Your account has been created successfully.
This is the only time your API key will be displayed. We do not store it in plain text and cannot recover it for you. Please copy and store it securely.
X-API-Key headerNeed help? Contact us at developers@healthsage.ai
Effective Date: February 2026
Last Updated: February 2026
By accessing or using the Clinical Data Transformer API ("CDT API", "Service", or "API") provided by Synfora B.V. ("Synfora", "we", "us", or "our"), you ("User", "you", or "your") agree to be bound by these Terms and Conditions ("Terms"). If you do not agree to these Terms, you may not access or use the Service.
IF YOU ARE USING THE SERVICE ON BEHALF OF AN ORGANIZATION, YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO BIND THAT ORGANIZATION TO THESE TERMS.
The CDT API is provided as a beta service for evaluation and development purposes. The Service uses artificial intelligence to extract structured clinical information from unstructured text. The Service is not intended for use in production clinical environments or for making clinical decisions.
The CDT API is NOT a medical device, diagnostic tool, or clinical decision support system. The outputs of the Service are for informational and development purposes only and should not be used for patient care, diagnosis, treatment decisions, or any clinical purpose without independent verification by qualified healthcare professionals.
YOU MUST ONLY SUBMIT FULLY ANONYMIZED AND DE-IDENTIFIED DATA TO THE SERVICE.
You expressly agree that you will NOT submit any data that contains:
You are solely responsible for ensuring that all data submitted to the Service is properly anonymized in accordance with applicable laws and regulations, including but not limited to GDPR, HIPAA, and any local data protection laws. Synfora does not perform any anonymization or de-identification of data submitted to the Service.
We strongly recommend using synthetic data, publicly available clinical text samples, or professionally de-identified datasets for testing and evaluation purposes.
By using the Service, you acknowledge and confirm that:
Synfora is not a data processor within the meaning of Article 28 GDPR, as the Service is designed exclusively for fully anonymized data that does not constitute personal data.
Synfora does not actively monitor or screen submitted data for the presence of personal data or Protected Health Information. You are solely responsible for ensuring that all data submitted to the Service complies with Section 2.1.
If Synfora becomes aware that personal data has been inadvertently submitted to the Service, Synfora will take commercially reasonable steps to delete such data. You acknowledge that any submission of personal data constitutes a material breach of these Terms.
Notwithstanding the foregoing, the parties agree that in the event personal data is inadvertently processed through the Service, the Data Processing Agreement attached as Annex A shall apply to such processing.
Synfora does not permanently store the clinical text you submit to the Service. Data handling is as follows:
You may request deletion of any logs associated with your API key by contacting developers@healthsage.ai.
The Service uses the following third-party services to process your requests:
| Sub-Processor | Purpose |
|---|---|
| Microsoft Azure (EU West) | Cloud infrastructure |
| Azure OpenAI Service (EU & Switzerland) | AI model inference |
All sub-processors are contractually bound to process data in accordance with GDPR requirements. Data is processed exclusively within the European Union. Synfora does not use your data to train AI models.
By using the Service, you acknowledge that your (anonymized) data will be transmitted to the sub-processors listed above for the sole purpose of providing the Service.
THE SERVICE IS PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, SYNFORA EXPRESSLY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING BUT NOT LIMITED TO:
You acknowledge that the Service uses artificial intelligence and machine learning technologies that have inherent limitations, including but not limited to:
As a beta service, the CDT API may contain bugs, errors, and other problems. We may change, suspend, or discontinue any aspect of the Service at any time without notice.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL SYNFORA, ITS DIRECTORS, OFFICERS, EMPLOYEES, AGENTS, PARTNERS, SUPPLIERS, OR LICENSORS BE LIABLE FOR ANY:
IN ANY CASE, SYNFORA'S TOTAL CUMULATIVE LIABILITY ARISING OUT OF OR RELATED TO THESE TERMS OR THE SERVICE SHALL NOT EXCEED FIFTY EUROS (€50), REGARDLESS OF THE AMOUNT YOU HAVE PAID TO SYNFORA FOR THE SERVICE.
NOTHING IN THESE TERMS SHALL LIMIT LIABILITY FOR DAMAGES CAUSED BY WILLFUL MISCONDUCT (OPZET) OR GROSS NEGLIGENCE (GROVE SCHULD) ON THE PART OF SYNFORA.
