HealthFlint

Privacy Policy

Last updated: February 2026

1. Overview

HealthFlint ("we," "our," or "us") operates the website healthflint.com (the "Site"). We are committed to protecting the privacy of everyone who visits our Site and uses our services. This Privacy Policy explains what personal information we collect, how we use and share it, and the choices you have regarding your data.

This policy applies to all visitors, subscribers, and users of healthflint.com, including all subdomains and any associated services. By accessing or using our Site, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Site.

HealthFlint is a health information platform that provides educational content. We are not a healthcare provider and do not provide medical advice, diagnosis, or treatment. Our commitment to privacy reflects our belief that access to health information should not require sacrificing your personal data.

2. Information We Collect

We collect minimal data necessary to operate our Site and improve your experience. We categorize the information we collect as follows:

2.1 Analytics Data (Automatically Collected)

We use Google Analytics 4 (GA4) to understand how visitors interact with our Site. GA4 collects the following anonymized and aggregated data:

  • Page views and navigation paths — which pages you visit and in what order
  • Session duration — how long you spend on the Site
  • Device and browser information — device type (mobile, desktop, tablet), operating system, browser type, and screen resolution
  • Geographic location — country and city-level location derived from your IP address (your IP address is anonymized by GA4 and is not stored in its complete form)
  • Referral source — how you arrived at our Site (search engine, social media, direct link)
  • User interactions — clicks, scrolls, and engagement with page elements

Important: GA4 does not collect personally identifiable information (PII) such as your name, email address, or physical address. IP addresses are anonymized before storage. We do not enable Google Signals, User-ID tracking, or any feature that would link analytics data to individual identities.

2.2 Newsletter Subscription Data (Voluntarily Provided)

If you choose to subscribe to our newsletter, we collect the following through ConvertKit (Kit):

  • Email address — required to deliver the newsletter
  • First name — optional, used to personalize communications
  • Subscription date and source — when and where you subscribed
  • Email engagement data — open rates and click rates, collected by ConvertKit to measure email performance

2.3 Contact Form Data (Voluntarily Provided)

If you contact us through our contact form or email, we collect:

  • Name — to address you in our response
  • Email address — to send our reply
  • Message content — the content of your inquiry

2.4 Information We Do Not Collect

We want to be explicit about data we do not collect:

  • Personal health information or medical records
  • Social Security numbers or government-issued IDs
  • Payment or financial information (we have no paid features in Phase 1)
  • Biometric data
  • Precise geolocation data (GPS coordinates)
  • Information from third-party social media accounts

3. How We Use Your Information

We use the information we collect for the following specific purposes:

3.1 To Improve Our Content and Services

  • Analyze which health topics and articles are most valuable to readers
  • Identify content gaps and prioritize new articles
  • Optimize Site navigation and user experience based on usage patterns
  • Monitor Site performance and fix technical issues

3.2 To Deliver Newsletter Communications

  • Send the health newsletter you subscribed to, including new articles, health tips, and curated content
  • Personalize newsletter content based on your stated preferences (if provided)
  • Measure newsletter effectiveness to improve future communications

3.3 To Respond to Your Inquiries

  • Reply to questions or feedback submitted through our contact form
  • Address content accuracy concerns or corrections
  • Respond to privacy-related requests

3.4 Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation, we process your data based on:

  • Consent — for newsletter subscriptions and analytics cookies (you may withdraw consent at any time)
  • Legitimate interest — for basic Site analytics and performance monitoring, where our interest in improving the Site does not override your privacy rights
  • Contractual necessity — for responding to your contact form inquiries

4. Cookies and Tracking Technologies

Cookies are small text files stored on your device when you visit a website. We use a limited number of cookies to operate our Site and understand usage patterns.

4.1 Essential Cookies

These cookies are necessary for the Site to function and cannot be disabled. They include:

  • Cookie consent preferences — remembering your cookie choices so we do not ask repeatedly
  • Security cookies — protecting against cross-site request forgery and other threats

4.2 Analytics Cookies

These cookies are set by Google Analytics 4 and help us understand how visitors use our Site. They collect anonymized, aggregated data and do not identify you personally. Analytics cookies include:

  • _ga — distinguishes unique users (expires after 2 years)
  • _ga_* — maintains session state (expires after 2 years)

4.3 How to Manage Cookies

You have full control over cookies on our Site. You can manage your preferences in the following ways:

  • Cookie consent banner — when you first visit our Site, you can accept or decline non-essential cookies
  • Browser settings — most browsers allow you to block or delete cookies through their settings menu
  • Google Analytics opt-out — install the Google Analytics Opt-out Browser Add-on

Please note that disabling essential cookies may affect Site functionality. Disabling analytics cookies will not affect your ability to use the Site.

5. Third-Party Services

We use a limited number of third-party services to operate our Site. Each service has access only to the data necessary for its function. We do not sell, rent, or trade your personal information to any third party.

5.1 Vercel (Hosting)

Our Site is hosted on Vercel. When you visit our Site, Vercel processes your request and may log standard server data such as your IP address, request URL, and timestamp. This data is used for security, performance optimization, and abuse prevention.

Privacy policy: vercel.com/legal/privacy-policy

5.2 Google Analytics 4 (Analytics)

We use Google Analytics 4 to collect anonymized usage statistics about how visitors interact with our Site. GA4 processes anonymized IP addresses, device information, and browsing behavior. We have configured GA4 with IP anonymization enabled and do not use features that track individual users across sites.

Privacy policy: policies.google.com/privacy

5.3 ConvertKit / Kit (Email)

We use ConvertKit (also known as Kit) to manage our newsletter subscriptions and email communications. ConvertKit stores your email address, name (if provided), subscription preferences, and email engagement metrics (opens, clicks). ConvertKit does not share your information with other parties for marketing purposes.

Privacy policy: convertkit.com/privacy

5.4 Sanity.io (Content Management System)

We use Sanity.io as our headless content management system to store and deliver our editorial content (articles, author information, images). Sanity.io does not collect or process any visitor personal data. Content is delivered through Sanity's CDN, which may log standard access data for performance and security purposes.

Privacy policy: sanity.io/legal/privacy

6. Data Retention

We retain your data only for as long as necessary to fulfill the purposes described in this policy. Our specific retention periods are:

  • Analytics data — Google Analytics retains data for 14 months, after which it is automatically deleted. We do not export or store analytics data beyond this period.
  • Newsletter subscriber data — retained for as long as your subscription is active. When you unsubscribe, your email address is removed from our active mailing list within 30 days. ConvertKit may retain a suppression record of your email to ensure you are not resubscribed unintentionally.
  • Contact form submissions — retained for up to 12 months after your inquiry has been resolved, then deleted.
  • Server logs (Vercel) — Vercel retains server logs in accordance with their data retention policy, typically for a limited period for security and debugging purposes.

You may request early deletion of your data at any time by contacting us at privacy@healthflint.com.

7. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and equivalent legislation:

  • Right of Access — You have the right to request a copy of the personal data we hold about you, along with information about how it is processed.
  • Right to Rectification — You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
  • Right to Erasure ("Right to Be Forgotten") — You have the right to request that we delete your personal data, subject to certain legal exceptions (such as compliance with legal obligations).
  • Right to Data Portability — You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
  • Right to Restriction of Processing — You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
  • Right to Object — You have the right to object to the processing of your personal data where we rely on legitimate interest as our legal basis, including for direct marketing purposes.
  • Right to Withdraw Consent — Where processing is based on your consent (such as newsletter subscriptions), you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

How to Exercise Your GDPR Rights

To exercise any of these rights, please contact us at privacy@healthflint.com with the subject line "GDPR Request." We will respond to your request within 30 days. We may ask you to verify your identity before processing your request to protect your privacy.

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.

8. Your Rights Under CCPA

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know — You have the right to request information about the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business purpose for collecting it, and the categories of third parties with whom it is shared.
  • Right to Delete — You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions.
  • Right to Opt-Out of Sale or Sharing — You have the right to opt out of the sale or sharing of your personal information. HealthFlint does not sell or share your personal information as defined by the CCPA/CPRA. We have never sold personal data and have no plans to do so.
  • Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing, service quality, or access based on your privacy choices.
  • Right to Correct — You have the right to request correction of inaccurate personal information.
  • Right to Limit Use of Sensitive Personal Information — We do not collect sensitive personal information as defined by the CCPA/CPRA.

