Privacy Policy
Effective: April 21, 2026 · Last updated: April 21, 2026
This Privacy Policy describes how Velora Partners, Inc. (“Velora,” “we,” “us”) collects, uses, and protects information when you use Ben, our employee benefits administration and enrollment platform (the “Service”). The Service is offered to employers (our “Customers”) who in turn make it available to their employees and dependents.
1. Who this policy applies to
- Employer administrators and brokers who sign in to manage benefits programs.
- Employees and dependents who use the Service to review plans, complete enrollment, and manage their benefits.
- Website visitors to helloben.ai and related marketing pages.
If you are an employee of a Customer, the information you provide through the Service is controlled by your employer under our Business Associate Agreement (“BAA”) with them. Velora acts as a HIPAA Business Associate when processing Protected Health Information (“PHI”).
2. Information we collect
2.1 Information you provide
- Account and profile: name, work email, employer, role, and (for Google sign-in) the basic Google profile information Google returns to us (email, name, account ID).
- Enrollment data: date of birth, Social Security Number (required for some carriers), address, dependents, beneficiaries, and the plan elections you make.
- Health-related information: answers to wellness or benefits-eligibility questions, tobacco status when your employer collects it, and other information needed to administer the elected plans. This is PHI under HIPAA.
- Communications: questions you ask Ben (our AI-assisted counselor), feedback, and support requests.
2.2 Information we collect automatically
- Device, browser, and IP address for security, rate-limiting, and fraud-prevention purposes.
- Application usage — pages visited, features used, and error diagnostics — for operating and improving the Service.
- Required security headers and audit logs of access to sensitive records.
2.3 Information we receive from third parties
- Your employer and their payroll / HRIS systems (when your employer connects them) for roster, eligibility, and payroll deductions.
- Insurance carriers via EDI 834 enrollment transactions and, where authorized, membership and plan feedback files.
- Google when you sign in using Google — see “Google sign-in” below.
3. Google sign-in
When you sign in to Ben with your Google account, we request the standard openid, email, and profile scopes. We receive your email address, your name, your Google account ID, and — if you have one set — your profile photo. We do not request access to Gmail, Calendar, Drive, Contacts, or any other sensitive Google scope. We use this information solely to authenticate you and associate your session with your employer's account in Ben.
4. How we use information
- To operate the Service: authenticate you, enroll you in benefits, send 834 files to carriers, and show you your current coverage.
- To respond to you through Ben, our AI-assisted counselor, including answering benefits questions and helping you complete enrollment.
- To communicate with you about service updates, security notices, and (with your employer's direction) enrollment deadlines.
- To maintain security, detect abuse, and comply with legal obligations including HIPAA audit-log requirements.
- To improve the Service using de-identified or aggregated data. PHI is never used for AI model training.
5. How we share information
- With your employer, who is the plan sponsor and the entity we serve.
- With insurance carriers to whom your employer has elected to send enrollment data.
- With infrastructure providers under appropriate written agreements, including: Vercel (hosting), Neon (database), Anthropic (large language model powering Ben), Deepgram (speech services for Ben's voice channel), Resend (email delivery), and Upstash (rate limiting). Where these providers handle PHI, we maintain a Business Associate Agreement (BAA) or equivalent agreement that requires them to protect PHI consistent with HIPAA.
- When legally required, such as in response to a subpoena, court order, or other lawful process, or to protect our rights or the safety of our users.
We do not sell personal information. We do not share PHI for marketing. We do not use PHI to train AI models.
6. Security
We implement administrative, physical, and technical safeguards designed to protect PHI and other sensitive data, including:
- Encryption of sensitive fields (e.g., Social Security Numbers) at the application layer using AES-GCM authenticated encryption, with keys managed outside the database.
- TLS 1.2+ for data in transit on all public endpoints.
- Database-level encryption at rest provided by our cloud database provider.
- Role-based access control and tenant isolation so that users of one employer cannot see another employer's records.
- Audit logs of access to and changes in PHI records, retained consistent with HIPAA §164.312(b).
- Rate limiting and anomaly monitoring on API endpoints.
Note: Velora Partners maintains HIPAA Business Associate status and technical safeguards designed to meet the HIPAA Security Rule. We do not claim any third-party certification (e.g., SOC 2, HITRUST) except where specifically represented to a Customer in writing.
7. Data retention
We retain your information for as long as your employer's account is active and as needed to provide the Service. After account termination, we retain enrollment and audit records for the period required by the HIPAA Security Rule and applicable state law, typically six (6) years from the later of the record's creation or its last use, then delete or de-identify them on a scheduled cadence. Audit logs of PHI access are retained for at least six years.
8. Your rights and choices
Where applicable law grants you rights over your personal information (for example, under HIPAA, California's CCPA/CPRA, or similar state laws), you may have the right to:
- Access the personal information we hold about you.
- Request correction of inaccurate information.
- Request deletion, subject to legal retention obligations (including HIPAA's six-year audit-log retention).
- Request a copy of your data in a portable format.
For PHI, these requests are typically fulfilled through your employer's plan administrator. For other personal information, you may contact us using the details below, or through your account's privacy controls where available.
9. Children's information
The Service is not directed to children under 13. We do collect information about dependents of employees (including minor dependents) to administer their benefits coverage, in which case the information is provided by the enrolling adult and is governed by the employer's plan documents.
10. International users
The Service is operated from the United States and is intended for U.S.-based employers, employees, and dependents. If you access the Service from outside the U.S., your information will be processed in the U.S.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will update the “Last updated” date at the top and, where changes are material, provide notice through the Service or to your account email.
12. Contact
Questions about this Privacy Policy or our handling of your information:
- Email: privacy@helloben.ai
- HIPAA requests (for PHI access, amendment, or accounting of disclosures): privacy@helloben.ai
Velora Partners, Inc. is the entity providing the Ben Service.