Flexpa
Developer PortalFeedbackContact usSandbox

Guides

  • Home
  • Quickstart
  • Claims data guide
  • Financial data guide

Network

  • Network guide
  • Directory

Consent

  • Consent SDK
  • Usage patterns
  • Patient access

Records

  • FHIR API
  • Data Sheet
  • Node SDK
  • SMART Health Links API
  • Terminology

Misc

  • Changelog
  • Support
    • Privacy & Security Notice
    • Security
    • Terms of Service
    • Business Associate Agreement
    • Service Agreement
  • Flexpa OS
  • We're hiring

Privacy & Security Notice

Last Updated October 29, 2025

This Privacy & Security Notice explains how Flexpa USA, Inc. (“Flexpa,” “we,” “us,” or “our”) handles your Personal Information, including Individually Identifiable Information (together, “Personal Information”) when you use our website, API, online services, or customer application. These are collectively called the “Flexpa Platform” We are committed to protecting your privacy and managing your information responsibly. This Privacy & Security Notice details what information we collect, how we obtain and use it, when we share it, and your rights and choices regarding it.

This Privacy & Security Notice is part of the Flexpa Terms of Service and Services Agreement (“Flexpa Agreements”). Any terms not defined here will have the same meaning as in the Flexpa Agreements.

By using the Flexpa Platform, you agree to our data practices as outlined in this Privacy & Security Notice. If you disagree, please do not use our services. We encourage you to read the Privacy & Security Notice carefully.

Flexpa is not a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In some cases, we may act as a “business associate” to our covered entity customers, such as a health plan, health care provider, or health care clearinghouse.

This Privacy & Security Notice does not apply to the extent we process information in the role of a processor, business associate, or service provider on behalf of our customers (for example, on behalf of your health care provider). This information includes, for example, your provider’s referral data, your insurance membership information, or other data that our customers provide to us about you to help connect you to us. In that context, our customers are the data controllers and their privacy policies and/or notice of privacy practices will apply to the processing of your Personal Information. We are not responsible for the privacy or data security practices of our customers, which may differ from those explained in this Privacy & Security Notice.

Flexpa does not engage in the practice of medicine or provide medical advice, diagnosis, or treatment. Any information or interactions made available through Flexpa Platform is for general administrative, informational and educational purposes only and should not be relied upon as a substitute for professional medical advice, diagnosis, or treatment. You should consult a qualified healthcare professional for any medical concerns.

#1. Your Responsibilities

Under the Flexpa Agreements and by using the Flexpa Platform, End Users must comply with all applicable data protection, privacy, and security laws. These laws apply to the transmission of your Personal Information to Flexpa. You acknowledge and agree that you shall be responsible for:

  • The accuracy, quality, and legality of any information, including any user content;

  • Complying with all laws on collecting and using user content. This includes obtaining any required consents and authorizations.

  • Having the right to transfer, or provide access to, the user content to Flexpa. This is for providing the Flexpa Platform under the Flexpa Agreements.

#2. What We Mean by Personal Information

In this Privacy & Security Notice, “Personal Information” includes both Personal Identifiable Information and Personal Health Information.

“Personal Identifiable Information” is data that identifies a person either directly or when combined with other information. Personal Information includes names, addresses, emails, phone numbers, and social security numbers.

“Personal Health Information” is Personal Identifiable Information related to your health, health care services, or payment for healthcare that is not covered by HIPAA. It may be created or received by your healthcare providers or plans or provided directly from you. Examples are names, addresses, phone numbers, diagnosis information, intake information, treatment plans, health insurance information, Medicare numbers, and financial details.

This Privacy & Security Notice does not cover data that does not identify you, such as anonymized or de-identified data. We can create or extract such anonymized or de-identified data from our databases and use it for any lawful purpose.

#3. What Information We Collect About You

We collect information about you when you provide it to us, when you use our Flexpa Platform, and when other sources provide it to us, as further described below.

Information that is necessary for the use of Flexpa and its Platform

We ask for and collect the following Personal Information about you when you use the Flexpa Platform, including transferring any such information to a third party to facilitate the use of the Flexpa Platform. This information is necessary for us to deliver the services to you and for us to comply with the law. If you choose not to provide this information, we cannot provide you with access to the Flexpa Platform.

  • Account Information. When you sign up for a Flexpa account, we require certain information such as your first name, last name, telephone number, and email address.
  • Personal Health Information. When you use Flexpa to link your Personal Health Information from a health care provider or a health plan to a third-party application, you will be asked to share your Personal Health Information with Flexpa. To operate the Online Service and to increase service reliability, Flexpa requires you to allow storage of your Personal Health Information on Flexpa’s data servers.
  • User Content. This consists of all text, documents, or other content or information uploaded, entered, or otherwise transmitted by you in connection with your use of the Flexpa Platform.
  • Communications. If you contact us directly, we may receive additional information about you, such as your name, email address, phone number, the contents of a message or attachments that you may send to us, and other information you choose to provide.

Information you choose to provide to us

You may provide us with more Personal Information at any time. We will use this information to improve your experience with the Flexpa Platform. We will process this additional information consistent with our legitimate interest or your consent. You may also provide us information when you: fill in a form, update your account, respond to surveys, post on forums, join promotions, communicate with support, or use other features of the Flexpa Platform.

Information we collect automatically when you use the Flexpa Platform

When you use the Flexpa Platform, we automatically collect certain information about your use We collect the following information to ensure that we provide you with the best available experience using the Flexpa Platform, we are able to improve functionalities, and we are able to comply with our legal obligations:

  • Usage Information. We collect information about your interactions with the Flexpa Platform such as the pages or content you view, your searches, and communications.
  • Prompts and Outputs. Flexpa Platform allows you to submit text, audio, images, video, documents, and other materials to the Services (“Prompts”), which generate responses based on your Prompts (“Outputs”). We will collect any information you choose to provide in your Prompts and this information may be reproduced in the Outputs.
  • Log Data and Device Information. We automatically collect log data and device information when you access and use the Flexpa Platform, even if you have not created an account or logged in. That information includes, among other things: details about your use of the Flexpa Platform, including clicking links to third-party apps), your IP address, access dates and times, and hardware and software information. It also includes device info, device event info, unique identifiers, crash data, cookie data, and the pages you interacted with.
  • Cookies and Similar Technologies. We use server logs, cookies, tracking pixels, and other similar technologies. to offer you a more tailored experience in the future, by understanding and remembering your particular browsing preferences. Cookies are small text files placed on your computer or mobile device when you visit a site. They let us: (i) recognize your device; (ii) store your preferences; (iii) track the web pages you’ve visited on the Flexpa Platform; (iv) improve your experience by delivering and measuring tailored content; (v) perform searches and analytics; and (vi) assist with security or administrative tasks.
  • Most browsers are automatically set to accept cookies whenever you visit a website. You can disable cookies or change your cookie settings. If you are based in Europe, visit www.youronlinechoices.eu for more details about cookies. If you are in the US, visit to www.aboutads.info/choices/ for more information. To change your settings, visit www.allaboutcookies.org/manage-cookies. If you disable cookies that are necessary or essential, you will not be able to access all parts of the Flexpa Platform and it may not operate as expected. Disabling cookies that remember your preferences or analytics, will prohibit us from providing you with relevant information.
  • Analytics. We may share your Personal Information with third-party analytics providers to monitor and analyze how you are using the Flexpa Platform. The analytics providers track and report website traffic and use this information to monitor the use of the Flexpa Platform. Visit allaboutcookies.org/manage-cookies to update your settings or opt out of third-party cookies.

Information we receive from third parties in connection with the Flexpa Platform

Please note that we use certain third-party service providers and business partners on the Flexpa Platform to enhance your experience or deliver certain services. Such third parties include the Flexpa Client or Customer that interacts directly with the End User. These third parties may collect Personal Information in performing their services and/or functions on the Flexpa Platform.

#4. How We Use Your Information

We use your information for various purposes depending on the types of information we have collected from and about you, in order to:

  • Respond to your requests
  • To train, develop, and improve the artificial intelligence, machine learning, and models that we use to support Flexpa and Flexpa Platform
  • Provide you with more effective and efficient service
  • Contact you by email, postal mail, or phone regarding Flexpa and the Flexpa Platform
  • Customize your content
  • Secure our Flexpa Platform and resolve technical issues being reported
  • Help us better understand your interests and needs, and improve the Flexpa Platform, including through research and reports, and test, improve, and create new products, features, and services. We test and analyze certain new features with some users before rolling the feature out to all users. Any user test of new Flexpa features will be done with the express consent of the user and may be governed by additional agreements related to the user test.
  • To allow access to third party services’ accounts at your direction and consent.
  • For our business purposes we have a legitimate interest, when we:
  • Operate the Flexpa Platform, including by storing any information on Flexpa servers or by transferring any information to necessary third parties to enable us to provide and operate the Flexpa Platform
  • Apply information security policies and controls on the Flexpa Platform, including overall integrity, identity management and account authentication
  • For research and development to improve Flexpa’s Services
  • Investigate and prevent fraudulent transactions or unauthorized access to the Flexpa Platform
  • Comply with any procedures, laws, and regulations which apply to us where it is necessary for our legitimate interests or the legitimate interests of others
  • Establish, exercise, or defend our legal rights where it is necessary for our legitimate interests or the legitimate interests of others
  • For other purposes for which we obtain your consent

We may anonymize and de-identify aggregate information collected through the Flexpa Platform so that such information does not identify you as the source of the information. We may use such information to improve the Flexpa Platform, by and through any third-party we use to integrate Flexpa Platform with the users’ database, for research.

