MHC Information Services, LLC
Version: 2.0
Last Updated: July 3, 2026
Effective Date: July 3, 2026
Table of Contents
- Overview and Scope
- Information We Collect
- Cookies and Tracking Technologies
- How We Use Your Information
- Legal Bases for Processing
- Data Retention
- Data Sharing and Subprocessors
- International Data Transfers
- Security Measures
- Data Breach Notification
- Your Privacy Rights
- California Residents (CCPA/CPRA)
- Children's Privacy
- Third-Party Links
- Changes to This Privacy Policy
- Contact Us
1. Overview and Scope
Who We Are
MHC Information Services, LLC ("MHCIS," "we," "us," or "our") is a security and software engineering firm serving regulated industries, including financial services, insurance, and healthcare. We are committed to protecting your privacy and to handling personal information with care.
What This Policy Covers
This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your personal information when you:
- Visit our website at www.mhcis.com (the "Site"), which is largely informational
- Submit a contact or support request through a form on the Site
- Engage our professional services
- Communicate with us via email, phone, or other channels
Geographic Scope
We primarily serve clients within the United States, and our infrastructure is hosted in United States regions. Where we process personal data on behalf of clients who are themselves subject to the EU General Data Protection Regulation (GDPR) or the UK GDPR, the additional protections described in this Policy and in our Data Processing Agreement (DPA) apply.
Key Definitions
- Personal Information: Information that identifies, relates to, describes, or could reasonably be linked to you.
- Processing: Any operation performed on personal information, including collection, storage, use, disclosure, or deletion.
- Third Party: An entity other than MHCIS or you.
- Subprocessor: A third party that processes personal information on our behalf.
2. Information We Collect
2.1 Information You Provide to Us
We collect personal information that you voluntarily provide when you interact with us. Forms on the Site are protected by Vercel BotID (an invisible bot-mitigation check with no user-facing challenge) and by server-side rate limiting.
Contact Form Submissions
When you submit our contact form, we collect:
- Full Name: To address you appropriately
- Email Address: For correspondence and follow-up
- Phone Number (optional): For direct contact if needed
- Subject: The nature of your inquiry
- Message: The content of your inquiry or request
- Timestamp: The date and time of submission
Support Request Submissions
When you submit our support form, we collect:
- Full Name: To address you appropriately
- Email Address: For correspondence and follow-up
- Phone Number (optional): For direct contact if needed
- Topic: The category of your support request
- Urgency: The urgency level you select
- Subject: A short summary of your message
- Description: The detailed content of your support request
- Timestamp: The date and time of submission
For both contact and support submissions, we record your IP address only as a salted SHA-256 hash, used for abuse prevention and rate limiting. We do not store your IP address in plain text with these submissions.
Email and Direct Communications
When you email us or communicate directly, we collect the content of your message, any attachments, and message metadata (such as sender, recipient, and timestamp). Our business email is operated on Microsoft 365.
Service Engagements
When you engage our professional services, we may collect billing and contract documentation, technical information necessary to perform the engagement, and, where applicable and with your authorization, access information. The specific handling of client data is governed by our engagement contract and DPA rather than by this Site policy.
2.2 Information We Collect Automatically
When you visit our Site, limited technical information is processed to deliver the Site and keep it secure:
- Server logs: Requests to our hosting and edge infrastructure, including URLs, response codes, and timestamps. IP addresses may be processed transiently for security and rate limiting; where retained in association with your form submissions, an IP is stored only as a salted SHA-256 hash.
- Error and exception data: When an error occurs, diagnostic information (which may include an IP address and technical environment details) is processed by our error-monitoring provider, Sentry, to help us diagnose and fix problems.
- Cookieless first-party analytics (no consent required): We use Vercel Web Analytics (Vercel Inc., US), a privacy-friendly, cookieless first-party analytics tool that measures aggregate page views and a small number of custom events (such as phone and email link clicks and contact-form outcomes). It sets no cookies, performs no cross-site tracking, and does not require consent.
- Consent-gated third-party analytics and advertising: A separate set of non-essential third-party trackers (Microsoft Clarity, the LinkedIn Insight Tag, and RB2B) load only after you opt in to the "analytics" category through our consent banner and are suppressed when your browser sends a Global Privacy Control (GPC) signal (see Section 3). These are off by default. None of them load before you opt in.
Our web fonts are self-hosted. The Site does not call any third-party font service.
2.3 Information from Third Parties
We may receive limited operational information from our infrastructure and email providers (for example, delivery status for email we send you) and publicly available business information used for ordinary client due diligence.
3. Cookies and Tracking Technologies
3.1 What Are Cookies?
A "cookie" is a small text file that a website stores on your device. Some websites also use similar technologies such as localStorage. These technologies help a site function and, where enabled, help measure usage.
