Privacy Policy
Last updated: April 2026
1. Overview
ProcedureRadar ("we," "us," or "our") respects your privacy. This Privacy Policy explains what information we collect when you use procedureradar.com (the "Service"), how we use it, and what choices you have.
The short version: we do not collect personal health information, we do not require account creation for consumer use, and we do not sell your data.
2. Information We Collect
ProcedureRadar collects minimal data, limited to what is necessary to operate and improve the Service. We collect:
Via Google Analytics 4 (GA4): page views, device type and screen size, geographic region (city/state level, not street address), referral source, session duration, and pages visited. This data is aggregated and not linked to individual identities.
When you use the ProcedureRadar search bar, we record the procedure name and city name entered. This helps us understand which procedures and locations are most in-demand so we can prioritize data coverage. Search queries are not linked to personal identities.
IP addresses are collected for rate limiting, security monitoring, and abuse prevention. IP addresses are not used for personal identification and are not shared with third parties except as required for security services (Cloudflare).
3. Information We Do Not Collect
ProcedureRadar is designed to operate without collecting personal or sensitive data. We do not collect:
- Names, email addresses, or phone numbers (unless you voluntarily contact us)
- Health conditions, diagnoses, or medical history
- Insurance plan details, member IDs, or coverage information
- Social Security numbers, dates of birth, or government IDs
- Payment card numbers or bank account details on the consumer site (API clients provide billing information directly to Stripe; we do not store payment credentials)
- Biometric data, facial recognition data, or genetic information
4. How We Use Information
The limited data we collect is used exclusively for:
- Improving the Service by understanding which procedures, cities, and features are most used.
- Analyzing traffic patterns to optimize site performance and content priorities.
- Preventing abuse, detecting automated scraping, and maintaining security through rate limiting and bot detection.
- Generating aggregate, anonymized statistics for internal reporting (such as total monthly visitors and most-searched procedures).
We do not sell, rent, or share your data with advertisers or data brokers.
5. Cookies
ProcedureRadar uses a minimal set of cookies:
Google Analytics 4 (GA4) sets first-party cookies for session tracking and distinguishing unique visitors. GA4 does not use third-party cookies. Data is processed in accordance with Google's data processing terms.
May set cookies for bot detection and security challenge completion. These are strictly functional and do not track user behavior across sites.
We do not use advertising cookies, retargeting pixels, or cross-site tracking technologies. You can disable cookies in your browser settings, though this may affect the functionality of security features.
ProcedureRadar will implement a cookie consent mechanism for visitors from the European Economic Area (EEA) and United Kingdom, in compliance with GDPR requirements. Until this mechanism is deployed, no non-essential cookies are set for visitors from those regions.
6. Third-Party Services
ProcedureRadar relies on the following third-party services to operate:
Each of these services has its own privacy policy. We encourage you to review their terms. We select service providers that maintain appropriate security standards and data protection practices.
7. Data Security
We implement multiple layers of security to protect the Service and any data processed through it:
- All data is transmitted over HTTPS with TLS encryption.
- Supabase Row-Level Security (RLS) is enabled on all database tables.
- No database credentials or API keys are exposed to client-side code.
- The source code repository is private. All environment variables are stored as encrypted secrets.
- Cloudflare WAF provides bot management, rate limiting, and DDoS mitigation.
No system is 100% secure. While we employ commercially reasonable measures to protect information processed through our Service, we cannot guarantee absolute security.
8. Data Retention
ProcedureRadar retains collected data for the following periods:
Retained for 14 months per Google's default retention policy. We do not extend this period.
Retained for 12 months for product improvement purposes, then automatically deleted.
Retained for 30 days for security and rate-limiting purposes, then automatically deleted.
Retained for the duration of the API client's subscription plus 90 days after termination, then deleted.
Retained indefinitely as part of our historical pricing archive. This is public data sourced from federally mandated files and does not contain personal information.
You may request deletion of any personal data we hold by contacting kevin@procedureradar.com. We will respond within 30 days.
9. HIPAA
ProcedureRadar does not collect, store, or process protected health information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA).
We are not a covered entity or business associate under HIPAA. All data published on ProcedureRadar is sourced from publicly available hospital Machine-Readable Files mandated by federal law (45 CFR Part 180). This data contains aggregate pricing information published by hospitals, not individual patient records.
No personal medical records, patient identifiers, insurance claims, or treatment histories are stored on or accessible through ProcedureRadar.
10. Children's Privacy
ProcedureRadar does not knowingly collect information from children under the age of 13. The Service is intended for adults researching healthcare pricing. If we become aware that we have inadvertently collected data from a child under 13, we will promptly delete that information. If you believe a child has provided us with personal information, please contact us at kevin@procedureradar.com.
11. Your Rights
Because ProcedureRadar collects minimal personal data, most users have no personally identifiable information stored in our systems. However, you have the right to:
- Request confirmation of whether we hold any personal data about you.
- Request deletion of any personal data we may hold (such as an email address provided through voluntary contact).
- Opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.
To exercise any of these rights, contact kevin@procedureradar.com. We will respond within 30 days.
12. California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights regarding your personal information.
You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you.
You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
ProcedureRadar does not sell personal information to third parties. We do not share personal information for cross-context behavioral advertising. Therefore, there is no need to opt out of such sales or sharing.
We will not discriminate against you for exercising any of your CCPA rights.
To exercise any of these rights, contact kevin@procedureradar.com. We will verify your identity before processing your request and respond within 45 days.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be reflected by an updated "Last updated" date at the top of this page. We encourage you to review this page periodically. Your continued use of the Service after changes constitutes acceptance of the updated policy.
14. Contact
If you have questions about this Privacy Policy, contact us at: