Privacy Policy
Last updated: April 26, 2026
1. Introduction
CartoChrome ("we," "our," or "us") operates the website cartochrome.com and associated services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with the practices described here, please do not use the Service.
2. Information We Collect
We collect information in several ways depending on how you interact with the Service:
Account Information: When you create an account, we collect your name, email address, and a password hash. CartoChrome handles authentication directly via self-hosted Django session auth, with Google OAuth as an optional sign-in method (Google receives only the information you approve at sign-in). Healthcare providers who claim profiles may also provide their NPI number, practice details, and professional credentials.
Usage Data: We collect product analytics to understand and improve the Service, such as pages visited, route changes, feature usage, API performance, and aggregate map interactions. Where analytics could identify provider or facility views, the browser beacon is gated by your analytics consent. We do not use health-condition searches or score views for ad targeting.
Device and Browser Information: We collect standard technical information including IP address, browser type and version, operating system, device type, screen resolution, and referring URL. This information is used for analytics, security, and service optimization.
API Usage Data: If you use the CartoChrome API, we log API requests including endpoints accessed, request frequency, and response times for rate limiting, billing, and service monitoring.
Provider and Facility Contact Requests: If you ask to be contacted by a provider or facility, we collect routing contact details such as name, email, optional phone number, ZIP Code, preferred contact method, and consent. The public contact form is designed not to collect symptoms, diagnoses, insurance IDs, member numbers, or other medical details.
Reviews: Reviews are public only after moderation. We ask reviewers not to include personal medical, insurance, or ID details, and our submission flow blocks common PHI-like free text before publication.
Communications: If you contact us through our contact form, email, or other channels, we retain the content of those communications along with your contact information to respond to and resolve your inquiries.
3. How We Use Your Information
We use the information we collect for the following purposes:
Service Operation: To provide, maintain, and improve the Service, including computing Healthcare Access Scores, displaying provider profiles, rendering maps, and processing API requests.
Account Management: To create and manage your account, verify provider identities, process profile claims, and communicate account-related information.
Analytics and Improvement: To understand how users interact with the Service, identify usage patterns, diagnose technical issues, and develop new features. We use aggregated, anonymized analytics data for these purposes whenever possible.
Billing and Payments: To process payments for premium features, API subscriptions, and other paid services. Payment processing is handled by Stripe; we do not store credit card numbers on our servers.
Communications: To respond to your inquiries, send service-related notifications, and (with your consent) send marketing communications about new features, health data insights, or partnership opportunities. You can opt out of marketing emails at any time.
Security: To detect, prevent, and address fraud, abuse, security incidents, and technical issues.
Legal Compliance: To comply with applicable laws, regulations, and legal processes.
4. Public Data Sources
CartoChrome uses a free public source registry to compute Healthcare Access Scores and populate provider and facility profiles. These sources include CMS NPPES (National Provider Registry), CMS Hospital Compare, US Census Bureau, CDC PLACES, HRSA, and routing/reference data, among others.
This public data is not personal information that you provide to us. It is government-published data that we aggregate, analyze, and present in an accessible format. Healthcare providers whose information appears in these public registries may claim and manage their profiles through the Service.
6. Third-Party Services
We use the following third-party services that may process your data:
Google (OAuth sign-in, Analytics, and AdSense): If you choose to sign in with Google, Google provides your email address and basic profile information to CartoChrome under Google's OAuth terms. We also use Google Analytics 4 for site analytics and Google AdSense for ads in approved public content placements. See Google's privacy policy at policies.google.com/privacy. You can revoke OAuth access in your Google account settings and control ad personalization through Google's ad settings.
Stripe (Payments): Processes payments for premium features and API subscriptions. Stripe collects payment information directly. See Stripe's privacy policy at stripe.com/privacy.
Vercel (Hosting and Analytics): Hosts the frontend application and provides privacy-respecting web analytics. See Vercel's privacy policy at vercel.com/legal/privacy-policy.
Render (Backend Hosting): Hosts the Django API and PostgreSQL database. See Render's privacy policy at render.com/privacy.
Resend (Email): Sends transactional emails such as account confirmations, lead notifications, and billing receipts. See Resend's privacy policy at resend.com/legal/privacy-policy.
Sentry (Error Tracking): Monitors application errors and performance. May collect technical information about your browser and device when errors occur. See Sentry's privacy policy at sentry.io/privacy.
Mapbox, ipapi, and OpenStreetMap/Nominatim: Support map search, approximate location, and routing/geographic reference workflows. These providers may process technical request data when their services are used.
We do not sell your personal information to third parties. We do not share your personal information with third parties for their marketing purposes.
7. Data Retention
We retain your account information for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete your personal information within 30 days, except where we are required by law to retain certain records.
Usage data and analytics may be retained in aggregated, anonymized form for service improvement. Detailed API usage logs are kept only as long as needed for billing, rate limiting, troubleshooting, security, and legal obligations, then deleted, aggregated, or de-identified under the configured retention policy.
Provider, facility, and general contact request plaintext is minimized at ingest where production policy disables plaintext contact storage. Any remaining operational plaintext is retained for the configured window, currently 30 days in production, then redacted while privacy-preserving hashes remain for abuse prevention and deduplication.
Claimed provider profiles may retain publicly available information (sourced from NPPES and other government registries) even after a claim is released, as this data is public record.
8. Data Security
We implement appropriate technical and organizational measures to protect your information, including:
Encryption of data in transit using HTTPS/TLS.
Managed infrastructure and database providers supply storage-level protections where configured.
Access controls limit employee access to personal data on a need-to-know basis.
Passwords are stored as salted PBKDF2 hashes per Django's authentication framework, and API/widget credentials are stored as hashes rather than reusable plaintext secrets.
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
Access: You can request a copy of the personal information we hold about you.
Update: You can update your account information at any time through the Service.
Deletion: You can request deletion of your personal information by contacting us or deleting your account.
Portability: You can request your data in a machine-readable format.
Opt-Out: You can opt out of marketing communications at any time.
California residents have additional rights under the CCPA, including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale of personal information (note: we do not sell personal information).
To exercise these rights, contact us at privacy@cartochrome.com. We will respond within 30 days.
10. Children's Privacy
The Service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at privacy@cartochrome.com.
11. International Data Transfers
The Service is operated in the United States. If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your country. By using the Service, you consent to such transfers.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For registered users, we will also send an email notification for material changes. Your continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact Us
For questions or concerns about this Privacy Policy or our data practices, please contact us at: privacy@cartochrome.com. You may also reach us through our contact page at cartochrome.com/contact.