3.2 Essential vs. Consent-Gated Technologies
We divide the technologies we use into two categories: strictly necessary technologies that are always active because the Site cannot function or honor your choices without them, and consent-gated analytics and advertising trackers that are off by default and load only after you opt in.
Separately, we run Vercel Web Analytics, a cookieless first-party analytics tool. Because it sets no cookies and does not track you across sites, it is not part of the consent-gated category and runs without requiring your consent (see Section 2.2).
Our web fonts are self-hosted; we do not load fonts from any third-party font service, so no font-CDN requests are made from your browser.
Strictly Necessary Storage
| Name | Type | Set By | Purpose | Duration |
|---|---|---|---|---|
cookieConsent |
localStorage | MHCIS (first party) | Records your analytics consent choice | Until cleared |
cookieConsentDate |
localStorage | MHCIS (first party) | Records the date of your consent choice | Until cleared |
These consent values are stored in your browser's localStorage, not as cookies, and are required for the Site to honor your privacy preferences.
Consent-Gated Analytics and Advertising
In addition to our cookieless first-party analytics, we use the following non-essential third-party trackers, which make up the "analytics" category in our consent banner. These technologies:
- Are non-essential and off by default (consent is opt-in)
- Load only after you affirmatively opt in through our consent banner
- Are not loaded at all when GPC is active, regardless of any prior consent choice
- Stop loading if you later withdraw consent
| Provider | Set By | Purpose |
|---|---|---|
| Microsoft Clarity | Microsoft Corporation (US) | Session replay and heatmaps to understand how visitors use the Site |
| LinkedIn Insight Tag | LinkedIn Corporation, a Microsoft company (US) | B2B advertising and conversion measurement (active only when configured) |
| RB2B | RB2B, Inc. (US) | Business website-visitor identification (identifies the company or associated business contact for a visit) for sales and marketing |
Withdrawing analytics consent, or enabling Global Privacy Control (GPC), prevents all three of these trackers from loading. Because RB2B and the LinkedIn Insight Tag involve sharing online identifiers with those providers for analytics and advertising, declining analytics consent or sending a GPC signal is also how you opt out of that sharing.
3.3 How to Manage Cookies
You can control cookies and similar storage through your browser settings. Most browsers (including Chrome, Safari, Firefox, and Edge) let you view, block, or delete cookies and site data under their privacy or security settings. You can also change your analytics choice at any time through the consent controls on the Site.
3.4 Impact of Declining
If you decline analytics consent (or send a GPC signal), you can still browse the Site and access its content. Non-essential analytics simply will not load. The strictly necessary storage that records your choice remains in place so that we can honor it.
3.5 Consent, Do Not Track, and Global Privacy Control
Analytics Consent (Opt-In): Analytics are off by default and load only after you affirmatively opt in.
Do Not Track (DNT): We do not use tracking that would follow you across other websites.
Global Privacy Control (GPC): We honor the Global Privacy Control signal. If your browser sends a GPC signal, we treat it as an opt-out and suppress all non-essential analytics, regardless of any prior consent choice.
4. How We Use Your Information
We use the personal information we collect for the following purposes:
Communication and Service Delivery
- Respond to your contact and support inquiries
- Provide information, quotes, and proposals for our services
- Deliver and administer contracted services and communicate about them
Security and Fraud Prevention
- Mitigate bots and abuse (for example, via Vercel BotID and rate limiting)
- Monitor for security threats and investigate suspicious activity
- Protect our legal rights and enforce our Terms of Service
Diagnostics and Improvement
- Identify and fix technical issues and errors (via Sentry)
- Measure aggregate, consent-gated usage and performance to improve the Site
Legal and Compliance
- Comply with applicable laws, regulations, and legal process
- Respond to lawful requests from authorities
- Establish, exercise, or defend legal claims and maintain required records
Note: We do not sell your personal information.
5. Legal Bases for Processing
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
Contract
Processing necessary to respond to your inquiries, provide information you request, and deliver services you have contracted for.
Legitimate Interests
Processing necessary for our legitimate business interests, including securing the Site, preventing abuse and fraud, and diagnosing and improving our services, balanced against your rights and interests.
Consent
Processing based on your consent, such as loading non-essential analytics. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Legal Obligation
Processing necessary to comply with legal requirements, such as tax and accounting obligations and responses to lawful government requests.
6. Data Retention
Contact and Support Form Submissions
- Retention Period: Retained for as long as necessary to respond to your inquiry, deliver support, and maintain reasonable business records.
- Deletion: We delete this data upon verified request or when it is no longer needed for the purposes described above.
Server and Access Logs
- Retention Period: Approximately 90 days.
- Rationale: Security monitoring and diagnostics.
- Deletion: Rotated and deleted on a rolling basis.
Email Communications
- Retention Period: For the duration of the business relationship plus a limited period thereafter, consistent with our records and legal obligations.
Service Engagement Data
- Retention Period: For the duration of the engagement plus the period required by contract, professional-liability considerations, and tax and audit obligations.
Backups
- Retention Period: Disaster-recovery backups are retained for a limited rotation window and are overwritten on rotation.
Criteria for Determining Retention: We set retention periods based on legal and regulatory requirements, applicable limitation periods, and reasonable operational needs.
7. Data Sharing and Subprocessors
We do not sell, rent, or trade your personal information. We share information only with the subprocessors and recipients described below.
Subprocessors
We engage the following subprocessors to operate the Site and our business. This is the complete list of subprocessors that may process personal information in connection with the Site; a current version is also maintained with our Data Processing Agreement (DPA), available on request.
| Subprocessor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting, CDN/edge, bot mitigation (BotID), and cookieless Web Analytics | United States |
| Microsoft Azure | Cloud hosting / infrastructure | United States |
| Microsoft 365 | Business email | United States |
| Sentry (Functional Software, Inc.) | Error / exception monitoring | United States |
| Microsoft Corporation (Microsoft Clarity) | Consent-gated session replay and heatmap analytics | United States |
| LinkedIn Corporation (LinkedIn Insight Tag), a Microsoft company | Consent-gated B2B advertising and conversion measurement | United States |
| RB2B, Inc. | Consent-gated business website-visitor identification for sales and marketing | United States |
Contractual Safeguards: Subprocessors are bound by contract to use information only for the specified purposes, implement appropriate security measures, comply with applicable privacy laws, and delete or return data on termination.
Legal Requirements
We may disclose information when required or permitted by law, including in response to lawful requests from authorities, to comply with court orders or legal process, to enforce our agreements, or to protect the rights, property, or safety of MHCIS, our clients, or others.
Business Transfers
If MHCIS is involved in a merger, acquisition, asset sale, or similar transaction, your information may be transferred to the successor entity, which will be required to honor commitments consistent with this Policy. We will provide notice where required.
With Your Consent
We may share information for other purposes with your consent.
Selling and Advertising: We do not sell your personal information for money. However, if you opt in to analytics consent, our consent-gated third-party trackers involve sharing online identifiers with their providers for analytics and advertising: the LinkedIn Insight Tag shares identifiers with LinkedIn for B2B advertising and conversion measurement, and RB2B shares identifiers used to identify the business associated with a visit. Under some privacy laws this kind of sharing may be treated as "sharing" for cross-context behavioral advertising or as a "sale." You can opt out at any time by declining or withdrawing analytics consent or by sending a Global Privacy Control (GPC) signal, which suppresses these trackers.
8. International Data Transfers
Primary Data Location
Our hosting infrastructure is located in United States regions, and Site data is stored in the United States.
Safeguards for International Transfers
Our subprocessors are United States entities. To the extent any personal data protected under the GDPR or UK GDPR is transferred outside the EEA or the UK, we rely on appropriate safeguards, which may include:
- Standard Contractual Clauses (SCCs) approved by the European Commission (and the UK International Data Transfer Addendum where applicable)
- Data Processing Agreements that incorporate transfer mechanisms and security requirements
- Adequacy decisions where available
For clients with specific data-residency requirements, we can discuss suitable arrangements. Please contact us at contact@mhcis.com.
9. Security Measures
We are a security and software engineering firm, and we apply administrative, technical, and organizational measures appropriate to the largely informational nature of the Site. A fuller description of our security posture is available at /security.
Technical Controls
- Encryption in transit: Traffic between your browser and our infrastructure is encrypted using TLS/HTTPS, enforced site-wide, with HTTP Strict Transport Security (HSTS).
- Encryption at rest: Data at rest is protected by the encryption provided by our underlying cloud platforms (Vercel and Microsoft Azure).
- Content Security Policy and security headers: We apply a Content Security Policy and modern security response headers.
- Bot mitigation and rate limiting: Forms are protected by Vercel BotID, and endpoints apply server-side rate limiting.
- IP hashing: IP addresses associated with form submissions are stored only as salted SHA-256 hashes, not in plain text.
- Self-hosted fonts: Fonts are served from our own infrastructure, avoiding third-party font-CDN requests.
- Error monitoring: We use Sentry to detect and diagnose application errors.
Engineering and Access Controls
- Secure software development lifecycle (SDLC) and code review practices
- Infrastructure as code for consistent, reviewable configuration
- Least-privilege access to systems handling personal information
- Dependency review to manage third-party software risk
Limitations
While we work to protect your information using reasonable measures, no method of transmission over the internet or electronic storage is completely secure. We cannot promise absolute security, but we continue to improve our posture and respond to emerging risks.
10. Data Breach Notification
We maintain procedures to detect, respond to, and where required, notify affected parties of qualifying security incidents.
