Privacy Policy
Last updated: 2026-05-17 · Version 0.1 (Beta)
Draft — not legal advice. This document is a placeholder for the formal Privacy Policy. The final version must be reviewed by qualified counsel before being relied upon.
⚠ PHI DISCLAIMER
This is a research intelligence tool. Do NOT enter Protected Health Information (PHI), patient names, medical record numbers, dates of birth, addresses, or any identifying health data into any field of this service — including the chatbot. We are not a HIPAA-compliant service in v1, no Business Associate Agreement is in place, and you should treat this service as if it were a public discussion board when de-identifying anything you submit.
1. What we collect
- Account data: email address, hashed password, display name, optional profile picture, account-creation timestamp, last login timestamp.
- OAuth data: if you sign in with Google, we receive your Google subject ID, email, and profile name.
- Usage data: server logs (IP, user-agent, request path, status) for security and rate-limiting purposes.
- Chat queries: the text you submit to the chatbot is sent to Anthropic's Claude API to generate responses. We do not currently persist chat history in v1.
2. What we do NOT collect
We do not knowingly collect PHI, patient identifiers, or HIPAA-covered data. If you accidentally submit such information, contact us immediately and we will work in good faith to remove it.
3. How we use it
- To authenticate you and provide the Service.
- To send transactional email (welcome, password reset).
- To enforce rate limits and detect abuse.
- To improve the Service.
4. Third-party processors
- Anthropic — processes chat queries to generate model responses.
- Resend — sends transactional email on our behalf.
- Railway — hosts the application and database.
- Google — OAuth identity provider (only if you choose to sign in with Google).
5. Cookies
We set an HttpOnly, SameSite=Lax JWT cookie to keep you signed in, and a CSRF token cookie for form protection. No tracking or analytics cookies in v1.
6. Data retention
When you delete your account, we perform a soft delete: your record is marked deleted and you can no longer sign in, but the row is retained for security and audit purposes. To request a hard deletion, contact us.
7. Your rights
You can update your profile, change your password, and delete your account at any time from the Profile page. For other data requests, email mikewallacemba@gmail.com.
8. Children
The Service is not directed at children under 13 and we do not knowingly collect data from them.
9. Contact
Questions: mikewallacemba@gmail.com