Privacy Policy
Last updated: May 2026
1. Overview
ProcedureRadar, a registered trade name of LocalLayer AI LLC (LocalLayer AI LLC d/b/a ProcedureRadar; "we," "us," or "our"), respects your privacy. This Privacy Policy explains what information we collect when you use procedureradar.com (the "Service"), how we use it, and what choices you have.
The short version: we do not collect personal health information, we do not require account creation for consumer use, and we do not sell your data.
2. Information We Collect
ProcedureRadar collects minimal data, limited to what is necessary to operate and improve the Service. We collect:
Via Google Analytics 4 (GA4): page views, device type and screen size, geographic region (city/state level, not street address), referral source, session duration, and pages visited. This data is aggregated and not linked to individual identities.
When you use the ProcedureRadar search bar, we record the procedure name and city name entered. This helps us understand which procedures and locations are most in-demand so we can prioritize data coverage. Search queries are not linked to personal identities.
Collected for rate limiting, security monitoring, and abuse prevention. IP addresses are not used for personal identification and are not shared with third parties except as required for security services (Cloudflare).
When you sign up for a price alert on a procedure or metro page, we collect your email address along with the procedure and metro you selected. We use a double opt-in process: you receive a confirmation email and must click the link inside it before any alert is activated. You can unsubscribe from any alert email at any time using the unsubscribe link in the email footer.
Business customers who subscribe to the paid API provide a company name, billing contact name, billing email, and payment information. Payment information is handled directly by Stripe; we do not store full payment card details. API account information is used only to operate the subscription and to communicate with the customer about the service.
3. Information We Do Not Collect
ProcedureRadar is designed to operate without collecting personal or sensitive data. We do not collect:
- Names or phone numbers (we do not collect names or phone numbers from any surface on the Service. We collect email addresses only on the limited surfaces described in Section 2: voluntary contact, price-alert sign-up, and B2B API account creation.)
- Health conditions, diagnoses, or medical history
- Insurance plan details, member IDs, or coverage information
- Social Security numbers, dates of birth, or government IDs
- Payment card numbers or bank account details on the consumer site (API clients provide billing information directly to Stripe; we do not store payment credentials)
- Biometric data, facial recognition data, or genetic information
4. How We Use Information
The limited data we collect is used exclusively for:
- Improving the Service by understanding which procedures, cities, and features are most used.
- Analyzing traffic patterns to optimize site performance and content priorities.
- Preventing abuse, detecting automated scraping, and maintaining security through rate limiting and bot detection.
- Generating aggregate, anonymized statistics for internal reporting (such as total monthly visitors and most-searched procedures).
We do not sell, rent, or share your data with advertisers or data brokers.
5. Cookies
ProcedureRadar uses a minimal set of cookies:
Sets first-party cookies for session tracking and distinguishing unique visitors. GA4 does not use third-party cookies. Data is processed in accordance with Google's data processing terms.
May set cookies for bot detection and security challenge completion. These are strictly functional and do not track user behavior across sites.
We do not use advertising cookies, retargeting pixels, or cross-site tracking technologies. You can disable cookies in your browser settings, though this may affect the functionality of security features.
ProcedureRadar will implement a cookie consent mechanism for visitors from the European Economic Area (EEA) and United Kingdom, in compliance with GDPR requirements. Until this mechanism is deployed, no non-essential cookies are set for visitors from those regions.
6. Third-Party Services
ProcedureRadar relies on the following third-party services to operate:
Each of these services has its own privacy policy. We encourage you to review their terms. We select service providers that maintain appropriate security standards and data protection practices.
7. Data Security
We implement multiple layers of security to protect the Service and any data processed through it:
- All data is transmitted over HTTPS with TLS encryption.
- Supabase Row-Level Security (RLS) is enabled on all database tables.
- No database credentials or API keys are exposed to client-side code.
- The source code repository is private. All environment variables are stored as encrypted secrets.
- Cloudflare WAF provides bot management, rate limiting, and DDoS mitigation.
No system is 100% secure. While we employ commercially reasonable measures to protect information processed through our Service, we cannot guarantee absolute security.
8. Data Retention
ProcedureRadar retains collected data for the following periods:
Retained for 14 months per Google's default retention policy. We do not extend this period.
Retained for 12 months for product improvement purposes, then automatically deleted.
Retained for 30 days for security and rate-limiting purposes, then automatically deleted.
Retained for the duration of the API client's subscription plus 90 days after termination, then deleted.
Retained for as long as the subscription is active. You can unsubscribe at any time via the link in any alert email; after unsubscribe, your email address is deleted from the subscription record within 30 days. Unconfirmed sign-ups (where you submitted an email but never clicked the confirmation link) are deleted after 7 days.
Retained indefinitely as part of our historical pricing archive. This is public data sourced from federally mandated files and does not contain personal information.
You may request deletion of any personal data we hold by contacting [email protected]. We will respond within 30 days.
8A. Email Communications
If you sign up for a price alert, we use a double opt-in process. You submit your email and we send a confirmation email. No alerts go out until you click the confirmation link. This means we never send unsolicited alerts to addresses we have not verified.
Every alert email includes a one-click unsubscribe link in the footer, plus our physical mailing address, in compliance with the CAN-SPAM Act. Clicking unsubscribe stops all further alerts to that email immediately.
We use Resend (resend.com) to deliver email. Resend is contractually bound by its own privacy and security terms; it processes email addresses only to send mail on our behalf and does not use them for any other purpose. We do not share email addresses with advertisers, data brokers, or any third party other than Resend for delivery.
9. HIPAA
ProcedureRadar does not collect, store, or process protected health information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA).
We are not a covered entity or business associate under HIPAA. All data published on ProcedureRadar is sourced from publicly available hospital Machine-Readable Files mandated by federal law (45 CFR Part 180). This data contains aggregate pricing information published by hospitals, not individual patient records.
No personal medical records, patient identifiers, insurance claims, or treatment histories are stored on or accessible through ProcedureRadar.
10. Children's Privacy
ProcedureRadar does not knowingly collect information from children under the age of 13. The Service is intended for adults researching healthcare pricing. If we become aware that we have inadvertently collected data from a child under 13, we will promptly delete that information. If you believe a child has provided us with personal information, please contact us at [email protected].
11. Your Rights
Because ProcedureRadar collects minimal personal data, most users have no personally identifiable information stored in our systems. However, you have the right to:
- Request confirmation of whether we hold any personal data about you.
- Request deletion of any personal data we may hold (such as an email address provided through voluntary contact).
- Opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.
To exercise any of these rights, contact [email protected]. We will respond within 30 days.
12. California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights regarding your personal information.
You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you.
You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
ProcedureRadar does not sell personal information to third parties. We do not share personal information for cross-context behavioral advertising. Therefore, there is no need to opt out of such sales or sharing.
We will not discriminate against you for exercising any of your CCPA rights.
To exercise any of these rights, contact [email protected]. We will verify your identity before processing your request and respond within 45 days.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be reflected by an updated "Last updated" date at the top of this page. We encourage you to review this page periodically. Your continued use of the Service after changes constitutes acceptance of the updated policy.
14. Contact
If you have questions about this Privacy Policy, contact us at: