Privacy Policy
Last updated
This Privacy Policy describes how Botmakers LLC (“Company,” “we,” “us,” or “our”), operating the Hipa.ai platform (“Service”), collects, uses, discloses, and protects your information. Botmakers LLC is a Delaware limited liability company located at 2093 Philadelphia Pike #1986, Claymont, DE 19703.
By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.
1. Information We Collect
What we collect depends on which part of Hipa.ai you use. Most people use the site without an account, and we want that path to be private by default.
1.1 If you have an ABA workforce account
Accounts exist only for the ABA workforce vertical. If you register on that side, you give us:
- Account information: name, email address, password, professional credentials (BCBA / RBT certification numbers), and organization details.
- Professional data: job search preferences, saved listings, and any career-related information you add yourself.
- Communications: anything you send us when contacting support or sharing feedback.
1.2 If you browse without an account
The clinical trials directory, drug history pages, news and research articles, the public MCP connector and API, and the browser extension all work without an account. We do not ask for your name or email. Our servers automatically see:
- Standard request data: the URL you requested, the timestamp, the response status, and how long the request took. We keep this for operational monitoring.
- A hashed client IP: we salt and hash your IP address so we can rate-limit abuse without storing the original address. The hash is not reversible.
- Approximate location: when you use the clinical trial application flow, we look up a coarse location (country, region or state, and city) from your IP address through a third-party lookup service, so we can understand which areas applicants come from. We store only this coarse location with the application, never the raw IP address, and it is not precise enough to identify a street or building.
- Your user agent: the browser and operating system string your browser sends with every request, used for diagnostics and rate-limit accounting.
- Aggregate usage signals: which pages get viewed and which API tools get called, in a form that does not identify you individually. The Hipa.ai browser extension also surfaces a per-trial view count, described in Section 8.
- Essential cookies (account-only): when you log into an ABA workforce account, we set a session cookie for authentication. We do not set cookies on the clinical trials directory, the public API, or anywhere the browser extension runs. See Section 6.
2. How We Use Your Information
We use the information we collect to:
- Provide the Service: Display the clinical trials directory, drug history pages, FDA and trial update articles, state and condition research, NPI provider news, ABA workforce listings (job listings, salary data, company profiles), the public MCP connector and API, and the Hipa.ai browser extension.
- Maintain your account: Authenticate your identity, manage permissions, and process payments.
- Improve the Service: Analyze aggregate, de-identified usage patterns to improve features and performance.
- Understand reach: See which countries, regions, and cities clinical trial applicants come from, in the coarse form described in Section 1, so we can prioritise coverage.
- Communicate with you: Send account notifications, security alerts, and respond to support requests.
- Comply with legal obligations: Respond to lawful requests from regulatory authorities and enforce our Terms of Use.
3. Data Security
We implement administrative, physical, and technical safeguards to protect your data, including:
- Encryption: TLS 1.2+ encryption in transit for all data. Account data is encrypted at rest.
- Infrastructure: All data is hosted on Microsoft Azure with managed identity authentication.
- Access controls: Role-based access control, multi-factor authentication support, and session management with automatic expiration.
- Audit logging: Access to account data is logged and auditable.
While we take extensive measures to protect your data, no system is completely secure. We cannot guarantee absolute security but commit to promptly notifying affected users in the event of a data breach as required by law.
4. Data Retention
- Account data: kept while your account is active. When you close the account, we hold the data for another 30 days so you can export it, then delete it.
- Usage data: kept in aggregate, de-identified form for up to 24 months. We use it to understand how the site is used, not to track individuals.
- Backups: encrypted backups are kept for up to 30 days, then permanently destroyed.
5. Data Sharing and Disclosure
We do not sell your personal information or clinical data. We may share information only in the following circumstances:
- Service providers: With trusted third-party vendors who help us operate the Service (e.g., cloud hosting, payment processing, email delivery, IP geolocation). These vendors are contractually bound to protect your data.
- Legal requirements: When required by law, subpoena, court order, or governmental regulation, or when we believe disclosure is necessary to protect our rights, safety, or the safety of others.
- Business transfers: In connection with a merger, acquisition, or sale of all or substantially all of our assets. You will be notified of any such transfer.
- With your consent: When you explicitly authorize sharing with a specific third party.
6. Cookies and Tracking
We use a small number of cookies, only where they earn their place:
- Essential cookies: required to keep you logged into an ABA workforce account, and to protect that session. These cannot be disabled while you use the account.
- Analytics cookies: help us see how the site is used in aggregate, so we can improve it. You can disable these in your browser settings without losing access to anything.
We do not use advertising cookies. We do not run third-party trackers. We do not sell your data to advertisers or ad networks. The public clinical trials directory, the MCP connector and API, and the browser extension run without cookies.
7. MCP Connector and Public API
Hipa.ai operates a public Model Context Protocol (MCP) connector and API endpoint at hipa.ai/mcp. This endpoint is read-only and requires no account or authentication.
- Data served: The connector exposes only publicly available U.S. clinical trials information sourced from public datasets (ClinicalTrials.gov / AACT). It does not expose, access, or transmit account data, professional credentials, or any protected health information (PHI). MCP requests never reach our user database.
- Information collected: For each request we log a one-way hash of the client IP address (the raw IP address is never stored), the client’s user agent, and request metadata such as the tool invoked, timing, and a generated request identifier.
- Purpose: This information is used solely for rate limiting, abuse prevention, and operational monitoring of the endpoint.
- Retention: These logs are retained as Usage data under Section 4.
- Sharing: We do not sell or share connector logs. The disclosure rules in Section 5 apply.
8. Browser Extension
The Hipa.ai browser extension is a free Chrome and Microsoft Edge add-on that shows a small drug-history panel on clinicaltrials.gov study pages. When enabled, it sends only the trial’s public NCT identifier to our API. It sets no cookies, runs no analytics, and processes no health information.
The extension reads the URL of the active tab inside your browser so it can switch its toolbar icon between color (on a ClinicalTrials.gov study page) and grayscale (everywhere else). That URL is never sent to us, logged, or stored.
Our server logs the same request metadata it logs for the rest of the public API (a salted, non-reversible hash of your IP for rate-limiting and an anonymized view count per trial), retained per Section 4. The extension stores two on-or-off preferences in your browser’s local storage and reaches no other site. You can turn it off from its popup toggle or uninstall it at any time, which stops all requests immediately and deletes the local preferences.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your personal information, subject to legal retention requirements.
- Export: Request a machine-readable export of your data.
- Restriction: Request that we limit processing of your data in certain circumstances.
- Objection: Object to processing of your data for specific purposes.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
9.1 Self-service removal from directory listings
If you appear as an individual provider in any of our public directory listings sourced from CMS NPPES (for example, the city-level provider pages or the weekly behavioral-health reports) and would prefer your information not be displayed, you can submit a removal request through our dedicated form at hipa.ai/remove-my-information. Approved removals are applied within 24 to 48 hours and persist across future data refreshes.
10. Children’s Privacy
The Service is not directed to individuals under 18. We do not knowingly collect personal information from children.
11. State-Specific Disclosures
11.1 California (CCPA / CPRA)
California residents have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information. To make a request, contact [email protected].
11.2 European Economic Area (GDPR)
If you are in the EEA, our legal bases for processing include contract performance (providing the Service), legitimate interests (improving the Service), and consent (where applicable). You may lodge a complaint with your local data protection authority.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
Botmakers LLC
2093 Philadelphia Pike #1986
Claymont, DE 19703
[email protected]