Civil Code § 1798.83 permits California residents to request information about third parties to whom we have disclosed personal information for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

To submit a California rights request, email markshepmv@gmail.com with the subject line "California Privacy Request." We will verify your identity before processing. You may designate an authorized agent to make a request on your behalf by providing written authorization.

California Note on Patient PHI: PHI subject to HIPAA is exempt from CCPA/CPRA to the extent provided in Cal. Civ. Code § 1798.145(c)(1)(A). Patient PHI is governed by HIPAA and the clinic's NPP.


10. Children's Privacy

GLP1Receptionist.com and the Service are not directed to children under the age of thirteen (13). The Company does not knowingly collect personal information from children under 13. The Service is designed for use by licensed healthcare clinics and their adult patients.

If you believe that we have inadvertently collected personal information from a child under 13, please contact us at markshepmv@gmail.com and we will promptly delete such information. This commitment is consistent with the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506 ("COPPA").


11. State-Specific Disclosures

11.1 California (Cal. Civ. Code §§ 1798.100 et seq. — CCPA/CPRA)

See Section 9.3 above for a full description of California rights. Maps Health Network LLC does not sell or share personal information. The Company does not use automated decision-making that produces legal or similarly significant effects on California consumers in a manner that would require opt-out rights under the CPRA regulations.

11.2 Colorado (Colo. Rev. Stat. §§ 6-1-1301 et seq. — CPA)

Colorado residents have the right to: access, correct, delete, and obtain a portable copy of personal data; opt out of the sale of personal data (we do not sell personal data); opt out of targeted advertising (we do not engage in targeted advertising based on personal data); and opt out of profiling in furtherance of decisions that produce legal or similarly significant effects (we do not engage in such profiling). To exercise rights, contact markshepmv@gmail.com.

11.3 Connecticut (Conn. Gen. Stat. §§ 42-515 et seq. — CTDPA)

Connecticut residents have the right to access, correct, delete, and obtain a portable copy of personal data, and to opt out of the sale of personal data, targeted advertising, and profiling in furtherance of decisions with legal or similarly significant effects. We do not sell personal data or engage in targeted advertising. To exercise rights, contact markshepmv@gmail.com.

11.4 Virginia (Va. Code Ann. §§ 59.1-571 et seq. — VCDPA)

Virginia residents have the right to access, correct, delete, and obtain a copy of personal data, and to opt out of the sale of personal data (we do not sell personal data) and targeted advertising. To exercise rights, contact markshepmv@gmail.com.

11.5 Utah (Utah Code Ann. §§ 13-61-101 et seq. — UCPA)

Utah residents have the right to access, delete, and obtain a portable copy of personal data, and to opt out of the sale of personal data and targeted advertising. We do not sell personal data or engage in targeted advertising. To exercise rights, contact markshepmv@gmail.com.

11.6 Two-Party Consent States

With respect to call recording, the Subscriber is responsible for compliance with two-party (all-party) consent recording laws in the states where it operates. The Company configures Grace to provide a recording disclosure at the start of every call. Subscribers operating in California, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania, Washington, Connecticut, Delaware, Oregon, and Vermont bear responsibility for ensuring that the configured disclosure satisfies applicable state law requirements and for maintaining records of compliance.


12. Changes to This Policy

Maps Health Network LLC may update this Policy from time to time. The current version will always be posted at GLP1Receptionist.com/privacy with the Effective Date noted. For material changes, we will provide at least thirty (30) days' advance notice via email to Subscriber accounts. Continued use of the Service after the effective date of a change constitutes acceptance of the revised Policy. If you do not agree to a material change, you may cancel your subscription pursuant to the Terms of Service before the effective date of the change.


13. Contact

For privacy inquiries, rights requests, or data protection matters:

Maps Health Network LLC
Attn: Mark "Shep" Shepherd, Founder / Privacy Contact
Email: markshepmv@gmail.com
Website: GLP1Receptionist.com
Address: 30 N. Gould St, Ste N, Sheridan, WY 82801

For HIPAA-specific matters or BAA inquiries: markshepmv@gmail.com

For patient PHI rights: Contact your clinic directly. Your clinic will coordinate with Maps Health Network LLC as required by the BAA.


Cross-reference: This Policy should be read in conjunction with the GLP-1 Receptionist Terms of Service, the Business Associate Agreement, and your clinic's Notice of Privacy Practices.

Not medical advice. Always consult a licensed healthcare provider.

© 2026 Maps Health Network LLC. All rights reserved.


Grace handles intake only. Clinical decisions remain with licensed providers in their licensed states. Calls may be recorded.
