How we collect, use, and retain service data

Information we collect

Account data

We collect account information needed to operate the service: identifiers from our authentication provider, internal user records, and data you provide such as API key labels.

Billing data

Payments and subscriptions are processed by Stripe. Card numbers and core payment processing data stay with Stripe; we store subscription and customer references needed to enforce plan entitlements.

Provider data source

NPI lookup responses are derived from the public CMS NPPES NPI Registry. We do not assert independent verification beyond what that registry contains.

API request logging and usage

We log API requests to enforce quotas, debug issues, and improve reliability. Logs are associated with your account and API key identifiers as described in the product documentation.

Transactional email

Service emails are delivered via SendGrid (Twilio). Your email address is sent to SendGrid solely for the purpose of delivering transactional messages.

Analytics

We use Umami and Google Analytics on public pages and the dashboard to understand product usage, measure conversions, and improve the service.

Umami is cookieless and is not used for cross-context behavioral advertising. Google Analytics may set first-party cookies; you can opt out via Google's opt-out tool.

Cookies and session technology

Clerk sets authentication session cookies required to keep you signed in. Google Analytics may set first-party measurement cookies. Umami is cookieless. We do not use third-party advertising cookies.

How we use information

• Operate and maintain the service, including authentication and billing.
• Enforce usage quotas and prevent abuse.
• Send transactional emails such as billing receipts, quota warnings, and security alerts.
• Analyze aggregate usage patterns to improve product design and reliability.
• Comply with legal obligations.

Data sharing and sale

We do not sell personal information. We do not share personal information for cross-context behavioral advertising or targeted advertising purposes.

We share data only with service providers described in this policy, each acting as a processor under terms that restrict use of your data to providing the relevant service.

Data retention

• Request logs: retained for 30 days, then automatically deleted by a scheduled cleanup job.
• Cached lookup payloads: successful lookups are cached for up to 7 days; not-found entries for up to 24 hours. Cached entries may be served beyond TTL for up to 48 additional hours under stale-if-error grace.
• Usage counters: roll forward per billing period; no purge schedule is defined.
• Billing event logs and email notifications: append-only audit trails; no purge schedule is defined.

Your rights

You may request access to, correction of, or deletion of your personal data by contacting our support inbox (use the support form or Copy support email). We will respond within a reasonable timeframe.

Children's data

The service is not directed to children under 13. We do not knowingly collect personal information from children under 13.

US-only scope

All data processing and storage occurs within the United States. Hosting is provided by Vercel. Database hosting is provided by Neon in US Virginia.

Third-party processors

• Clerk - authentication and session management (Privacy policy)
• Stripe - payment processing and billing (Privacy policy)
• SendGrid - transactional email delivery (Privacy policy)
• Vercel - application hosting (Privacy policy)
• Neon - database hosting (Privacy policy)
• Umami - analytics (Privacy policy)
• Google Analytics - web analytics (Privacy policy)

Changes to this policy

We may update this privacy policy from time to time. Material changes will be reflected in the last-updated date at the top of this page. Continued use of the service after changes constitutes acceptance of the updated policy.

Contact

For privacy questions, data access requests, or deletion requests, use the support form or Copy support email.