What we collect
We collect three categories of information.
Account information. Your name, email address, phone number, and password (stored as a one-way salted hash — we never see your plaintext password).
Order information. Billing and shipping addresses you enter at checkout. Payment details (card numbers, etc.) are collected directly by our payment processor (Stripe) and never touch our servers — we only receive the last four digits and a payment confirmation token.
Clinical intake (PHI). If you purchase a letter service, you complete a clinical questionnaire. This includes demographic information, mental-health history, current symptoms, medications, and details about your service or emotional support animal. See the dedicated Protected health information section below for how this is handled.
We also collect minimal technical information automatically: IP address, browser type, and pages visited — used to keep the site running and to detect abuse. We do not use third-party analytics tracking pixels on pages that handle protected health information.
How we use information
We use your information to:
- Create and maintain your account.
- Process your purchases and deliver the products and services you've ordered.
- Connect you with a licensed clinician in your state and process your clinical assessment.
- Send transactional emails (order confirmations, letter delivery, renewal reminders, etc.).
- Respond to your support inquiries.
- Detect and prevent fraud or abuse.
- Comply with legal obligations (subpoenas, valid law-enforcement requests, etc.).
We do not sell your personal information, and we do not share or rent your information for third-party advertising — including the “sharing for cross-context behavioral advertising” concept defined under the California Privacy Rights Act.
Protected health information
When you complete a clinical intake, the information you provide is Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). NSAR operates as a Business Associate to the licensed clinicians who review your case, and we treat PHI with the following protections:
- Encryption at rest. Sensitive intake fields are encrypted in our database using AWS KMS (Key Management Service) envelope encryption.
- Access controls. Only the clinician assigned to your case and a small set of NSAR staff with operational need can read your intake.
- Audit logging. Every access to your PHI — including by you, your clinician, and our staff — is recorded in a tamper-resistant audit log.
- Limited disclosure. The letter your clinician issues states that you have a qualifying disability and that your animal ameliorates symptoms. It does not disclose your diagnosis or specific medical history to your landlord, airline, or any third party.
- Vendors with BAAs. Where a vendor processes PHI on our behalf (cloud database, email, error tracking), we have a signed Business Associate Agreement requiring the same HIPAA-grade protections. The current vendor list is in the Who we share with section below.
Your separate rights under HIPAA — including the right to access your records, request amendments, and receive an accounting of disclosures — are described in our Notice of Privacy Practices.
How we protect your information
Information security is a continuous practice, not a destination. Our current measures include:
- TLS encryption (HTTPS) for all traffic.
- Encryption at rest for sensitive fields and storage buckets.
- Multi-factor authentication available for staff accounts.
- Hashed passwords (argon2id) — we never store plaintext.
- Access controls based on the minimum-necessary principle — staff see only the information they need to do their job.
- Append-only audit logging for every PHI access.
- Regular security reviews and dependency updates.
No system is perfectly secure. If you believe your account has been compromised, contact security@nsarco.com right away.
Your rights
Residents of California (CCPA / CPRA), Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA) have additional state-specific rights — including the rights to opt out of targeted advertising and profiling. Because we do not sell or share PHI for advertising purposes and we do not engage in profiling for material decisions, the universal rights below satisfy these statutes for our service. To exercise any state-specific right, email privacy@nsarco.com and identify your state of residence so we can apply the correct response timeline.
You have the right to:
- Access the information we hold about you. Email privacy@nsarco.com to request a copy.
- Correct inaccurate information. You can edit most account details directly from your account page; for anything you can't edit yourself, email us.
- Delete your account and associated information, subject to legal recordkeeping requirements (we must retain certain HIPAA records for at least six years).
- Withdraw consent for non-essential communications at any time. Transactional emails (order confirmations, etc.) cannot be turned off while your account is active.
For your HIPAA-specific rights — including the right to request an accounting of who has accessed your records — see our Notice of Privacy Practices.
Children
NSAR services are intended for adults aged 18 and over. We do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account with us, contact privacy@nsarco.com and we will delete the account.
Changes to this policy
We may update this policy from time to time. When we make material changes, we'll update the “Last updated” date above and, where significant, send a notice to your account email so you can review the change before it takes effect.
Contact
For privacy questions: privacy@nsarco.com.
For HIPAA-specific questions: contact our Privacy Officer at privacy@nsarco.com.
Mailing address:
National Service Animal Registry, LLC
PO Box 2901
Cleveland, TN 37320
