Privacy Policy

Last updated: April 14, 2026

Information we collect

We collect information you provide when creating an account (name, email, company, role, territory preferences), usage data (searches, saved filters, alert preferences, exports), and standard web analytics (page views, device type, referral source). We do not collect sensitive personal health information.

How we use your information

Your information is used to provide and improve the ProviderSignal service, send alert notifications and email digests you've configured, process payments through Stripe, and communicate product updates. We never sell your data to third parties.

Data sources

Provider data displayed in ProviderSignal comes from publicly available government sources: NPPES/NPI (CMS), state dental board records, CMS fee schedules, NPDB public use files, Census ACS, HRSA HPSA designations, and Grants.gov. This data is public record and does not contain protected health information (PHI).

Service providers we use

We share data with the following service providers to operate ProviderSignal. Each is contractually required to use your data only as needed to provide their service to us.

  • Supabase (database, authentication, file storage). Hosts your account, subscriptions, profile, saved searches, and the public provider data.
  • Stripe (payment processing). Handles your subscription, payment method, and invoices. We never see or store your full card details.
  • Resend (transactional email). Delivers email digests, trial notifications, password reset emails, and account notifications.
  • Cloudflare (hosting, CDN, bot protection). Serves the application, caches static assets, and screens login attempts via Turnstile.
  • Upstash (rate limiting). Tracks API request rates per user and IP address to enforce plan limits.
  • Mapbox (interactive maps). Renders the map view; receives geographic queries to display tiles.

We do not use third-party advertising networks, marketing pixels, or session replay tools.

Data security

All data is transmitted over HTTPS with HSTS enforced. Authentication tokens are stored in httpOnly secure cookies. Optional two-factor authentication (TOTP) is available in account settings. Database connections use connection pooling with least-privilege credentials and row-level security. We do not store credit card numbers; payment processing is handled entirely by Stripe.

How long we keep your data

We retain your account information and usage data for as long as your subscription is active. After cancellation:

  • Account profile, saved searches, API keys, and trial activity logs are deleted within 30 days unless you reactivate.
  • Subscription and payment records are retained by Stripe per their own retention policy (typically 7 years for tax compliance).
  • Email send logs are retained for 1 year for deliverability troubleshooting.
  • Anonymized, aggregate usage metrics may be retained indefinitely for product analysis. These cannot be linked back to you.

Your rights and choices

Depending on where you live, you may have additional rights regarding your personal information:

  • Access. Request a copy of the personal data we hold about you.
  • Correction. Update your name, email, company, and territory preferences directly in Settings. For other corrections, email support.
  • Deletion. Request that we delete your account and associated data. We complete deletion within 30 days. Some records may be retained where legally required (for example, billing records held by Stripe for tax compliance).
  • Portability (GDPR). Request your data in a machine-readable JSON format.
  • Opt out of sale (CCPA). We do not sell your personal data to third parties, so this right does not apply in practice. The data sharing with service providers listed above is not considered a sale under CCPA.
  • Non-discrimination (CCPA). Exercising any of these rights will not affect your service or pricing.

To exercise any of these rights, email support@providersignal.com from the email address associated with your account. We will respond within 30 days.

Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to active subscribers and announced on this page at least 30 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.

Contact

Questions about this policy or how we handle your data? Email support@providersignal.com. ProviderSignal is operated by Braman Analytics LLC.