Privacy policy.

Effective 2026-05-10 · Last revised 2026-05-10

Scope

Fonteum operates source-of-truth healthcare provider data infrastructure. We aggregate, normalize, and re-publish data originating in U.S. federal public-record sources — CMS NPPES, CMS PECOS, CMS Care Compare, OIG LEIE, HRSA HPSA, BLS OEWS, BEA Regional, CMS Open Payments, CMS Provider Utilization. This policy describes how Fonteum handles personal data collected through fonteum.com and its API surfaces.

No-PHI processing posture

Fonteum does not receive, process, or store Protected Health Information (PHI) as defined by HIPAA. We do not handle patient identifiers, medical records, claims data, test results, or treatment narratives. Every published field ties to an entry in provider_field_provenance that in turn ties to a row in data_sources — a 14-tuple provenance contract documented at /data-platform/schema. Because no published field originates from PHI, Fonteum is not a HIPAA Covered Entity, Business Associate, or Subcontractor under 45 CFR § 160.103.

Public-records sourcing

Provider-level data published on this site originates in U.S. federal public-record sources. The National Provider Identifier (NPI) Registry (CMS NPPES) is publicly distributed under 5 U.S.C. § 552 (FOIA) and is in the public domain. CMS Care Compare, CMS Open Payments, OIG LEIE, and HRSA HPSA all publish their underlying datasets under open-government licensing. Fonteum does not pay providers to be listed and does not solicit data submissions from individual providers.

California (CCPA/CPRA) data subject rights

California residents have the right under the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) to request access to, correction of, or deletion of personal information collected about them. For Fonteum-published provider records, exercise these rights via /corrections-log or by emailing privacy@fonteum.com. We respond within 45 days. Note: where the underlying field originates in a federal public record (NPI, DEA-published exclusion, CMS facility certification), Fonteum cannot remove the upstream record — corrections must be filed with the source agency. We can and will remove the field from Fonteum surfaces while the upstream correction is pending.

EU (GDPR) Article 14 notice

For EU/EEA-resident providers whose data is published in U.S. federal sources we ingest, this section serves as the Article 14 GDPR notice for indirectly collected data. The data controller is Fonteum (operating as Fonteum Research), reachable at privacy@fonteum.com. The lawful basis is Article 6(1)(f) (legitimate interests) — operating a public-record provenance graph for healthcare research and transparency. Categories of data processed: provider name, license number, NPI, practice address, federal credentialing status, and CMS-published quality metrics. Recipients are limited to Fonteum infrastructure providers (Vercel, Supabase, Inngest, Sentry, Resend) and the public web. EU residents have rights of access, rectification, erasure, restriction, objection, and portability under GDPR Articles 15-22, exercised via the same email.

Operator-side personal information

For people who interact with the site directly (researchers who request API access, journalists who fill the contact form, providers who claim a listing), we collect only the information explicitly submitted: name, email, organization, ORCID, and the message body. This information is stored in Supabase, retained for the lifetime of the relationship plus two years for audit purposes, and never sold or shared with third-party advertisers. Logs and analytics: Vercel Analytics (page-load metadata only), PostHog (event-level usage with IP truncation), Sentry (error stack traces with no request bodies). All processors are SOC 2 Type II audited.

90-day retention on derived analytics

Derived analytics (per-page click telemetry, session durations, search queries) are retained for 90 days and then aggregated to non-identifiable counters. Public-record provider data has no retention limit because the upstream sources have no retention limit; corrections and field-level removals propagate to the next snapshot.

Cookies and tracking

Fonteum uses first-party cookies for session management on authenticated surfaces (researcher API dashboards, owner portal, admin tools). We do not run third-party advertising trackers. PostHog and Vercel Analytics cookies set on first visit are first-party, IP-truncated, and rotated on a 30-day cadence.

Children

Fonteum surfaces healthcare-provider data to a professional audience and is not directed at children under 13 (COPPA) or under 16 (GDPR-K). We do not knowingly collect personal information from minors.

Changes to this policy

Material changes will be announced on /corrections-log with a revision date. The Effective and Last revised dates at the top of this page reflect the most recent edit.

Contact

Privacy inquiries: privacy@fonteum.com
Corrections / takedowns: corrections@fonteum.com
General contact: /contact

© 2026 FONTEUM RESEARCH · DATA SNAPSHOT MAY 8, 2026 · BUILT WITH CARE
