Ask us a question

Legal

Privacy Policy

Last updated: June 2, 2026

This Privacy Policy describes how Bluefish Systems, LLC ("Bluefish," "we," "us," "our") handles information collected through our marketing website at bluefishsystems.com (the "Site"). It applies only to this Site. Data handled inside the products we deliver to health systems — Capsa, HealthPoint, the Employee Portal, Shield Tracker, and SprocOptimizer — is governed by the separate Business Associate Agreement (BAA) and master service agreement we sign with each customer, not by this policy.

1. Important: do not submit patient health information here

This Site is not a HIPAA-covered channel. Our public forms (Ask a Question, Contact, and any future inquiry forms) are intended for routine business inquiries — your name, work email, organization, role, and a short message about what you're interested in.

Please do not submit any patient-identifiable information, protected health information (PHI), or other regulated data through this Site. If you need to share clinical scenarios, de-identify them first or wait for a contracted channel with a BAA in place. If you accidentally include PHI in a public form submission, email sales@bluefishsystems.com and we will delete the record from our systems.

2. Information we collect

We collect two categories of information through the Site:

  • Information you provide directly. When you fill out a form (Ask a Question, Contact, newsletter sign-up if offered) or email us, we receive what you submit — typically your name, work email address, organization, job title, the product(s) you're interested in, and the contents of your message.
  • Information collected automatically. Like most websites, our hosting provider records standard request logs (IP address, request time, requested URL, referring URL, user-agent string, and HTTP status). These are used for operational purposes such as security monitoring, abuse prevention, and capacity planning, and are kept on a rolling short-term basis.

3. Cookies and similar technologies

The Site uses a small number of strictly necessary mechanisms — session-storage keys and short-lived cookies set by the hosting platform — that are required to serve pages and keep forms working. We do not currently use third-party advertising trackers, social-network pixels, or cross-site behavioral profiling.

If we add privacy-respecting product analytics in the future (for example, aggregated page-view counts that don't identify you personally), we will update this policy and surface a cookie notice before turning them on.

4. How we use information

  • To respond to your inquiry, schedule a demo, and follow up on a conversation you started.
  • To deliver information you've explicitly asked for.
  • To operate, secure, and improve the Site (debugging, abuse prevention, load planning).
  • To comply with legal obligations and respond to lawful requests.

We do not sell personal information. We do not share it with third parties for their own marketing. We do not use information you submit here to make automated decisions that have legal or similarly significant effects on you.

5. How information is shared

We share information only with the vendors that help us operate this Site and our business — and only the minimum they need to do their job. As of the date above, the categories of service providers we use for the Site are:

  • Hosting and edge delivery (Microsoft Azure Static Web Apps) — serves the Site and records the request logs described in Section 2.
  • Form delivery (a third-party form-handling service) — receives Ask a Question and Contact submissions and forwards them to our team inbox.
  • Email (Microsoft 365) — the inbox that receives your messages and that we use to reply.

We may also disclose information when required by law, in response to a valid legal process, to protect the rights, property, or safety of Bluefish, our customers, or others, or in connection with a corporate transaction (such as a merger or asset sale) — in which case we will require any acquirer to honor the commitments in this policy.

6. Where information is processed

Bluefish is based in the United States and the service providers above process information in the United States. If you submit information from outside the U.S., you understand that it will be transferred to and processed in the U.S., which may have different data-protection rules than the country you submitted it from.

7. How long we keep information

We keep the information you submit through forms only as long as we need it to follow up on your inquiry and maintain a record of our business relationship — typically the active sales conversation plus a reasonable retention window for legitimate business reference. If you ask us to delete your record, we will (subject to any legal hold or recordkeeping requirement we can't waive).

Hosting request logs are retained on a short rolling basis (days to weeks) for security and operations and then automatically discarded.

8. Security

We use commercially reasonable administrative, technical, and physical safeguards to protect the information you submit, including TLS encryption in transit across the public Site, hardened hosting on a managed platform, role-based access to internal systems, and least-privilege principles. No internet transmission or storage system is 100% secure; we work to reduce the risk but cannot guarantee absolute security.

9. Children's privacy

The Site is for healthcare professionals and not directed to children under 13. We don't knowingly collect personal information from anyone under 13. If you believe a child has submitted information to us, email sales@bluefishsystems.com and we will delete it.

10. Your choices and rights

Depending on where you live, you may have rights under privacy laws such as the California Consumer Privacy Act (CCPA/CPRA), the EU/UK GDPR, the Colorado Privacy Act, and similar U.S. state laws. These may include the right to:

  • Access the personal information we hold about you,
  • Correct information that's inaccurate,
  • Request deletion of your information,
  • Object to or restrict certain processing,
  • Receive a portable copy of your information, and
  • Not be discriminated against for exercising any of these rights.

We do not sell personal information and we do not "share" it for cross-context behavioral advertising as those terms are defined under CCPA/CPRA, so there is no separate "Do Not Sell or Share" link to action — that disclosure is the action.

To exercise any right, email sales@bluefishsystems.com with the subject line "Privacy request." We will verify the request as required by law and respond within the timeframe the applicable law sets (generally 30–45 days). You may designate an authorized agent; we may need to verify the agent's authority and your identity.

11. Do Not Track and Global Privacy Control

Because the Site does not perform cross-site tracking, there is no behavioral profile to suppress in response to a Do Not Track or Global Privacy Control (GPC) signal. We will continue to honor any such signal as a clear opt-out from any cross-site tracking we ever add in the future.

12. Linked sites and our product microsites

Some Bluefish products live on their own websites — for example, capsacoding.com, shieldtracker.app, and sprocoptimizer.com. Those sites have their own privacy notices and are not covered by this policy. We also link to third-party sites we don't operate (for example, our LinkedIn page); we aren't responsible for their privacy practices.

13. Changes to this policy

We may update this policy as our practices and the law evolve. The "Last updated" date at the top of the page reflects the most recent change. Material changes will be flagged at the top of this page; continued use of the Site after that signals acceptance.

14. Contact us

Questions about this policy or about how we handle information on the Site?

Bluefish Systems, LLC
Conway, AR, USA
sales@bluefishsystems.com

For matters specific to the products we deliver under contract — including HIPAA, the BAA, or incident notification — please use the channel established in your agreement with us.