IP Geolocation for Healthcare — Telehealth Licensing, PHI Geofencing, Patient-Data Residency, Pharma Routing

Why healthcare is its own axis: every telehealth consult that crosses a state, province, or member-state border is a five-jurisdiction decision in <40 ms — EU MRPQ (Directive 2005/36/EC) on professional-qualification recognition, GDPR Article 9 special-category processing (health data), Schrems II transfer-impact assessment if the EHR is US-hosted, HIPAA §164.308 administrative safeguards on PHI/EPHI access, and the destination-state licensure rule (a NY-licensed MD treating a FL patient without FL telemed-license = unauthorised practice + civil + criminal exposure under FL Stat. §456.072). IP-layer signals are upstream of every clinical decision — consult-routing, EHR-access gate, prescription-engine, and pharma-shipping eligibility. A wrong country resolve at consultation-init is a four-system breach within the same render frame and a regulatory event under both HIPAA (45 CFR 160-164) and GDPR (Art. 9, 32, 33).

The country an IP resolves to, the ASN it belongs to, and whether it’s a known datacenter, VPN, residential-proxy, or Tor exit are inputs to four separate healthcare control surfaces:

1. Cross-border telehealth licensing enforcement at consultation-start — destination-state / member-state licensure must match the practitioner’s registered jurisdiction before the consult-room opens. US: 50-state medical-board reciprocity is partial (Interstate Medical Licensure Compact covers 41 states; CA/FL/NY/TX gate independently). EU: MRPQ Directive 2005/36/EC + national derogations (DE Bundesärztekammer, NL BIG-register, FR ONM, UK GMC post-Brexit). Hard-fail-closed: ambiguous resolves return HTTP 451 and a redirect to in-jurisdiction-MD queue. Cross-border consult opened without licensure = practitioner + platform joint liability + state-board complaint.
2. HIPAA PHI / EPHI access geofencing + EHR allowlist — 45 CFR §164.308(a)(4) (information-access management) requires restricting PHI to identified workforce members at sanctioned access points. Hospital LAN, clinic VPN exit, and physician home-office allowlisted IPs only. Datacenter ASNs, residential-proxy ASNs (Bright Data, Oxylabs, Smartproxy, IPRoyal), VPN exit-nodes, and Tor relays are blocked at the EHR portal authentication layer before the workforce-member’s PHI session-token issues. Reduces breach exposure under HIPAA Breach Notification Rule (§164.404) and HHS OCR audit posture.
3. EU patient-data residency enforcement (GDPR Art. 9 + Schrems II) — health data is special-category under GDPR Art. 9(1) — processing prohibited except under Art. 9(2) carve-outs (consent, vital interests, public-health, medical diagnosis). Cross-border transfers to non-adequate third countries (US post-Schrems II) require SCCs + TIA + supplementary technical measures (encryption, pseudonymisation) per EDPB Recommendations 01/2020. EU-patient IP-resolve must route to EU-data-residency EHR; US-hosted EHR access for EU patient = §83 fine exposure (up to €20 M or 4 % global revenue, whichever is higher).
4. Cross-border pharma + controlled-substance prescription gating — DEA controlled-substance schedules (Schedule I-V, 21 CFR §1306) prohibit dispensing across state lines without state-of-residence verification; Ryan Haight Act §3 requires in-person eval for Schedule II-V telemedicine prescription. EU Falsified Medicines Directive (2011/62/EU) requires originator-country audit trail on every dispensation. Destination-country drug-schedule gates: cannabis/CBD legal NL/DE-medical/UK/CA but Schedule-I or banned in UAE/SG/HK/JP/MY (Misuse of Drugs Act SG = capital offence on import); psilocybin / MDMA-therapeutic legal AU/CA-research but Schedule-I in US/EU outside trial protocols.

A single REST call to IP Geo API returns all four signal classes — country/region/city/lat-lon, ASN, threat-flags (VPN/proxy/Tor/hosting/relay), risk score — on every plan, no add-on SKU, ≤40 ms median in EU.

