Broker Book Xchange Privacy Policy
Plain-English Summary
We collect only what we need to run a secure, broker-to-broker marketplace. We don't handle PHI, we don't sell your data, and we use Escrow.com for identity checks (KYC) and Stripe and Escrow.com for payments. Social logins (Google, Microsoft, LinkedIn, Facebook) let you sign in without sharing your password with us. Your email and phone number are only shared with a counterparty when you accept an offer — not before. All data is stored in Supabase, our SOC 2-compliant, US-based database provider. This policy explains the details.
1. Who We Are and Scope
This Privacy Policy describes how Broker Book Xchange ("Broker Book Xchange," "we," "us," or "our") collects, uses, discloses, and protects information in connection with the Service, our websites, and related communications. If you do not agree with this Policy, please do not use the Service.
Controller/Business: Broker Book Xchange dba Medicare Book Exchange
Email: support@medicarebookexchange.com
Address: 418 Broadway STE R, Albany, NY 12207
2. What We Collect
We distinguish between Personal Information (about you) and Business Asset Data (about your book of business). We do not collect Protected Health Information (PHI). See §8.
A. Categories of Personal Information
- Account & Identity Data – first name, last name, email, bio/profile description, and state and county of operation.
- Authentication Data – OAuth identifiers and tokens (Google, Microsoft, LinkedIn, Facebook), and profile picture (avatar URL) provided by the OAuth provider. OAuth tokens are processed by Supabase Auth before reaching our application servers. We do not receive or store your password.
- Professional & Licensing Data – NPN and the state in which the NPN is licensed.
- NPN Verification Status – whether your National Producer Number has been verified through our internal licensing check (stored separately from payment identity verification).
- Escrow KYC Verification Status – the result returned by Escrow.com (e.g., "verified") following KYC. No ID images or biometric data reach us.
- Transaction Data – subscription, payments, refunds, offer amounts, counteroffers, offer status and expiry, and Escrow.com milestones. No bank or card information is stored by us. Email and phone number are only disclosed to a counterparty when an offer is accepted; they are not visible to other users before that point.
- Communications Data – messages, support tickets, notification settings, and unread message indicators.
- Behavioral Data – listings saved to your wishlist (used for platform analytics and personalization; not shared with third parties).
- Device & Technical Data – IP address, device type, operating system, browser, User-Agent string, timestamps, and logs.
- Cookies & Similar Technologies – session/security cookies and client-side preference cookies. See §7 for details.
B. Business Asset Data (Macro Only)
Number of lives, retention rate, carrier mix, product mix, geography (including county FIPS codes), cashflow data (annual revenue by year), and other macro-level valuation metrics.
We retain this data in pseudonymized form. While it is not directly linked to your name in analytics and market reports, it remains associated with your account in our database. Users may still request deletion under §12.
C. Sources of Information
Information comes from: you directly; your device; OAuth login providers; Supabase Auth; Stripe; Escrow.com (including KYC verification); MailerLite (for email subscriptions); and state licensing authorities.
D. Data Categories, Purposes & Disclosures
| Category | Primary Purposes | Typical Disclosures |
|---|---|---|
| Account & Identity Data | Account creation, authentication, support | Supabase; hosting/support vendors; regulators if required |
| Authentication (OAuth) | Social login, session security | Google / Microsoft / LinkedIn / Facebook; Supabase Auth |
| Professional & Licensing | Vetting, compliance | State DOI data; internal compliance |
| NPN Verification Status | Platform access gating | Internal only |
| Escrow KYC Verification | Fraud prevention, KYC | Escrow.com; internal compliance |
| Transaction Data | Billing, escrow, audit, negotiation | Stripe (incl. user ID and product type metadata); Escrow.com; accounting advisors |
| Communications Data | In-app messaging, support | Supabase; hosting/support providers |
| Behavioral Data (Wishlist) | Platform analytics, personalization | Internal only |
| Device & Technical Data | Security, diagnostics, access control | Supabase; logging/security processors |
| Cookies (essential + preference) | Session, security, UI state | Supabase Auth sets httpOnly cookies; we set preference cookies |
| Email & Contact (post-offer) | Closing communication | Counterparty only upon offer acceptance |
| MailerLite (email marketing) | Account and marketplace notifications | MailerLite |
| Google Maps API (lat/long) | Listing map display | Google Maps API |
We do not use cross-site marketing pixels, and we do not sell or share personal information for cross-context behavioral advertising.
