Privacy Policy
Last updated: April 13, 2026
This Privacy Policy explains how Luxera Software, LLC ("Luxera," "we," "us," or "our") collects, uses, and shares information when you use the FHIR Directory API, website, and related services (collectively, the "Service").
By using the Service, you agree to the practices described in this policy.
1. No Protected Health Information (PHI)
The Service does not collect, store, transmit, or process Protected Health Information (PHI) as defined by HIPAA. The Service only handles publicly published FHIR endpoint metadata — URLs, organization names, FHIR version, supported resources, authorization endpoints, and similar information made publicly available by EHR vendors under the 21st Century Cures Act.
If you are building an application that uses the Service to discover FHIR endpoints and then fetches PHI from those endpoints, that PHI flows directly between your application and the endpoint — it never touches our systems.
2. Information We Collect
Account Information
When you create an account, we collect:
- Email address
- Name (if provided)
- Password (stored only as a salted hash; never in plaintext)
- Organization / company name (optional)
API Usage
When you make requests to the API, we collect:
- API key identifier (prefix only — full keys are stored only as salted hashes)
- Request timestamp, method, path, and response status
- IP address of the requesting client
- User-Agent header
- Request count per endpoint for quota tracking
Billing Information
If you subscribe to a paid plan, our payment processor (via Voyage Pay → Stripe) collects and stores payment card information. We do not directly receive or store your full payment card number.
Cookies and Local Storage
The website uses minimal local storage for session management and user preferences. We do not use third-party tracking cookies for advertising.
3. How We Use Information
We use the information we collect to:
- Authenticate you and control access to your account.
- Enforce rate limits, quotas, and plan restrictions.
- Bill subscribers accurately.
- Diagnose and fix bugs, monitor performance, and detect abuse.
- Respond to support requests.
- Send essential service notifications (e.g., security alerts, plan expiration, policy updates).
- Improve the Service based on aggregate usage patterns.
We do not sell your personal information. We do not use your data to train machine learning models without your explicit consent.
4. Information We Share
We share information only in these limited circumstances:
- Service providers: We use AWS (infrastructure hosting), Amazon Cognito (authentication), and Voyage Pay / Stripe (payment processing). These providers handle data strictly to perform services for us and are bound by their own privacy and security commitments.
- Legal compliance: We may disclose information when required by law, subpoena, court order, or to protect the rights, property, or safety of Luxera, our users, or the public.
- Business transfers: If Luxera is acquired or merged, user information may be transferred to the new owner as part of the transaction. We will notify you before your information becomes subject to a different privacy policy.
We do not share your information with advertisers, data brokers, or third-party marketers.
5. Data Retention
- Account information: retained while your account is active and for up to 90 days after account deletion, after which it is anonymized or purged.
- API usage logs: retained for 90 days for debugging, abuse detection, and billing reconciliation, then aggregated and anonymized.
- Billing records: retained as long as required by tax and financial-reporting law (typically 7 years in the United States).
- Security logs: retained for up to 1 year for incident investigation.
You may request earlier deletion by contacting support@luxera.io.
6. Security
We use industry-standard security practices to protect your information:
- All data in transit is encrypted using TLS 1.2 or higher.
- Data at rest is encrypted using AWS-managed encryption (KMS).
- API keys are stored as salted SHA-256 hashes; full keys are shown only once at creation.
- Passwords are hashed via Amazon Cognito's managed identity service.
- Access to production systems is restricted, logged, and audited.
No security system is perfect. If you believe your account has been compromised, contact support@luxera.io immediately.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access: request a copy of the information we hold about you.
- Correction: request that we update inaccurate information.
- Deletion: request that we delete your information.
- Portability: request your information in a machine-readable format.
- Objection: object to certain processing of your information.
- Withdraw consent: where processing is based on your consent, withdraw it at any time.
To exercise any of these rights, contact support@luxera.io. We will respond within 30 days.
Residents of California, the European Economic Area, the United Kingdom, and other jurisdictions with data protection laws have additional rights under those laws, which we will honor.
8. Children's Privacy
The Service is not intended for individuals under the age of 13, and we do not knowingly collect information from children under 13. If you believe a child has provided us with personal information, contact us and we will promptly delete it.
9. International Transfers
Luxera is based in the United States, and our infrastructure is hosted in the United States (AWS us-east-1 region). If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced via the Service, via email to registered users, or by updating the "Last updated" date at the top of this document. We encourage you to review this policy periodically.
11. Contact
Privacy questions, data requests, or complaints?
- Privacy inquiries: support@luxera.io
- Security reports: support@luxera.io
- General contact: hello@luxera.io
Luxera Software, LLC
Minnesota, USA