Butterfly Network ("Butterfly")
Global Privacy FAQs

Last Updated: 04 February 2026

This guide provides healthcare professionals with clear information regarding Butterfly’s commitment to privacy, data protection, and global regulatory compliance, including, without limitation, the General Data Protection Regulation (GDPR).

1. Our Privacy & Security Framework

Does Butterfly have a formal privacy program? Yes. We employ a "Privacy by Design" approach supported by a dedicated privacy program. To support our customers' compliance, we provide:

Expert Oversight: A Data Protection Officer (DPO) oversees our privacy commitments.
Contractual Safeguards: Our standard agreements include a compliant Data Processing Addendum (DPA).
Security Controls: We implement robust technical and organizational measures to protect the information you entrust to us.

Who manages information security at Butterfly? Security is a primary focus for our organization. Our security program is led by a Chief Information Security Officer (CISO) and a dedicated team responsible for maintaining and updating our technical safeguards.

2. Handling Patient Data

What type of data is processed within the Butterfly Platform? Healthcare professionals determine what information is uploaded, which typically includes patient identifiers (name, DOB, gender), Medical Record Number (MRN) scans, and clinical notes. Butterfly treats all Patient Data hosted on the platform as personal information.

Where is this data stored? Data storage is determined by your organization’s geographic location using AWS data centers:

Europe: Frankfurt (eu-central-1).
Australia & New Zealand: Sydney (ap-southeast-2).
Canada: Montreal.
United States & Rest of World: Northern Virginia (us-east-1) and Oregon (us-west-2).

While data remains in these regions, Butterfly personnel in the United States may access it strictly for necessary service support, security, and maintenance.

3. Global Compliance & GDPR

What are the roles of each party under the GDPR?

Data Controller: The medical professional or hospital, as they determine the purpose and means of processing Patient Data.
Data Processor: Butterfly, acting on behalf of the controller to provide the Services.
Data Subject: The patient.

How does Butterfly facilitate international data transfers? GDPR allows data to be transferred outside the EEA provided appropriate safeguards are in place. Butterfly utilizes Standard Contractual Clauses (SCCs) within our Data Processing Addendum to ensure lawful data transfers to our U.S. facilities.

4. Supporting Your Patients

How does Butterfly handle Data Subject Access Requests (DSARs)? Under various privacy laws, patients have the right to access, rectify, or delete their data.

Direct Requests: If a patient contacts Butterfly directly, we will promptly redirect the request to you, the healthcare provider.
Collaborative Support: We provide reasonable assistance to help you fulfill patient requests for data copies or transfers to other professionals.

How does Butterfly handle government or law enforcement requests? We believe customers should maintain control of their data. Our practice is to:

Redirect lawful third-party requests to the customer whenever practical and legally permitted.
Limit any required disclosure to the specific data requested.
Notify the customer of the request unless legally prohibited from doing so.

5. Working with Sub-processors

We conduct security and risk assessments on all third parties that interact with Patient Data and/or personally identifiable information. These partners are contractually bound to uphold security standards equivalent to our own. Our primary sub-processors include:

Amazon Web Services (AWS): Cloud hosting.
Splunk: Data indexing and monitoring.
New Relic: Performance monitoring.

Additional Resources

Please refer to our Privacy Policy and Cookie Notice for additional information.

Contact Us