What healthcare buyers care about (in order)

1. Consultation-init latency budget ≤ 40 ms. Patient-portal sign-in → consent → consult-room-handshake must complete in ≤ 2 s on a 4G connection; the IP-resolve sits inside the first-paint path for licensure-check + PHI-access-gate + EHR-region-pin. IP Geo API runs on EU edges (Hetzner Frankfurt) for ≤ 30-40 ms median across DE/NL/FR/IE/ES/IT/UK, ≤ 60 ms US-EU round-trip — well under the consult-init budget and ahead of EHR-API round-trip (typically 200-400 ms for Epic/Cerner/Allscripts FHIR R4).
2. HIPAA + GDPR + Schrems II + DAC7 audit-trail bundle. HIPAA Security Rule (§164.308-§164.316) requires audit logs of PHI-access events for 6 years; GDPR Art. 30 + Art. 32 require RoPA + technical-measures evidence for the lifetime of processing; Schrems II requires per-transfer TIA documentation. IP Geo API ships a deterministic-replay log-format on every paid tier — same country_code + region + is_vpn + is_proxy + risk_score at lookup-time gets persisted in the response envelope for audit-grade reconstruction by your HIPAA Privacy Officer / GDPR DPO.
3. Threat fields on every plan, not a paid add-on. Most US incumbents (MaxMind, ipinfo.io, ipstack) split datacenter/VPN/proxy classification into a paid Security Module or Privacy add-on. IP Geo API ships is_vpn, is_proxy, is_tor, is_hosting, is_relay, and a numeric risk_score on the free tier — critical for blocking residential-proxy PHI scraping (a single 2023 HHS OCR breach disclosed >2.5 M records via residential-proxy credential-stuffing on a patient-portal) and for telehealth licensure-circumvention detection.
4. ASN-level granularity for clinical-IP allowlisting. Country-only checks let an EU residential-proxy through to a US EHR; ASN + is_proxy flag catches them at the PHI-portal authentication layer before the session-token issues. We expose asn, asn_org, and is_proxy as first-class fields so your EHR access policy can allowlist the hospital’s announced ASN block (AS-EPIC-IL, AS-CERNER-MO) and reject at ASN granularity without maintaining a list yourself.
5. EU residency + GDPR Art. 9 + Schrems II posture. Patient IPs cannot be transferred to a US vendor without GDPR §28 DPA + SCCs + TIA + Art. 9 carve-out documented; Schrems II TIA must show that the destination jurisdiction (US) does not have surveillance law equivalent to GDPR Art. 23 — a near-impossible burden under FISA §702 and EO 12333. The entire chain (IP-resolve, telehealth licensure-check, PHI-access-gate, audit-log persistence) must be EU-data-residency end-to-end. IP Geo API is EU-only data-flow, signed DPA in 24h, no SCCs required, HIPAA BAA available on Business+ tier.

The four healthcare control surfaces, in code

1. Cross-border telehealth licensing enforcement (hard-fail-closed)

// /api/telehealth/consult-init.js — Node 20 / consult-room handshake
// Called on every consult-start BEFORE WebRTC offer/answer SDP exchange.
// Fail-closed: licensure-jurisdiction mismatch → HTTP 451 + redirect to in-jurisdiction-MD queue.
const fetch = require('undici').fetch;

// Practitioner's licensed jurisdictions (loaded from credential-verification system)
const PRACTITIONER_LICENSURE = {
  'dr-jane-doe-NPI-1234567890': {
    us_states: ['NY','NJ','CT','MA','RI'],      // IMLC partial coverage
    eu_member_states: ['NL','DE','BE'],          // MRPQ recognised + national derogation
    uk_gmc: true,
  },
};

