Privacy policy

Last updated: March 6, 2026

This policy explains what information we collect, why we collect it, and how you can control it. We wrote it in plain language on purpose.

1. Information we collect

Information you provide directly

When you create an account, send an inquiry to a provider, leave a review, or contact us, you may share:

  • Account information: your name, email address, and password (managed securely through our authentication provider, Clerk)
  • Inquiries: messages you send to healthcare providers through our platform
  • Reviews: ratings and written feedback you leave about providers
  • Profile preferences: notification settings, saved providers, and search preferences
  • Smart Match responses: health concerns, preferences, and location data you share when using our provider matching tool
  • Communication: anything you share when you contact our support team

Information from providers

If you're a healthcare provider claiming or managing a profile, we also collect:

  • Professional details: your NPI number, license information, education, specialties, and practice locations
  • Verification data: information used to confirm your identity, such as your practice email domain or phone number
  • Billing information: payment details processed securely through Stripe (we never store your full card number)
  • Practice information: office hours, accepted insurance, services offered, and pricing you choose to share

Information collected automatically

When you use FindClarity, we automatically collect certain technical information:

  • Usage data: pages you visit, searches you run, providers you view, and features you interact with
  • Device information: browser type, operating system, screen resolution, and general device category
  • Log data: IP address (hashed for analytics, never stored in plain text; hashed IPs are retained for up to 90 days before being purged with analytics data), timestamps, and referring URLs
  • Performance data: page load times and error reports used to diagnose and fix issues

Information from public sources

To build accurate provider profiles, we gather publicly available data from sources including:

  • The National Plan and Provider Enumeration System (NPPES/NPI Registry)
  • State licensing boards
  • Public business listings and directories
  • CMS and other government healthcare databases

2. How we use your information

We use the information we collect to:

  • Run the platform: power search results, display provider profiles, and deliver the core FindClarity experience
  • Connect patients and providers: deliver inquiries, facilitate reviews, and enable direct communication
  • Improve accuracy: verify provider information, enrich profiles with public data, and keep listings current
  • Generate AI-enhanced content: create provider bios, Vibe Tags, and other profile enhancements using AI models (see our Terms of Service for details on AI-generated content)
  • Personalize your experience: remember your preferences, saved providers, and recent searches
  • Send notifications: inquiry responses, review alerts, and account updates (you can opt out anytime)
  • Process payments: handle subscriptions and billing for provider accounts
  • Maintain security: detect fraud, prevent abuse, and protect our community
  • Improve the product: understand how people use FindClarity so we can make it better

We do not sell your personal information. We do not use your health-related searches or provider interactions to build advertising profiles.

3. When we share information

We share your information only in these specific situations:

  • With providers you contact: when you send an inquiry, the provider receives your name, email, and message so they can respond to you
  • Service providers: we work with trusted companies that help us operate FindClarity (listed below). They only access data needed to perform their specific function
  • Legal requirements: if required by law, subpoena, or court order, or to protect the safety of our users and the public
  • Business transfers: if FindClarity is acquired or merged, your information may transfer to the new owner. We'd notify you before that happens

Our service providers

Provider | Purpose | Data shared | Location
Clerk | Authentication and account management | Name, email, auth tokens | United States
Stripe | Payment processing | Billing info, subscription data | United States
OpenAI | AI content generation (bios, Vibe Tags, guides) | Public provider data, review text | United States
Anthropic | AI content generation (bios, first-visit guides) | Public provider data | United States
SerpApi | Search enrichment, provider data aggregation | Provider names, locations | United States
Resend | Email notifications | Email addresses, message content | United States
Infobip | SMS notifications | Phone numbers, message content | EU / United States
Cloudflare | Content delivery, security, image storage | Page requests, uploaded images | Global (edge network)
Sentry | Error monitoring and performance tracking | Error logs, device info | United States
Hetzner | Server hosting | All platform data (primary infrastructure) | United States

Each provider operates under their own privacy policy and is contractually obligated to protect your data.

4. Cookies and tracking

We use cookies and similar technologies to keep you signed in, remember your preferences, and understand how people use FindClarity.

  • Essential cookies: required for authentication, security, and basic functionality. These can't be disabled without breaking the site.
  • Analytics cookies: help us understand traffic patterns and usage. We use privacy-respecting analytics that don't build cross-site profiles.

We do not use third-party advertising cookies or trackers. We don't participate in ad networks, and we don't allow third parties to place tracking pixels on our pages.

5. Data retention

We keep your data only as long as it serves a clear purpose:

  • Active accounts: retained while your account is active, plus a reasonable period after closure to handle any outstanding issues
  • Inquiries and reviews: retained for the lifetime of the associated provider profile, unless you request deletion
  • Analytics data: aggregated and anonymized within 90 days
  • Hashed IP addresses: purged with analytics data after 90 days
  • Server logs: automatically purged after 30 days
  • Billing records: retained as required by tax and financial regulations (typically 7 years)

6. Your rights and choices

You have control over your information. Depending on where you live, your rights may include:

  • Access: request a copy of the personal information we hold about you
  • Correction: update or fix inaccurate information
  • Deletion: ask us to delete your account and personal data
  • Portability: receive your data in a structured, machine-readable format
  • Opt out of communications: unsubscribe from emails or SMS at any time through your account settings or the links in our messages

To exercise any of these rights, email us at [email protected] or use the contact form. We'll respond within 30 days (extendable by up to 60 additional days for complex requests, with prior notice).