Notification Procedures
We will notify affected individuals and applicable authorities as required by law:
- Affected Individuals: We will notify affected individuals without undue delay where a qualifying breach is likely to result in a risk to their rights, and no later than applicable law requires.
- GDPR (where applicable): Notification to the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach involving EU or UK residents, where required.
- U.S. State Laws: Notification as required by applicable state breach-notification laws.
- HIPAA (where applicable): If we are acting as a business associate under a signed Business Associate Agreement (BAA), we will follow the HIPAA Breach Notification Rule, including notifying the covered entity without unreasonable delay and no later than 60 days after discovery.
HIPAA Applicability
MHCIS is not a HIPAA covered entity, and is not a business associate unless we have signed a specific BAA with a client. HHS/OCR does not certify anyone as "HIPAA compliant." Where an engagement involves protected health information (PHI), we engineer to the HIPAA Security Rule and will sign a BAA. The client remains responsible for its own risk analysis.
Notification Content
Where we notify you, we will describe the nature of the incident, the categories of data affected, the steps we have taken, recommended actions you can take, and how to contact us.
Your Responsibilities
If you believe there has been unauthorized access to your information, please contact us at contact@mhcis.com.
11. Your Privacy Rights
Depending on your location, you may have some or all of the following rights regarding your personal information.
- Right to Access: Request the categories and specific pieces of personal information we hold about you, their sources, and the purposes of use.
- Right to Rectification / Correction: Request correction of inaccurate or incomplete personal information.
- Right to Deletion: Request deletion of your personal information, subject to legal exceptions.
- Right to Restriction: Request that we limit processing in certain circumstances.
- Right to Object: Object to certain processing, including where based on legitimate interests.
- Right to Data Portability: Request a copy of your personal information in a structured, commonly used, machine-readable format.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
- Right to Opt Out: Opt out of non-essential analytics, including by declining consent or sending a Global Privacy Control (GPC) signal, which we honor.
How to Exercise Your Rights
To exercise any of these rights, contact us:
- Email: contact@mhcis.com with "Privacy Rights Request" in the subject line
- Mail: MHC Information Services, LLC, Attn: Privacy, 1325 Park Street, Suite 200, Columbia, SC 29201
Verification and Timeline
To protect your privacy, we will verify your identity before acting on a request, which may involve confirming information you previously provided. We aim to acknowledge requests within five (5) business days and to respond substantively within 45 days of a verifiable request, extendable by up to an additional 45 days where permitted, with notice.
Limitations
We may decline requests that are manifestly unfounded or excessive, that would compromise others' rights, that are restricted by law, or that would require disclosure of confidential business information.
12. California Residents (CCPA/CPRA)
If you are a California resident, you may have rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA). We honor the following rights:
- Right to Know: Request the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it.
- Right to Delete: Request deletion of your personal information, subject to exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt Out of Sale or Sharing: We do not sell your personal information for money. If you opt in to analytics consent, our consent-gated third-party trackers (the LinkedIn Insight Tag and RB2B) share online identifiers with those providers for advertising and business-visitor identification, which some laws treat as "sharing" for cross-context behavioral advertising or as a "sale." You can opt out by declining or withdrawing analytics consent, and we honor the Global Privacy Control (GPC) as an opt-out signal that suppresses these trackers.
- Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information beyond the purposes permitted under CCPA/CPRA.
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights.
How to Exercise CCPA/CPRA Rights
Email: contact@mhcis.com with "California Privacy Request" in the subject line
Mail: MHC Information Services, LLC, Attn: Privacy, 1325 Park Street, Suite 200, Columbia, SC 29201
You may use an authorized agent to submit a request; we may require written authorization and verification. If we decline a request, you may appeal by contacting us with "Privacy Appeal" in the subject line.
13. Children's Privacy
Our Site and services are not directed to individuals under the age of 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at contact@mhcis.com, and we will take steps to delete it promptly.
14. Third-Party Links
Our Site may contain links to third-party websites or resources that we do not own or control. We are not responsible for the content, privacy policies, or practices of third-party sites. We encourage you to review the privacy policy of any third-party site before providing information.
15. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. When we make changes, we will update the "Last Updated" date and version above. Material changes will be communicated through prominent notice on the Site and, where appropriate, by other means. Your continued use of the Site after the Effective Date of an updated Policy constitutes acceptance of the changes.
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
MHC Information Services, LLC
Attn: Privacy
1325 Park Street, Suite 200
Columbia, SC 29201
Privacy, Security, and Legal Inquiries: contact@mhcis.com
Phone: +1 (803) 881-3889
This Policy is governed by the laws of the State of South Carolina, USA, without regard to its conflict-of-laws principles.
We aim to respond to privacy inquiries within five (5) business days. Complex requests may require additional time, and we will keep you informed of our progress.
MHC Information Services, LLC, a security and software engineering firm.