Privacy Policy

OMOPHub API Service

Effective Date: November 1st, 2025

Last Updated: December 8th, 2025

OMOPHub API Service ("OMOPHub," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the OMOPHub API service, website, and related services (collectively, the "Service").

This Privacy Policy is incorporated into and forms part of the OMOPHub Terms of Service. By using the Service, you consent to the collection, use, and disclosure of information as described in this Privacy Policy.

1. Information We Collect

1.1 Information You Provide

Account Information:

When you create an account, we collect:

  • Email address
  • Password (stored only as a bcrypt hash, never in plaintext or in a recoverable encrypted form)
  • Organization name (optional)
  • Billing information for paid subscriptions (processed by our payment processor)

Support Communications:

When you contact us for support, we collect:

  • Name and email address
  • Content of your communications
  • Any attachments or files you provide

1.2 Information Collected Automatically

API Usage Logs:

We automatically collect information about your API usage for operational, security, and compliance purposes, including:

  • API endpoints accessed
  • Request timestamps
  • IP addresses
  • User agent strings
  • API Key used (hashed)
  • Response status codes
  • Request and response sizes
  • Query parameters (vocabulary IDs, search terms)

Website Analytics:

When you visit our website, we may collect:

  • Browser type and version
  • Operating system
  • Referring URL
  • Pages visited and time spent
  • Device identifiers

1.3 Information We Do NOT Collect

OMOPHub is a vocabulary reference service. We do NOT collect:

  • Protected Health Information (PHI)
  • Patient data or clinical records
  • Personal health information
  • Individually identifiable health information

The vocabulary data accessible through our Service consists of standardized medical terminology reference data, not patient data.

2. How We Use Your Information

We use collected information for the following purposes:

2.1 Service Delivery

  • To provide, maintain, and improve the Service
  • To authenticate your identity and authorize API access
  • To process transactions and send billing information
  • To enforce rate limits and usage quotas
  • To monitor and optimize Service performance

2.2 Security and Compliance

  • To detect, prevent, and respond to security incidents
  • To investigate potential Terms of Service violations
  • To comply with legal obligations
  • To respond to law enforcement requests
  • To maintain audit logs for SOC 2 and HIPAA compliance

2.3 Communications

  • To respond to your inquiries and support requests
  • To send service-related announcements (maintenance, security alerts)
  • To send billing and account notifications
  • To provide product updates and new feature announcements (with opt-out)

2.4 Analytics and Improvement

  • To analyze usage patterns and improve the Service
  • To develop new features and functionality
  • To generate aggregate, anonymized statistics

3. Information Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

3.1 Service Providers

We engage third-party service providers to perform functions on our behalf, including:

  • Cloud infrastructure providers (hosting, storage)
  • Payment processors (billing, subscription management)
  • Email service providers (transactional emails)
  • Analytics providers (usage analytics)

Service providers are contractually obligated to use your information only for the purposes of providing services to us.

3.2 Vocabulary Owners

As described in the Terms of Service and Data Use Agreement, we may disclose your identity and usage information to third-party vocabulary owners in response to legitimate inquiries regarding licensing compliance.

3.3 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to:

  • Comply with applicable law or legal process
  • Protect our rights, property, or safety
  • Protect the rights, property, or safety of our users or others
  • Detect, prevent, or address fraud, security, or technical issues

3.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email or prominent notice on our website before your information becomes subject to a different privacy policy.

4. Data Retention

We retain your information for as long as necessary to fulfill the purposes described in this Privacy Policy:

  • Account information: Retained while your account is active and for 2 years after account deletion
  • API usage logs: Retained for 2-7 years for compliance and audit purposes
  • Billing records: Retained for 7 years as required by tax regulations
  • Support communications: Retained for 3 years after resolution

We may retain anonymized or aggregate data indefinitely for analytics purposes.

5. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Secure password hashing (bcrypt)
  • API Key encryption and secure storage
  • Regular security assessments and penetration testing
  • Access controls and authentication for internal systems
  • Employee security training
  • Incident response procedures

While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

6. Your Rights and Choices

6.1 Account Information

You may access, update, or delete your account information by logging into your account or contacting us at legal@omophub.com.

6.2 Communication Preferences

You may opt out of promotional emails by clicking the "unsubscribe" link in any email. You cannot opt out of service-related communications (security alerts, billing notices).

6.3 Data Export

You may request a copy of your personal data by contacting legal@omophub.com. We will provide your data in a commonly used, machine-readable format within 30 days.

6.4 Account Deletion

You may request deletion of your account and personal data by contacting legal@omophub.com. We will delete your data within 30 days, except for information we are required to retain for legal or compliance purposes.

7. International Data Transfers

OMOPHub is based in the United States. If you access our Service from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country.

7.1 EU-US Data Privacy Framework

We comply with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce. We are committed to subjecting all personal data received from European Union member countries, the United Kingdom, and Switzerland to the Framework's applicable Principles.

7.2 Standard Contractual Clauses

For transfers of personal data from the EEA, UK, or Switzerland to countries not recognized as providing adequate data protection, we rely on Standard Contractual Clauses approved by the European Commission.

8. GDPR Rights (EEA, UK, and Switzerland)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under applicable data protection laws:

8.1 Rights Under GDPR

  • Right of Access: Request access to personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data
  • Right to Restriction: Request restriction of processing of your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
  • Right to Lodge a Complaint: Lodge a complaint with your local supervisory authority

8.2 Legal Basis for Processing

We process your personal data on the following legal bases:

  • Contract Performance: Processing necessary to provide the Service
  • Legitimate Interests: Processing for our legitimate business interests (security, fraud prevention, service improvement)
  • Legal Obligation: Processing required to comply with legal requirements
  • Consent: Processing based on your explicit consent (marketing communications)

8.3 Data Controller

OMOPHub API Service is the data controller for personal data processed through the Service. For inquiries regarding your data or to exercise your rights, contact: legal@omophub.com

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information collected about you
  • Right to Delete: Request deletion of personal information collected about you
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt out of the sale or sharing of personal information (note: we do not sell personal information)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise your California privacy rights, contact legal@omophub.com.

10. Compliance Frameworks

10.1 SOC 2 Compliance

OMOPHub maintains SOC 2 Type II compliance for security, availability, and confidentiality trust service criteria. API usage logs are maintained as part of our SOC 2 audit trail.

10.2 HIPAA Considerations

While OMOPHub provides access to medical vocabulary data, we do not process Protected Health Information (PHI). The vocabulary data accessible through our Service consists of standardized medical terminology reference data, not patient health information.

If you are a HIPAA-covered entity or business associate and require a Business Associate Agreement (BAA) for integration purposes, please contact legal@omophub.com.

11. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information.

12. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of third parties. We encourage you to read the privacy policies of any third-party services you access.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last Updated" date. Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us at:

Email: legal@omophub.com

For data protection inquiries in the EU, you may also contact your local supervisory authority.