Privacy Policy
Last updated: April 2026
Yundra is a HIPAA compliance tool for solo therapists. We market ourselves on privacy and trust, so our privacy policy should hold up to the same standard. This page tells you exactly what data we collect, what we don't, who else sees it, and how to get rid of it.
What we collect
Your assessment answers
When you take the HIPAA Risk Assessment, we store your answers to the 40 assessment questions. These questions ask about your compliance setup — things like whether you have MFA enabled, whether your vendor agreements are signed, whether you have a written risk analysis. They do not ask about your patients, your session notes, your diagnoses, or any individual's health information.
Your email address
If you request your full report, we ask for your email address to send you a magic link. Your email is stored in your Yundra account and associated with your assessment session. We use it to authenticate you and to send the report link. We do not add you to a marketing list.
IP address hash
When you start an assessment, we store a one-way hash (HMAC-SHA256) of your IP address. This is used for spam and abuse detection only. The hash is non-reversible — your actual IP address is never stored in our database and cannot be recovered from the hash.
User agent string
We store the browser user agent string from when you start an assessment. This is used for spam detection only — it helps us distinguish real users from bots.
Authentication cookies
When you sign in via the magic link, Supabase Auth sets session cookies in your browser to keep you authenticated. These are standard authentication cookies — they contain your session token and are required for the sign-in flow to work. They are not used for tracking.
Analytics cookies (only with your consent)
We use Google Analytics to understand how people use the site — which pages are visited, how long people spend on the assessment, and where they drop off. Google Analytics cookies are only loaded if you click “Accept” on the cookie consent banner. If you click “Decline” or ignore the banner, no analytics cookies are set and no data is sent to Google.
What we do not collect
This matters, so we'll be specific:
- No patient information of any kind. We never ask for it, we never store it, we never see it.
- No session notes, diagnoses, or treatment records.
- No information about your patients. The assessment asks about your compliance setup, not about any individual patient.
- No protected health information (PHI). Yundra is a compliance management tool, not a clinical tool. PHI never enters our system.
Who else sees your data
We use four third-party services. Each one sees only the minimum data it needs to do its job.
Supabase
Our database and authentication provider. Supabase stores your assessment answers, email address, and authentication session. US-based, SOC 2 Type II compliant.
Resend
Our transactional email provider. Resend sees your email address when we send you the magic link email. That is the only email we send — one transactional email per assessment. No marketing, no newsletters, no follow-ups.
Vercel
Our web hosting provider. Vercel serves the website and runs the application code. Standard web hosting — Vercel sees the HTTP requests that any web host would see.
Google Analytics
Visitor analytics, loaded only if you accept cookies via the consent banner. If you decline, Google receives nothing. Google Analytics collects standard web analytics data — pages visited, time on page, referral source, browser type. It does not have access to your assessment answers, email address, or any data stored in our database.
How long we keep your data
Your assessment data is retained indefinitely so you can return to your report at any time. Your compliance posture changes over time, and having your previous assessment available helps you track progress.
If you want your data deleted, email hello@yundra.health and we'll delete your account, assessment data, and any associated records. This is a manual process for now — we'll confirm deletion within 7 days.
Your choices
- Cookie consent: You can accept or decline analytics cookies via the banner. Your choice is stored in your browser's localStorage and persists until you clear it.
- Email: You can take the assessment without providing an email. The email is only required to receive your full report.
- Data deletion: Email hello@yundra.health to request deletion of all your data.
Who we are
Yundra is a product of Acruxcap, registered in Dubai. If you have questions about this policy or about how your data is handled, email hello@yundra.health.
Changes to this policy
If we change what data we collect or how we use it, we'll update this page and note the date at the top. We won't retroactively change how we handle data you've already provided without telling you.
Legal Disclaimer
Yundra provides compliance documentation tools and educational resources for healthcare practices. We are not a law firm, a consulting firm, or a healthcare provider. Nothing on this site or in our products constitutes legal advice. Our tools are designed to help you document and manage your compliance programme, but they do not guarantee compliance with HIPAA or any other regulation. Consult a qualified healthcare attorney for specific legal compliance questions. Yundra does not accept liability for any regulatory action taken against your practice.