Privacy Policy

Last Updated: July 3, 2026

MHC Information Services, LLC

Version: 2.0
Last Updated: July 3, 2026
Effective Date: July 3, 2026


Table of Contents

  1. Overview and Scope
  2. Information We Collect
  3. Cookies and Tracking Technologies
  4. How We Use Your Information
  5. Legal Bases for Processing
  6. Data Retention
  7. Data Sharing and Subprocessors
  8. International Data Transfers
  9. Security Measures
  10. Data Breach Notification
  11. Your Privacy Rights
  12. California Residents (CCPA/CPRA)
  13. Children's Privacy
  14. Third-Party Links
  15. Changes to This Privacy Policy
  16. Contact Us

1. Overview and Scope

Who We Are

MHC Information Services, LLC ("MHCIS," "we," "us," or "our") is a security and software engineering firm serving regulated industries, including financial services, insurance, and healthcare. We are committed to protecting your privacy and to handling personal information with care.

What This Policy Covers

This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your personal information when you:

  • Visit our website at www.mhcis.com (the "Site"), which is largely informational
  • Submit a contact or support request through a form on the Site
  • Engage our professional services
  • Communicate with us via email, phone, or other channels

Geographic Scope

We primarily serve clients within the United States, and our infrastructure is hosted in United States regions. Where we process personal data on behalf of clients who are themselves subject to the EU General Data Protection Regulation (GDPR) or the UK GDPR, the additional protections described in this Policy and in our Data Processing Agreement (DPA) apply.

Key Definitions

  • Personal Information: Information that identifies, relates to, describes, or could reasonably be linked to you.
  • Processing: Any operation performed on personal information, including collection, storage, use, disclosure, or deletion.
  • Third Party: An entity other than MHCIS or you.
  • Subprocessor: A third party that processes personal information on our behalf.

2. Information We Collect

2.1 Information You Provide to Us

We collect personal information that you voluntarily provide when you interact with us. Forms on the Site are protected by Vercel BotID (an invisible bot-mitigation check with no user-facing challenge) and by server-side rate limiting.

Contact Form Submissions

When you submit our contact form, we collect:

  • Full Name: To address you appropriately
  • Email Address: For correspondence and follow-up
  • Phone Number (optional): For direct contact if needed
  • Subject: The nature of your inquiry
  • Message: The content of your inquiry or request
  • Timestamp: The date and time of submission

Support Request Submissions

When you submit our support form, we collect:

  • Full Name: To address you appropriately
  • Email Address: For correspondence and follow-up
  • Phone Number (optional): For direct contact if needed
  • Topic: The category of your support request
  • Urgency: The urgency level you select
  • Subject: A short summary of your message
  • Description: The detailed content of your support request
  • Timestamp: The date and time of submission

For both contact and support submissions, we record your IP address only as a salted SHA-256 hash, used for abuse prevention and rate limiting. We do not store your IP address in plain text with these submissions.

Email and Direct Communications

When you email us or communicate directly, we collect the content of your message, any attachments, and message metadata (such as sender, recipient, and timestamp). Our business email is operated on Microsoft 365.

Service Engagements

When you engage our professional services, we may collect billing and contract documentation, technical information necessary to perform the engagement, and, where applicable and with your authorization, access information. The specific handling of client data is governed by our engagement contract and DPA rather than by this Site policy.

