Privacy Policy
Effective Date: January 15, 2026
Last Updated: January 15, 2026
FHIRfly.io LLC ("FHIRfly," "we," "us," or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, API platform, and related services (collectively, the "Service").
By using the Service, you consent to the practices described in this Privacy Policy.
1. Information We Collect
1.1 Information You Provide
Account Information:
- Email address (required for account creation)
- Name (optional)
- Organization name and details
Billing Information:
- Payment information is collected and processed by our payment processor, Stripe
- We do not store complete credit card numbers on our servers
Communications:
- Support requests and correspondence
- Feedback and survey responses
1.2 Information Collected Automatically
Usage Data:
- API request metadata (endpoints accessed, request timestamps, response codes)
- Request volume and patterns
- IP addresses
Important: We log request metadata for security, billing, and abuse prevention. We do not intentionally log request bodies or query parameters containing user data. You must not submit Protected Health Information (PHI) or other sensitive personal data in API requests. See Section 11 for details.
Device and Browser Information:
- Browser type and version
- Operating system
- Device identifiers
Analytics Data:
- Pages visited on our website
- Time spent on pages
- Referral sources
- Click patterns
1.3 Cookies and Similar Technologies
We use cookies and similar tracking technologies. See our Cookie Policy for details.
2. How We Use Your Information
We use the information we collect to:
2.1 Provide and Maintain the Service
- Process account registration and authentication
- Provide access to our APIs
- Process payments and manage subscriptions
- Send transactional emails (password resets, billing notifications)
2.2 Improve the Service
- Analyze usage patterns to improve performance
- Develop new features and functionality
- Monitor and prevent abuse
- Debug and troubleshoot issues
2.3 Enforce Policies
- Enforce rate limits and quotas
- Detect and prevent fraud or abuse
- Ensure compliance with our Terms of Service
2.4 Communicate With You
- Respond to support requests
- Send service announcements and updates
- Provide important notices about your account
2.5 Legal Compliance
- Comply with applicable laws and regulations
- Respond to legal requests and protect our rights
3. Information Sharing
We do not sell your personal information. We may share your information in the following circumstances:
3.1 Service Providers
We share information with third-party service providers who assist in operating our Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Billing information |
| Amazon Web Services | Cloud infrastructure | All data (encrypted) |
| MongoDB Atlas | Database hosting | Account and usage data |
| Upstash | Redis caching | Session and rate limit data |
| Google Analytics | Website analytics | Website usage data (pages visited, referrals, device info) |
3.2 Legal Requirements
We may disclose information if required by law, court order, or government request, or if we believe disclosure is necessary to:
- Comply with legal obligations
- Protect our rights or property
- Prevent fraud or security issues
- Protect the safety of users or the public
3.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.
3.4 With Your Consent
We may share information with your explicit consent.
4. Data Retention
We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy.
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion + 30 days |
| Usage logs | 90 days (detailed), 1 year (aggregated) |
| Billing records | 7 years (legal requirement) |
| Support correspondence | 3 years |
After account deletion, we may retain anonymized or aggregated data that cannot be used to identify you.
5. Data Security
We implement appropriate technical and organizational measures to protect your information:
- Encryption in transit: All data is transmitted over HTTPS/TLS
- Encryption at rest: Sensitive data is encrypted in our databases
- Access controls: Limited access on a need-to-know basis
- Authentication: Secure session management
- Credential protection: API keys and secrets are protected using industry-standard security practices
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
6. Your Rights and Choices
6.1 Access and Portability
You may access your account information through the dashboard. You may request a copy of your data by contacting us.
6.2 Correction
You may update your account information through the dashboard or by contacting us.
6.3 Deletion
You may request deletion of your account and associated data. Some data may be retained as required by law or for legitimate business purposes.
6.4 Opt-Out
- Marketing emails: Unsubscribe using the link in any marketing email
- Cookies: Manage through your browser settings (see Cookie Policy)
- Analytics: Use browser extensions like Google Analytics Opt-out
6.5 Do Not Track
Our website does not currently respond to "Do Not Track" (DNT) browser signals. This is because there is no universally accepted standard for how websites should respond to DNT signals, and the DNT specification has been deprecated by the W3C. We encourage users who wish to limit tracking to use the opt-out tools described above.
7. International Data Transfers
FHIRfly is based in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States.
Where required by applicable law, we use appropriate transfer mechanisms, which may include:
- Standard Contractual Clauses or similar approved mechanisms
- Your consent provided through your use of the Service
By using the Service, you consent to the transfer of your information to the United States.
8. Children's Privacy
The Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
9. California Privacy Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request information about data collection and sharing
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of the sale of personal information (we do not sell personal information)
- Non-Discrimination: We will not discriminate against you for exercising these rights
How to Submit a Request
To exercise your California privacy rights:
- Email us at admin@fhirfly.io with the subject line "California Privacy Request"
- Include your name and the email address associated with your account
- Specify which right(s) you wish to exercise
We will verify your identity by matching the information you provide with our records. We will respond within 45 days, or notify you if we need additional time (up to 90 days total).
An authorized agent may submit a request on your behalf with written permission.
10. European Privacy Rights
If you are located in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):
- Access: Request a copy of your personal data
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data
- Restriction: Request limitation of processing
- Portability: Receive your data in a machine-readable format
- Objection: Object to processing based on legitimate interests
Legal Basis for Processing:
| Processing Activity | Legal Basis |
|---|---|
| Account management | Contract performance |
| Payment processing | Contract performance |
| Service improvement | Legitimate interest |
| Security and fraud prevention | Legitimate interest |
| Legal compliance | Legal obligation |
| Marketing communications | Consent |
To exercise your rights or lodge a complaint with a supervisory authority, contact us at admin@fhirfly.io.
11. Healthcare Data Clarification
11.1 Service Not Designed for PHI
The Service is not designed, intended, or authorized for the storage, processing, or transmission of Protected Health Information ("PHI") as defined under HIPAA. We provide healthcare reference data only—not patient data, medical records, or individually identifiable health information.
11.2 Do Not Submit PHI
You must not submit PHI through the Service, including in API requests, query parameters, headers, or any other form. This includes patient names, medical record numbers, Social Security numbers, or any individually identifiable health information.
11.3 No Business Associate Agreement
We do not offer a Business Associate Agreement ("BAA"). FHIRfly is not a HIPAA-covered entity or business associate with respect to the Service.
11.4 Your Compliance Responsibility
If you use FHIRfly's APIs in a healthcare application that handles PHI, you are solely responsible for your own HIPAA compliance. Your use of reference data from FHIRfly does not create a business associate relationship.
11.5 Incidental Exposure
If PHI is inadvertently submitted to the Service, we may delete it without notice and take other actions as described in our Terms of Service.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on our website
- Updating the "Last Updated" date
- Sending notice to your registered email for significant changes
Your continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact Us
For questions about this Privacy Policy or to exercise your privacy rights, contact us:
FHIRfly.io LLC
Email: admin@fhirfly.io
Phone: (816) 552-2628
Address: 30 N Gould St, Ste 60120, Sheridan, WY 82801