Privacy Policy
Effective: April 27, 2026 · Last updated: April 27, 2026
Overview
ForThePatient.org is committed to protecting your privacy. This policy explains what information we collect, how we use it, and what rights you have. The short version: we collect almost nothing, we never sell data, and we never set third-party cookies.
ForThePatient.org is operated by a 501(c)(3) nonprofit corporation registered in the State of Georgia. Our mission is to provide transparent healthcare quality information, not to collect or monetize user data.
What We Collect
Information you provide
If you contact us by email or submit a score dispute, we collect the information you voluntarily include — such as your name, email address, and the content of your message. We use this information solely to respond to your inquiry and track dispute resolutions.
Information collected automatically
When you visit ForThePatient.org, we may collect the following through our privacy-respecting analytics tool:
- Page URLs visited
- Referring website (the page that linked you to us)
- Browser type and screen size (in aggregate)
- Country-level geographic location (derived from IP address, which is then discarded)
Through our analytics, we do not collect IP addresses, device fingerprints, or any other information that can identify you personally.
Geolocation
If you grant the Site location permission through your browser, we use your coordinates solely to center the map near your location. Your coordinates are sent to our database as part of a spatial query to find nearby facilities. We do not store, log, or associate your location with any identifier.
Analytics
When analytics are enabled, we use Plausible Analytics, a privacy-focused, open-source analytics tool that:
- Does not use cookies
- Does not collect personal data
- Does not track users across websites
- Does not create user profiles
- Is compliant with GDPR, CCPA, and PECR without requiring a cookie consent banner
Plausible processes all data in the EU. Aggregate, non-personal analytics data (such as total page views and referral sources) may be made publicly available on our Plausible dashboard.
If analytics have not yet been enabled, no analytics data is collected at all.
Cookies & Local Storage
ForThePatient.org does not set any third-party cookies. Ever.
We use the browser's localStorage to remember your theme preference (light or dark mode). This data is stored only on your device, is never transmitted to our servers, and can be cleared at any time through your browser settings.
We do not use tracking cookies, advertising cookies, or any cookie-based analytics.
Subprocessors
The following third-party services process data on our behalf when you use ForThePatient.org:
| Service | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Facility database and API | Facility search queries, spatial coordinates (from geolocation or map viewport), facility IDs viewed | United States |
| CARTO | Map tile rendering | Map tile requests containing viewport coordinates. CARTO may log IP addresses per their own privacy policy. | United States / EU |
| Plausible Analytics | Privacy-respecting analytics (when enabled) | Page URLs, referrer, browser type, country (no IP stored) | European Union |
| jsDelivr / unpkg | CDN for JavaScript libraries | Standard HTTP request headers (IP, User-Agent) | Global CDN |
We do not use Google Analytics, Facebook Pixel, or any advertising-related tracking service.
Data Sharing & Selling
We never sell your data. This is not a policy choice — it is a structural feature of our organization. As a 501(c)(3) nonprofit with zero industry funding, we have no financial incentive to collect, profile, or monetize user behavior.
We may disclose information if required to do so by law (such as in response to a valid subpoena or court order), or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, or investigate fraud.
Data Retention
Analytics data (when collected via Plausible) is retained in aggregate form indefinitely. No individual-level analytics data is collected or retained.
Dispute and contact correspondence is retained for as long as needed to resolve the inquiry, plus an additional 3 years for audit trail purposes, after which it is deleted.
We do not maintain server logs that contain IP addresses beyond the standard retention period of our hosting infrastructure (typically 30 days).
Your Rights Under GDPR
Although ForThePatient.org is a U.S.-based nonprofit and may not be strictly subject to the General Data Protection Regulation, we voluntarily extend GDPR-equivalent rights to all users regardless of location. If you are in the European Economic Area, you have the right to:
- Access — Request a copy of any personal data we hold about you.
- Rectification — Request correction of inaccurate personal data.
- Erasure — Request deletion of your personal data.
- Restriction — Request that we limit processing of your data.
- Portability — Request your data in a structured, machine-readable format.
- Objection — Object to processing of your data for specific purposes.
Because we collect minimal personal data (primarily only from voluntary contact or dispute submissions), these rights are most likely to apply to correspondence you have sent us. To exercise any of these rights, contact privacy@forthepatient.org.
Your Rights Under CCPA
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you specific rights regarding your personal information. We voluntarily extend these rights to all users:
- Right to Know — You may request that we disclose what personal information we have collected, the sources, the business purpose, and the categories of third parties with whom it has been shared.
- Right to Delete — You may request deletion of personal information we have collected from you.
- Right to Opt-Out of Sale — We do not sell personal information, so this right is satisfied by default.
- Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA rights.
To submit a CCPA request, contact privacy@forthepatient.org. We will respond within 45 days as required by law.
Children's Privacy
ForThePatient.org is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child under 13, please contact us and we will promptly delete it.
Security
We use HTTPS encryption for all connections to ForThePatient.org. Our database infrastructure is hosted on Supabase with row-level security enabled. API access is limited to read-only operations through an anonymous key that cannot modify data.
No system is perfectly secure. If you discover a security vulnerability, please report it to security@forthepatient.org.
Changes to This Policy
We may update this privacy policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.
Contact
For privacy-related questions or requests:
ForThePatient.org
Atlanta, Georgia
privacy@forthepatient.org