2.2 Information We Collect Automatically

When you visit our Site, limited technical information is processed to deliver the Site and keep it secure:

  • Server logs: Requests to our hosting and edge infrastructure, including URLs, response codes, and timestamps. IP addresses may be processed transiently for security and rate limiting; where retained in association with your form submissions, an IP is stored only as a salted SHA-256 hash.
  • Error and exception data: When an error occurs, diagnostic information (which may include an IP address and technical environment details) is processed by our error-monitoring provider, Sentry, to help us diagnose and fix problems.
  • Cookieless first-party analytics (no consent required): We use Vercel Web Analytics (Vercel Inc., US), a privacy-friendly, cookieless first-party analytics tool that measures aggregate page views and a small number of custom events (such as phone and email link clicks and contact-form outcomes). It sets no cookies, performs no cross-site tracking, and does not require consent.
  • Consent-gated third-party analytics and advertising: A separate set of non-essential third-party trackers (Microsoft Clarity, the LinkedIn Insight Tag, and RB2B) load only after you opt in to the "analytics" category through our consent banner and are suppressed when your browser sends a Global Privacy Control (GPC) signal (see Section 3). These are off by default. None of them load before you opt in.

Our web fonts are self-hosted. The Site does not call any third-party font service.

2.3 Information from Third Parties

We may receive limited operational information from our infrastructure and email providers (for example, delivery status for email we send you) and publicly available business information used for ordinary client due diligence.


3. Cookies and Tracking Technologies

3.1 What Are Cookies?

A "cookie" is a small text file that a website stores on your device. Some websites also use similar technologies such as localStorage. These technologies help a site function and, where enabled, help measure usage.

3.2 Essential vs. Consent-Gated Technologies

We divide the technologies we use into two categories: strictly necessary technologies that are always active because the Site cannot function or honor your choices without them, and consent-gated analytics and advertising trackers that are off by default and load only after you opt in.

Separately, we run Vercel Web Analytics, a cookieless first-party analytics tool. Because it sets no cookies and does not track you across sites, it is not part of the consent-gated category and runs without requiring your consent (see Section 2.2).

Our web fonts are self-hosted; we do not load fonts from any third-party font service, so no font-CDN requests are made from your browser.

Strictly Necessary Storage

Name Type Set By Purpose Duration
cookieConsent localStorage MHCIS (first party) Records your analytics consent choice Until cleared
cookieConsentDate localStorage MHCIS (first party) Records the date of your consent choice Until cleared

These consent values are stored in your browser's localStorage, not as cookies, and are required for the Site to honor your privacy preferences.

Consent-Gated Analytics and Advertising

In addition to our cookieless first-party analytics, we use the following non-essential third-party trackers, which make up the "analytics" category in our consent banner. These technologies:

  • Are non-essential and off by default (consent is opt-in)
  • Load only after you affirmatively opt in through our consent banner
  • Are not loaded at all when GPC is active, regardless of any prior consent choice
  • Stop loading if you later withdraw consent
Provider Set By Purpose
Microsoft Clarity Microsoft Corporation (US) Session replay and heatmaps to understand how visitors use the Site
LinkedIn Insight Tag LinkedIn Corporation, a Microsoft company (US) B2B advertising and conversion measurement (active only when configured)
RB2B RB2B, Inc. (US) Business website-visitor identification (identifies the company or associated business contact for a visit) for sales and marketing

Withdrawing analytics consent, or enabling Global Privacy Control (GPC), prevents all three of these trackers from loading. Because RB2B and the LinkedIn Insight Tag involve sharing online identifiers with those providers for analytics and advertising, declining analytics consent or sending a GPC signal is also how you opt out of that sharing.

3.3 How to Manage Cookies

You can control cookies and similar storage through your browser settings. Most browsers (including Chrome, Safari, Firefox, and Edge) let you view, block, or delete cookies and site data under their privacy or security settings. You can also change your analytics choice at any time through the consent controls on the Site.

3.4 Impact of Declining

If you decline analytics consent (or send a GPC signal), you can still browse the Site and access its content. Non-essential analytics simply will not load. The strictly necessary storage that records your choice remains in place so that we can honor it.

3.5 Consent, Do Not Track, and Global Privacy Control

Analytics Consent (Opt-In): Analytics are off by default and load only after you affirmatively opt in.

Do Not Track (DNT): We do not use tracking that would follow you across other websites.

