The future of
health dataHosted by

Privacy Policy

Last Updated: April 30, 2026

Overview

Datavant is a health data platform company making the world's health data secure, accessible, and actionable.

This Privacy Policy describes how Datavant collects, uses, discloses, and protects Personal Information from individuals who interact with Datavant-managed domains and websites including:

  • datavant.com
  • cioxhealth.com
  • smartrequest.com
  • swellbox.com
  • retrievalportal.datavant.com
  • app.chartswapinsights.com
  • chartcompass.datavant.com
  • futureofhealthdata.org

"Personal Information" refers to information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to an individual or household.

Important Note for Patients: Protected Health Information (PHI) provided through patient-facing websites is handled in accordance with HIPAA and Business Associate Agreements with healthcare providers. Review your healthcare provider's Notice of Privacy Practices to understand how your PHI is used.

Personal Information We Collect and How We Collect It

Categories of Information Collected

Identifiers - Name, mailing address, email address, phone number, account numbers

Internet and electronic activity information - IP address, language preference, browsing history, browser preferences, device type

Financial and payment information - Payment amounts, billing details, transaction history (payment card/bank details collected by third-party processors)

User-provided information - Account creation details, forms, submitted documents

How Information is Collected

  • Directly from you through email, applications, forms, feedback, transactions
  • Automatically through cookies and tracking technologies as you navigate websites
  • From third parties including marketing partners, recruiting partners, background check providers

Cookies and Similar Tracking Technologies

Strictly necessary cookies support critical site functions

Third party analytics - Google Analytics, Pendo Analytics and similar providers evaluate and improve website/Services usage. These tools collect unique identifiers (email, organization ID, name), browser type, operating system, device info, IP address, general location, usage data, and feedback. Analytics providers do not receive medical record content or PHI.

Do Not Track signals - Datavant does not respond to DNT browser signals as standards are not yet uniform.

No third-party tracking technologies are used on patient-facing websites like HealthForms and Patient Request tools.

Our Careers Page

Job applicants may provide:

  • Contact information
  • Qualifications, skills, experience, education details
  • Employment history, salary, references
  • Disability accommodation needs
  • Legal work authorization status
  • Protected class/demographic information
  • Background check records
  • Transcripts and supporting documentation

This information is used to:

  • Evaluate candidacy and compare candidates
  • Contact applicants during recruitment
  • Make job offers and prepare employment
  • Track internal metrics
  • Comply with legal requirements

Information is shared with Datavant personnel (talent acquisition, interviewers, IT staff) and third-party providers like Greenhouse.

For European/UK applicants, lawful processing bases include:

  • Legitimate interests in assessing candidates, preventing fraud, maintaining talent pools, defending recruitment decisions
  • Legal compliance obligations
  • Contract necessity for successful applicants

Applicant data is retained for 2 years before anonymization/deletion. Successful candidates' information is added to HR files and retained throughout employment.

SMS / Text Messaging

Job applicants may opt-in for SMS communications regarding scheduling, application status, and onboarding materials. Messaging frequency varies; message and data rates may apply. Opt out by texting "STOP" or text "HELP" for assistance.

How We Use Your Personal Information

Personal Information may be used for:

  • Specified purposes for which it was provided
  • Account maintenance and servicing
  • Website administration and improvement
  • Aggregation to understand and improve Services
  • Communications and inquiry responses
  • Promotion of websites, products, Services
  • Legal, regulatory, and risk management compliance

Sensitive Personal Information is used only for limited purposes: performing expected services, detecting security incidents, addressing malicious actions, ensuring physical safety, short-term transient use, internal business services, and quality verification.

How We May Disclose Your Personal Information

Disclosure may occur:

To affiliates - Parent company, subsidiaries, joint venture partners under common control

To service providers - Third parties providing hosting, job application processing, analytics, payment processing, authentication services

For legal obligations - When reasonably necessary to comply with legal process, prevent wrongdoing, or protect rights and property

In transactions - Mergers, reorganizations, asset sales, insolvency, bankruptcy, or when seeking financing

With individuals you direct us to - Employers, colleagues, references

With your consent

Datavant may create, use, or disclose de-identified information when recipients are prohibited from re-identification.

Personal Information is not sold for monetary consideration or shared for cross-contextual behavioral advertising.

How We Maintain and Protect Your Personal Information

Data Retention

Personal Information is retained only as long as needed to provide products/services, operate business, and comply with legal obligations.

Transaction and payment records are retained for a minimum of 7 years for accounting, legal, and compliance purposes.

