If you are a patient wishing to opt-out of Flatiron’s research, please complete this form.

Effective November 16, 2018:

Flatiron Health, Inc. and its affiliated companies (“Flatiron,” “we” or “us”) collect Personal Information from you when you visit and interact with the websites (“Sites”), mobile applications (“Apps”) and other online services (including our electronic health records (“EHR”) services and patient portals) that we own and/or operate and that link to this Privacy Policy (collectively, the “Services”).

This Privacy Policy explains what Personal Information we collect, why we collect it, how we use it, and your choices related to your information. With respect to Protected Health Information and other information provided to us through our EHR services and patient portals, we have entered into agreements with our health care provider customers (“Providers”) that govern our use of that information (the “Provider Agreements”). These terms supplement the Provider Agreements with Providers. To the extent that this Privacy Policy conflicts with any applicable Provider Agreement, the Provider Agreement will control. If you are a patient using a patient portal and have questions about treatment of your health-related information, you should check with your health care provider.

This Privacy Policy is incorporated into and made a part of our Terms of Use. Please review our Terms of Use because they govern your use of the Services and limit our liability to you. By using our Services, you agree that we may treat your information in the ways we describe in this Privacy Policy. If you do not agree with any term of this Privacy Policy or the Terms of Use, you must refrain from using our Services.

Privacy Policy Table of Contents:

What Personal Information We Collect
How We Use Your Personal Information
How We Share Your Personal Information
Cookies and Other Data Collection Technologies
Your Choices; Interest-Based Ads
Patient Opt-Out
Your California Rights
Children’s Privacy
Links to Other Websites
How We Protect Your Personal Information
Note to International Visitors
Changes to This Privacy Policy
Contacting Us

What Personal Information We Collect

“Personal Information” is information that can be used to identify, contact or locate you. When you access and use the Services, we may collect the following categories of Personal Information from you:

  • Contact information, such as your name, address, email address, and telephone number;
  • Technical information, such as a device identification number, an IP address or other online identifier;
  • Protected Health Information, which is personally identifiable health information protected by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”);
  • Location information, which is information used to locate the device you use to access the Services. Location information may include: (i) the location of the device derived from GPS or WiFi use; (ii) the location derived from the IP address of the device or internet service used to access the Services; and (iii) other information made available by a user or others that indicates the current or prior location of the user; and
  • Any other information that you may provide to us that can be used to identify you.

We may also collect information that cannot be used to identify, contact or locate you, such as browser types, device types, and website traffic patterns. If we ever link this non-personally identifiable information with your Personal Information, we will treat such information as Personal Information.

We collect Personal Information directly from you when you, for example, create an account, request a demo or support, contact us with inquiries and comments, complete or submit forms through the Services, register for events, or access the patient portal.

We may also collect Personal Information about you from other sources, including commercially available sources such as data aggregators, public databases and other third parties. For example, if you are on a third party website and you opt in to receive information from us, that website will forward your contact information to us so we may contact you as requested. We may combine this information with the information we collect from you to help us tailor our communications and improve our Services.

How We Use Your Personal Information

We may use your Personal Information as disclosed to you at the time of collection or in the following ways:

  • Provide you the Services and fulfill your requests. We may use your Personal Information to register you, administer your account, and provide you the information, products and services that you request.
  • Provide EHR Services to our Provider Customers. We use your Personal Information in connection with provision of EHR services to your Provider. As stated above, if you have questions about treatment of your Protected Health Information, you should check with your health care provider.
  • Communicate with you. We may contact you to share information and promotional materials that we think might be of interest to you.
  • Enhance your experience. We use your information to personalize and enhance your experience when you use the Services, such as tailoring content and advertising and remembering your preferences.
  • Improve our Services. Your Personal Information helps us improve the content, features and functionality of our Services by identifying popular features, enabling more accurate reporting, and improving the effectiveness of our marketing.
  • Offer Products and Services. We may contact you to share and offer to you our products and Services, and products and services of our third party vendors and service providers.

We may also aggregate your Personal Information with that of other users of the Services or otherwise de-identify it in accordance with applicable law (“De-Identified Information”). This information is not Personal Information, because it cannot be used to identify you. We may use De-Identified Information and other non-personally identifiable information for any lawful purpose.