#5. Data Subject Rights and Your Choices

We will only access, use, exchange, or disclose your Personal Information if you have provided your express, documented consent to the Privacy and Security Notice, except where disclosure is required by law.

When you share information with us, the Personal Information that you share may have an impact on others. For example, if you share Personal Health Information related to genetic or family history, this may have an impact on your family members.

You have certain rights with respect to your information as further described in this section.

If you would like further information in relation to your legal rights under applicable law or would like to exercise any of them, please contact us using the information in the “Contact Information” at Section 14. You have the following rights with respect to your Personal Information

  • You have the right to request we provide access to and/or a copy of certain information we hold about you in a machine-readable format
  • You have the right to prevent the processing of your information for direct-marketing purposes.
  • You have the right to have us update information which is out of date or incorrect.
  • You have the right to delete your information, to the extent technically feasible and not prohibited by law.
  • You have the right to restrict the way that we process and disclose certain of your information.
  • You have a right to be notified if your information is reasonably believed to have been affected by a security incident.
  • You have the right to withdraw your consent at any time where we rely on your consent as the basis to process or use your Personal Information.

You also have the right to opt out of certain disclosures, such as having your information shared through the TEFCA Exchange, which is Trusted Exchange Framework and Common Agreement.

There are several ways that you can control your Personal Information

  • You may change your personal account information by updating your health insurance account page
  • You may request deletion of your account by contacting us at privacy@flexpa.com
  • You may request the rights listed above by contacting us at privacy@flexpa.com

Users in certain jurisdictions may have additional rights regarding control of their Personal Information.

Please note that we may ask you to verify your identity before responding to such requests. We will consider all requests and provide our response within the time period stated by applicable law. Please note, however, that certain information may be exempt from such requests in some circumstances, which may include if we need to keep processing your information for our legitimate interests or to comply with a legal obligation. We may request you provide us with information necessary to confirm your identity before responding to your request.

#6. Third-Party Links

The Flexpa Platform contain links to third-party websites. If you choose to use these sites or features, you may disclose your information not just to those third-parties, but also to their users and the public more generally depending on how their services function. We are not responsible for the content or practices of those websites or services. The collection, use, and disclosure of your information will be subject to the privacy policies of the third-party websites or services, and not this Privacy & Security Notice. We urge you to read the privacy and security policies of these third-parties.

#7. Data Security

We use commercially reasonable administrative, technical, and physical measures to safeguard your information in our possession against loss, theft and unauthorized use, disclosure or modification. While we implement safeguards designed to protect your information, no security system is impenetrable and due to the inherent nature of the Internet, we cannot guarantee that information, during transmission through the Internet or while stored on our systems or otherwise in our care, is absolutely safe from intrusion by others. We encrypt all Personal Information that we hold, both while it is being transmitted and while it is stored (i.e., in transit and at rest), whether or not such data qualifies as TEFCA Information. In the unlikely event of a data breach involving your Personal Information, you will be notified as soon as reasonably possible, in accordance with applicable law. Furthermore, we are not responsible for any breach of security or for any actions of any third parties that receive the information.

We are required to act at all times in conformance with this Notice and to use commercially reasonable efforts to protect the security of the Personal Information we hold in accordance with the applicable Framework Agreement (Participant or Subparticipant Terms of Participation in TEFCA). Our obligations under this Notice remain in effect for as long as we maintain your information.

#8. Data Retention

We keep your information for no longer than necessary for the purposes for which it is processed. The length of time for which we retain information depends on the purposes for which we collected and use it and/or as required to comply with applicable law.

We reserve the right to retain any Personal Information as long as the Personal Information are needed to: (i) fulfill the purposes that are described in Section 4 and (ii) comply with applicable law.

If your account is deleted or terminated, your Personal Information will be deleted within 45 days from termination or request for deletion. Once this time period has expired, we will delete your data in its entirety, except as to the extent necessary to comply with applicable law. If your account is dormant without activity for over a year, your Personal Information will be deleted within 45 days from the one-year dormant period in its entirety, except as to the extent necessary to comply with applicable law.

