Privacy Policy

Access Michigan ("the Platform") is an independent, non-commercial civic resource that helps Michigan residents navigate healthcare, social services, and community resources. We are not a government agency, healthcare provider, or insurance company. We do not sell advertising, and we do not monetize your data in any way.

Our guiding principle is privacy by design: we collect the absolute minimum information needed to operate and improve the Platform. Where possible, data processing occurs entirely in your browser and never reaches our servers.

• No targeted advertising — Access Michigan displays zero ads.
• No sale or sharing of personal data — We never sell, rent, license, or share your information with third parties for marketing.
• No user accounts or login required — The Platform is fully accessible without creating an account or providing identifying information.
• No tracking cookies — We do not use cookies for analytics, advertising, or behavioral profiling.
• No attempt to identify individuals — We do not fingerprint browsers, track across sites, or build user profiles.
• No storage of Protected Health Information (PHI) — Health-related tools (AI appeals generator, benefits wizard, symptom information) process data client-side. We do not store, transmit, or retain any health information you enter.

3a. Operational Server Logs

Our hosting provider (Netlify / Vercel) automatically collects minimal operational data for security and reliability:

• IP addresses (not linked to any user profile)
• Request timestamps and HTTP methods
• Browser user-agent strings
• Referring URLs

These logs are retained for 30 days or less and are used exclusively for security monitoring, error detection, and capacity planning. They are never analyzed to identify individual users.

3b. Aggregated Usage Analytics

If analytics are enabled, we collect aggregated, non-identifying page-view counts and search terms to understand which resources are most useful. This data cannot be traced to individual visitors.

3c. Voluntarily Submitted Information

If you choose to use certain features, you may provide information voluntarily:

• Contact Form: Name, email address, subject, and message. Used solely to respond to your inquiry.
• Resource Submissions: Organization details submitted for inclusion in our directory.
• Page Feedback: Anonymous "helpful/not helpful" ratings with optional comments (no personal data collected).
• Partnership Inquiries: Organization and contact details for partnership evaluation.

3d. Local Browser Storage

Some features use your browser's localStorage to remember preferences (theme, language, recently viewed counties). This data never leaves your device and can be cleared at any time through your browser settings.

Access Michigan includes AI-powered tools such as the chat assistant and insurance appeal letter generator. Important privacy details about these features:

• No conversation logging: AI chat messages are processed in real-time via secure backend functions and are not stored on our servers after the response is delivered.
• No PHI storage: Any health details, insurance information, or personal circumstances you enter into the appeal generator or chat are processed transiently and discarded immediately after generating a response.
• Third-party AI models: AI responses are generated by third-party language model providers. Your prompts are sent to these providers under their data processing terms. We select providers that do not use input data for model training.
• Not medical advice: AI-generated content is informational only and does not constitute medical, legal, or insurance advice. See Section 7 for HIPAA disclaimers.

Access Michigan integrates data from public agencies and may load resources from third-party services. Each may have its own privacy policy:

We apply a global no-referrer policy on external links to prevent destination sites from knowing which Access Michigan page you came from.

We employ industry-standard security measures to protect any data we handle:

• Encryption in transit: All connections use HTTPS/TLS encryption.
• Row-Level Security (RLS): Database tables enforce strict access controls. Public submissions (contact forms, feedback) are insert-only; no public read or modification access.
• Input validation: All backend functions validate and sanitize inputs using Zod schema validation.
• Rate limiting: Backend functions enforce rate limits (5–10 requests per minute) to prevent abuse.
• No authentication required: Since we don't require accounts, there are no passwords or credentials to protect — reducing attack surface by design.

Michigan residents have specific privacy protections under state and federal law:

Michigan Identity Theft Protection Act (MCL 445.61–445.79c)

Although Access Michigan does not collect personal identifying information as defined by this Act, we comply with its requirements for any data we do handle, including prompt notification in the unlikely event of a security breach.

Michigan Consumer Protection Act (MCL 445.901–445.922)

Access Michigan does not engage in trade or commerce and makes no commercial representations. All information is provided as a free civic resource for public benefit.

Children's Online Privacy Protection Act (COPPA)

Access Michigan is designed for a general audience and does not knowingly collect personal information from children under 13. If you believe a child has provided personal information through our contact form, please contact us and we will promptly delete it.

Your Rights

You have the right to:

• Access: Request a copy of any personal information we hold about you (likely none, given our minimal collection).
• Deletion: Request deletion of any data you've submitted through contact forms or resource submissions.
• Correction: Request correction of any inaccurate information.
• Opt-out: Clear browser localStorage at any time to remove all locally stored preferences.

To exercise these rights, please use our contact page. We will respond within 30 days.

We may update this Privacy Policy to reflect changes in our practices or applicable law. When we make material changes, we will update the "Last Updated" date at the top of this page. We encourage you to review this policy periodically.

All previous versions of this policy are available through our changelog.