Privacy policy
Last updated · 1 May 2026
This policy explains what we collect when you visit precisioncompliancegroup.com, the third party tools we use, and the choices you have. We are Precision Compliance Group ("PCG", "we", "us"). Questions: support@PrecisionComplianceGroup.onmicrosoft.com.
1. What we collect
- Information you submit. If you contact us or request a demo, we get the name, work email, company, and any message you send. We use it only to reply.
- Information collected automatically. Standard server logs (IP address, browser type, pages viewed, timestamps) and information collected by the third party services listed below.
2. Third party services
Google Analytics 4
We use Google Analytics 4 (GA4) to measure traffic and understand how visitors use the site. GA4 sets first party cookies (such as _ga and _ga_<id>) and collects pseudonymous identifiers, page activity, device and browser information, and a truncated IP address. Data is processed by Google. See the Google Privacy Policy. You can opt out across all sites with the Google Analytics Opt-out Browser Add-on, or only this site using the controls below.
RB2B
We use RB2B to identify business visitors. RB2B operates only for visitors located in the United States and matches device and network signals against its identity graph to provide us with the visitor's name, company, work email, and LinkedIn profile when a match is available. RB2B may set cookies or use local storage on your browser. Under California law (CCPA / CPRA), this activity may qualify as a "sale" or "share" of personal information. See the RB2B Privacy Policy and use the controls below to opt out for this site, or visit rb2b.com/opt-out to opt out across all sites that use RB2B.
3. How we use information
- To respond to inquiries and demo requests.
- To measure and improve the performance of the site.
- To identify the businesses visiting our site for B2B sales outreach.
- To meet our legal obligations and protect against fraud or abuse.
We do not sell personal information for monetary consideration. We do share visitor data with RB2B as described above, which may be considered a "sale" or "share" under California law.
4. Your rights and choices
Depending on where you live, you may have the right to access, correct, delete, or port your personal information, and to opt out of the sale or sharing of your personal information. To exercise any of these rights, email us at support@PrecisionComplianceGroup.onmicrosoft.com.
Global Privacy Control (GPC)
If your browser sends a Global Privacy Control signal, we treat it as a valid opt-out request and will not load Google Analytics or RB2B for your visit.
5. Do Not Sell or Share My Personal Information
Use the buttons below to opt this browser out of analytics and B2B identification on this site. Your choice is stored locally in your browser. Clearing your browser data will reset it.
6. Data retention
Inquiry emails are kept for as long as needed to maintain the customer relationship and meet legal obligations. Analytics data is kept per Google's default GA4 retention setting (currently 14 months) and per RB2B's standard retention.
7. Children
This site is intended for business users. We do not knowingly collect personal information from anyone under 16.
8. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change.
Platform privacy: for organizations using the PCG Core compliance platform
The sections above describe how we handle data collected from visitors to our marketing website. The sections below describe how PCG handles data submitted by our customers (Medicare Advantage organizations and their workforce) when using the PCG Core compliance platform. If you are a workforce member of a PCG customer, your covered entity's HIPAA Notice of Privacy Practices applies first; PCG processes your information as a Business Associate.
9. What customer data we process
When a customer organization uses PCG Core, we process the following categories of information on the organization's behalf:
- Workforce account data. Name, work email, role, organization, department, and authentication metadata for each user the customer invites.
- Compliance work product. Regulatory memos, policies, corrective action plans, audit findings, risk assessments, network adequacy files, and the audit trail of every action taken on them.
- Submission files. CMS Program Audit universes (ODAG, CDAG, SNPCC, CPE, FA), HPMS reporting submissions, provider and facility files for Network Adequacy, and FDR oversight records, uploaded by the customer or by a delegated First-tier, Downstream, or Related entity (FDR) via a secure portal.
- Protected Health Information (PHI). Where a customer's universe files contain PHI (for example, member identifiers within an ODAG universe), PCG processes that PHI as a HIPAA Business Associate under a signed Business Associate Agreement (BAA).
- Logs and telemetry. System logs, audit events, and operational telemetry necessary to operate, secure, and improve the platform. Logs are redacted of sensitive payload content per our Data Classification and Handling policy.
10. How we use customer data
We use customer data only to:
- Provide the platform features the customer subscribes to.
- Maintain the security, availability, and integrity of the platform.
