Privacy Policy

Effective Date: January 15, 2026
Last Updated: January 30, 2026

FHIRfly.io LLC ("FHIRfly," "we," "us," or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, API platform, and related services (collectively, the "Service").

By using the Service, you consent to the practices described in this Privacy Policy.


1. Information We Collect

1.1 Information You Provide

Account Information:

  • Email address (required for account creation)
  • Name (optional)
  • Organization name and details

Billing Information:

  • Payment information is collected and processed by our payment processor, Stripe
  • We do not store complete credit card numbers on our servers

Communications:

  • Support requests and correspondence
  • Feedback and survey responses

1.2 Information Collected Automatically

Usage Data:

  • API request metadata (endpoints accessed, request timestamps, response codes)
  • Request volume and patterns
  • IP addresses

Important: We log request metadata for security, billing, and abuse prevention. We do not intentionally log request bodies or query parameters containing user data. You must not submit Protected Health Information (PHI) or other sensitive personal data in API requests. See Section 11 for details.

Device and Browser Information:

  • Browser type and version
  • Operating system
  • Device identifiers

Analytics Data:

  • Pages visited on our website
  • Time spent on pages
  • Referral sources
  • Click patterns

1.3 Cookies and Similar Technologies

We use cookies and similar tracking technologies. See our Cookie Policy for details.


2. How We Use Your Information

We use the information we collect to:

2.1 Provide and Maintain the Service

  • Process account registration and authentication
  • Provide access to our APIs
  • Process payments and manage subscriptions
  • Send transactional emails (password resets, billing notifications)

2.2 Improve the Service

  • Analyze usage patterns to improve performance
  • Develop new features and functionality
  • Monitor and prevent abuse
  • Debug and troubleshoot issues

2.3 Enforce Policies

  • Enforce rate limits and quotas
  • Detect and prevent fraud or abuse
  • Ensure compliance with our Terms of Service

2.4 Communicate With You

  • Respond to support requests
  • Send service announcements and updates
  • Provide important notices about your account
  • Comply with applicable laws and regulations
  • Respond to legal requests and protect our rights

3. Information Sharing

We do not sell your personal information. We may share your information in the following circumstances:

3.1 Service Providers

We share information with third-party service providers who assist in operating our Service:

Provider | Purpose | Data Shared
Stripe | Payment processing | Billing information
Amazon Web Services | Cloud infrastructure | All data (encrypted)
MongoDB Atlas | Database hosting | Account and usage data
Upstash | Redis caching | Session and rate limit data
Google Analytics | Website analytics | Website usage data (pages visited, referrals, device info)

We may disclose information if required by law, court order, or government request, or if we believe disclosure is necessary to:

  • Comply with legal obligations
  • Protect our rights or property
  • Prevent fraud or security issues
  • Protect the safety of users or the public

3.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.

We may share information with your explicit consent.


4. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy.

Data Type | Retention Period
Account information | Until account deletion + 30 days
Usage logs | 90 days (detailed), 1 year (aggregated)
Billing records | 7 years (legal requirement)
Support correspondence | 3 years

After account deletion, we may retain anonymized or aggregated data that cannot be used to identify you.


5. Data Security

We implement appropriate technical and organizational measures to protect your information:

  • Encryption in transit: All data is transmitted over HTTPS/TLS
  • Encryption at rest: Sensitive data is encrypted in our databases
  • Access controls: Limited access on a need-to-know basis
  • Authentication: Secure session management
  • Credential protection: API keys and secrets are protected using industry-standard security practices

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

5.1 Data Breach Notification

In the event of a security breach that results in unauthorized access to your personal information, we will:

  • Investigate promptly: Begin investigation within 24 hours of discovering the potential breach
  • Notify affected users: Send email notification within 72 hours of confirming a breach that affects your personal data
  • Provide details: Include in our notification: (a) description of the breach, (b) types of data affected, (c) steps we are taking to address the breach, and (d) recommended actions you can take to protect yourself
  • Report to authorities: Comply with applicable data breach notification laws, including reporting to relevant regulatory authorities where required

We maintain security incident response procedures and will provide updates as our investigation progresses.