Global Privacy Control (GPC): We honor the Global Privacy Control signal. If your browser sends a GPC signal, we treat it as an opt-out and suppress all non-essential analytics, regardless of any prior consent choice.


4. How We Use Your Information

We use the personal information we collect for the following purposes:

Communication and Service Delivery

  • Respond to your contact and support inquiries
  • Provide information, quotes, and proposals for our services
  • Deliver and administer contracted services and communicate about them

Security and Fraud Prevention

  • Mitigate bots and abuse (for example, via Vercel BotID and rate limiting)
  • Monitor for security threats and investigate suspicious activity
  • Protect our legal rights and enforce our Terms of Service

Diagnostics and Improvement

  • Identify and fix technical issues and errors (via Sentry)
  • Measure aggregate, consent-gated usage and performance to improve the Site

Legal and Compliance

  • Comply with applicable laws, regulations, and legal process
  • Respond to lawful requests from authorities
  • Establish, exercise, or defend legal claims and maintain required records

Note: We do not sell your personal information.


Where the GDPR or UK GDPR applies, we rely on the following legal bases:

Contract

Processing necessary to respond to your inquiries, provide information you request, and deliver services you have contracted for.

Legitimate Interests

Processing necessary for our legitimate business interests, including securing the Site, preventing abuse and fraud, and diagnosing and improving our services, balanced against your rights and interests.

Consent

Processing based on your consent, such as loading non-essential analytics. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Legal Obligation

Processing necessary to comply with legal requirements, such as tax and accounting obligations and responses to lawful government requests.


6. Data Retention

Contact and Support Form Submissions

  • Retention Period: Retained for as long as necessary to respond to your inquiry, deliver support, and maintain reasonable business records.
  • Deletion: We delete this data upon verified request or when it is no longer needed for the purposes described above.

Server and Access Logs

  • Retention Period: Approximately 90 days.
  • Rationale: Security monitoring and diagnostics.
  • Deletion: Rotated and deleted on a rolling basis.

Email Communications

  • Retention Period: For the duration of the business relationship plus a limited period thereafter, consistent with our records and legal obligations.

Service Engagement Data

  • Retention Period: For the duration of the engagement plus the period required by contract, professional-liability considerations, and tax and audit obligations.

Backups

  • Retention Period: Disaster-recovery backups are retained for a limited rotation window and are overwritten on rotation.

Criteria for Determining Retention: We set retention periods based on legal and regulatory requirements, applicable limitation periods, and reasonable operational needs.


7. Data Sharing and Subprocessors

We do not sell, rent, or trade your personal information. We share information only with the subprocessors and recipients described below.

Subprocessors

We engage the following subprocessors to operate the Site and our business. This is the complete list of subprocessors that may process personal information in connection with the Site; a current version is also maintained with our Data Processing Agreement (DPA), available on request.

Subprocessor Purpose Location
Vercel Inc. Application hosting, CDN/edge, bot mitigation (BotID), and cookieless Web Analytics United States
Microsoft Azure Cloud hosting / infrastructure United States
Microsoft 365 Business email United States
Sentry (Functional Software, Inc.) Error / exception monitoring United States
Microsoft Corporation (Microsoft Clarity) Consent-gated session replay and heatmap analytics United States
LinkedIn Corporation (LinkedIn Insight Tag), a Microsoft company Consent-gated B2B advertising and conversion measurement United States
RB2B, Inc. Consent-gated business website-visitor identification for sales and marketing United States

Contractual Safeguards: Subprocessors are bound by contract to use information only for the specified purposes, implement appropriate security measures, comply with applicable privacy laws, and delete or return data on termination.

Legal Requirements

We may disclose information when required or permitted by law, including in response to lawful requests from authorities, to comply with court orders or legal process, to enforce our agreements, or to protect the rights, property, or safety of MHCIS, our clients, or others.

