Privacy Policy
Last updated: 2026-04-26
Summary
cheapestacaplans.com does not require an account, does not collect your email, does not sell or share your data with insurers or brokers, and does not run advertising. We use Google Analytics and PostHog to measure site traffic and debug UX issues. A portion of sessions are recorded for usability research, with income and age input fields masked in the recordings. Search inputs (ZIP, age, income, family members) are sent to our API in real time to compute your results and are not stored. Read on for detail.
What we collect
- Search inputs you type into the site. ZIP code, age, optional spouse age, optional children ages, and optional household income. These are sent to our server to compute your cheapest-plan results and are not saved to a database, logged with your IP, or associated with a user profile.
- Rate-limit metadata. Your IP address is checked against a sliding-window rate limiter (30 requests per 10 seconds) to protect site availability. IP counters are held in memory at our rate-limit provider for at most a few minutes and are not used for identification, advertising, or cross-site tracking.
- Multi-county-ZIP resolution logs. When you enter a ZIP that spans more than one county, we log a single structured line containing the ZIP, the candidate county FIPS codes, and which county was chosen, so we can tune the picker threshold. These logs contain no age, income, household, or IP data.
- Google Analytics 4 pageviews. If GA4 is enabled, we record standard pageview and referral data with anonymize_ip: true set so Google strips the final octet before storing. GA4 may set its own cookies per its Google Privacy Policy.
- PostHog product analytics and session recordings. We use PostHog to capture anonymous events (pageviews, form submissions, enrollment-link clicks) so we can understand which parts of the site are working. A portion of sessions are recorded so we can watch anonymous replays of how users move through the site and fix usability problems. Income and age input fields are masked in session recordings (rendered as asterisks) and the APTC dollar estimate in the subsidy banner is masked because it is derived from income. We do not attach your identity to any event. PostHog sets cookies to distinguish sessions; you can block these with browser settings.
HealthSherpa handoff
What cheapestacaplans collects. ZIP code, age, optional household income, and optional household-size details are entered on-screen for price discovery only. We do not transmit these inputs to third parties (not to HealthSherpa, not to any insurer, not to any broker system).
What happens when you click Enroll (FFM-30 + GA). The Enroll button for these 31 jurisdictions routes you to HealthSherpa, a CMS-approved Enhanced Direct Enrollment platform. After you click, HealthSherpa's privacy policy governs all data collection, including any personal, demographic, or application information you provide during enrollment.
Agent of Record attribution. Nick Soman (broker profile, NPN listed there) is named as Agent of Record on applications submitted through the HealthSherpa handoff. Insurance carriers pay Nick a monthly commission for as long as your policy remains active, at no additional cost to you. Or enroll directly at HealthCare.gov without an agent.
State-based Marketplaces (19 SBM states). Enrollment clicks for CA, CO, CT, DC, ID, IL, KY, MA, MD, ME, MN, NJ, NM, NV, NY, PA, RI, VA, VT, and WA route directly to that state's Marketplace website. After you click, the state Marketplace's privacy policy governs all data collection; Nick is not currently your agent of record in these states.
Email reminder signup (opt-in only)
If you opt in to the "Email me when Open Enrollment opens" form on the homepage or the Special Enrollment page, we store your email address (and the optional ZIP code, if you provide one) in our Upstash Redis instance for the sole purpose of sending one reminder email when Open Enrollment opens (Nov 1, 2026).
- One email per signup. No newsletter, no follow-up campaigns, no list resale, no third-party data sharing.
- Every reminder email contains an unsubscribe link. Unsubscribing permanently removes the record.
- Emails are not used to identify or track you across the rest of the site. The signup record is segregated from analytics.
- You can ask us to delete your record at any time by emailing the address at the bottom of this page; we honor deletion requests within 7 days regardless of jurisdiction.
What we do not collect
- No accounts. No phone numbers. The only optional contact info we collect is the email you supply to the OEP-reminder form (see above) — we never collect email otherwise.
- No protected health information (PHI) or medical history.
- No payment or banking information.
- No social-security numbers or government identifiers.
- No advertising identifiers, no behavioral tracking pixels, and no cross-site device graphs beyond what GA4 and PostHog set to distinguish sessions.
How we use the data we do collect
- Search inputs compute your cheapest-plan results and the enrollment links shown on the results page. They exist only for the duration of the HTTP request.
- GA4 pageviews help us see which pages are used, where visitors come from, and whether site improvements are reaching people.
- Rate-limit data is used only to throttle abusive traffic and protect availability.
Who we share with
We do not sell your data. We do not share search inputs, results, or any personal information with insurance carriers, brokers, or third parties for marketing or lead generation. The only third parties that receive data from your visit are the infrastructure providers we use to run the site: Vercel (hosting, edge network, rate-limit cache), Google Analytics (pageview measurement), and PostHog (event analytics and session recordings, with income and age inputs masked in recordings). These providers process data under their own privacy commitments and only for the purpose of delivering their service to us.
When you click an enrollment link on our results page, you leave our site and arrive at HealthCare.gov, a state exchange, or an insurance carrier's website. Those destinations have their own privacy practices. We do not pre-populate any information about you on those sites, and we do not receive a referral fee or tracking callback from any of them.
The data sources that back the cheapest-plan answer (CMS public-use files and per-state Department of Insurance filings; see the terms page for the full list) are ingested in batch during annual data refreshes. We do not send any information about your visit, your searches, or your identity to any data publisher.
Your rights (California CCPA / CPRA and similar)
California residents have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including the right to know what personal information is collected about them, the right to delete that information, and the right to opt out of the sale or sharing of personal information. Residents of other states with similar laws (for example Colorado, Connecticut, Virginia, Utah) have equivalent rights under their own statutes.
Because we do not maintain user accounts, do not store search inputs, do not sell or share personal information, and do not run advertising beyond GA4 pageview measurement, in most cases there is no user-identifiable record on file that we could access or delete. If you believe we may hold information about you and want us to investigate, email the address at the bottom of this page and we will respond within 45 days.
Cookies and similar technologies
The site itself sets no tracking cookies. GA4, if enabled, sets its own cookies to measure unique visitors and sessions. You can block these with browser settings or the Google Analytics opt-out browser add-on; the site will continue to function normally.
PostHog sets cookies (and uses LocalStorage) to distinguish sessions and, for the sampled subset of sessions that get recorded, to attach the recording to a consistent session key. Blocking third-party cookies, using an ad-blocker that matches PostHog domains, or using a privacy-focused browser will prevent PostHog from tracking your session. The site will continue to function normally.
Security
The site runs with HSTS, a strict Content Security Policy, X-Frame-Options DENY, and TLS enforced everywhere. Our underlying plan dataset is hosted in a private, token-authenticated blob. We publish a security.txt with a contact for reporting security issues responsibly.
Children
cheapestacaplans.com is not directed at children under 13 and does not knowingly collect information from them. The form accepts children's ages as part of a household-size calculation, but that information is not stored and is associated with the household search, not with a child-user.
Changes to this policy
We may update this policy when the site changes what it collects, stores, or shares. The "Last updated" date above reflects the most recent revision. Material changes will be announced via an update to this page.
Contact
Privacy questions, requests to exercise your rights under CCPA / CPRA or an equivalent state statute, and any concern about how your information is handled: use the feedback link at the bottom of every page. We will respond within 45 days.