// Hard-stop destinations — no license recognition for ANY consult
const NO_RECIPROCITY = new Set(['IR','KP','SY','CU','BY','RU','MM','VE','AF','SO']);

async function initConsult(req, res) {
  const ip = req.headers['cf-connecting-ip'] || req.ip;
  const practitionerId = req.session.npi;
  let geo;
  try {
    geo = await (await fetch(`https://ipgeo.10b.app/v1/${ip}?fields=country_code,region,city,is_vpn,is_proxy,is_tor,asn,risk_score`, {
      headers: { 'Authorization': `Bearer ${process.env.IPGEO_KEY}` },
      signal: AbortSignal.timeout(40)   // ≤ 40 ms hard budget
    })).json();
  } catch {
    // Fail-closed: no consult-room without successful geo-resolve
    return res.status(503).json({ error: 'geo_resolve_timeout', retry_after_s: 1 });
  }

  // Hard sanctions / no-reciprocity stop
  if (NO_RECIPROCITY.has(geo.country_code)) return res.status(451).json({ error: 'jurisdiction_not_supported' });

  // VPN / proxy / Tor → reject; clinical encounter must be from verified patient origin
  if (geo.is_vpn || geo.is_proxy || geo.is_tor) {
    return res.status(451).json({ error: 'anonymised_origin_not_permitted_for_clinical_encounter' });
  }

  const licensure = PRACTITIONER_LICENSURE[practitionerId];
  if (!licensure) return res.status(403).json({ error: 'practitioner_credentials_not_verified' });

  // Patient in US — destination-state licensure check
  if (geo.country_code === 'US') {
    if (!licensure.us_states.includes(geo.region)) {
      return res.status(451).json({
        error: 'cross_state_licensure_required',
        patient_state: geo.region,
        practitioner_licensed_states: licensure.us_states,
        redirect: `/queue/in-state-md/${geo.region}/`
      });
    }
  }
  // Patient in EU — member-state licensure + MRPQ recognition check
  else if (['NL','DE','BE','FR','ES','IT','PL','SE','DK','FI','AT','IE','PT','CZ','HU','GR','RO'].includes(geo.country_code)) {
    if (!licensure.eu_member_states.includes(geo.country_code)) {
      return res.status(451).json({
        error: 'mrpq_licensure_required',
        patient_country: geo.country_code,
        practitioner_licensed_eu: licensure.eu_member_states,
        redirect: `/queue/in-country-md/${geo.country_code}/`
      });
    }
  }
  // Patient in UK — GMC registration required
  else if (geo.country_code === 'GB' && !licensure.uk_gmc) {
    return res.status(451).json({ error: 'gmc_registration_required', redirect: '/queue/uk-md/' });
  }

  // Pin licensure-jurisdiction to session for audit replay
  return res.json({ consult_room_token: issueToken(req.session, geo), jurisdiction: geo.country_code, region: geo.region });
}

2. HIPAA PHI / EPHI access geofencing + EHR allowlist (hard-fail-closed)

# /api/ehr/phi-access-gate.py — FastAPI / EHR portal authentication layer
# Called immediately before the workforce-member's PHI session-token issues; rejects on score >= 70 or non-clinical ASN.
from fastapi import FastAPI, HTTPException, Request
import httpx, os

IPGEO_KEY = os.environ["IPGEO_KEY"]

# Hospital-system announced ASNs (clinical IP ranges only)
CLINICAL_ASNS = {
    'AS-EPIC-IL':       'Epic Systems (workforce SSO)',
    'AS-CERNER-MO':     'Cerner (Oracle Health) (workforce SSO)',
    'AS-ALLSCRIPTS-IL': 'Allscripts (workforce SSO)',
    'AS-MAYO-MN':       'Mayo Clinic enterprise',
    'AS-MASSGEN-MA':    'Mass General Brigham enterprise',
    'AS-CLEVELAND-OH':  'Cleveland Clinic enterprise',
    'AS-KAISER-CA':     'Kaiser Permanente enterprise',
}

# Residential-proxy ASNs — instant reject on PHI access
RES_PROXY_ASNS = {
    212238: 'Bright Data', 401116: 'Bright Data',
    396982: 'Oxylabs',     60068:  'Oxylabs',
    62240:  'Smartproxy',  16276:  'Smartproxy',
    35916:  'IPRoyal',     174:    'IPRoyal',
    21859:  'Tier3/Choopa', 32475: 'Tier3/Choopa',
}