3. Social Logins (Google, Microsoft, LinkedIn, Facebook)
When you use a third-party login:
- We receive your name, email, profile picture (avatar URL), basic account identifier, and an OAuth token.
- We do not receive or store your password.
- OAuth tokens are processed by Supabase Auth before reaching our application servers. Supabase does not access your social login credentials.
- You may revoke access via your provider's account settings at any time.
- We use OAuth data only for authentication, security, fraud prevention, and profile setup.
Each provider processes your data under its own privacy policy:
- Google: https://policies.google.com/privacy
- Microsoft: https://privacy.microsoft.com/privacystatement
- LinkedIn: https://www.linkedin.com/legal/privacy-policy
- Facebook (Meta): https://www.facebook.com/privacy/policy/
4. How We Use Information (Purposes)
We use information to:
- Provide and secure the Service
- Manage listings, matching, and the NDA gate
- Verify identity and licensing
- Process payments and escrow transfers
- Send account/security communications
- Comply with legal obligations
- Improve the Service using aggregated/pseudonymized analytics
5. Legal Bases for Processing (GDPR/UK GDPR)
Where applicable, we process Personal Information under the following legal bases:
- Contract – to create and maintain your account and deliver the Service.
- Legitimate Interests – security, fraud prevention, licensing verification, and efficient platform operation.
- Legal Obligation – to comply with regulatory, tax, and accounting requirements.
- Consent – e.g., OAuth login and email marketing (you may withdraw consent at any time).
6. Disclosure of Information
We do not sell or share Personal Information for cross-context behavioral advertising.
We disclose data to:
- Service Providers – each bound by contract:
  - Supabase – primary database, authentication (Supabase Auth), and real-time messaging infrastructure. All user data resides in Supabase's SOC 2-compliant, US-hosted environment. See https://supabase.com/privacy.
  - Stripe – payment processing. We transmit user ID and subscription product type to Stripe as payment metadata for reconciliation purposes.
  - Escrow.com – KYC verification and protected fund transfers for closings. Buyer and seller names and emails are shared with Escrow.com when a closing is initiated or when KYC is required.
  - MailerLite – email marketing notifications (receives name and email; not used for behavioral advertising).
  - Resend – transactional email delivery (receives recipient email and notification content).
  - Google Maps API – receives listing latitude/longitude coordinates solely for rendering maps within the Service.
  - Census.gov API – receives state/county codes for geographic lookups; no personal data is transmitted.
  - Hosting, logging, and support tools.
- Professional Advisors – attorneys, accountants, and compliance consultants under confidentiality.
- Regulators & Law Enforcement – when required by law or to protect the Service and users.
- Corporate Transaction Parties – if Broker Book Xchange participates in a merger or acquisition, data will transfer under this Policy or an equivalent safeguard.
7. Cookies, Tracking, and Do Not Track
httpOnly / Secure Cookies (set by Supabase Auth):
- Session tokens (sb-* prefix) – authenticate your session on every request. Cannot be accessed by client-side JavaScript.
Client-Accessible Cookies (set by us):
- mx_profile – caches your display name and avatar URL for fast page rendering (non-httpOnly; 60-second lifetime).
- Third-Party Cookies. Stripe, Escrow.com, and OAuth providers may set their own essential cookies; their policies apply.
- No Marketing Pixels. We do not use third-party marketing pixels or cross-site trackers for anonymous visitors.
- Browser Controls. You may block cookies in your browser settings, but some features may degrade.
- Do Not Track. We do not respond to DNT signals as no industry standard currently exists.
8. No PHI and No Beneficiary PII (Zero-PHI Architecture)
- KYC: Escrow.com performs verification; we receive only a status result.
- Due Diligence: All client-file transfers occur outside the Service through HIPAA-compliant channels.
- Enforcement: Messages are automatically checked against PHI patterns at the time of submission and rejected if prohibited content is detected — PHI never reaches our database. Accounts may be suspended for repeated violations.
CMS & Carrier Compliance
All Medicare-related transactions on this platform are subject to CMS regulations (42 CFR Parts 422 and 423), applicable CMS Medicare Marketing Guidelines, carrier/FMO/GA contracts, and state Department of Insurance rules. Users are solely responsible for ensuring their own compliance with these requirements. Broker Book Xchange does not provide CMS, legal, or carrier-contract compliance advice.