Business Transfers

If MHCIS is involved in a merger, acquisition, asset sale, or similar transaction, your information may be transferred to the successor entity, which will be required to honor commitments consistent with this Policy. We will provide notice where required.

With Your Consent

We may share information for other purposes with your consent.

Selling and Advertising: We do not sell your personal information for money. However, if you opt in to analytics consent, our consent-gated third-party trackers involve sharing online identifiers with their providers for analytics and advertising: the LinkedIn Insight Tag shares identifiers with LinkedIn for B2B advertising and conversion measurement, and RB2B shares identifiers used to identify the business associated with a visit. Under some privacy laws this kind of sharing may be treated as "sharing" for cross-context behavioral advertising or as a "sale." You can opt out at any time by declining or withdrawing analytics consent or by sending a Global Privacy Control (GPC) signal, which suppresses these trackers.


8. International Data Transfers

Primary Data Location

Our hosting infrastructure is located in United States regions, and Site data is stored in the United States.

Safeguards for International Transfers

Our subprocessors are United States entities. To the extent any personal data protected under the GDPR or UK GDPR is transferred outside the EEA or the UK, we rely on appropriate safeguards, which may include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (and the UK International Data Transfer Addendum where applicable)
  • Data Processing Agreements that incorporate transfer mechanisms and security requirements
  • Adequacy decisions where available

For clients with specific data-residency requirements, we can discuss suitable arrangements. Please contact us at contact@mhcis.com.


9. Security Measures

We are a security and software engineering firm, and we apply administrative, technical, and organizational measures appropriate to the largely informational nature of the Site. A fuller description of our security posture is available at /security.

Technical Controls

  • Encryption in transit: Traffic between your browser and our infrastructure is encrypted using TLS/HTTPS, enforced site-wide, with HTTP Strict Transport Security (HSTS).
  • Encryption at rest: Data at rest is protected by the encryption provided by our underlying cloud platforms (Vercel and Microsoft Azure).
  • Content Security Policy and security headers: We apply a Content Security Policy and modern security response headers.
  • Bot mitigation and rate limiting: Forms are protected by Vercel BotID, and endpoints apply server-side rate limiting.
  • IP hashing: IP addresses associated with form submissions are stored only as salted SHA-256 hashes, not in plain text.
  • Self-hosted fonts: Fonts are served from our own infrastructure, avoiding third-party font-CDN requests.
  • Error monitoring: We use Sentry to detect and diagnose application errors.

Engineering and Access Controls

  • Secure software development lifecycle (SDLC) and code review practices
  • Infrastructure as code for consistent, reviewable configuration
  • Least-privilege access to systems handling personal information
  • Dependency review to manage third-party software risk

Limitations

While we work to protect your information using reasonable measures, no method of transmission over the internet or electronic storage is completely secure. We cannot promise absolute security, but we continue to improve our posture and respond to emerging risks.


10. Data Breach Notification

We maintain procedures to detect, respond to, and where required, notify affected parties of qualifying security incidents.

Notification Procedures

We will notify affected individuals and applicable authorities as required by law:

  • Affected Individuals: We will notify affected individuals without undue delay where a qualifying breach is likely to result in a risk to their rights, and no later than applicable law requires.
  • GDPR (where applicable): Notification to the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach involving EU or UK residents, where required.
  • U.S. State Laws: Notification as required by applicable state breach-notification laws.
  • HIPAA (where applicable): If we are acting as a business associate under a signed Business Associate Agreement (BAA), we will follow the HIPAA Breach Notification Rule, including notifying the covered entity without unreasonable delay and no later than 60 days after discovery.

HIPAA Applicability

MHCIS is not a HIPAA covered entity, and is not a business associate unless we have signed a specific BAA with a client. HHS/OCR does not certify anyone as "HIPAA compliant." Where an engagement involves protected health information (PHI), we engineer to the HIPAA Security Rule and will sign a BAA. The client remains responsible for its own risk analysis.