Careers Page information is retained for 2 years before anonymization/deletion.

Data Security

Safeguards include:

  • SSL encryption for sensitive information transmission
  • Limited physical premises access
  • Restricted information access
  • Security requirements for business partners
  • Destruction or de-identification when legally required

Communications containing Personal Information are protected with Secure Socket Layer (SSL) encryption.

NO DATA TRANSMISSION OVER THE INTERNET OR WIRELESS NETWORK CAN BE GUARANTEED TO BE PERFECTLY SECURED. Users transmit information at their own risk.

Security breach notifications will be provided as required by applicable law.

International Transfers

Personal Information may be transferred among affiliates and business partners globally, including to the United States, United Kingdom, Ireland, and other countries. For transfers from the EEA/UK to countries without adequate protection, appropriate safeguards are implemented including EU Standard Contractual Clauses and UK Addendum.

Your Choices About How We Use and Disclose Your Personal Information

EU/UK Data Subjects

This section applies to EU/UK Applicants and Contractors, not patient-facing websites.

Controllers responsible for recruitment and contractor engagement:

  • UK: Mirador Analytics Limited
  • Ireland: Datavant Limited
  • Spain: Aetion Iberia S.L.

Datavant, LLC manages certain recruitment/HR functions centrally in the United States as a controller.

EU/UK data subject rights include:

  • Access to personal data
  • Rectification of personal data
  • Erasure of personal data
  • Objection to processing
  • Restriction of processing
  • Portability to you or third parties
  • Withdrawal of consent
  • Protection from automated decision-making with legal/significant effects

Rights are subject to legal conditions. Complaints may be lodged with Datavant or a supervisory authority.

Special categories of personal data processed (for applicants/contractors): racial and ethnic origin. Processing occurs to carry out employment obligations and promote equality under Schedule 1 of the Data Protection Act 2018 (UK).

Personal Information may be disclosed to Processors performing recruitment and employment functions.

Contact Datavant directly with questions about Personal Information. To exercise data subject rights, complete the Data Request Form. Requests may be rejected or restricted if required/permitted by law.

U.S. State Privacy Rights

Certain U.S. states provide residents with rights including:

Right to access/know - Categories and specific pieces of Personal Information collected, sources, and disclosure practices

Right to correct - Request correction of inaccurate personal information

Right to deletion - Request deletion of collected/maintained Personal Information (subject to exceptions)

Right to opt out - Opt out of sale/sharing of Personal Information (Datavant does not sell or share for targeted advertising)

Right to limit additional processing - Certain uses of sensitive personal information and profiling

Exercise rights via Data Request Form or contact Datavant. No discrimination for exercising rights. Identity verification required before processing requests. Authorized agents may submit requests with proper authorization documentation.

Appeals of denied requests may be submitted by contacting Datavant.

Disclosures for California Residents

California residents have rights to knowledge, access, correction, deletion, and opt-outs as described in U.S. State Privacy Rights.

Datavant does NOT:

  • Sell or share personal information
  • Discriminate in response to privacy rights requests
  • Use sensitive personal information requiring a right to limit
  • Use personal information for automated decision making (profiling)

Datavant is a Service Provider

Datavant primarily serves as a service provider for healthcare ecosystem businesses. Business customers generally determine how Personal Information is used and shared.

Many customers are HIPAA Covered Entities. As a Business Associate, Datavant implements safeguards and adheres to privacy/security standards for PHI.

Patient-facing website interactions (medical records requests, document uploads, health forms) involve PHI processing solely on behalf of healthcare providers.

PHI is:

  • Collected and processed only as directed by healthcare providers
  • Protected using administrative, physical, and technical safeguards including encryption and role-based access
  • Not shared with third parties unless permitted under HIPAA and agreements or required by law

Datavant does not make medical care decisions or maintain designated record sets. Contact healthcare providers directly with PHI questions or to exercise HIPAA rights.

Children's Data

Services are not directed at children under age 13 (or equivalent jurisdiction age). Personal information is not knowingly collected from children. Information from children without parental consent will be deleted upon discovery.

How to Contact Us

Privacy Policy questions or DPO contact:

Email: compliance@datavant.com

Mail:
Datavant
Attention: Compliance
2222 W. Dunlap Avenue, Suite 250
Phoenix, AZ 85021

Compliance concerns:

Corporate Compliance Connection (C3) hotline: 844-882-3809 or online at ethicspoint.com

Medical information questions:

Contact the healthcare organization that partners with Datavant using their privacy policy contact information.