Skip to main content

Privacy Policy

Last updated: May 5, 2026

1. Information We Collect

advortho.org collects the following types of information:

  • Provider information: Name, NPI number, credentials, practice address, phone number, and specialty - sourced from the publicly available NPI Registry maintained by CMS.
  • Patient contact requests: When you submit an appointment request, we collect your name, email address, phone number (optional), and message.
  • Account information: Providers who claim their profiles create accounts with email and password via our authentication partner, Clerk.
  • Usage data: We collect anonymized analytics data (page views, search queries) through Vercel Analytics to improve our service.

2. How We Use Your Information

  • To display provider profiles and facilitate patient-provider connections
  • To forward appointment requests to the appropriate provider
  • To send transactional emails (appointment confirmations, account notifications)
  • To improve our search results and user experience
  • To prevent fraud and ensure platform security

3. Information Sharing

We do not sell your personal information. We share information only in the following circumstances:

  • Appointment requests: Your contact information is shared with the specific provider you request an appointment with.
  • Service providers: We use third-party services for hosting (Vercel), authentication (Clerk), database (Neon), email delivery (Resend), analytics (Google Analytics, Vercel Analytics), and payments (Stripe). These providers process data on our behalf under data processing agreements.
  • Provider data enrichment: To help patients reach the right provider, we may use Hunter.io (email lookup by professional name and practice domain) and the Google Places API (resolving practice website and address from publicly listed practice information) when a non-claimed provider does not have a stored business email. Only provider-side professional data (name, practice domain, city, state) is sent to these services — patient information is not shared with them.
  • Legal requirements: We may disclose information when required by law or to protect our rights.

3a. NPI Registry and Provider Outreach

Provider directory information on AdvOrtho originates from the publicly available NPI Registry maintained by the Centers for Medicare & Medicaid Services (CMS). Our use of this data includes:

  • Directory display: Provider name, NPI, credentials, practice address, phone, and specialty are shown on profile pages so patients can find orthopedic care. This is the primary purpose of NPI Registry public dissemination.
  • Profile claim invitations: When a patient initiates a contact request or cost estimate, we may contact non-claimed providers in the patient's area to invite them to claim their AdvOrtho profile and respond to the patient lead. Outreach emails identify AdvOrtho as the sender, include a one-click opt-out, and are reviewed by an administrator before sending.
  • Profile changes and removal: Providers may request changes to their profile (corrections to specialty, location, credentials, contact information) at any time by emailing privacy@advortho.org with their name and NPI; corrections are typically processed within a few business days. Full profile removal is reserved for narrow cases — retirement, license change or revocation, deceased providers, identity theft, and court orders. Removal requests are reviewed individually within 30 days and, when granted, prevent re-listing on future NPI Registry refreshes. Consistent with industry practice for healthcare directories, full profile removal is not granted in response to disputed patient reviews; reviews are user-generated content addressed under our Reviews Policy, and the underlying NPI Registry data remains public regardless of profile status.

4. Data Security

We implement industry-standard security measures to protect your data, including encryption in transit (HTTPS/TLS), encrypted database connections, and secure authentication. However, no method of electronic storage is 100% secure.

5. HIPAA Disclaimer

advortho.org is a provider directory and marketing platform, not a healthcare provider, health plan, or clearinghouse. We are not a covered entity under HIPAA. Contact requests contain personal information (name, email, phone, and a brief reason-for-visit message) that you provide voluntarily to initiate contact with a provider. This information is forwarded to the provider you select and stored in our platform. We encourage you not to include detailed medical records or sensitive diagnoses in your message. For information about how we handle health-related data, see our Consumer Health Data Privacy Policy.

