Privacy Policy
Effective date: 2026-04-17 · Version 1.0
A Critical Distinction: Visitor Information vs. Provider Information
This policy concerns data about you (the visitor). Data about healthcare providers shown on profile pages is sourced from federal public records (NPPES, Open Payments, Medicare Provider Utilization, PECOS) and is governed by Section 3 below — it is not "personal data" that we "collect about you" in the privacy-law sense.
1. Data Controller
Data Controller: Yoel Castaño, Spain (contact: [email protected]).
Because the controller is established in the European Union, this site complies with the EU General Data Protection Regulation (GDPR) for all visitors regardless of location. EU/EEA/UK visitors have the right to access, rectify, erase, restrict, port, and object to processing of their personal data (GDPR Arts. 15–22), and to lodge a complaint with the Spanish AEPD (www.aepd.es) or their local supervisory authority.
2. What We Collect From Visitors
Our web server (nginx, hosted by Hetzner Online GmbH in Germany) automatically records standard access logs for each request:
- IP address (categorized as personal data under GDPR Art. 4(1) and CCPA §1798.140(v)(1)(A))
- User-agent (browser/OS string)
- Referrer URL
- Timestamp
- Requested URL and HTTP method
- HTTP response status and size
These logs are retained for 14 days and used solely for security, abuse detection, and aggregate traffic analysis. Lawful basis: legitimate interest under GDPR Art. 6(1)(f) — operating a secure public website.
We do not require accounts. There is no login, no registration, and no personal information form on this site (other than optional contact email if you write to us).
3. Provider Data Is Federal Public Record
All information displayed on provider profile pages — names, credentials, specialties, business addresses, payments received, and Medicare billing data — is sourced from federal government databases published by the Centers for Medicare & Medicaid Services (CMS): NPPES (Freedom of Information Act-released NPI registry), Open Payments (Sunshine Act §6002, 42 U.S.C. §1320a-7h), Medicare Provider Utilization, and PECOS. We present this information as-is; we do not add, fabricate, or editorialize any provider record.
This information is public record under federal statutory mandate and journalist-shield principles. The publication of this data is a constitutionally protected act of public-interest journalism (Bartnicki v. Vopper, 532 U.S. 514 (2001)).
4. Cookies
No cookies of any kind at launch. If we add privacy-respecting analytics in the future (e.g., Plausible, no cookies, no cross-site tracking), this policy will be updated and visibly announced 30 days before deployment.
5. Service Providers / Third-Party Processors
The following processors handle visitor data on our behalf:
- Hetzner Online GmbH (Germany — hosting and server logs). Data processed within the EU.
- Cloudflare, Inc. (United States — DNS and DDoS protection, if applicable). Cloudflare relies on Standard Contractual Clauses for international transfers.
- Email — incoming mail to our @doctransparency.com addresses is routed through our email provider.
We do not share visitor data with any other third party.
6. California Residents (CCPA / CPRA)
In the past 12 months we have collected the following categories of personal information from visitors: identifiers (IP address) and internet activity (pages viewed, referrer, user-agent).
We do not sell or share personal information for cross-context behavioral advertising, and we have not done so in the past 12 months.
California residents may request access, deletion, or correction of personal information by emailing [email protected]. We respond within 45 days.
7. EU/EEA/UK Visitors (GDPR)
In addition to the rights listed in §1, you have the right to data portability and the right not to be subject to automated decision-making. To exercise any right, email [email protected]. We respond within 30 days.
8. Children
This site is not directed to children under 13. We do not knowingly collect personal information from children. Parents who believe their child has interacted with the site may contact [email protected] for removal.
9. Provider Takedown / Correction Requests
Providers who believe their NPPES, Open Payments, or Medicare record displayed on this site is incorrect, or who request review for removal, may email [email protected] with their NPI. While we cannot alter the underlying federal records, we will:
(a) display a correction notice within 7 business days where the inaccuracy is verifiable; (b) suppress a profile pending CMS correction in cases of verified identity theft or imminent safety concerns; (c) document our source dataset and retrieval date upon request.
10. Data Breach Notification
In the event of a personal data breach affecting visitor data, we will notify the AEPD within 72 hours per GDPR Art. 33, and affected users without undue delay where required under GDPR Art. 34 and applicable US state breach laws.
11. Changes to This Policy
We will revise the "Effective date" above and post material changes prominently for 30 days. Previous versions may be requested at [email protected].
12. Contact
For all privacy questions, requests, or complaints: [email protected] (45-day SLA for CCPA requests; 30-day SLA for GDPR requests).