# HIPAA-eligible clinician home-office allowlist (signed BAA + IT-attested workstation)
HOME_OFFICE_ALLOWLIST = set([
    '203.0.113.42',     # Dr. J. Doe, NPI 1234567890, attested 2026-04-12
    '198.51.100.17',    # Dr. K. Smith, NPI 9876543210, attested 2026-03-22
])

async def phi_access_gate(request: Request) -> dict:
    ip = request.headers.get('cf-connecting-ip') or request.client.host
    user_npi = request.session.get('npi')
    if not user_npi:
        raise HTTPException(401, 'workforce_member_not_authenticated')

    async with httpx.AsyncClient(timeout=0.04) as cx:
        r = await cx.get(f'https://ipgeo.10b.app/v1/{ip}',
            params={'fields': 'country_code,region,is_vpn,is_proxy,is_tor,is_hosting,is_relay,asn,asn_org,risk_score'},
            headers={'Authorization': f'Bearer {IPGEO_KEY}'})
    g = r.json()

    # Hard reject — VPN/proxy/Tor/relay on PHI access path
    if g['is_vpn'] or g['is_proxy'] or g['is_tor'] or g['is_relay']:
        _audit_log('phi_access_denied', user_npi, ip, g, reason='anonymised_origin')
        raise HTTPException(403, 'anonymised_origin_blocked_on_phi_access')

    # Hard reject — residential-proxy ASN
    if g['asn'] in RES_PROXY_ASNS:
        _audit_log('phi_access_denied', user_npi, ip, g, reason=f'residential_proxy_{RES_PROXY_ASNS[g["asn"]]}')
        raise HTTPException(403, 'residential_proxy_blocked_on_phi_access')

    # Soft-allow path: clinical ASN OR home-office allowlist OR risk_score < 30
    asn_org = g.get('asn_org', '')
    is_clinical_asn = any(c in asn_org for c in CLINICAL_ASNS.keys())
    is_home_office = ip in HOME_OFFICE_ALLOWLIST
    is_low_risk    = g['risk_score'] < 30

    if not (is_clinical_asn or is_home_office or is_low_risk):
        _audit_log('phi_access_denied', user_npi, ip, g, reason='non_clinical_origin')
        raise HTTPException(403, 'non_clinical_origin_requires_step_up_mfa')

    # Pin session origin for HIPAA Security Rule §164.312(b) audit
    _audit_log('phi_access_granted', user_npi, ip, g, reason='clinical_origin_verified')
    return {'session_origin': g['country_code'], 'asn_org': asn_org, 'risk_score': g['risk_score']}

def _audit_log(event, npi, ip, geo, reason):
    # HIPAA Security Rule §164.312(b) — audit controls retained 6 years
    # Deterministic-replay log-format with full IP Geo API response envelope for breach-investigation reconstruction
    pass

3. EU patient-data residency enforcement (GDPR Art. 9 + Schrems II)

// /api/ehr/route-by-residency.js — Node edge / EHR API gateway routing
// Routes EU-patient EHR API calls to EU-residency EHR shard; US-patient EHR calls to US-residency shard.
// Schrems II: zero cross-Atlantic patient-data egress without TIA + supplementary measures.
const fetch = require('undici').fetch;

const EHR_SHARDS = {
  'EU-FRA': { region: 'EU', endpoint: 'https://ehr-eu-fra.internal/fhir/r4/', scc_required: false },
  'EU-AMS': { region: 'EU', endpoint: 'https://ehr-eu-ams.internal/fhir/r4/', scc_required: false },
  'UK-LON': { region: 'UK', endpoint: 'https://ehr-uk-lon.internal/fhir/r4/', scc_required: false },
  'US-IAD': { region: 'US', endpoint: 'https://ehr-us-iad.internal/fhir/r4/', scc_required: true  },
  'CA-YYZ': { region: 'CA', endpoint: 'https://ehr-ca-yyz.internal/fhir/r4/', scc_required: false },
  'AU-SYD': { region: 'AU', endpoint: 'https://ehr-au-syd.internal/fhir/r4/', scc_required: false },
};