California residents (CCPA/CPRA)

If you're a California resident, you have rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

Your rights

  • Right to know: request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties we share it with
  • Right to delete: request deletion of your personal information, subject to certain exceptions
  • Right to correct: request correction of inaccurate personal information
  • Right to opt out: opt out of the “sale” or “sharing” of personal information
  • Right to limit: limit the use of sensitive personal information
  • Non-discrimination: we will not discriminate against you for exercising your privacy rights

We do not sell or share your personal information

FindClarity does not sell your personal information as defined by the CCPA/CPRA. We do not share personal information with third parties for cross-context behavioral advertising purposes.

Categories of personal information collected

In the preceding 12 months, we have collected the following categories of personal information:

  • Identifiers (name, email, IP address hash)
  • Internet activity (search queries, pages viewed, provider interactions)
  • Geolocation data (approximate, based on IP or user-provided location)
  • Professional information (for providers: NPI, license data, credentials)
  • Financial information (for providers: billing data processed by Stripe)

These categories are disclosed to service providers listed above for the business purposes described in Section 2. We have not sold any personal information in the preceding 12 months.

Sensitive personal information

Health-related search queries and Smart Match responses may constitute sensitive personal information under the CPRA. We use this information only to provide the search and matching services you request. We do not use sensitive personal information for purposes beyond what is necessary to provide the services.

How to submit a request

You or your authorized agent may submit a verifiable consumer request by emailing [email protected] or using our contact form. We will verify your identity before fulfilling your request. If you use an authorized agent, we may require written proof of authorization.

European residents (GDPR)

If you're located in the European Economic Area (EEA), UK, or Switzerland, we process your personal data under the following legal bases:

Processing activity | Legal basis (Art. 6)
Account creation, authentication | Contract performance
Delivering inquiries to providers | Contract performance
Processing payments | Contract performance
Provider profile enrichment (public data) | Legitimate interests (accurate directory)
AI content generation for profiles | Legitimate interests (platform quality)
Analytics and usage tracking | Legitimate interests (service improvement)
Email and SMS notifications | Consent (opt-in) / Contract performance (transactional)
Error monitoring (Sentry) | Legitimate interests (service reliability)
Security and fraud prevention | Legitimate interests (platform security)

Your GDPR rights

In addition to the general rights listed above, EEA residents have the right to:

  • Object to processing based on legitimate interests
  • Restrict processing in certain circumstances
  • Withdraw consent at any time for consent-based processing
  • Lodge a complaint with your local data protection authority

We respond to data subject requests within 30 days. This period may be extended by up to 60 additional days for complex requests, in which case we will notify you of the extension within the initial 30-day period.

EU representative

As FindClarity is operated from the United States, we are in the process of designating an EU representative under GDPR Article 27. Until an EU representative is formally appointed, all data protection inquiries from EEA residents can be directed to [email protected].

7. Data security

We take reasonable technical and organizational measures to protect your information, including:

  • Encryption in transit (TLS/HTTPS on all connections)
  • Encryption at rest for sensitive data
  • Hashed IP addresses (never stored in plain text)
  • Secure authentication through Clerk with support for multi-factor authentication
  • Regular security monitoring and error tracking
  • Access controls that limit employee access to personal data on a need-to-know basis

Breach notification

If we discover a breach that affects your personal information, we will:

  • Notify affected individuals without unreasonable delay, and within the timeframes required by applicable state laws (typically 30-60 days)
  • For breaches involving EEA residents, notify the relevant supervisory authority within 72 hours where required by GDPR
  • Provide details about the nature of the breach, the categories of data affected, likely consequences, and the measures taken or proposed to mitigate the impact
  • Include contact information for follow-up questions

8. Children's privacy

FindClarity is not designed for children under 13. We don't knowingly collect personal information from anyone under 13. If you believe a child has provided us with personal information, please contact us and we'll promptly delete it.

9. International data transfers

FindClarity's primary infrastructure is hosted in the United States (Hetzner, Hillsboro, Oregon). If you access FindClarity from outside the United States, your data will be transferred to and processed in the United States.

For data transferred from the EEA, UK, or Switzerland, we rely on:

  • The EU-U.S. Data Privacy Framework (where applicable)
  • Standard Contractual Clauses (SCCs) where the Data Privacy Framework does not apply

Our sub-processors that handle EEA personal data are listed in the service provider table above with their processing locations.

10. Changes to this policy

We may update this privacy policy from time to time. When we make material changes, we'll update the “Last updated” date at the top and notify you through a banner on our site or an email to your account. Your continued use of FindClarity after changes take effect means you accept the updated policy.

11. Contact us

If you have questions about this privacy policy, how we handle your data, or want to exercise any of your rights, reach out:

We'll get back to you within 30 days.