How We Share Your Personal Information

We may share your Personal Information for the reason(s) disclosed to you at the time we collect it, with your consent, at your direction, or in the following ways:

  • Within Flatiron. We may share your Personal Information internally among our business units, brands, and our affiliates in order to provide you our Services, to provide EHR Services to Providers, and generally to improve our product and service offerings.
  • With Providers. We may share your Personal Information with the Providers with whom you have a relationship in accordance with our Provider Agreements and consistent with applicable law.
  • With vendors and business partners. We may share your Personal Information with vendors and business partners in order to provide you our Services, to provide EHR and other services to Providers, and to improve our product and service offerings. For example, these parties include third party IT service providers that host our software and other support service providers.
  • With business partners. We may share your Personal Information with our business partners in order to provide you our Services, to provide EHR Services to Providers, and generally to improve our product and service offerings.
  • In the event of a corporate transaction. In the event we go through a business transition, such as a merger, acquisition, divestiture, restructuring, reorganization, dissolution, bankruptcy or sale of all or a portion of our assets, we may disclose your Personal Information to the party or parties of such transaction.
  • For legal purposes. We will disclose your Personal Information when we think it is necessary to investigate or prevent actual or expected fraud, criminal activity, injury or damage to us or others or when otherwise required by statute, regulation, subpoena, court order, or other law, or if necessary to protect the rights, property, or safety of us, our employees, or others.


Cookies and Other Data Collection Technologies

We use cookies, pixel tags, log files, and other technologies (collectively, “Data Collection Technologies”) to help us provide the Services, tailor our content and enhance your online experience. Our Data Collection Technologies include:

  • Cookies. A cookie is a small file placed on your computer’s hard drive that collects and stores information about your equipment, preferences and browsing patterns. We use cookies to analyze web page traffic, usage patterns, and to tailor our Services to your individual interests. For more information about cookies, visit allaboutcookies.org.
  • Web Beacons. A web beacon (also referred to as clear gif, pixel tag or single-pixel gif) is a transparent graphic image used in tandem with cookies that enables us to record a user’s actions. We use web beacons to count users who have visited those pages, verify system and server integrity and for similar statistical measures. We may also use pixel tags in HTML-based emails sent to our users to track which emails are opened by recipients.
  • Google Analytics. We use Google Analytics to help us understand how users engage with our Services. Google Analytics uses cookies to track your interactions with our Services, then collects that information and reports it to us, without identifying individual users. This information helps us improve our Services so that we can better serve users like you. For more information on Google Analytics, visit google.com/analytics.

You can set your Internet browser settings to stop accepting new cookies, to receive notice when you receive a new cookie, to disable existing cookies, and to omit images (which will disable pixel tags). Note that the opt-out will apply only to the browser that you are using when you elect to opt out of advertising cookies. Please note, without cookies or pixel tags, you may not be able to take full advantage of all features of our Services.

Some web browsers incorporate a “Do Not Track” feature (“DNT”) that signals to the websites that you visit that you do not want to have your online activity tracked. Many websites and applications, including our Services, do not currently respond to web browser DNT signals because such signals are not yet uniform. For more information about DNT signals, please visit allaboutdnt.com.

Your Choices; Interest-Based Ads

We encourage you to communicate your preferences to us about how we use your Personal Information.

  • Unsubscribe from marketing. You may opt out of receiving marketing communications from us by following the instructions included in each communication or by emailing us at [email protected]. If you receive marketing communications from any of our business partners or other third parties, you must opt out with each of those parties. Note that if you unsubscribe from our marketing communications, you still may receive transactional and other administrative communications from us under your Provider Agreement or other arrangement with us.
  • Access and modify your Personal Information. You may review and request changes to the Personal Information we have collected about you. Contact us at the email, address or phone number included in the Contacting Us section below to make a request. We will endeavor to comply with your request, but please understand that we may not be able to modify information about you that we have relied upon to provide services to you or your healthcare provider, or that we are legally required to maintain.
  • Turn off location services. If you do not want us to collect location information from your device, please disable the location setting(s) on your device or delete the Apps. Please note that disabling the location setting may affect certain features of the Services and the Apps.
  • Unsubscribe from future research. You can unsubscribe from being included in our research datasets (as described in the Patient Opt-Out section below) by completing an online form.

We may use third-party vendors to serve advertisements on our behalf across the internet. These advertising vendors may collect (by using Data Collection Technologies) information about your visits to and interactions with our Services. In addition to the information about your visits to our Site, these vendors may also use the information about your visits to other websites to target advertisements for products and services available from us. If you would like more information about this practice and your choices relating to this data collection, please visit networkadvertising.org. You may manage your third-party advertising preferences.

How Patients Contribute to Flatiron Research; Right to Opt-Out

Flatiron is committed to improving lives by learning from the experience of every cancer patient.

In service of this mission, Flatiron works with over 280 oncology clinics, several academic centers, the Food & Drug Administration, the National Cancer Institute, and biopharma companies, to create datasets that enable our clinics to provide the best care possible and researchers to accelerate their understanding of the way cancer treatments work. See some examples of how we’re working to advance cancer research.

For many oncology clinics across the country, Flatiron provides an EHR software called OncoEMR®. If you are treated at one of these clinics, Flatiron accesses your data to help the clinics with your care and to use in a de-identified and aggregated form for research purposes. Flatiron also has partnerships with academic medical centers to provide quality monitoring and outcomes research.

The datasets that we create are considered “de-identified,” meaning that they do not contain Personal Information. Our datasets are also “aggregated,” which means that we combine de-identified patient records to compare with others. If your doctor’s practice participates in the Flatiron network, the clinical data (such as stage of your cancer or length of treatment) that is collected from your clinic is de-identified and aggregated with other de-identified patient data. The de-identified data may help researchers better understand various issues relating to cancer, such as why certain patients benefit more than others when given a particular treatment. For example, with Flatiron datasets, we can now understand why some lung cancer patients respond better to one immunotherapy than another.

Please know that Flatiron will never use your information — even in de-identified form — for marketing purposes. Your de-identified information will be used for cancer research.

Your De-Identified Information, along with that of thousands of other patients, is contributing to cancer research and is helping to accelerate the development of new treatment options for future patients. However, we respect your right as a patient to opt-out of this research. If you wish to know whether you are treated at a clinic that uses Flatiron’s technology, please ask your provider for the name of the EHR that they use. If you are still unsure whether your information is included in our datasets, or if you would like to opt-out of our research, please complete the online form. From there, a member of the Flatiron team will contact you to confirm that your opt-out request has been processed.

Please be aware that your opt-out will apply only to Flatiron’s future use of your Personal Information for research. Your opt-out will not apply to de-identified information that Flatiron has already created for current and future research purposes.

Your California Rights

California Civil Code Section 1798.83 gives California residents the right to request certain information regarding our disclosure of their Personal Information to third parties for those third parties’ direct marketing purposes. You may request information regarding the disclosure of your Personal Information to third parties for those third parties’ direct marketing purposes by emailing [email protected] or writing to us at the address in the Contacting Us section below. Please indicate “California Rights” in the subject or attention line of your communication.

Children’s Information

Our Services are not intended for use by or directed to children under 18 years of age. If you are under 18 years old or otherwise have not attained the age of majority in your state of residence, you must have your parent or other legal representative’s permission to use the Services. If we learn that we have received any Personal Information directly from a child under age 18 without first receiving his or her parent’s verified consent, we will use that Personal Information only to respond directly to that child (or his or her parent or legal guardian) to inform the child that he or she cannot use the Services. We will then subsequently delete that child’s Personal Information.

If you are under 18 years old, you will not be granted access to Flatiron’s patient portals, commonly known as CareSpace.

Links to Other Sites

Our Services may contain links to other sites that are not owned or controlled by us. Please be aware that we are not responsible for the privacy practices or content of such other sites. We encourage you to be aware when you leave our Services. We encourage you to review the privacy policies of each website that collects Personal Information as the privacy policy may differ from ours.

We Protect Your Personal Information

The security of Personal Information is important to us. We use reasonable safeguards aimed to protect against unauthorized use, disclosure, alteration or destruction of the Personal Information we collect and maintain. You should keep in mind, however, that no data transmitted over the internet is 100% secure. As a result, while we strive to protect your Personal Information, we cannot guarantee or warrant the security of any information you transmit to or from our Services.

Note to International Visitors

The Services are intended for use in the United States only. If you visit our Services or contact us from outside of the United States, please be advised that (i) any information (including Personal Information) you provide to us or that we automatically collect will be transferred to the United States; and (ii) that by using our Services or submitting information (including Personal Information), you explicitly authorize its transfer to and subsequent processing in the United States in accordance with the laws of the United States and this Privacy Policy.

Changes to This Privacy Policy

We reserve the right to change or replace this Privacy Policy at any time. Please check back from time to time to ensure that you are aware of any changes or updates to the Privacy Policy. We will indicate the Privacy Policy’s effective date at the top of this page. If we make material changes that would impact your use of the Services or your privacy rights, we will endeavor to notify you of the changes, such as by posting a notice directly on the Services, by sending an email notification (if you have provided your email address to us), or by any other reasonable method. Your continued use of the Services after changes have been posted indicates your acceptance of the amended Privacy Policy.

Contacting Us

If you have any questions or comments about this Privacy Policy, please contact us at [email protected] or by mail at:

Flatiron Health
233 Spring Street, EAST
New York, NY 10013
