Privacy Policy
Last updated: April 2026
Introduction
Morningside Health & Risk (“we,” “our,” or “us”) is committed to protecting your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard the information you provide when you visit our website or contact us about our services. Please read this policy carefully. If you do not agree with its terms, please do not use our Site.
What We Are (and Are Not)
Morningside Health & Risk is a licensed insurance broker regulated by the New York State Department of Financial Services (NY DFS) under producer license #1962161. We are not a HIPAA Covered Entity or Business Associate. The information we collect about you for the purpose of quoting insurance is not Protected Health Information (PHI) as defined under HIPAA. However, some of it does constitute Nonpublic Information (NPI) under the NY DFS Cybersecurity Regulation (23 NYCRR Part 500), and we handle it accordingly.
Information We Collect
We may collect personal information that you provide directly to us, including:
- Contact information such as your name, email address, phone number, and mailing address
- Professional information such as your organization name, specialty, or industry
- Information you include in messages, quote requests, or consultation requests submitted through our Site
- Information necessary to provide insurance services, including information about your business, employees, and existing coverage
- For life and long-term care quoting: self-reported general health category (Excellent, Good, Fair, or Poor), date of birth, gender, and tobacco use
- For commercial cyber-insurance quoting: whether your business handles Protected Health Information (a yes/no applicant attestation), approximate patient/client record counts, and operational details about your business
We also collect certain information automatically when you use our Site, such as your IP address, browser type, operating system, referring URLs, and pages visited. This information is collected through standard web server logs and may use cookies or similar tracking technologies.
How We Use Your Information
We use the information we collect to:
- Respond to your inquiries and provide the services you request
- Prepare and deliver insurance quotes and proposals
- Communicate with you about your account, policies, and renewals
- Send you information about our services that may be relevant to you
- Improve our Site, services, and business operations
- Comply with applicable laws, regulations, and professional obligations
Disclosure of Your Information
We do not sell, trade, or rent your personal information to third parties. We may share your information in the following limited circumstances:
- With insurance carriers and underwriters as necessary to obtain quotes, place coverage, or service your policies
- With service providers who assist us in operating our business, subject to confidentiality obligations
- When required by law, court order, or governmental authority
- In connection with a business transaction such as a merger, acquisition, or sale of assets
We may also share aggregated, de-identified information that cannot reasonably be used to identify you.
Insurance-Related Disclosures
As an insurance broker, we are required to share certain personal and business information with carriers and underwriters in order to obtain and maintain coverage on your behalf. This sharing is a necessary and expected part of the insurance placement process. We share only the information required and work with carriers who maintain appropriate privacy and data security standards.
New York Regulatory Compliance (23 NYCRR Part 500)
As a NY DFS licensed entity, Morningside Health & Risk is subject to the NY DFS Cybersecurity Regulation (23 NYCRR Part 500). Some of the data we collect — including self-reported health status and date of birth — constitutes Nonpublic Information under §500.01(g). We maintain cybersecurity controls meeting the requirements of Part 500, including written policies, access controls, encryption of data in transit and at rest, and incident response procedures.
We work with the following third-party service providers as permitted under §500.11. Each maintains security practices that we have reviewed and found appropriate for the data they handle on our behalf:
- Vercel, Inc. — website hosting and encrypted storage for quote form submissions (SOC 2 Type II)
- Resend, Inc. — transactional email delivery for consultation confirmations and reminders (SOC 2 Type II)
- Cal.com, Inc. — consultation scheduling and calendar embedding (SOC 2)
- Google LLC — web analytics (Google Analytics 4) to help us understand site usage in aggregate
Data Security
We implement reasonable administrative, technical, and physical safeguards to protect your personal information from unauthorized access, use, or disclosure, including encryption of information in transit (TLS/HTTPS) and at rest, access controls on internal systems, and periodic review of our information security practices. However, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security of your information.
Data Retention
Quote, consultation, and inquiry records are retained for six (6) years from the date of last contact, consistent with the record retention requirements of New York Insurance Regulation 152 (11 NYCRR 243). For clients with whom we establish an ongoing broker-of-record relationship, records are retained for six (6) years following termination of that relationship. We may retain aggregated or de-identified data indefinitely for analytics and business-improvement purposes.
Your Choices
You may opt out of receiving marketing communications from us at any time by contacting us at the address below or by following the unsubscribe instructions in any marketing email we send. Please note that opting out of marketing communications does not affect our ability to send you service-related messages necessary to manage your account or policies.
Children's Privacy
Our Site is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately and we will take steps to delete that information.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our Site with a revised effective date. Your continued use of the Site after any changes constitutes your acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us at:
Morningside Health & Risk
NY DFS Producer License #1962161
545 Fifth Avenue, Suite 1400
New York, NY 10017
hello@mnshc.com
(212) 555-0180