THE LIMITATIONS OF LIABILITY SET FORTH ABOVE ARE FUNDAMENTAL ELEMENTS OF THE BASIS OF THE BARGAIN BETWEEN SYNFORA AND YOU. THE SERVICE WOULD NOT BE PROVIDED WITHOUT SUCH LIMITATIONS.
SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF CERTAIN WARRANTIES OR LIABILITY. IN SUCH JURISDICTIONS, OUR LIABILITY SHALL BE LIMITED TO THE MAXIMUM EXTENT PERMITTED BY LAW.
You agree to indemnify, defend, and hold harmless Synfora, its affiliates, and their respective directors, officers, employees, agents, partners, suppliers, and licensors from and against any and all claims, demands, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or related to:
This indemnification obligation shall survive termination of these Terms and your use of the Service.
You may use the Service only for lawful purposes and in accordance with these Terms. The Service is intended for:
You agree NOT to use the Service:
The Service, including all software, algorithms, models, documentation, and other materials, is owned by Synfora or its licensors and is protected by intellectual property laws. These Terms do not grant you any ownership rights in the Service.
You retain ownership of the data you submit to the Service. By submitting data, you grant Synfora a limited, non-exclusive license to process the data solely for the purpose of providing the Service.
Subject to these Terms, you own the outputs generated by the Service from your data. However, this ownership does not extend to the underlying models, algorithms, or technology used to generate such outputs.
If you provide feedback, suggestions, or ideas about the Service, you grant Synfora a perpetual, irrevocable, royalty-free license to use such feedback for any purpose.
You are responsible for maintaining the confidentiality of your API keys and for all activities that occur under your account. You must immediately notify Synfora of any unauthorized use of your API keys.
The Service is subject to usage limits as described in the API documentation at cdt-beta.healthsage.ai. We reserve the right to modify these limits at any time without prior notice. Exceeding applicable usage limits may result in throttling, temporary suspension, or termination of access.
We may impose rate limits on API requests. Excessive usage may result in temporary or permanent suspension of access.
You may stop using the Service at any time. API keys are non-transferable and non-renewable.
We may suspend or terminate your access to the Service at any time, for any reason, without notice, including but not limited to:
Upon termination, your right to use the Service immediately ceases. Sections 3, 4, 5, 6, 8, 11, and 12 shall survive termination.
These Terms shall be governed by and construed in accordance with the laws of the Netherlands, without regard to its conflict of law provisions.
Any disputes arising out of or relating to these Terms or the Service shall be subject to the exclusive jurisdiction of the courts of Amsterdam, the Netherlands.
Before initiating any legal proceedings, the parties agree to attempt to resolve any dispute amicably through good-faith negotiations for a period of at least thirty (30) days.
These Terms constitute the entire agreement between you and Synfora regarding the Service and supersede all prior agreements and understandings.
If any provision of these Terms is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
The failure of Synfora to enforce any right or provision of these Terms shall not constitute a waiver of such right or provision.
You may not assign or transfer these Terms or your rights hereunder without our prior written consent. Synfora may assign these Terms without restriction.
We reserve the right to modify these Terms at any time. We will notify you of material changes by posting the updated Terms on our website or through the Service. Your continued use of the Service after such changes constitutes acceptance of the modified Terms.
Any notices to Synfora should be sent to: developers@healthsage.ai
Synfora shall not be liable for any failure or delay in performance due to circumstances beyond our reasonable control, including but not limited to acts of God, natural disasters, war, terrorism, labor disputes, or internet service failures.
If you have any questions about these Terms, please contact us at:
Synfora B.V.
Email: developers@healthsage.ai
Website: www.healthsage.ai
BY CLICKING "I AGREE", CREATING AN API KEY, OR USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THESE TERMS AND CONDITIONS.
YOU SPECIFICALLY ACKNOWLEDGE AND AGREE THAT:
Pursuant to Article 28 of Regulation (EU) 2016/679 (General Data Protection Regulation)
This Data Processing Agreement ("DPA") forms an integral part of the CDT API Terms and Conditions ("Terms") between Synfora B.V. ("Processor" or "Synfora") and the User ("Controller" or "you").
