Privacy Policy

1. Introduction

CartoChrome ("we," "our," or "us") operates the website cartochrome.com and associated services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with the practices described here, please do not use the Service.

2. Information We Collect

We collect information in several ways depending on how you interact with the Service:

Account Information: When you create an account, we collect your name, email address, and authentication credentials (provided through our authentication provider, Clerk). Healthcare providers who claim profiles may also provide their NPI number, practice details, and professional credentials.

Usage Data: We automatically collect information about how you interact with the Service, including pages visited, search queries, map interactions, health scores viewed, and features used. This data helps us improve the Service and understand user needs.

Device and Browser Information: We collect standard technical information including IP address, browser type and version, operating system, device type, screen resolution, and referring URL. This information is used for analytics, security, and service optimization.

API Usage Data: If you use the CartoChrome API, we log API requests including endpoints accessed, request frequency, and response times for rate limiting, billing, and service monitoring.

Communications: If you contact us through our contact form, email, or other channels, we retain the content of those communications along with your contact information to respond to and resolve your inquiries.

3. How We Use Your Information

We use the information we collect for the following purposes:

Service Operation: To provide, maintain, and improve the Service, including computing health scores, displaying provider profiles, rendering maps, and processing API requests.

Account Management: To create and manage your account, verify provider identities, process profile claims, and communicate account-related information.

Analytics and Improvement: To understand how users interact with the Service, identify usage patterns, diagnose technical issues, and develop new features. We use aggregated, anonymized analytics data for these purposes whenever possible.

Billing and Payments: To process payments for premium features, API subscriptions, and other paid services. Payment processing is handled by Stripe; we do not store credit card numbers on our servers.

Communications: To respond to your inquiries, send service-related notifications, and (with your consent) send marketing communications about new features, health data insights, or partnership opportunities. You can opt out of marketing emails at any time.

Security: To detect, prevent, and address fraud, abuse, security incidents, and technical issues.

Legal Compliance: To comply with applicable laws, regulations, and legal processes.

4. Public Data Sources

CartoChrome uses 21 publicly available government data sources to compute health scores and populate provider and facility profiles. These sources include CMS NPPES (National Provider Registry), CMS Hospital Compare, US Census Bureau, CDC PLACES, and HRSA, among others.

This public data is not personal information that you provide to us. It is government-published data that we aggregate, analyze, and present in an accessible format. Healthcare providers whose information appears in these public registries may claim and manage their profiles through the Service.

5. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

Essential Cookies: Required for the Service to function, including session management, authentication state, and security tokens. These cannot be disabled.

Analytics Cookies: We use privacy-respecting analytics (Vercel Web Analytics) to understand Service usage. These tools collect aggregated, anonymized data and do not track individual users across websites.

Preference Cookies: To remember your settings, such as map view preferences, layer selections, and dismissed notifications.

You can control cookie settings through your browser. Disabling essential cookies may prevent the Service from functioning properly.

6. Third-Party Services

We use the following third-party services that may process your data:

Clerk (Authentication): Manages user authentication, including Google OAuth login. Clerk processes your email address and authentication tokens. See Clerk's privacy policy at clerk.com/legal/privacy.

Stripe (Payments): Processes payments for premium features and API subscriptions. Stripe collects payment information directly. See Stripe's privacy policy at stripe.com/privacy.

Vercel (Hosting and Analytics): Hosts the Service and provides web analytics. See Vercel's privacy policy at vercel.com/legal/privacy-policy.

Resend (Email): Sends transactional emails such as account confirmations and billing receipts. See Resend's privacy policy at resend.com/legal/privacy-policy.

Sentry (Error Tracking): Monitors application errors and performance. May collect technical information about your browser and device when errors occur. See Sentry's privacy policy at sentry.io/privacy.

We do not sell your personal information to third parties. We do not share your personal information with third parties for their marketing purposes.

7. Data Retention

We retain your account information for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete your personal information within 30 days, except where we are required by law to retain certain records.

Usage data and analytics are retained in aggregated, anonymized form indefinitely for service improvement purposes. API usage logs are retained for 90 days for billing and troubleshooting, then aggregated.

Claimed provider profiles may retain publicly available information (sourced from NPPES and other government registries) even after a claim is released, as this data is public record.

8. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

Encryption of data in transit using TLS 1.3. Encryption of sensitive data at rest. Regular security audits and vulnerability assessments. Access controls limiting employee access to personal data on a need-to-know basis. Secure authentication through Clerk with support for multi-factor authentication.

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

Access: You can request a copy of the personal information we hold about you. Update: You can update your account information at any time through the Service. Deletion: You can request deletion of your personal information by contacting us or deleting your account. Portability: You can request your data in a machine-readable format. Opt-Out: You can opt out of marketing communications at any time.

California residents have additional rights under the CCPA, including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale of personal information (note: we do not sell personal information).

To exercise these rights, contact us at privacy@cartochrome.com. We will respond within 30 days.

10. Children's Privacy

The Service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at privacy@cartochrome.com.

11. International Data Transfers

The Service is operated in the United States. If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your country. By using the Service, you consent to such transfers.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For registered users, we will also send an email notification for material changes. Your continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

For questions or concerns about this Privacy Policy or our data practices, please contact us at: privacy@cartochrome.com. You may also reach us through our contact page at cartochrome.com/contact.