6. Your Rights

  • You may request deletion of your contact request data by emailing privacy@advortho.org
  • Providers may update or delete their profile information through the provider dashboard
  • You may opt out of analytics tracking by enabling Do Not Track in your browser

7. California Consumer Privacy Act (CCPA) Notice

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: You may request that we disclose what personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete: You may request that we delete the personal information we have collected about you, subject to certain exceptions.
  • Right to Opt-Out of Sale: We do not sell your personal information. If this changes, we will provide a "Do Not Sell My Personal Information" link.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
  • Right to Correct: You may request that we correct inaccurate personal information that we maintain about you.
  • Right to Limit Use of Sensitive Personal Information: Health-related information you voluntarily include in appointment requests or cost estimate inquiries (such as a described condition or procedure) may qualify as sensitive personal information under the CPRA. We collect this information solely to fulfill the service you requested — connecting you with orthopedic surgeons — and do not use it for any secondary purpose. You may request that we limit its use by emailing privacy@advortho.org.

To exercise any of these rights, email privacy@advortho.org with the subject line "CCPA Request." We will respond within 45 days. You may also designate an authorized agent to make a request on your behalf.

Categories of personal information collected in the past 12 months: Identifiers (name, email, phone, NPI number), internet activity (page views via Vercel Analytics), and professional information (credentials, practice address). We do not collect biometric data, geolocation data, or financial information.

8. Cookies and Tracking Technologies

advortho.org uses the following cookies and tracking technologies:

  • Essential cookies: Required for authentication (Clerk session cookies) and basic site functionality. These cannot be disabled.
  • Analytics: We use Vercel Analytics and Vercel Speed Insights, which are privacy-friendly and do not use cookies. They collect anonymized, aggregated data about page views and performance. No personal information is tracked.
  • Third-party cookies: Our authentication provider (Clerk) may set cookies for session management. Google Maps embeds on provider profile pages may set cookies per Google's privacy policy.

We do not use advertising cookies, retargeting pixels, or cross-site tracking. For more details, see our Cookie Policy.

9. Data Retention

We retain personal information for as long as necessary to provide our services. Contact lead data is retained for 2 years. Provider profile data is retained as long as the profile is active. You may request earlier deletion by contacting us.

10. Children's Privacy and Parental Requests

advortho.org is not directed at children under 13. We do not maintain accounts for children, and we do not knowingly collect information directly from children. The Children's Online Privacy Protection Act (COPPA) governs online services directed at children, and we operate as an adult-directed informational service.

Parental requests on behalf of minors. Pediatric orthopedic care is part of the directory's scope. Parents and legal guardians may use AdvOrtho's contact form, cost estimator, or appointment request flows to research care for a minor child. When you submit a form on behalf of a minor:

  • Provide your own (the parent or guardian's) name, email, and phone — not the child's.
  • Avoid including the child's full name, date of birth, or other identifying details in the message field. Reference the child as “my son,” “my daughter,” or with a first name or age only.
  • By submitting, you confirm you are the parent or legal guardian and authorize AdvOrtho to share the request with the selected provider.

If you believe we have inadvertently collected information identifying a child under 13, contact privacy@advortho.org and we will delete it within 30 days.

11. European Economic Area (EEA) and UK Residents — GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) provides you with additional rights regarding your personal data.

Lawful Basis for Processing

  • Legitimate interest: We process publicly available provider directory information (NPI data) under our legitimate interest in operating a healthcare provider directory that helps patients find orthopedic care.
  • Consent: We process analytics data through Google Analytics only when you consent via our cookie banner. You may withdraw consent at any time.
  • Contract performance: We process contact request data as necessary to facilitate the appointment request you initiate.

Your Rights Under the GDPR

As an EU or UK resident, you have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete personal data.
  • Erasure: Request deletion of your personal data ("right to be forgotten").
  • Data portability: Request your data in a structured, commonly used, machine-readable format.
  • Restriction: Request that we restrict processing of your personal data under certain circumstances.
  • Objection: Object to processing of your personal data based on legitimate interest.

International Data Transfers

advortho.org is operated from the United States. If you are accessing our service from the EEA or UK, your data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for international data transfers.

Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection supervisory authority if you believe your personal data has been processed in violation of the GDPR.

To exercise any of your GDPR rights, contact us at privacy@advortho.org with the subject line "GDPR Request." We will respond within 30 days.

12. Contact

For questions about this privacy policy or to exercise your rights, contact us at privacy@advortho.org.

advortho.org is operated from California, United States.