This DPA applies only in the event that personal data (as defined in Article 4(1) GDPR) is inadvertently or otherwise processed through the Service. Under the Terms, the Service is designed exclusively for anonymized data. This DPA serves as a legal safety net to provide GDPR Article 28 compliance in the event that personal data enters the Service contrary to Section 2.1 of the Terms.
This DPA is governed by the laws of the Netherlands. In the event of any conflict between this DPA and the Terms, this DPA shall prevail with respect to the processing of personal data.
Terms with a capital letter that are used in this DPA but not defined herein shall have the meaning given to them in the GDPR (including Personal Data, Data Subject, Controller, Processor, and Personal Data Breach) or in the Terms.
"Applicable Data Protection Law" means the GDPR and any applicable national implementing legislation, including but not limited to the Dutch GDPR Implementation Act (Uitvoeringswet AVG), and any binding guidance issued by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
"Data Subject Request" means a complaint about the processing or a request by a Data Subject to exercise their rights under Chapter III of the GDPR.
"Personal Data Breach" means (i) an investigation or seizure by governmental officials of Personal Data, or a suspicion that this will take place; or (ii) a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data as defined in Article 4(12) GDPR.
"Sub-Processor" means any third party engaged by Synfora to process Personal Data on behalf of the Controller in connection with the Service.
2.1 This DPA applies to the processing of Personal Data by Synfora on behalf of the Controller in the context of providing the Service under the Terms.
2.2 The nature and purpose of the processing is the extraction of structured clinical information from unstructured text using artificial intelligence, as described in the Terms. Personal Data processed under this DPA is limited to any Personal Data that may inadvertently be contained in text submitted to the Service.
2.3 The categories of Data Subjects may include patients, healthcare professionals, or other individuals whose Personal Data is inadvertently contained in submitted text. The types of Personal Data may include names, dates, identifiers, health data, or other categories of Personal Data as defined in Article 9 GDPR.
2.4 The duration of the processing corresponds to the duration of the Service use under the Terms, plus any retention period specified in Section 3.1 of the Terms.
3.1 Synfora shall process Personal Data only on documented instructions from the Controller, unless required to do so by European Union or Member State law to which Synfora is subject. In such case, Synfora shall inform the Controller of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest.
3.2 Synfora shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection provisions.
3.3 Synfora shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.4 Synfora shall not process Personal Data outside the European Economic Area (EEA) without the prior written consent of the Controller.
3.5 Synfora shall process Personal Data with due care and in accordance with its obligations under the GDPR and other applicable data protection legislation.
4.1 Synfora shall implement appropriate technical and organizational security measures, taking into account the state of the art and the costs of implementation, to ensure a level of security appropriate to the risk of the processing, including as appropriate:
4.2 Upon reasonable request, Synfora shall provide the Controller with a copy of any relevant security certifications (such as ISO 27001) or, if not available, a written description of the security measures implemented, to demonstrate compliance with this Article.
4.3 The Controller has the right to verify compliance with the security measures set out in this Article following a suspected security or privacy breach. Any audit shall be conducted by a mutually agreed independent third party, at the Controller's expense, and shall be subject to reasonable confidentiality obligations.
5.1 Synfora shall actively monitor for potential Personal Data Breaches.
5.2 In the event of a Personal Data Breach, Synfora shall notify the Controller without undue delay and in any event within seventy-two (72) hours after becoming aware of the breach. The notification shall include:
5.3 Synfora shall take all commercially reasonable steps to contain and remediate any Personal Data Breach as quickly as possible. Synfora shall cooperate with the Controller and follow the Controller's reasonable instructions regarding the investigation and remediation of the breach.
5.4 Notification of a Personal Data Breach to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and/or to affected Data Subjects shall be made by the Controller only. Synfora shall not disclose information about a breach to Data Subjects or third parties without the Controller's prior written consent, unless required by law.
6.1 Synfora shall provide reasonable assistance to the Controller in fulfilling the Controller's obligations to respond to Data Subject Requests under Chapter III of the GDPR (including rights of access, rectification, erasure, restriction, portability, and objection).