#9. Sharing of Information

In certain circumstances, we share Personal Information with third parties where disclosure is necessary in connection with the delivery and offering of the Flexpa Platform to you and the operation of our business. These third-party service providers are required to protect Personal Information we share with them and may not use any directly identifying Personal Information other than to provide the services for which we have contracted them. They are not allowed to use the Personal Information we share for purposes of their own direct marketing (unless you have separately consented to such use under the terms provided by the third party). Any information shared will be governed by the third-party provider’s privacy policy (including any Personal Information we may access via the third-party provider). These third-party providers should inform you about how you can modify your privacy settings on their sites. We may share Your Personal Information in the following situations:

  • With Service Providers: We may share Your Personal Information with Service Providers to provide you the Flexpa Platform and to monitor and analyze the use of our Service, for payment processing, to contact You.
  • AI Service Providers: We may disclose Your Personal Information we receive to vendors that provide artificial intelligence services that provide backend support for our Services.
  • With Affiliates: We may share Your Personal Information with affiliates, in which case we will require those affiliates to honor this Privacy & Security Notice. Affiliates include our parent company and any other subsidiaries, joint venture partners or other companies that We control or that are under common control with us.
  • With business partners: We may share Your Personal Information with our business partners to offer You certain products, services or promotions.
  • With other users: when You share Personal Information or otherwise interact in the public areas with other users, such information may be viewed by all users and may be publicly distributed outside. If You interact with other users or register through a Third-Party Social Media Service, Your contacts on the Third-Party Social Media Service may see Your name, profile, pictures and description of Your activity. Similarly, other users will be able to view descriptions of Your activity, communicate with You and view Your profile.
  • When necessary to comply with laws and law enforcement requests or otherwise to protect the Company: Under certain circumstances, the Company may be required to disclose Your Personal Information if required to do so by law or in response to valid requests by public authorities. We may disclose Personal Information to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information if we believe it is necessary in order to investigate, prevent, or act regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of the Flexpa Agreements, or as otherwise required by law. We will not access, exchange, use, or disclose your Personal Information to assert any claim against you. The only exception is if we must use such information to collect fees that you owe for the services provided.

Personal Information related to reproductive health care services — which includes medical, surgical, counseling, or referral services relating to the human reproductive system, including services related to pregnancy, or termination of a pregnancy— and Personal Information related to gender affirming care may be used or disclosed if we are compelled to do so under a civil or criminal subpoena, court order, search warrant, or other legal demand, including across state lines, as required by applicable law. This may apply even if you paid for the service entirely out-of-pocket.

If we receive a civil or criminal subpoena, court order, search warrant, or other legal demand requiring disclosure of your Personal Information, including through sale of Personal Information, we will use commercially reasonable efforts to provide you with written or electronic notice within three (3) business days, unless we are prohibited from doing so by any applicable law. This notice will give you the opportunity to object to the disclosure, seek a protective order, or pursue another appropriate remedy under the applicable law.

If we make your Personal Information available to law enforcement agencies, we will use commercially reasonable efforts to provide you with written or electronic notice within three (3) business days, unless prohibited from doing so by applicable law.

  • With Your consent: We may disclose Your Personal Data for any other purpose with Your consent.

All disclosures of your Personal Information made through the Trusted Exchange Framework and Common Agreement (TEFCA) are limited to the permitted and required uses and disclosures defined in the Common Agreement and in guidance issued by the U.S. Department of Health and Human Services (HHS).

Information Shared in Connection With a Business Transfer

If ownership of all or substantially all of Flexpa’s business changes, or we undertake a corporate reorganization (including, but not limited to, a merger or consolidation) or any other transfer between Flexpa entities, you expressly consent to Flexpa transferring your Personal Information to the new owner of successor entity so that we can continue providing the Flexpa Platform. If required by applicable law, Flexpa will notify the applicable data protection agency in each jurisdiction of such a transfer in accordance with the notification procedures under applicable data protection law. We will endeavor to provide you with notice of any material changes to the Privacy & Security Notice following a business transaction.

In the event of such business transaction you will have the right (1) to request that we securely dispose of or transmit your data subject to our legal obligations; (2) to securely download your data; (3) to close your account; (4) right to ensure that the new owner or controlling entity’s privacy policies are consistent with this Privacy & Security Notice.

#10. Children

We do not knowingly collect Personal Information online from children under 16 (note that the minimum age may vary based on location and on local law). If you become aware that a child has provided us with Personal Information without parental consent, please contact us through privacy@flexpa.com. If we become aware that a child under 16 has provided us with Personal Information without parental consent, we will take steps to remove the data and cancel the child’s account.

#11. Changes to Privacy & Security Notice

We may update our Privacy & Security Notice from time to time. We will notify you of any changes by posting the new Privacy & Security Notice on this page and updating the “effective date” at the top of this Privacy & Security Notice.

You are advised to review this Privacy & Security Notice periodically for any changes. Changes to this Privacy & Security Notice are effective when they are posted on this page. We will not make changes that have a retroactive effect unless we are legally required to do so.

#12. Contact Information

If you have questions or complaints regarding this Privacy& Security Notice, please contact us by email at privacy@flexpa.com or by phone at ‪(707) 654-4982‬.

Status TwitterGitHub

© 2025 Flexpa. All rights reserved.