- Generate audit evidence and compliance reports for the customer.
- Meet our legal obligations.
We do not use customer data to train general-purpose AI models. Where AI assists the customer's work (for example, classifying an inbound regulatory document), the AI runs in PCG's Microsoft Azure environment under the same Microsoft Business Associate Agreement, with no data shared outside Azure boundaries.
11. Sub-processors
PCG uses a small set of vetted sub-processors to operate the platform. Every sub-processor that may process customer data is governed by a BAA where PHI is involved and is listed in our Vendor BAA Inventory, which is reviewed annually.
- Microsoft Azure: cloud infrastructure (compute, storage, database, secrets management, monitoring). HIPAA BAA in place via the Microsoft Online Services Terms.
- Microsoft Azure OpenAI Service: AI-assisted classification and summarization. Operated inside the same Microsoft Azure environment under the same BAA. No data sent to OpenAI, Inc.
We will provide a current sub-processor list to any customer or auditor on request.
12. How we protect customer data
- Encryption in transit: TLS 1.2 or higher on every connection to the platform.
- Encryption at rest: Azure-managed encryption on the database, file storage, and backups.
- Secrets: all secrets and signing keys held in Azure Key Vault with managed identity.
- Authentication: multi-factor authentication required for every user account.
- Tenant isolation: each customer's data is logically isolated; access controls prevent cross-tenant reads.
- Audit logging: every action is captured in an append-only log with a cryptographic hash chain (HMAC) so that tampering is detectable.
- Workforce access: PCG personnel access to customer data is limited, role-based, logged, and subject to quarterly access review.
13. Data subject rights (for individuals)
Where required by law (GDPR, CCPA/CPRA, HIPAA, or applicable U.S. state privacy laws), individuals whose personal information PCG processes have the following rights:
- Access: request a copy of personal information PCG processes about you.
- Correction: request that inaccurate information be corrected.
- Deletion: request deletion of personal information, subject to legal retention obligations.
- Portability: receive personal information in a portable format.
- Restriction: request that PCG restrict processing in certain circumstances.
- Withdrawal of consent: where processing is based on consent.
If you are a workforce member of a PCG customer, direct your request to your employer (the covered entity) first, as PCG processes the data on their behalf. PCG will assist the customer in responding within statutory timeframes. For direct requests, email support@PrecisionComplianceGroup.onmicrosoft.com with subject line "Privacy Request"; we acknowledge within 5 business days and respond within 30 days (extendable once by 30 days where permitted by law).
14. Retention
PCG retains customer data for the duration of the customer agreement. Audit-trail and compliance evidence is retained for the 10-year period required by federal Medicare Advantage regulations (42 CFR §422.504). On contract termination, the customer may request return or deletion of their data; PCG will fulfill the request within 60 days unless a longer retention period is required by law. Backups are retained for 7 days on a rolling basis (Postgres point-in-time recovery window).
15. Breach notification
If PCG discovers an actual or suspected breach of unsecured PHI, we notify the affected customer (covered entity) without unreasonable delay and in no case later than 60 days after discovery, per 45 CFR §164.410. The notice includes the categories of information involved, the steps PCG has taken to investigate and mitigate, and the steps the customer should take to notify affected individuals. Our Incident Response Policy and tabletop drill records are available to customers and auditors on request.
16. International transfers
Customer data is hosted in Microsoft Azure data centers within the United States. PCG does not transfer customer data outside the United States.
17. Children
The platform is intended for compliance workforce members of regulated Medicare Advantage organizations and their delegated entities. Customers may submit personal information about Medicare beneficiaries (who are typically aged 65 and over or otherwise qualifying under federal law) in the course of compliance reporting; that information is governed by the customer's own HIPAA Notice of Privacy Practices.
18. Updates to this notice
We may update this notice from time to time. The "Last updated" date at the top of the page reflects the most recent change. Material changes that affect customer obligations or rights are communicated to designated customer contacts in advance.
19. Contact
Precision Compliance Group
support@PrecisionComplianceGroup.onmicrosoft.com
HIPAA Privacy Officer: Mario Botana (Chief Compliance Officer)
HIPAA Security Officer: Mario Botana (Chief Technology Officer)
For privacy requests, use subject line "Privacy Request". For incident or breach reports, use subject line "Incident".