const EU_MEMBER_STATES = new Set(['DE','NL','FR','IE','ES','IT','PL','SE','DK','FI','AT','PT','CZ','HU','GR','RO','BE','BG','HR','CY','EE','LV','LT','LU','MT','SI','SK']);

async function pickEhrShard(req) {
  const ip = req.headers['cf-connecting-ip'] || req.ip;
  const geo = await (await fetch(`https://ipgeo.10b.app/v1/${ip}?fields=country_code,is_vpn,is_proxy`, {
    headers: { 'Authorization': `Bearer ${process.env.IPGEO_KEY}` },
    signal: AbortSignal.timeout(40)
  })).json();

  // VPN/proxy on a patient-portal session = Schrems II + GDPR Art. 9 risk → fall back to EU-residency
  if (geo.is_vpn || geo.is_proxy) {
    return EHR_SHARDS['EU-FRA'];  // Default to EU residency on anonymised origin (highest protection)
  }

  const cc = geo.country_code;
  if (EU_MEMBER_STATES.has(cc)) return cc === 'NL' || cc === 'BE' || cc === 'LU' ? EHR_SHARDS['EU-AMS'] : EHR_SHARDS['EU-FRA'];
  if (cc === 'GB') return EHR_SHARDS['UK-LON'];
  if (cc === 'US') return EHR_SHARDS['US-IAD'];  // SCC + TIA on the BAA, but US-patient stays US-residency
  if (cc === 'CA') return EHR_SHARDS['CA-YYZ'];
  if (['AU','NZ'].includes(cc)) return EHR_SHARDS['AU-SYD'];

  // Default — patient outside listed residency zones → EU shard with explicit consent banner
  return EHR_SHARDS['EU-FRA'];
}

4. Cross-border pharma + controlled-substance prescription gating

# /api/rx/dispense-eligibility.py — FastAPI / e-prescription routing & dispensation gate
# Called on every Rx-send before the pharmacy-API call; hard-fails on schedule-mismatch or destination-ban.
from fastapi import HTTPException, Request
import httpx, os

IPGEO_KEY = os.environ["IPGEO_KEY"]

# DEA Controlled Substances Act schedules — US
DEA_SCHEDULES = {
    'oxycodone': 'II',     'fentanyl': 'II',    'morphine': 'II',
    'adderall':  'II',     'ritalin':  'II',
    'ketamine':  'III',    'codeine':  'III',
    'tramadol':  'IV',     'alprazolam': 'IV',  'diazepam': 'IV',
    'pregabalin':'V',
}

# Ryan Haight Act §3 — in-person eval required for Schedule II-V telemed Rx (US)
RYAN_HAIGHT_REQUIRES_INPERSON = {'II','III','IV','V'}

# Destination-country drug-schedule gates
COUNTRY_BANS = {
    'cannabis_thc':   {'banned': ['AE','SA','SG','HK','JP','MY','KR','ID','PH','VN','TH','KW','QA','OM','BH'],
                       'medical_legal': ['NL','DE','PT','IT','GR','CZ','HR','LU','MT','CY','PL','IE','UK','CA','AU','NZ','IL']},
    'cbd':            {'banned': ['AE','SA','SG','HK','JP-rec','RU','BY'],
                       'medical_legal': ['EU','UK','US','CA','AU','NZ']},
    'psilocybin':     {'banned': ['everywhere_except_research'],
                       'research_legal': ['AU','CA','CH','NL']},
    'mdma':           {'banned': ['everywhere_except_research'],
                       'research_legal': ['AU','CH','CA']},
    'kratom':         {'banned': ['AU','DK','PL','SE','LT','LV','RO','MY','TH','SG','VN','LK','BT']},
}