Notification Content

Where we notify you, we will describe the nature of the incident, the categories of data affected, the steps we have taken, recommended actions you can take, and how to contact us.

Your Responsibilities

If you believe there has been unauthorized access to your information, please contact us at contact@mhcis.com.


11. Your Privacy Rights

Depending on your location, you may have some or all of the following rights regarding your personal information.

  • Right to Access: Request the categories and specific pieces of personal information we hold about you, their sources, and the purposes of use.
  • Right to Rectification / Correction: Request correction of inaccurate or incomplete personal information.
  • Right to Deletion: Request deletion of your personal information, subject to legal exceptions.
  • Right to Restriction: Request that we limit processing in certain circumstances.
  • Right to Object: Object to certain processing, including where based on legitimate interests.
  • Right to Data Portability: Request a copy of your personal information in a structured, commonly used, machine-readable format.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
  • Right to Opt Out: Opt out of non-essential analytics, including by declining consent or sending a Global Privacy Control (GPC) signal, which we honor.

How to Exercise Your Rights

To exercise any of these rights, contact us:

  • Email: contact@mhcis.com with "Privacy Rights Request" in the subject line
  • Mail: MHC Information Services, LLC, Attn: Privacy, 1325 Park Street, Suite 200, Columbia, SC 29201

Verification and Timeline

To protect your privacy, we will verify your identity before acting on a request, which may involve confirming information you previously provided. We aim to acknowledge requests within five (5) business days and to respond substantively within 45 days of a verifiable request, extendable by up to an additional 45 days where permitted, with notice.

Limitations

We may decline requests that are manifestly unfounded or excessive, that would compromise others' rights, that are restricted by law, or that would require disclosure of confidential business information.


12. California Residents (CCPA/CPRA)

If you are a California resident, you may have rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA). We honor the following rights:

  • Right to Know: Request the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it.
  • Right to Delete: Request deletion of your personal information, subject to exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt Out of Sale or Sharing: We do not sell your personal information for money. If you opt in to analytics consent, our consent-gated third-party trackers (the LinkedIn Insight Tag and RB2B) share online identifiers with those providers for advertising and business-visitor identification, which some laws treat as "sharing" for cross-context behavioral advertising or as a "sale." You can opt out by declining or withdrawing analytics consent, and we honor the Global Privacy Control (GPC) as an opt-out signal that suppresses these trackers.
  • Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information beyond the purposes permitted under CCPA/CPRA.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights.

How to Exercise CCPA/CPRA Rights

Email: contact@mhcis.com with "California Privacy Request" in the subject line
Mail: MHC Information Services, LLC, Attn: Privacy, 1325 Park Street, Suite 200, Columbia, SC 29201

You may use an authorized agent to submit a request; we may require written authorization and verification. If we decline a request, you may appeal by contacting us with "Privacy Appeal" in the subject line.


13. Children's Privacy

Our Site and services are not directed to individuals under the age of 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at contact@mhcis.com, and we will take steps to delete it promptly.


Our Site may contain links to third-party websites or resources that we do not own or control. We are not responsible for the content, privacy policies, or practices of third-party sites. We encourage you to review the privacy policy of any third-party site before providing information.


15. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. When we make changes, we will update the "Last Updated" date and version above. Material changes will be communicated through prominent notice on the Site and, where appropriate, by other means. Your continued use of the Site after the Effective Date of an updated Policy constitutes acceptance of the changes.


16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

MHC Information Services, LLC
Attn: Privacy
1325 Park Street, Suite 200
Columbia, SC 29201

Privacy, Security, and Legal Inquiries: contact@mhcis.com
Phone: +1 (803) 881-3889

This Policy is governed by the laws of the State of South Carolina, USA, without regard to its conflict-of-laws principles.

We aim to respond to privacy inquiries within five (5) business days. Complex requests may require additional time, and we will keep you informed of our progress.


MHC Information Services, LLC, a security and software engineering firm.