6.2 If Synfora receives a Data Subject Request directly, Synfora shall forward it to the Controller without undue delay and in any event within forty-eight (48) hours.
6.3 Upon request, Synfora shall provide the Controller with all relevant information concerning the processing of Personal Data to enable the Controller to demonstrate compliance with applicable data protection law.
6.4 Synfora shall assist the Controller, upon request, in carrying out data protection impact assessments (DPIAs) and prior consultations with the supervisory authority where required.
7.1 By accepting the Terms, the Controller consents to the use of the Sub-Processors listed in Section 3.2 of the Terms as of the date of acceptance.
7.2 Synfora shall provide the Controller with at least thirty (30) days' advance written notice before engaging any new Sub-Processor or materially changing the scope of an existing Sub-Processor's engagement. The Controller may object to such changes in accordance with Section 3.2 of the Terms.
7.3 Synfora shall impose on each Sub-Processor, by way of a written agreement, data protection obligations that are substantially similar to, and no less protective than, those set out in this DPA. Synfora shall provide the Controller with a copy of any sub-processing agreement upon request.
7.4 Synfora shall remain fully liable to the Controller for the performance of each Sub-Processor's obligations under this DPA.
7.5 Sub-Processors shall not process Personal Data outside the EEA without the Controller's prior written consent, in accordance with Article 3.4 of this DPA.
8.1 Synfora shall not retain Personal Data longer than strictly necessary for the purposes of providing the Service.
8.2 Upon termination or expiration of the Terms, or upon the Controller's written request, Synfora shall, at the Controller's choice, either:
8.3 Synfora shall provide written confirmation of the deletion or destruction of Personal Data upon the Controller's request.
8.4 If return or destruction is not technically feasible, Synfora shall promptly inform the Controller, continue to protect the Personal Data in accordance with this DPA, and refrain from any further processing of such data.
9.1 The costs of processing inherent to the normal performance of this DPA and the exercise of Data Subject rights are deemed included in any fees payable under the Terms.
9.2 Costs of audits conducted under Article 4.3 shall be borne by the Controller, unless the audit reveals a material breach of this DPA by Synfora, in which case Synfora shall bear the reasonable costs of the audit.
10.1 This DPA enters into effect upon acceptance of the Terms and shall remain in force for the duration of the Terms, including any extensions.
10.2 Termination of the Terms, for whatever reason, shall result in the termination of this DPA.
10.3 Obligations that by their nature are intended to survive termination shall continue after termination, including obligations relating to confidentiality, data return/destruction, and cooperation with breach investigations.
10.4 The Controller may terminate the Terms and this DPA with immediate effect by written notice if Synfora indicates that it can no longer comply with the reliability and security requirements applicable to the processing of Personal Data under applicable law.
11.1 This DPA is governed by the laws of the Netherlands.
11.2 Any disputes arising out of or in connection with this DPA shall be submitted exclusively to the competent court in Amsterdam, the Netherlands, in accordance with Section 12.2 of the Terms.
| Element | Description |
|---|---|
| Subject matter | Extraction of structured clinical information from unstructured text submitted to the CDT API |
| Nature of processing | Automated processing (AI inference) of text data; no manual review; data processed in memory and not stored |
| Purpose of processing | To provide the CDT API Service as described in the Terms |
| Categories of Data Subjects | Patients, healthcare professionals, or other individuals whose data may inadvertently be contained in submitted text |
| Types of Personal Data | Names, dates, identification numbers, health data (Article 9 GDPR), and other identifiers that may be present in clinical text |
| Duration of processing | Duration of the API request (seconds); API metadata logs retained up to 90 days |
| Transfers outside EEA | None. All processing within EEA. |
As of the effective date of these Terms, the following Sub-Processors are engaged:
| Sub-Processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Microsoft Azure | Cloud infrastructure | EU West (Netherlands) | Text in transit |
| Azure OpenAI Service | AI model inference | EU (Sweden) | Text for extraction |
| Role | Contact |
|---|---|
| Processor (Synfora B.V.) | Data Protection contact: developers@healthsage.ai Breach notification: developers@healthsage.ai Data Subject Requests: developers@healthsage.ai |
| Controller (User) | As provided during API key registration |
© 2026 Synfora B.V. All rights reserved.