Starfish Health

Privacy Policy

Last updated: April 18, 2026

1. Introduction

Starfish Health, a product of Leveling Up Data LLC (“Company”, “we”, “us”), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our AI-powered patient outreach and engagement platform and related services (collectively, the “Service”).

2. Information We Collect

Account Information

When you register for the Service we collect your name, email address, phone number, practice name, role, and billing information.

Patient Data (Protected Health Information)

In the course of providing the Service, we may process patient names, contact information, appointment details, and message content on your behalf. This data is treated as Protected Health Information (PHI) under HIPAA and is governed by the Business Associate Agreement between you and the Company.

Usage Data & Log Files

We automatically collect information about how you interact with the Service, including device information, IP addresses, browser type, Internet Service Provider (ISP), referring/exit pages, pages visited, features used, and timestamps. This information is not linked to any personally identifiable patient data.

Cookies & Analytics

We use cookies and similar technologies on our websites (including the Starfish Health marketing site and this blog) to operate the site, remember preferences where applicable, and measure how visitors use our content. You can control or delete cookies through your browser settings; blocking certain cookies may affect how parts of the site work.

Google Analytics

We use Google Analytics (Google LLC), including Google Analytics 4, which uses cookies and similar technologies to collect information such as how often users visit, which pages they view, approximate location (derived from IP address, which may be truncated or anonymized depending on configuration), device and browser type, and referring pages. We use this information in aggregate to understand traffic patterns and improve our websites and services. Google may also use collected data in accordance with its own policies. For details on how Google processes data, see Google's Privacy Policy. For terms governing use of Google Analytics, see the Google Analytics Terms of Service. You may opt out of Google Analytics using Google's Analytics Opt-out Browser Add-on (where available for your browser) or by adjusting cookie settings in your browser.

Microsoft Clarity

We use Microsoft Clarity (Microsoft Corporation) on this blog to understand how visitors interact with pages—for example, clicks, scrolls, and navigation patterns—and to generate aggregated insights such as heatmaps and session replays that help us improve layout, readability, and usability. Clarity may collect technical and usage data (such as device type, browser, general region, and interactions with page elements) as described in Microsoft's documentation. Processing is subject to Microsoft's Privacy Statement and the Microsoft Clarity Terms of Use. For more information about the product, see Microsoft Clarity documentation.

Third-party vendors that provide analytics may set their own cookies or identifiers. We do not use these tools on the blog to collect Protected Health Information (PHI); the blog is a general-audience marketing and education site. If you are a California resident, you may have additional rights under applicable state law; contact us using the information in the Contact section below.

3. How We Use Your Information

We use collected information to:

  • Provide, operate, and maintain the Service, including AI-powered patient outreach and engagement features.
  • Process payments and manage your subscription.
  • Send transactional communications (e.g., account confirmations, billing notices, security alerts).
  • Improve the Service through de-identified, aggregated analytics.
  • Respond to support requests and inquiries.
  • Comply with legal obligations.

4. HIPAA Compliance

Starfish Health is designed to operate in compliance with HIPAA. We implement administrative, physical, and technical safeguards to protect PHI. Where required, we execute a Business Associate Agreement (BAA) before processing PHI on your behalf. We do not use PHI for marketing or sell PHI to third parties.

5. Data Sharing & Disclosure

We do not sell your personal information. We may share data with:

  • Service providers — trusted vendors who assist us in operating the Service (e.g., cloud hosting, payment processing), bound by confidentiality agreements.
  • EHR/PMS integrations — when you connect your practice management system, data flows between the Service and your EHR as configured by you.
  • Legal requirements — when required by law, regulation, or legal process.
  • Business transfers — in connection with a merger, acquisition, or sale of assets, with notice to affected users.

6. Data Security

We use industry-standard security measures including encryption in transit (TLS) and at rest, access controls, audit logging, and regular security assessments. While no system is 100% secure, we are committed to protecting your data with commercially reasonable safeguards.

7. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Upon account termination, Customer Data is available for export for 30 days, after which it is securely deleted. We may retain de-identified, aggregated data indefinitely for analytics and improvement purposes.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you.
  • Request correction of inaccurate information.
  • Request deletion of your personal information.
  • Opt out of non-essential communications.
  • Export your data in a portable format.

To exercise any of these rights, contact us at [email protected].

9. Children’s Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us and we will promptly delete it.

10. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision.

12. Contact

For questions about this Privacy Policy, contact us at [email protected].