Privacy Policy

How Panopticare collects, uses, and protects your information.

Last updated: February 19, 2026

Overview

Panopticare is a free, open-source healthcare price transparency platform based in Illinois. We help consumers compare publicly available hospital pricing data. We are not a healthcare provider and do not process protected health information (PHI). This policy explains what information we collect, how we use it, and your rights under Illinois law.

Information We Collect

Geolocation (Optional)

If you grant permission through your browser, we use your approximate location (latitude and longitude) to show nearby hospital prices. This data is sent to our server only as part of your search request to calculate distances. We do not store your location data, build location profiles, or track your movements. You can deny or revoke geolocation permission at any time through your browser settings, and the service will continue to work with manual city or ZIP code entry.

Search Queries

When you search for medical procedures, your search terms are processed by our server to return results. We do not log search queries tied to your identity. Search terms are not stored in any persistent database or associated with any user profile.

Contact Form Data

If you use our contact form, we collect the name, email address, and message you provide. This information is stored in a local database and used solely to respond to your inquiry. We do not add you to marketing lists or share this information with third parties.

Analytics Data

We use Umami, a privacy-focused, open-source analytics tool that we self-host on our own servers. Umami is cookieless — it does not use cookies, does not collect personal data, and does not track users across websites or sessions. Analytics data is aggregated and includes only: page views, referral source, device type, browser type, and country-level location (derived from IP, not stored). No individual user can be identified from this data.

Server Access Logs

Our web server (nginx) records standard access logs that include IP addresses, request timestamps, and requested URLs. These logs are used for security monitoring and troubleshooting only. Access logs are rotated and deleted automatically and are not used for tracking or profiling.

Information We Do Not Collect

Panopticare is designed to minimize data collection. We specifically do not collect:

  • Health information, medical records, or diagnoses (we are not a healthcare provider)
  • Insurance plan details, member IDs, or claims data
  • Social Security numbers, financial account numbers, or payment information
  • User accounts, passwords, or login credentials (no accounts are required)
  • Tracking cookies or cross-site identifiers
  • Biometric data or face/voice recognition data

How We Use Your Information

The limited information we collect is used exclusively to:

  • Provide price comparisons: Your search terms and optional location are used to return relevant hospital pricing results.
  • Respond to inquiries: Contact form submissions are used to reply to your questions or feedback.
  • Improve the service: Aggregated, anonymized analytics help us understand which features are most useful and where to focus improvements.
  • Maintain security: Server logs help us detect and respond to abuse or technical issues.

Third-Party Services

We take a minimal approach to third-party services:

  • Umami Analytics — Self-hosted on our own infrastructure. No data is sent to third-party analytics providers.
  • No Google Analytics — We do not use Google Analytics or any Google tracking services.
  • No advertising networks — We do not display ads or participate in ad tracking networks.
  • No data brokers — We do not sell, rent, license, or share your information with data brokers or any third parties for marketing purposes.

Data Retention

  • Contact form data: Retained for up to 1 year, then deleted. You may request earlier deletion at any time.
  • Analytics data: Aggregated and anonymized. No individual user data is retained because none is collected.
  • Server access logs: Retained for 30 days, then automatically rotated and deleted.
  • Search queries and location data: Not persistently stored. Used only for the duration of the request.

We do not build persistent user profiles. There are no user accounts, no browsing history records, and no behavioral tracking databases.

Cookies

Panopticare does not use tracking cookies. The only cookie we may set is a theme preference cookie (light/dark mode), which contains no personal information, is not shared with any third party, and is stored only in your browser.

Data Security

We protect your information with industry-standard security measures:

  • All connections are encrypted using HTTPS with HSTS preloading
  • Security headers including Content Security Policy, X-Frame-Options, and strict referrer policies
  • Contact form data is stored in a local database on our secured server, not in any cloud service
  • Our infrastructure is self-hosted, reducing the number of third parties with access to any data

Your Rights Under Illinois Law

Panopticare is based in Illinois. Under the Illinois Data Privacy Act (IDPA) and other applicable privacy laws, you have the following rights:

  • Right to Know: You may request information about what personal data we have collected about you.
  • Right to Access: You may request a copy of any personal data we hold about you.
  • Right to Delete: You may request that we delete any personal data we have collected about you, such as contact form submissions.
  • Right to Correct: You may request correction of inaccurate personal data.
  • Right to Opt Out: You may opt out of any processing of personal data for targeted advertising or the sale of personal data. Note: Panopticare does not engage in targeted advertising or sell personal data, so there is nothing to opt out of in this regard.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.

How to Exercise Your Rights

To submit a privacy request (access, deletion, or correction), please contact us through our contact form or email us at privacy@panopticare.com. We will respond to verified requests within 45 days as required by law. Because we collect minimal data and do not maintain user accounts, most requests can be fulfilled immediately.

Children's Privacy

Panopticare does not knowingly collect personal information from children under 13. The service is intended for general audiences seeking healthcare pricing information. If you believe a child has submitted personal information through our contact form, please contact us and we will delete it promptly.

Pricing Data Disclaimer

Panopticare displays pricing estimates derived from publicly available hospital Machine-Readable Files (MRFs) and payer Transparency in Coverage (TiC) files published under federal regulations. These prices are not guarantees of what you will be charged.

Under the No Surprises Act, you have the right to receive a Good Faith Estimate from your healthcare provider before scheduled services. Panopticare is a comparison tool to help you research prices — it does not replace a Good Faith Estimate, insurance verification, or direct communication with your provider and insurer about your actual costs.

Open-Source Transparency

Panopticare is open-source software. Our data processing pipeline, API server, and frontend code are publicly available for inspection. This transparency extends to our privacy practices — you can verify exactly what data we collect by reviewing our source code. We believe privacy claims should be verifiable, not just stated.

Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or applicable law. Changes will be posted on this page with an updated revision date at the top. We encourage you to review this page periodically.

Contact Us

If you have questions about this privacy policy or wish to exercise your privacy rights, you can reach us at: