State Rates
Request DataSign In

Privacy Policy

Last updated: April 23, 2026

This policy explains what information State Rates Health, LLC ("StateRates," "we," "us") collects when you use our website (staterates.health) and API (api.staterates.health), how we use it, and the choices you have. It applies only to data collected through those services — not to information you provide to us offline or through a third-party site we link to.

By using the service you agree to this policy. If you don't, please don't use the service.

Information We Collect

Information you give us when you sign up or request access. To create an account or receive an API key, we collect your email address, name, and the name of the organization you represent. Accounts are provisioned by us manually — there is no self-serve sign-up.

Information about how you use the product. When you are signed in, we log the queries and form inputs you submit (for example, the state, procedure code, or rate type you look up). We use this to understand which parts of the product people use and to improve it. This data is tied to your account.

Automatic technical information. When you visit the website or call the API, our servers log the request — including the IP address, the endpoint called, and the time of the request. For API traffic, we associate the request with your API key identifier so we can enforce rate limits and quotas. We do not log request headers or the raw API key itself.

Error and diagnostic data. When something in the product errors out, we collect a record of the error (stack trace, request path, user identifier) through our error-monitoring provider so we can fix it. Secrets, API keys, and authorization headers are stripped before this data leaves our servers.

Cookies. We use session cookies set by our authentication provider (Auth0) to keep you signed in. We do not use cookies for advertising or cross-site tracking.

How We Use Your Information

  • To provide the service — sign you in, route you to the states you're entitled to, enforce rate limits and quotas.
  • To communicate with you about your account, renewals, outages, or material changes to the product.
  • To debug, monitor, and improve the product — including understanding which features get used and what queries are common.
  • To comply with our legal obligations, enforce our Terms of Service, and protect the service from abuse.

We do not sell your personal information, and we do not use it for advertising.

Disclosure of Your Personal Data

We share your information only in these situations:

  • With service providers we rely on to operate the product. These providers process data on our behalf and are contractually limited to that purpose. Our current providers are:
    • Auth0 (Okta) — user authentication and session management.
    • Amazon Web Services — hosting, database, and storage.
    • Sentry — error monitoring and performance diagnostics.
    • Onetimesecret — one-time delivery of API keys at issue time.
  • When required by law. We may disclose information in response to a valid subpoena, court order, or other lawful request, or when we reasonably believe disclosure is necessary to protect the rights, property, or safety of StateRates, our users, or others.
  • In a business transfer. If StateRates is acquired, merged, or sells substantially all of its assets, your information may transfer to the successor entity. We will notify you if this happens.

We do not share, sell, rent, or trade your personal information with third parties for their own marketing purposes.

Aggregated or de-identified information that cannot reasonably be used to identify you may be shared without restriction.

Retention of Your Personal Data

We retain your personal information for as long as we need it to provide the service, comply with our legal obligations, resolve disputes, and enforce our agreements. When data is no longer needed for these purposes, we delete or anonymize it. Usage and diagnostic data is generally retained for shorter periods than account information, except where we need it longer to maintain the security or functionality of the service.

Your Choices

  • Access and correction. You can request a copy of the account information we hold about you, or ask us to correct it, by emailing us at the address below.
  • Deletion. You can request that we delete your account and associated personal information. We will honor the request unless we are required to retain specific information by law.

We will respond to verified requests within 30 days.

Data Security

We take reasonable administrative and technical measures to protect your information, including encrypted connections (HTTPS), hashed storage of API keys, and scrubbing of secrets from error logs. No system is perfectly secure, and we cannot guarantee that unauthorized access will never occur. You are responsible for keeping your account credentials and API keys confidential.

Links to Other Websites

Our website may contain links to third-party sites. This policy does not apply to those sites, and we are not responsible for their privacy practices. We encourage you to review the privacy policy of any site you visit.

Children

Our service is intended for business use and is not directed to children under 13. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us and we will delete it.

Changes to This Policy

We may update this policy from time to time. When we do, we will revise the "Last updated" date at the top. For material changes, we will notify account holders by email or through the service.

Contact Us

If you have questions about this policy or our privacy practices, email us at [email protected].