async def check_rx_dispense_eligibility(req: Request, rx: dict) -> dict:
    patient_ip = req.headers.get('cf-connecting-ip') or req.client.host
    practitioner_npi = req.session['npi']

    async with httpx.AsyncClient(timeout=0.04) as cx:
        r = await cx.get(f'https://ipgeo.10b.app/v1/{patient_ip}',
            params={'fields': 'country_code,region,is_vpn,is_proxy,risk_score'},
            headers={'Authorization': f'Bearer {IPGEO_KEY}'})
    g = r.json()

    if g['is_vpn'] or g['is_proxy']:
        raise HTTPException(451, 'anonymised_origin_blocked_on_controlled_substance_dispense')

    drug = rx['substance']
    schedule = DEA_SCHEDULES.get(drug)
    patient_country = g['country_code']
    patient_state = g['region']

    # US — DEA + Ryan Haight + state-of-residence verification
    if patient_country == 'US' and schedule:
        if schedule in RYAN_HAIGHT_REQUIRES_INPERSON and not rx.get('in_person_eval_documented'):
            raise HTTPException(451, f'ryan_haight_in_person_eval_required_for_schedule_{schedule}')
        if patient_state not in rx.get('practitioner_dea_state_licensure', []):
            raise HTTPException(451, f'practitioner_not_dea_registered_in_{patient_state}')

    # EU — Falsified Medicines Directive 2011/62/EU originator-country audit
    if patient_country in ('NL','DE','FR','IE','ES','IT','PL','SE','DK','FI','AT','PT','CZ','HU','GR','RO','BE'):
        _fmd_audit_log(rx, g, practitioner_npi)

    # Destination-country drug-schedule gate
    for restricted, gates in COUNTRY_BANS.items():
        if restricted in drug.lower() and patient_country in gates.get('banned', []):
            raise HTTPException(451, f'{restricted}_banned_in_{patient_country}')

    return {
        'eligible': True,
        'patient_country': patient_country,
        'patient_region': patient_state,
        'dea_schedule': schedule,
        'fmd_logged': patient_country in ('NL','DE','FR','IE','ES','IT'),
        'audit_id': _audit_log_id(rx, g, practitioner_npi),
    }

def _fmd_audit_log(rx, geo, npi): pass
def _audit_log_id(rx, geo, npi): return 'rx-audit-' + npi[-4:]

Pricing math — when does IP Geo API pay for itself for a healthcare operator?

At Business €99/mo: a single blocked cross-state telehealth violation that would have triggered a state-medical-board complaint saves the platform legal-defence (~€15 K), board-discipline (~€5-50 K per practitioner), and one residential-proxy PHI scrape blocked = average disclosed-breach cost €380 / record (HHS OCR 2024 data) × even 100 records = €38 K. Most health-systems recoup the €99/mo Business tier on a single avoided licensure event per year.

Honest limits — when IP geolocation is not the right signal

1. CG-NAT regions — in MENA, parts of LATAM, and rural India, CG-NAT collapses thousands of subscribers behind one egress IP. Country-resolve stays accurate but city-resolve degrades; never gate a telehealth consult on city + ASN alone in CG-NAT-heavy markets. We expose city_confidence so the platform can fall back to country-only licensure + an explicit patient-location prompt before consult-room open.
2. iCloud Private Relay + Proxy-on-by-default OS-modes — Apple’s iCloud Private Relay shifts the egress IP to a Cloudflare/Akamai relay-block; we classify these as is_relay=true so the consult-init can prompt the patient to disable Private Relay for the duration of the clinical encounter (HIPAA / GDPR Art. 9 explicit-consent path).
3. Mobile-data IP rotation — 4G/5G subscribers can hop between cell-tower egress IPs mid-consult; do not invalidate a consult-room on IP-change alone. Pin the consult-session’s licensure-jurisdiction to the at-consult-init snapshot for the duration of the clinical encounter.
4. MaxMind is_anonymous_proxy deprecation — MaxMind sunset is_anonymous_proxy in 2024 Q3; if your existing HIPAA Security-Officer Sigma rules reference it, migrate to is_proxy + is_vpn + is_relay + is_hosting composite. We expose all four for forward-compatibility on the §164.312(b) audit-trail.
5. State-of-residence verification ≠ patient-location-at-consult — DEA Schedule II in-person eval requires documented state-of-residence at the time of Rx, not just at consult-init. IP geolocation is a strong corroborating signal but not the legal-evidentiary record; pair with a documented patient-attestation field (driver’s license, utility-bill, insurance address) for the Ryan Haight + DEA-audit chain.

