BillTraq by SonaRev — Privacy Policy
Effective Date: 5/1/2026
Last Updated: 5/1/2026
SonaRev, LLC ("Company," "we," "us," or "our") respects your privacy and is committed to protecting the information we collect through the BillTraq by SonaRev platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect personal information and Protected Health Information (PHI).
This Policy applies to information collected through the Service. Our collection and use of PHI is also governed by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Business Associate Agreement ("BAA") between us and the applicable covered entity.
1. Scope and Applicability
This Privacy Policy applies to:
- Users of the Service: Practice Users, Internal Staff, and Administrators who create accounts and interact with the platform.
- Patient Information: Protected Health Information submitted to the Service by Customer practices in connection with verification of benefits, claims, and authorization workflows.
- Visitors: Individuals visiting our public-facing pages (login, registration, password reset).
2. Information We Collect
2.1 Account Information
When you register or are invited to create an account, we collect:
- Full name
- Email address
- Role (Practice User, Internal Staff, or Administrator)
- Practice affiliation (if applicable)
- Password (stored as a cryptographic hash — we never store passwords in plain text)
- Multi-factor authentication details (phone number or authenticator app configuration, if enabled)
2.2 Protected Health Information (PHI)
In the course of providing the Service, Customer practices submit PHI to the platform. This may include:
- Patient demographics (name, date of birth, address, contact information)
- Insurance information (carrier, policy number, group number, subscriber details)
- Verification of benefits results
- Claims and prior authorization records
- Clinical notes and call logs relevant to verification workflows
PHI is collected, stored, and processed strictly in accordance with HIPAA and the applicable BAA.
2.3 Usage Information
We automatically collect certain information when you use the Service:
- IP address and general location (city/region level)
- Browser type and version
- Operating system
- Pages visited and features used
- Timestamps of actions performed
- Session duration
2.4 Audit and Security Data
For security and compliance purposes, we maintain audit logs of significant actions, including login attempts, data access, record modifications, and administrative changes. These logs include user identifiers, timestamps, and IP addresses.
3. How We Use Information
We use the information we collect to:
- Provide, maintain, and improve the Service;
- Authenticate users and secure accounts;
- Process verification of benefits, claims, and authorization requests;
- Communicate with users about their accounts and the Service (invitations, approvals, status updates, support responses);
- Comply with legal obligations, including HIPAA requirements;
- Detect, prevent, and respond to fraud, security threats, and illegal activity;
- Generate de-identified analytics to understand usage patterns and improve the Service;
- Enforce our Terms of Service and other agreements.
We do not sell, rent, or trade personal information or PHI to third parties for marketing purposes.
4. How We Share Information
We share information only in the following circumstances:
4.1 With Service Providers
We use trusted third-party service providers to operate the Service. Each provider has access only to the information necessary to perform its function. Where PHI is involved, the provider is contracted under a HIPAA Business Associate Agreement (BAA). Our third-party service providers are listed below.
4.1.1 Amazon Web Services (AWS) — HIPAA Business Associate
AWS provides the cloud infrastructure that hosts BillTraq by SonaRev. All AWS services used by BillTraq by SonaRev are covered by a Business Associate Agreement between SonaRev and Amazon Web Services, Inc.
- Amazon RDS (PostgreSQL): Primary application database. Stores all PHI (patient demographics, insurance information, verification results, claims data) and user PII (account details, audit logs). Data is encrypted at rest.
- Amazon S3: Document storage with server-side encryption via AWS KMS. Stores insurance card images, uploaded documents, and generated PDF reports containing PHI.
- Amazon Cognito: User authentication, password management, and multi-factor authentication (MFA). Stores user email addresses, password hashes, and MFA configuration including phone numbers if SMS MFA is enabled.
- Amazon SES (Simple Email Service): Delivers transactional emails including invitations, welcome messages, password reset codes, and verification of benefits (VOB) status notifications. Email content is limited to user names, email addresses, status labels, and portal links; no PHI is included in emails.
- Amazon SNS (Simple Notification Service): Delivers SMS messages containing multi-factor authentication codes, invoked indirectly through Amazon Cognito when SMS MFA is enabled. Receives phone numbers and one-time codes only.
- AWS KMS (Key Management Service): Manages encryption keys used to protect data at rest in S3 and RDS. KMS does not receive customer data — only encryption key operations.
- Amazon CloudWatch / CloudTrail: Operational logging and monitoring. Receives infrastructure metrics and API call metadata. Personal data is sanitized before logging.
4.1.2 Intuit QuickBooks Online — NOT a HIPAA Business Associate
QuickBooks Online is used by customer practices that choose to connect their QuickBooks account for optional invoice synchronization.
- Purpose: Optional accounting and invoicing integration.
- Data shared with QuickBooks: Practice (customer) name, invoice number, invoice dates, invoice amounts, and invoice line item descriptions.
- Data NOT shared with QuickBooks: Patient names, dates of birth, insurance details, medical codes, or any other Protected Health Information. Invoice line items are designed to contain no patient identifiers.
- Connection: QuickBooks sync is opt-in and requires a Customer administrator to explicitly authorize the connection via OAuth 2.0. The integration can be disconnected at any time from within the Service, which revokes our access and deletes the stored authorization tokens.
- Third-party privacy policy: Data sent to QuickBooks is subject to Intuit's Privacy Policy, available at https://www.intuit.com/privacy/.
4.1.3 Microsoft Clarity — NOT a HIPAA Business Associate
Microsoft Clarity is used for anonymous usage analytics on the application interface.
- Purpose: Understand how users interact with the Service in order to improve usability and diagnose interface problems.
- Data shared with Clarity: IP address (hashed by Clarity), browser type and version, operating system, device type, pages visited, click events, and scroll/navigation patterns. Sensitive form fields are automatically masked so their values are not captured.
- Data NOT shared with Clarity: Patient names, dates of birth, insurance identifiers, medical codes, or any other Protected Health Information.
- Third-party privacy policy: Data sent to Microsoft Clarity is subject to Microsoft's Privacy Statement, available at https://privacy.microsoft.com/.
4.1.4 Slack — NOT a HIPAA Business Associate
Slack is used as an internal notification channel for the SonaRev operations team.
- Purpose: Notify internal staff of operational events including new user signups, invitation acceptances, user approvals, support ticket activity, and application errors.
- Data shared with Slack: User names, email addresses, user roles, practice names, support ticket subjects and categories, and application error context (function names, sanitized error messages). This is considered PII.
- Data NOT shared with Slack: Patient names, dates of birth, insurance identifiers, medical codes, clinical notes, or any other Protected Health Information.
- Third-party privacy policy: Data sent to Slack is subject to Slack Technologies' Privacy Policy, available at https://slack.com/trust/privacy.
4.2 With Customer Practices
User account information and activity within a practice is visible to that practice's authorized Administrators and, as necessary to operate the Service, to SonaRev Internal Staff.
4.3 Legal Compliance
We may disclose information if required by law, subpoena, court order, or other legal process, or to respond to a government request, protect our rights, enforce our Terms, or protect the safety of users.
4.4 Business Transfers
If Company is involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction, subject to standard confidentiality protections and HIPAA requirements.
4.5 With Consent
We may share information with your consent or at your direction.
5. Data Security
We implement industry-standard administrative, physical, and technical safeguards to protect information:
- Encryption in transit: All data transmitted to and from the Service is encrypted using TLS 1.2 or higher.
- Encryption at rest: Data stored in our systems is encrypted using AES-256.
- Access controls: Role-based access restricts data visibility to authorized users only.
- Authentication: Strong password requirements and optional multi-factor authentication.
- Audit logging: All access to PHI is logged and monitored.
- Automatic session timeouts: Idle sessions expire after 15 minutes (Internal Staff/Administrators) or 30 minutes (Practice Users) to limit the exposure of unattended sessions.
- Network security: Firewalls, intrusion detection, and regular security assessments.
- Workforce training: Personnel with access to PHI receive HIPAA training and sign confidentiality agreements.
Despite these safeguards, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
6. Data Retention
We retain personal information and PHI for as long as necessary to provide the Service and as required by law:
- Active account data: Retained for the duration of the account.
- PHI: Retained in accordance with HIPAA requirements and the applicable BAA, typically for at least six (6) years after the date of creation or the date last in effect, whichever is later.
- Audit logs: Retained for at least six (6) years in accordance with HIPAA requirements.
- Deactivated accounts: Account metadata is retained but access is disabled. PHI may be retained as required by law and the BAA.
- Backups: Encrypted backups are retained for a rolling period of thirty-five (35) days for disaster recovery purposes.
- QuickBooks authorization tokens: Stored while the QuickBooks integration is active. A Customer administrator may disconnect QuickBooks at any time from the practice settings, which revokes our access and deletes the stored authorization tokens.
Upon termination of the service agreement, we will return or destroy PHI in accordance with the BAA.
7. Your Rights and Choices
7.1 Access and Correction
Users can view and update their account information through the Settings page in the application. Patients with rights under HIPAA may contact the Customer practice (covered entity) to exercise their rights regarding their PHI.
7.2 Account Deactivation
Contact your practice Administrator or email privacy@billtraq.com to request account deactivation.
7.3 Communications
You can opt out of non-essential email notifications through the Settings page. Transactional emails (account, security, and billing notifications) are required and cannot be opted out of while your account is active.
7.4 Cookies and Tracking
The Service uses essential cookies for authentication and session management. These cookies are required for the Service to function. Microsoft Clarity uses cookies for anonymous behavior analytics; you may opt out through your browser settings.
8. HIPAA Rights
If you are a patient whose PHI is processed through the Service:
- The Customer practice (covered entity) is the primary point of contact for HIPAA rights, including your right to access, amend, and request an accounting of disclosures of your PHI.
- SonaRev acts as a Business Associate and will cooperate with the Customer practice to fulfill legitimate HIPAA requests.
- Requests should be directed to the Customer practice that provided your information.
9. Children's Privacy
The Service is not directed to individuals under the age of 13. We do not knowingly collect personal information directly from children. Patient information about minors submitted by Customer practices is treated as PHI under HIPAA.
10. International Users
The Service is hosted in the United States and intended for use by audiology practices operating in the United States. By using the Service, you acknowledge that your information will be processed in the United States, which may have different data protection laws than your country of residence.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification with at least thirty (30) days' advance notice. The "Last Updated" date at the top of this Policy indicates when it was last revised.
Continued use of the Service after a revised Policy becomes effective constitutes acceptance of the revised terms.
12. Contact Us
If you have questions or concerns about this Privacy Policy or our privacy practices, please contact:
SonaRev
Attn: Privacy Officer
6650 Rivers Ave Ste 100
Charleston, SC 29406-4809
Email: privacy@billtraq.com
For security incidents or suspected unauthorized access, please contact security@billtraq.com immediately.
© 2026 SonaRev, LLC. All rights reserved. "BillTraq by SonaRev" and "SonaRev" are trademarks of SonaRev, LLC.