Heartflow Privacy Policy
Last Updated: May 20, 2026
Welcome to the Heartflow, Inc. (“Heartflow”) website at www.Heartflow.com (or any successor URLs thereof) (collectively, the “Site”). Heartflow values your privacy and the privacy of visitors of the Site (referred to individually as “Customer” and collectively as “Customers”).
This Privacy Policy describes what information we gather from you on the Site, how we use that information, and what we do to protect it. By using the Site, you expressly consent to the information handling practices described in this policy.
1. Scope
General Scope. This Privacy Policy (“Policy”) describes how Heartflow uses and discloses personal information collected via our Site. If you do not agree with our privacy practices, please do not provide us with personal information or use our Services.
Jurisdiction-Specific Disclosures. If you are located or reside in any of the following jurisdictions, please see the Jurisdiction-Specific Disclosures shown at the end of this Policy for additional information related to rights you may have under the applicable privacy laws of your jurisdiction and disclosures required by the privacy laws of particular jurisdictions. The remainder of this Privacy Policy applies to all jurisdictions.
2. The Information Heartflow Collects
The categories of personal information we collect depend on how you interact with us or use our Site. We collect information that you provide to us and information we obtain automatically when you use our Site.
Customer-Provided Information: You may provide Heartflow with personally identifiable information, such as your name, email address, postal mailing address, and telephone number, when you use the Site.
Automatically Collected Information: When you visit the Site, we may automatically record certain information from your web browser using technologies like “clear gifs” or “web beacons”. This automatically collected information may include your Internet Protocol address (IP Address), web browser type, the web pages or sites you visited just before or after the Site, the pages you view on the Site, and the dates and times you visit the Site.
Cookies Information: We may send one or more cookies, which are small text files, to your computer when you visit the Site. Heartflow uses only session cookies, which disappear after you close your browser. We use the consent tool “Cookiebot” to manage cookies and related consents. For more information on how Heartflow uses cookies see our Cookie Policy.
3. How Heartflow Uses Information
Heartflow uses the information you provide or that we collect to operate, maintain, enhance, and provide all of the features, information, and services found on the Site.
- To provide and improve our services: We use the information we collect to understand and analyze usage trends and preferences of our Customers, to improve the way the Site works, and to create new features and functionality.
- To communicate with you: We may use the information you provide to contact you to discuss your interest in our company and to send information about our company or partners, such as promotions and events.
- To personalize your experience: We may use “automatically collected” information and “cookies” information to remember your information so you do not have to re-enter it during your current or next visit, and to monitor aggregate site usage metrics.
- To protect our legitimate business interests and legal rights: This includes taking precautions against liability and protecting Heartflow from fraudulent, abusive, or unlawful uses. We also use information to investigate and defend against third-party claims, assist government enforcement agencies, and protect the security of the Site.
4. Disclosures of Personal Information
Heartflow does not share your personally identifiable information with other organizations for their marketing or promotional uses without your express consent. We may disclose your information to third parties in the following circumstances:
- To Affiliated Companies and Service Providers: We may disclose Customer information to affiliated companies or other businesses to provide services such as website hosting, maintenance, and security; fulfill orders; conduct data analysis; and assist Heartflow in improving the Site and creating new service features. These parties are required to process such information in compliance with this Privacy Policy and use reasonable confidentiality measures.
- De-identified and Aggregated Information: Heartflow may disclose automatically collected and other aggregate non-personally identifiable information to interested third parties to help them understand usage, viewing, and demographic patterns.
- To Protect Us and Others: We may disclose Customer information if required by law or in the good-faith belief that such action is necessary to comply with local, state, or federal laws, or to respond to a court order, subpoena, or warrant. We also reserve the right to disclose information we believe is appropriate or necessary to protect the rights, property, or personal safety of Heartflow, our Customers, or other third parties.
- In the Event of a Merger or Sale: In the event that Heartflow is acquired by or merged with a third-party entity, we reserve the right to transfer or assign the information we have collected from Customers as part of the transaction.
5. Security of Personal Information
Heartflow uses commercially reasonable physical, managerial, and technical safeguards to protect the integrity and security of your personal information. However, we cannot ensure or warrant the security of any information you transmit to Heartflow, and you do so at your own risk. If we learn of a security systems breach, we will attempt to notify you using the contact information you provided so that you can take appropriate protective steps. We may also post a notice on the Site.
6. Data Retention
We retain personal information for as long as needed to provide our services, and to comply with our legal and compliance obligations (including auditing), resolve potential or actual disputes, and enforce our agreements.
7. Children’s Privacy
Heartflow does not knowingly collect or maintain personally identifiable information on the Site from persons under 13 years of age, and no part of the Site is directed to persons under 13. If we learn that we have collected information from a child under 13 without verifiable parental consent, we will take appropriate steps to delete this information.
8. Third-Party Sites
The Site may contain links to third-party websites. Heartflow is not responsible for the content or privacy practices of these other websites. We encourage you to read the privacy policy of any other website you visit to understand their policies regarding the information they may collect from you. This Privacy Policy applies only to the Heartflow Site.
9. Your Choices and Rights
You may decline to share your personally identifiable information with Heartflow, but this may mean we cannot provide you with some of the features and functionality on the Site. For additional information on your rights and choices see Section 14, Jurisdiction Specific Disclosures.
10. International Visitors and Data Transfer
The Site is hosted in the United States. If you use the Site from the European Union or other regions with laws governing data collection and use that may differ from U.S. law, you are transferring your personally identifiable information to the United States. By providing your information on the Site, you consent to this transfer.
11. In the Event of a Merger or Sale
In the event that Heartflow is acquired by or merged with a third-party entity, we reserve the right, in any of these circumstances, to transfer or assign the information that we have collected from Customers as part of such merger, acquisition, sale, reincorporation, reorganization, or other change of control.
12. Changes and Updates to this Privacy Policy
This Privacy Policy may be revised periodically without further notice, and this will be reflected by a “last modified” date. Your continued use of the Site constitutes your agreement to this Policy and any future revisions. For material changes that are less restrictive on our use or disclosure of your personal information, we will make reasonable efforts to notify you and obtain your consent before implementing such revisions.
13. Heartflow Contact Information
If you have any questions or comments about this Privacy Policy, would like to opt in or opt out of any contact or disclosure preferences, or need to update your personal information, please contact Heartflow at: privacy@Heartflow.com.
14. Jurisdiction Specific Disclosures
Supplemental Notice for California Residents
This Supplemental California Privacy Notice only applies to our processing of personal information about California individuals.
Do Not Track. We currently do not support the Do Not Track (“DNT”) browser setting or respond to DNT signals.
CCPA/CPRA Rights. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides California residents with certain rights. You have the right to know what categories of personal information we have collected about you and whether we disclosed that information for a business purpose. You also have the right to request:
- Specific pieces of personal information we have collected.
- Deletion of personal information.
- Amendment of personal information.
- That we transmit personal information to another entity.
- To opt out of selling or sharing the information we collect.
- To limit the use of Sensitive Personal Information that we collect.
You may submit a verifiable consumer request to exercise any of these rights. We will take steps to verify your identity before fulfilling your request. California residents also have the right not to receive discriminatory treatment for exercising their rights conferred by the CCPA.
Supplemental EEA+ Privacy Notice
This Supplemental EEA+ Privacy Notice applies if you are located in the European Economic Area, the United Kingdom, or Switzerland.
Data Controller: Heartflow, Inc. is the data controller.
Lawful Bases for Processing: We process personal data based on your consent, to perform a contract with you, to comply with a legal obligation, to protect your vital interests, or for our legitimate interests. You can withdraw your consent at any time with future effect.
Your Rights: In the EEA, Switzerland, and the UK, you have the following rights relating to your personal data, subject to the conditions under the GDPR:
- Right to request access: You have the right to obtain confirmation as to whether your personal data is being processed, and to request access to that data.
- Right to rectification: You have the right to obtain the rectification of inaccurate personal data concerning you.
- Right to erasure (right to be forgotten): You have the right to ask us to erase your personal data.
- Right to object: Under certain circumstances, you may object to the processing of your personal data, including for direct marketing purposes.
- Right to restriction of processing: In limited circumstances, you have the right to request a restriction on the processing of your personal data.
- Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another entity.
You also have the right to lodge a complaint with a supervisory authority. You can exercise your rights by contacting us at privacy@Heartflow.com.
Data Privacy Framework
Heartflow complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Heartflow has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom in reliance on the UK Extension to the EU-U.S. DPF. Heartflow has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
The EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF Principles require that we remain potentially liable if any third party processing personal data on our behalf fails to comply with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, or the Swiss-U.S. DPF Principles (except to the extent we are not responsible for the event giving rise to any alleged damage). Heartflow’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.
Please contact us as described below with any questions or concerns relating to our EU-U.S. DPF, Swiss-U.S. DPF, or UK Extension to the EU-U.S. DPF certifications. In compliance with the EU-U.S. DPF, the Swiss-U.S. DPF, and the UK Extension to the EU-U.S. DPF, Heartflow commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the Swiss-U.S. DPF, and the UK Extension to the EU-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you. Under certain conditions, you may also be entitled to invoke binding arbitration for complaints not resolved by other means. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles, the Swiss-U.S. DPF Principles, or the UK Extension to the EU-U.S. DPF Principles, those Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Your Choices. There is no law or contract between you and us stating that individuals in the EEA, Switzerland, or UK have to use our Services. We ask you to provide your name, organization, and eligibility information to verify your eligibility to receive certain Services from us, certain essential details about yourself and your lifestyle in an intake form and initial questionnaire so that we may recommend Providers to you. We cannot provide you with a recommendation or access to such unless you provide such information. You do not have to provide personal data that is not shown as required to receive our Services (as indicated within the platform); the only consequence of not providing this personal data is that it will not be taken into consideration when we recommend Providers to you and when you receive such services. You do not have to consent to our use of personal data for advertising purposes. If you do not allow us to collect the data we automatically collect from users of our Services, some of our Services may not work properly or be as tailored to you as they could otherwise be, but they will still generally be usable.
To the extent that you have given consent, you can withdraw your consent at any time with future effect by contacting us as described below. Such a withdrawal will not affect the lawfulness of the processing prior to the withdrawal of consent.
Data Retention. See Section 4 for information on Heartflow’s data retention practices. Generally, your personal data will be stored by us/our service providers only to the extent necessary for the performance of our obligations and strictly for the time necessary to achieve the purposes for which the personal data is collected.
Your Rights. In the EEA, Switzerland, and the UK, you have the following rights relating to your personal data, subject to the conditions under the GDPR and/or applicable local data protection law:
- Right to request access to personal data: You have the right to obtain from us confirmation as to whether your personal data is being processed and, where that is the case, to request access to that personal data and details about how we process it, including the categories of personal data processed, the purposes of the processing, the recipients or categories of recipients, and the existence of automated decision-making, including profiling. You also have the right to obtain copies of the personal data. However, this is not an absolute right, and the interests of other individuals may restrict your right of access.
- Right to rectification: You have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to erasure (right to be forgotten): You have the right to ask us to erase your personal data.
- Right to object: Under certain circumstances, you may have the right to object, on grounds relating to your particular situation, at any time, to the processing of your personal data, including profiling, by us. This includes the right to object to our processing of your personal data where we are pursuing our legitimate interests or those of a third party. If we process your personal data based on our legitimate interests or those of a third party, you can object to this processing, and we will cease processing your personal data, unless the processing is based on compelling legitimate grounds or is needed for legal reasons. Moreover, if your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. In this case your personal data will no longer be processed for such purposes by us.
- Right to restriction of processing: In limited circumstances, you have the right to request restriction of processing of your personal data, in which case, it would be marked and processed by us only for certain purposes.
- Right to data portability: You have the right to receive your personal data which you have provided to us in a structured, commonly used and machine-readable format and you have the right to transmit the personal data to another entity without hindrance from us.
- You also have the right to lodge a complaint with a supervisory authority (only for EEA and UK).
- In some jurisdictions such as France, if applicable pursuant to local law, you also have the right to provide us with guidelines as to the processing of your personal data after your death.
- You can exercise your rights by completing this form.
- You may view a list of supervisory authorities in the EEA, UK and Switzerland and their respective contact information here (however, you have the right to lodge a complaint in the Member State of your habitual residence, place of work or an alleged infringement of the GDPR):
| Jurisdiction | Data Protection Authority’s Website |
| --- | --- |
| EEA | https://edpb.europa.eu/about-edpb/board/members_en |
| United Kingdom | https://ico.org.uk/global/contact-us/ |
| Switzerland | https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html |
Other Jurisdictions
If you do not see your jurisdiction above, please do not interpret that to mean that we do not respect your privacy; we encourage you to still contact us using the contact details above with your questions or concerns.