Privacy Policy
Last updated: May 1, 2026
Introduction
Verzi ("Company," "we," "us," "our") operates the website api.healthcaredata.io, the dashboard at www.healthcaredata.io, and related API services (collectively, the "Services"). This Privacy Policy describes how we collect, use, disclose, and protect your information when you use our Services.
By using our Services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our Services.
Information We Collect
Account Information
When you sign up for an API key, we collect:
- Email address
- Full name
- Organization name
- Website URL
- Use case description (how you plan to use the API)
Automatically Collected Information
When you interact with our Services, we automatically collect:
- API Usage Data: Endpoints accessed, request timestamps, response codes, and query parameters
- IP Address: Your IP address at signup and when making API requests
- Rate Limiting Data: Daily request counts to enforce usage limits per your billing tier
Information We Do NOT Collect
- We do not collect Protected Health Information (PHI)
- We do not collect payment card numbers directly (handled by Stripe — see Third-Party Services below)
- We do not use cookies for tracking or advertising purposes
How We Use Your Information
We use the information we collect to:
- Provide the Services: Authenticate your API requests, enforce rate limits, and deliver data
- Manage Your Account: Process signups, manage billing tiers, and communicate about your account
- Prevent Abuse: Detect and prevent unauthorized access, rate limit abuse, and fraudulent signups (e.g., limiting signups per IP address)
- Improve the Services: Analyze aggregate API usage patterns to prioritize feature development and optimize performance
- Communicate: Send service-related notices such as maintenance alerts, billing updates, or policy changes
Data Retention
- Account Data: Retained as long as your account is active. If you request account deletion, we will delete your personal information within 30 days.
- API Usage Logs: Request logs are retained for 90 days for operational purposes, then aggregated into anonymized statistics.
- IP Signup Records: Retained for 30 days for abuse prevention, then deleted.
Third-Party Services
We use the following third-party services that may receive or process your data:
- Stripe — Payment processing. When you subscribe to a paid plan, Stripe collects and processes your payment information directly. We store only your Stripe customer ID and subscription status — never your card number.
- Amazon Web Services (AWS) — Database hosting (RDS), file storage (S3), and data pipeline infrastructure. Your API usage data is processed and stored on AWS servers in the US East (Virginia) region.
- Railway — API and dashboard hosting. All requests are processed through Railway's infrastructure.
- Google Maps API — Used to geocode healthcare facility addresses. This is a backend process — your personal data is not sent to Google.
Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:
- Service Providers: With the third-party services listed above, solely to provide and maintain the Services
- Legal Requirements: When required by law, regulation, legal process, or government request
- Protection of Rights: To protect the rights, property, or safety of Verzi, our users, or the public
- Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users
Data Security
We implement appropriate technical and organizational measures to protect your information:
- API keys are generated using cryptographically secure random values
- Database access is restricted to specific whitelisted IP addresses via security groups
- All data in transit is encrypted via TLS/HTTPS
- Database credentials are stored in AWS Secrets Manager
- We use parameterized queries to prevent SQL injection
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate personal information
- Deletion: Request deletion of your personal information and API key
- Data Portability: Request your data in a structured, machine-readable format
- Opt-Out: Opt out of non-essential communications
To exercise any of these rights, contact us at adrian@verzi.io.
California Privacy Rights (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell personal information)
- Not be discriminated against for exercising your privacy rights
International Users
Our Services are hosted in the United States. If you access our Services from outside the United States, your information will be transferred to and processed in the United States. By using our Services, you consent to this transfer.
Children's Privacy
Our Services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will delete it promptly.
Healthcare Data Disclaimer
The healthcare provider data served through our API is sourced from publicly available federal, state, academic, and commercial datasets. None of this data constitutes Protected Health Information (PHI) under HIPAA; it consists of provider-level facility, financial, and administrative records that the underlying source agencies have already released for public use. Our platform aggregates, normalizes, links, and serves this data — we do not create, receive, maintain, or transmit PHI on behalf of covered entities, and Verzi is not a HIPAA-covered entity or business associate.
The full per-source disclosure (license, restrictions, HIPAA classification, refresh cadence) is published as a separate document at /legal/data-disclosure (canonical Markdown: docs/DATA_DISCLOSURE.md). The live machine-readable catalog is at /sources. In the event of any conflict between this Privacy Policy and the Data Use & Disclosure Statement regarding data sourcing or HIPAA classification, that statement controls.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page and, for significant changes, by sending an email to the address associated with your account.
Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
- Email: adrian@verzi.io
- Phone: (+1) 801-721-5508
- Mail: Verzi, 32 West 200 South #555, Salt Lake City, UT 84101, United States