6. Your Rights and Choices

6.1 Access and Portability

You may access your account information through the dashboard. You may request a copy of your data by contacting us.

6.2 Correction

You may update your account information through the dashboard or by contacting us.

6.3 Deletion

You may request deletion of your account and associated data. Some data may be retained as required by law or for legitimate business purposes.

6.4 Opt-Out

  • Marketing emails: Unsubscribe using the link in any marketing email
  • Cookies: Manage through your browser settings (see Cookie Policy)
  • Analytics: Use browser extensions like Google Analytics Opt-out

6.5 Do Not Track

Our website does not currently respond to "Do Not Track" (DNT) browser signals. This is because there is no universally accepted standard for how websites should respond to DNT signals, and the DNT specification has been deprecated by the W3C. We encourage users who wish to limit tracking to use the opt-out tools described above.


7. International Data Transfers

FHIRfly is based in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States.

Where required by applicable law, we use appropriate transfer mechanisms, which may include:

  • Standard Contractual Clauses or similar approved mechanisms
  • Your consent provided through your use of the Service

By using the Service, you consent to the transfer of your information to the United States.


8. Children's Privacy

The Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.


9. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request information about data collection and sharing
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of the sale of personal information (we do not sell personal information)
  • Non-Discrimination: We will not discriminate against you for exercising these rights

How to Submit a Request

To exercise your California privacy rights:

  1. Email us at admin@fhirfly.io with the subject line "California Privacy Request"
  2. Include your name and the email address associated with your account
  3. Specify which right(s) you wish to exercise

We will verify your identity by matching the information you provide with our records. We will respond within 45 days, or notify you if we need additional time (up to 90 days total).

An authorized agent may submit a request on your behalf with written permission.


10. European Privacy Rights

If you are located in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data
  • Restriction: Request limitation of processing
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to processing based on legitimate interests

Legal Basis for Processing:

Processing Activity | Legal Basis
Account management | Contract performance
Payment processing | Contract performance
Service improvement | Legitimate interest
Security and fraud prevention | Legitimate interest
Legal compliance | Legal obligation
Marketing communications | Consent

To exercise your rights or lodge a complaint with a supervisory authority, contact us at admin@fhirfly.io.


11. Healthcare Data Clarification

11.1 Service Not Designed for PHI

The Service is not designed, intended, or authorized for the storage, processing, or transmission of Protected Health Information ("PHI") as defined under HIPAA. We provide healthcare reference data only—not patient data, medical records, or individually identifiable health information.

11.2 Do Not Submit PHI

You must not submit PHI through the Service, including in API requests, query parameters, headers, or any other form. This includes patient names, medical record numbers, Social Security numbers, or any individually identifiable health information.

11.3 No Business Associate Agreement

We do not offer a Business Associate Agreement ("BAA"). FHIRfly is not a HIPAA-covered entity or business associate with respect to the Service.

11.4 Your Compliance Responsibility

If you use FHIRfly's APIs in a healthcare application that handles PHI, you are solely responsible for your own HIPAA compliance. Your use of reference data from FHIRfly does not create a business associate relationship.

11.5 Incidental Exposure

If PHI is inadvertently submitted to the Service, we may delete it without notice and take other actions as described in our Terms of Service.


12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on our website
  • Updating the "Last Updated" date
  • Sending notice to your registered email for significant changes

Your continued use of the Service after changes constitutes acceptance of the updated policy.


13. Contact Us

For questions about this Privacy Policy or to exercise your privacy rights, contact us:

FHIRfly.io LLC
Email: admin@fhirfly.io
Phone: (816) 552-2628
Address: 30 N Gould St, Ste 60120, Sheridan, WY 82801