Use-cases that compose with healthcare

Every healthcare stack composes 3-5 IP-layer use-cases. The relevant primary deep-dives:

• Geoblocking & compliance — ../use-cases/geoblocking-compliance/ — HIPAA + GDPR Art. 9 + Schrems II patient-data residency, cross-state telehealth licensure-jurisdiction gating.
• Fraud detection — ../use-cases/fraud-detection/ — residential-proxy PHI credential-stuffing, telehealth-license-circumvention via VPN, controlled-substance Rx-shopping detection.
• Bot / WAF security — ../use-cases/bot-security/ — patient-portal credential-stuffing, scraping of pharma-pricing endpoints, datacenter ASN filtering at PHI authentication layer.
• Visitor analytics — ../use-cases/visitor-analytics/ — cookieless geographic distribution of consult-volume + Rx-fulfilment by region for clinical-operations reporting.
• Geo personalization — ../use-cases/geo-personalization/ — multi-language patient-portal defaults, currency display on private-pay self-service tier, regional pharmacy-network routing.

Compare IP Geo API to the providers healthcare teams evaluate

If you’re shortlisting vendors for a telehealth-platform refactor, an EHR-region-pin rollout, or a HIPAA + GDPR posture audit, these head-to-heads cover the providers most often shortlisted in the IP-geolocation market:

• IP Geo API vs MaxMind — ../compare/maxmind/ — REST SaaS vs MMDB-download licensing, BAA-availability, traits-field deprecation pain.
• IP Geo API vs ipinfo.io — ../compare/ipinfo-io/ — EU residency, EUR billing, Privacy Detection add-on vs bundled threat fields.
• IP Geo API vs ipstack — ../compare/ipstack-com/ — HTTPS-on-free, EU hosting, Security Module bundling.
• IP Geo API vs ipapi.co — ../compare/ipapi-co/ — bundled-everything pricing, attribution-backlink obligations.
• IP Geo API vs ipgeolocation.io — ../compare/ipgeolocation-io/ — separately-priced Security API SKU vs bundled threat block, USD vs EUR billing.
• IP Geo API vs IP2Location — ../compare/ip2location-com/ — REST-only managed API vs annual BIN/CSV/MMDB licensing, IP2Proxy bundling cost.
• IP Geo API vs DB-IP — ../compare/db-ip-com/ — attribution-free free tier, EU-edges-only, bundled threat detection.

Read also — narrative deep-dives

Seven 2026-dated comparison articles with code-level migration sketches and latency / pricing math at 100K / 1M / 10M req/mo:

• IP Geo API vs ipinfo.io in 2026: When the EU Alternative Wins (and When It Doesn’t) →
• IP Geo API vs MaxMind in 2026: SaaS vs DB Download — Which Stack Wins? →
• IP Geo API vs ipstack in 2026: HTTPS-on-Free, EU Hosting, and the Security Module Question →
• IP Geo API vs ipapi.co in 2026: Free-Tier Generosity vs Predictable Latency →
• IP Geo API vs ipgeolocation.io in 2026: Bundled Endpoints, Bundled Threat-Detection, and the EU-Residency Question →
• IP Geo API vs IP2Location in 2026: REST-First vs Database-Download — Which Model Wins for Your Stack? →
• IP Geo API vs DB-IP in 2026: REST-First vs DB-Download — Which EU Vendor Wins for Your Stack? →

