Privacy Policy
Effective Date: February 22, 2026 · Last Updated: February 22, 2026
This policy is currently under review by legal counsel. The final policy will be published prior to product launch.
1. Introduction
Pidgeon Health (“Company,” “we,” “us,” or “our”) respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website (pidgeon.health), applications, and services (collectively, the “Services”).
2. Information We Collect
Information you provide:
- Account registration details (name, email address, organization)
- Waitlist signup information (email, name, role/title)
- Payment information (processed by Stripe; we do not store card details)
- Support requests and communications
- Configuration files, vendor profiles, and workflow definitions you create
Information collected automatically:
- Usage data (features used, frequency, error reports)
- Device and browser information (type, OS, screen resolution)
- IP address and approximate location
- Cookies and similar tracking technologies
Information we do NOT collect:
- Protected Health Information (PHI) — our Services are designed for synthetic and de-identified data
- The content of HL7, FHIR, or NCPDP messages processed locally via the CLI
3. How We Use Your Information
- To provide, maintain, and improve the Services
- To process transactions and manage subscriptions
- To communicate with you about updates, security alerts, and support
- To send marketing communications (with your consent; you can opt out at any time)
- To analyze usage patterns and improve user experience
- To detect, prevent, and address technical issues and security threats
- To comply with legal obligations
4. How We Share Your Information
We do not sell your personal information. We may share information with:
- Service providers: Hosting (Vercel), payment processing (Stripe), email services (Beehiiv), analytics — all bound by data processing agreements
- Legal requirements: When required by law, regulation, or legal process
- Business transfers: In connection with a merger, acquisition, or sale of assets
- With your consent: When you explicitly authorize sharing
5. Data Retention
We retain your information for as long as your account is active or as needed to provide Services. When you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., fraud prevention).
6. Data Security
We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS 1.2+), encryption at rest, access controls, and regular security assessments. However, no method of transmission or storage is 100% secure.
7. Cookies and Tracking
We use essential cookies for site functionality and optional analytics cookies to understand usage patterns. You can control cookie preferences through your browser settings. The Services function without optional cookies.
8. Your Rights
Depending on your location, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Object to or restrict processing
- Request data portability
- Withdraw consent at any time
California residents (CCPA): You have the right to know what personal information is collected, request deletion, and opt out of sale (we do not sell personal data). You will not be discriminated against for exercising these rights.
European residents (GDPR): Our legal basis for processing includes contract performance, legitimate interest, and consent. You may lodge a complaint with your local data protection authority.
9. Children's Privacy
The Services are not intended for individuals under 16 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will promptly delete it.
10. International Data Transfers
Your information may be processed in the United States. By using the Services, you consent to the transfer of your data to the U.S., where data protection laws may differ from your jurisdiction.
11. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email or prominent notice on the Services. The “Last Updated” date at the top reflects the most recent revision.
12. Contact Us
For questions about this Privacy Policy or to exercise your data rights, contact us at privacy@pidgeon.health.