Privacy Policy

1. Information We Collect

We collect the following categories of personal information:

• Contact information: Email address (required for inquiry forms and newsletter sign-ups); name (optional).
• Facility preferences: Facilities you add to your shortlist or interact with, saved to browser localStorage; not transmitted to our servers unless you submit an inquiry.
• Inquiry content: Information you voluntarily submit through referral or contact forms, such as the name of the person seeking placement (not their medical record or clinical history).
• Usage data: IP address, browser type, pages visited, click events, referral source, and session identifiers collected automatically via analytics tools.
• Device/local data: Shortlist state, draft notes, and location preferences stored in your browser's localStorage or sessionStorage. This data stays on your device unless you explicitly submit it.

If you become a supporter:When you support Placet through a monthly, annual, or one-time contribution, we additionally store your email address, the Stripe customer ID associated with your payment (used only to reconcile billing events from Stripe's servers), and any shortlists, facility entries, notes, and share links you create while signed in. We do not store your card number, expiration date, CVC, or other payment-card details — those are held by Stripe under their PCI-compliant infrastructure.

What we do not collect: We do not collect Social Security numbers, dates of birth, medical record numbers, insurance IDs, clinical diagnoses, medication lists, or any other Protected Health Information (PHI).

2. Facility Data Sources

All facility-level data displayed on Placet is sourced from publicly available federal datasets published by the Centers for Medicare & Medicaid Services (CMS), including:

• Nursing Home Compare (CMS Skilled Nursing Facility Data)
• IRF Compare (Inpatient Rehabilitation Facility Data)
• Home Health Compare
• Hospice Compare
• CMS-mandated public FHIR APIs per CMS-9115-F (Interoperability and Patient Access Final Rule)

This data is public domain. No patient records or individual health information is contained in or accessible through these datasets.

3. Payer Interoperability Compliance

• Placet's primary function is aggregating publicly available provider directory data from CMS and other government sources. It does not function as a clinical health record system, EHR, or personal health information repository.
• Sections 4–7 fulfill disclosure requirements under the CMS Interoperability and Patient Access Final Rule (CMS-9115-F), which requires applications that connect to payer APIs to maintain clear policies governing consent, device access, revocation, and data disposal.
• These sections apply only in the event Placet adds functionality to access member-level health information through a payer or health plan API. Currently, no such functionality exists and no member health information is accessed or stored.
• Placet is not affiliated with, certified by, or endorsed by any payer, health plan, or government agency solely by virtue of these disclosures.

4. Express Consent for Health Information Access

• Placet will only access health information on a member's behalf through a payer interoperability API (such as a CMS Patient Access API) after the member provides express, affirmative consent , for example, by completing an explicit authorization flow.
• Placet will not access, use, or share member health information without this consent.
• Consent will be documented and associated with the specific access scope authorized. Broader or different access requires a new consent action.
• Currently, Placet accesses only publicly available provider directory data and does not access member-level health information through any payer or health plan API.

5. Device Information

• Placet does not request or require access to device contacts, photos, camera, microphone, location services, or other personal device data.
• The Service operates through standard browser mechanisms only: cookies, local storage for saved preferences (such as shortlists), and standard HTTP request metadata.
• No native device permissions are requested or required. If a future feature requires any device permission, this policy will be updated and explicit in-app notice will be provided before the permission is requested.

6. Revoking Access / Disconnecting

• If you have authorized Placet to access health information through a connected payer or health plan API, you may revoke that access at any time by contacting us at the address below or through the relevant payer's own member portal.
• Upon receiving a revocation request, Placet will cease accessing your data through that connection as soon as technically practicable and no later than within five business days.
• Revocation does not affect the lawfulness of any processing that occurred before revocation.
• You may also disconnect by revoking the application's authorization directly within your payer's member portal or app, if that option is available.

7. Data Disposal After Revocation

• Upon revocation of access or upon your written request, Placet will delete any member health information obtained through payer APIs within 30 days, except where retention is required by applicable law, regulation, or legal process.
• Derived or de-identified analytics aggregates that cannot be linked back to an individual are not subject to this deletion obligation.
• Confirmation of deletion is available upon request. Contact us at the address below to request confirmation.
• Deletion requests submitted in writing will receive a written acknowledgment within five business days.

8. Analytics and Tracking Technologies

We use the following analytics and tracking services:

9. Cookies

We use cookies and similar technologies in three categories:

You can disable cookies in your browser settings; doing so may affect site functionality.

10. How We Use Information

• To operate and improve the Service, including search, inquiry routing, and newsletter delivery.
• To respond to your inquiries and forward facility inquiries to the relevant facility or operator.
• To measure product performance and understand which features are most useful.
• To maintain security, detect abuse, and enforce rate limits.
• To comply with applicable law and respond to lawful requests from government authorities.

11. How Information Is Shared

We share information only in the following circumstances:

• With facilities: Inquiry details you submit may be forwarded to the facility or its designated liaison to respond to your request.
• With service providers (subprocessors): We share data with trusted vendors who help us operate the Service. See Section 12 for the full list.
• For legal compliance: We may disclose information when required by law, court order, or to protect the rights, property, or safety of users or the public.
• In a business transfer: If Placet is acquired or merges with another entity, your information may transfer as part of that transaction, subject to continued privacy protections.

We do not sell personal information. Ever.

12. Third-Party Processors

The following subprocessors may process personal data on our behalf:

All subprocessors are required to maintain security controls at least equivalent to those described in our Security Policy.

13. Data Retention

• User inquiry data: Retained for up to 2 years from the date of submission, then deleted or anonymized.
• Newsletter subscriber data: Retained until you unsubscribe, plus a 90-day grace period.
• Analytics data: Retained per each provider's data retention policy (GA4: 14 months by default; PostHog: per account settings).
• Server logs: Retained for up to 90 days for security and debugging purposes.

14. Your Rights

You have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request that we correct inaccurate or incomplete information.
• Deletion: Request deletion of your personal information.
• Opt-out of analytics: Use your browser's opt-out tools or contact us to disable analytics tracking.
• Unsubscribe: Use the unsubscribe link in any email we send you.

We will respond to access, correction, and deletion requests within 30 days. To submit a request, email Contact us.

15. California Residents (CCPA)

Under the California Consumer Privacy Act (CCPA), California residents have additional rights:

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell.
• Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to Opt-Out of Sale: We do not sell personal information. There is nothing to opt out of.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise any of these rights, contact us at Contact us.

16. Children

The Service is intended for adults and healthcare professionals. It is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child, please contact us immediately.

17. Security

We implement industry-standard security controls including TLS 1.3 encryption in transit, AES-256 encryption at rest, role-based access control, and multi-factor authentication for administrative access. Details are described in our Security Policy.

18. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via a banner on the Placet website for at least 30 days prior to the change taking effect. The updated effective date will be reflected at the top of this page. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

19. Governing Law

This Privacy Policy is governed by the laws of the Commonwealth of Pennsylvania. Any disputes arising under this policy shall be subject to the jurisdiction of the courts of Philadelphia County, Pennsylvania.