Migration walkthroughs — drop-in code-level guides

Already on an incumbent? These step-by-step migration guides ship with field-by-field maps, code diffs, shadow-mode validation, and rollback notes:

• Migrate from MaxMind GeoIP2 to IP Geo API (2026) → — drop the weekly .mmdb sync, swap to a REST call with the same field shape.
• Migrate from ipinfo.io to IP Geo API (2026) → — loc-string parsing, org ASN+name regex split, Authorization-header edge-stripping.
• Migrate from ipstack to IP Geo API (2026) → — HTTP→HTTPS scheme flip, security.* empty-vs-populated branch behaviour.
• Migrate from ipapi.co to IP Geo API (2026) → — per-day rate-limit fragmentation, attribution-backlink scrub.
• Migrate from ipgeolocation.io to IP Geo API (2026) → — Security API SKU consolidation, apiKey-in-URL log-leak hardening.
• Migrate from IP2Location to IP Geo API (2026) → — BIN/CSV/MMDB-download decommission, IP2Proxy SKU consolidation, USD-annual-to-EUR-monthly billing migration.
• Migrate from DB-IP to IP Geo API (2026) → — MMDB/CSV-download decommission, CC-BY-4.0 attribution-backlink scrub, countryCode3 ISO-3 vs ISO-2 gotchas.

Industry deep-dives

Other vertical-specific surfaces using the same IP Geo API primitives:

• Fintech — KYC, sanctions screening, and payment fraud → — country-of-origin + ASN + threat-fields for KYC + OFAC/EU-sanctions + per-transaction risk scoring.
• Ad-tech — RTB enrichment, IVT/SIVT filtering, click fraud → — sub-40 ms bid-enrichment, datacenter ASN blocking, IAB-TCF v2.2 vendor-list readiness.
• iGaming — Licence-jurisdiction enforcement, anti-circumvention, self-exclusion → — hard-fail-closed posture for MGA/UKGC/KSA/DGOJ/ANJ/ADM/DAS, residential-proxy ASN block-list, GamStop/CRUKS/ROFUS/Spelpaus/OASIS register routing by IP-country.
• SaaS monetization — PPP geo-pricing, VAT/sales-tax routing, trial-abuse defence → — PPP-adjusted tiering at checkout-page first paint, EU OSS / US Wayfair nexus routing, residential-proxy ASN block-list, OFAC/EU/BIS feature-gating.
• Streaming media — Licensing windows, VPN-bypass defence, CDN steering, SSAI ad-insertion → — per-territory licensing enforcement, residential-proxy ASN block-list, CDN POP steering + adaptive-bitrate ladder, SSAI per-event blackout enforcement.
• E-commerce — Tax-jurisdiction routing, carding defence, PPP pricing, shipping-zone steering → — EU OSS / UK VAT / US Wayfair tax routing, BIN-vs-IP carding defence, PPP-adjusted pricebook, 9-warehouse fulfilment routing.

Get started — healthcare-friendly procurement

• Free tier: 1 000 lookups / day, no credit card. Useful for pilot integration in dev / staging telehealth-funnel + EHR-allowlist tuning.
• Starter €29/mo: 33 K lookups / day, all threat fields, EU residency, ≤40 ms median latency. Sufficient for single-jurisdiction clinic ≤ 50 K monthly consults.
• Business €99/mo: 500 K lookups / day, SLA-backed, priority queue, full PHI-geofence + telehealth-licensure classification fields, HIPAA BAA available. Multi-jurisdiction health-system ≤ 1 M monthly consults with HIPAA + GDPR + Schrems II audit-grade per-consult logs.
• DPA + BAA + Schrems II TIA: one-page artifacts, EU-only data flows, signed in 24h — drop into your HIPAA Security Rule §164.308 + GDPR Article 30 RoPA + Schrems II TIA bundle without legal review.

Sign up at https://ipgeo.10b.app/pricing and start with a sandbox key today.