How to Exercise Your CCPA Rights

To exercise any of these rights, please contact us at privacy@healthflint.com with the subject line "CCPA Request." We will verify your identity and respond within 45 days. You may also designate an authorized agent to submit a request on your behalf.

9. Children's Privacy

HealthFlint is designed for a general adult audience. We do not knowingly collect, use, or disclose personal information from children under the age of 13 (or under the age of 16 in the EEA).

If we become aware that we have collected personal information from a child under these ages without verified parental consent, we will take steps to delete that information as quickly as possible. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@healthflint.com so we can address the issue promptly.

Our health content may be relevant to parents and caregivers seeking information about children's health conditions. This content is intended for adult readers and does not require any data collection from minors.

10. Health Data

HealthFlint is a health information platform that provides educational content about medical conditions, treatments, medications, and wellness topics. We do not collect, store, or process any personal health information, medical records, or protected health information (PHI) as defined by HIPAA or equivalent regulations.

Our content is for informational and educational purposes only. When you read an article about a health condition on our Site, we do not track or store what health topics you have viewed in any way that is linked to your personal identity. Our analytics data is anonymized and aggregated, meaning we can see that an article about diabetes received 10,000 views, but we cannot see that a specific individual viewed it.

We are not a covered entity under HIPAA and do not have access to your medical records, insurance information, treatment history, or any other personal health data. If future features involve any form of health data input (such as symptom checkers or health calculators), we will update this policy with specific protections and obtain explicit consent before collecting such data.

11. Data Security

We take the security of your data seriously and implement appropriate technical and organizational measures to protect it:

  • Encryption in transit — All data transmitted between your browser and our Site is encrypted using HTTPS (TLS 1.2 or higher). We enforce HTTPS on all pages with HTTP Strict Transport Security (HSTS).
  • Secure hosting infrastructure — Our Site is hosted on Vercel, which provides enterprise-grade security including DDoS protection, automatic SSL certificates, and secure edge network distribution.
  • Access controls — Access to any administrative systems (CMS, analytics, email service) is restricted to authorized team members with strong authentication.
  • Minimal data storage — We follow the principle of data minimization. We do not store sensitive personal information on our own servers. Data is held by our trusted third-party service providers as described in Section 5.
  • Regular security reviews — We periodically review our security practices and the security practices of our third-party service providers.

While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to implementing and maintaining industry-standard protections.

12. International Data Transfers

HealthFlint operates from the United States. If you access our Site from outside the United States, please be aware that your data may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

Specifically, the following services may process your data in the United States:

  • Vercel — hosting and edge network (data may be processed at the nearest edge location to you, or in the US)
  • Google Analytics — analytics data is processed by Google in the United States
  • ConvertKit — email subscriber data is stored and processed in the United States

For users in the EEA, UK, and Switzerland, these transfers are conducted in compliance with applicable data protection laws. Our service providers participate in recognized data transfer mechanisms such as Standard Contractual Clauses (SCCs) or equivalent safeguards. By using our Site, you acknowledge and consent to the transfer and processing of your data as described in this section.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:

  • Update the "Last updated" date at the top of this page
  • Post the revised policy on this page with a summary of material changes
  • For significant changes that affect how we process your personal data, notify active newsletter subscribers via email at least 14 days before the changes take effect

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of our Site after changes are posted constitutes your acceptance of the revised policy.

14. Contact Information

If you have any questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:

  • Email: privacy@healthflint.com
  • Subject line suggestions:
    • "GDPR Request" for GDPR-related inquiries
    • "CCPA Request" for CCPA-related inquiries
    • "Privacy Question" for general privacy questions
    • "Data Deletion Request" for data removal requests

We aim to respond to all privacy-related inquiries within 30 days. For CCPA requests, we will respond within 45 days as required by law. If we need additional time to process your request, we will notify you of the extension and the reason for it.