Privacy Policy
Last updated: March 14, 2026
1. Introduction
ARXIO Health ("we," "us," or "our") is committed to protecting the privacy of our users and their patients. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our clinical decision support API services.
2. Information We Collect
Account Information: When you register for an API key, we collect your email address, organization name, and billing information.
API Usage Data: We log request metadata including timestamps, endpoint paths, response codes, and latency metrics. We do not store request bodies or patient health information (PHI) beyond the duration of the API request.
Technical Data: We collect IP addresses, user agent strings, and TLS versions for security monitoring and rate limiting.
3. How We Use Information
- To authenticate and authorize API requests
- To process billing and manage subscriptions
- To monitor service health and enforce rate limits
- To send essential service notifications (outages, security alerts, breaking changes)
- To improve our API endpoints and clinical datasets
4. Data Retention
API request/response payloads are processed in-memory and never persisted to disk. Account information is retained for the duration of your subscription plus 30 days after cancellation. Usage analytics are retained in aggregated form for up to 12 months.
5. HIPAA Considerations
ARXIO Health is designed to minimize PHI exposure. API payloads containing clinical data are processed transiently and not stored. Enterprise customers may execute a Business Associate Agreement (BAA) for HIPAA-covered workflows. See our HIPAA Compliance page for details.
6. Third-Party Services
We use the following third-party processors:
- Stripe — Payment processing and subscription management
- Railway — Infrastructure hosting (SOC 2 Type II certified)
- Cloudflare — DNS, DDoS protection, and edge caching
7. Data Security
All API communications are encrypted via TLS 1.3. API keys are hashed using SHA-256 before storage. We perform regular security audits and vulnerability assessments of our infrastructure.
8. Your Rights
You have the right to:
- Access and export your account and usage data
- Request deletion of your account and associated data
- Opt out of non-essential communications
- Request a copy of our data processing records
9. Contact
For privacy-related inquiries, contact us at [email protected].