NDA Execution & Identity Disclosure
Upon execution of a Non-Disclosure Agreement through the platform, limited identifying information — including name and National Producer Number (NPN) — is shared with the counterparty solely for due-diligence purposes. Users who have purchased the NDA-bypass product may proceed directly to making offers without executing a per-listing NDA; their identity is still disclosed to the counterparty upon offer acceptance. The NDA governs the counterparty's use and retention of that information. If a transaction does not close, parties are expected to destroy or return any identifying information received, as set forth in the NDA. Broker Book Xchange is not responsible for a counterparty's handling of disclosed information after NDA execution.
Seller Liability Acknowledgment
IMPORTANT — Sellers are solely responsible for the obligations listed below. Broker Book Xchange facilitates the connection only and assumes no liability for a Seller's failure to comply with.
Sellers are solely responsible for:
- Confirming carrier/FMO/GA permission to sell or assign commissions before listing
- Maintaining active licenses in all applicable states through closing
- Accurately representing all book metrics on the platform
- Transferring beneficiary records exclusively via HIPAA-compliant channels outside the Service
- Conducting independent due diligence on buyers
- Complying with 42 CFR Parts 422/423 and applicable CMS Medicare Marketing Guidelines
9. Data Retention
- Account Data: Retained while your account is active.
- Compliance & Transaction Records: Minimum 7 years, consistent with CMS requirements, carrier contract obligations, and applicable state insurance regulations.
- Security Logs & Technical Data: Retained 12–24 months (default 18 months).
- Support Tickets: Retained 24 months after closure.
- NPN Verification Records: Your NPN and licensure state are stored on your account and cannot be changed after registration. Your NPN verification status (verified/unverified) is stored while your account is active. We do not store external licensing authority records or detailed data from state DOIs or NIPR.
- Escrow KYC Verification Records: Only verification results retained; Escrow.com stores underlying identity files.
- Business Asset Data: Pseudonymized and retained indefinitely for benchmarking and market analytics. Individual users may still request deletion under §12.
- Behavioral Data (Wishlist): Retained while your account is active; deleted upon account deletion.
Deletion requests may be submitted under §12.
10. Security
We use encryption in transit (TLS 1.2+) and at rest, including all database records — messages, offers, transaction data, and profile information. In-app messages are additionally protected by end-to-end encryption. Our infrastructure is provided by Supabase, a SOC 2-compliant platform hosted in the United States. We enforce strict role-based access controls, real-time monitoring and logging, and data minimization practices. No system is 100% secure.
Data Breach Notification: If we become aware of a data breach affecting your Personal Information, we will notify you within 72 hours where required by applicable EU/UK law (GDPR/UK GDPR), or within the timeframe required by applicable US state law (typically 30–45 days), whichever applies to your jurisdiction.
11. International Users & Data Transfers
Our systems are hosted in the United States via Supabase. If you access the Service from another country, your information will be transferred to and processed in the U.S., which may have different data-protection laws. Where required by applicable law, we apply appropriate safeguards for cross-border transfers.
12. Your Privacy Rights
Depending on your jurisdiction, you may have rights to:
- Access the Personal Information we hold about you.
- Correct inaccurate or incomplete data.
- Delete your Personal Information.
- Portability – receive certain data in a portable format.
- Opt-Out of certain processing (we do not use cross-context behavioral advertising).
- Withdraw Consent where we rely on consent as the legal basis (including withdrawal from MailerLite marketing emails).
How to Submit a Request: Email support@medicarebookexchange.com with the subject line "Privacy Request" indicating your request type. We will respond within 30 days. We may ask you to verify your identity.
Authorized Agents (California)
You may designate an authorized agent to submit requests on your behalf by providing a signed written authorization or power of attorney.
Appeals
If we deny your privacy request, you may appeal within 30 days of receiving our decision by emailing support@medicarebookexchange.com with the subject line "Privacy Appeal." We will respond to your appeal within 45 days, as required under applicable state privacy laws (including Virginia VCDPA and Colorado CPA). If your appeal is denied, you may have the right to contact your state Attorney General.
13. California Privacy Notice (CCPA/CPRA)
This section supplements our Policy for California residents. Categories collected, sources, purposes, and disclosures are described in §§2–9.
- Sale or Sharing: We do not sell Personal Information and do not share it for cross-context behavioral advertising.
- Sensitive Information: Government ID and biometric data for KYC are processed by Escrow.com; we retain verification status only.
- Email Marketing: We use MailerLite to send account and marketplace notifications. MailerLite is a service provider acting on our behalf and is not permitted to use your data for its own marketing purposes.
- Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
To submit a CCPA/CPRA request or designate an authorized agent, follow the instructions in §12.
14. Children's Privacy
The Service is intended exclusively for licensed insurance professionals who must be adults (18+). We do not knowingly collect information from individuals under the age of 18. If we become aware that we have collected such information, we will delete it promptly. Please contact us at support@medicarebookexchange.com if you believe a minor has submitted information to us.
15. Data Minimization & Pseudonymization
We collect only what is necessary to operate the Service. Where possible, we pseudonymize user identity (e.g., display names instead of legal names for public-facing features) and pseudonymize Business Asset Data for analytics and market reports. Individual listings remain associated with your account in our database and are subject to your deletion rights under §12.
16. Third-Party Sites & Services
The Service integrates with the following third parties. Their privacy policies govern their own data practices.
- Supabase (database, auth, real-time): https://supabase.com/privacy
- Stripe (payments): https://stripe.com/privacy
- Escrow.com (KYC and fund holding): https://www.escrow.com/privacy
- MailerLite (email marketing): https://www.mailerlite.com/legal/privacy-policy
- Resend (transactional email): https://resend.com/privacy
- Google (OAuth login + Maps API): https://policies.google.com/privacy
- Microsoft (OAuth login): https://privacy.microsoft.com/privacystatement
- LinkedIn (OAuth login): https://www.linkedin.com/legal/privacy-policy
- Facebook / Meta (OAuth login): https://www.facebook.com/privacy/policy/
We are not responsible for third-party content or practices.
17. Changes to This Policy
We may update this Policy from time to time. If we make material changes, we will notify you by all of the following:
- Email notification to your registered address
- In-product notice upon your next login
- Updated Effective Date and "Last Reviewed" date on this page
Your continued use of the Service after an update signifies acceptance of the revised Policy.
18. How to Contact Us
Privacy & Compliance Team
Business: Broker Book Xchange
Email: support@medicarebookexchange.com
Address: 418 Broadway STE R, Albany, NY 12207
19. Quick Reference: Key Operational Disclosures
Non-Contractual Summary — For informational purposes only. The full Policy sections above govern.
- Supabase Infrastructure: All user data is stored in Supabase's SOC 2-compliant, US-hosted database. Supabase Auth mediates all OAuth session tokens. See https://supabase.com/privacy.
- Escrow.com KYC: We store verification results only; no ID images or biometrics reach us.
- Stripe Payments: We store no card or bank data; Stripe processes all payments.
- Escrow.com: Handles protected fund transfers for closings. Buyer/seller names and emails are shared when a closing is initiated.
- NDA Gate: Buyers and sellers remain pseudonymous until an NDA is executed, after which limited identity details (name, NPN) are shared for due diligence only.
- Contact Disclosure: Email and phone number are only shared with a counterparty when an offer is accepted — not before.
- Zero-PHI: Messages are checked against PHI patterns at submission and rejected if prohibited content is detected — PHI never reaches our database. Accounts may be suspended for repeated violations.
- Social Login Providers: Google, Microsoft, LinkedIn, and Facebook used for authentication only. OAuth tokens pass through Supabase Auth. See §3 for privacy policy links.
- MailerLite: Used for account and marketplace email notifications. Receives name and email. Not used for behavioral advertising.
- Resend: Transactional email delivery (account confirmations, alerts). Receives recipient email and notification content.
- Google Maps API: Receives listing latitude/longitude for map display only.
- Encryption: All data is encrypted in transit (TLS 1.2+) and at rest, including messages, offers, and transaction records.
- Transaction Record Retention: Minimum 7 years for compliance and financial records.
- Business Asset Data: Retained in pseudonymized form indefinitely for benchmarking; users may request deletion under §12.
- CMS/Carrier Compliance: Sellers are solely responsible for compliance with 42 CFR Parts 422/423 and CMS Medicare Marketing Guidelines.
- Appeals: Privacy request denials may be appealed within 30 days; we respond within 45 days.