Privacy Policy
Effective Date: March 28, 2026 · Last Updated: May 17, 2026
1. Overview
SpineOS ("we", "us", "our") is a spine surgery planning and recovery platform
prototype. This page describes the privacy principles, current safeguards, and
production controls required before SpineOS is used with real patient data. Do
not enter real Protected Health Information (PHI) into a demo, development, or
staging environment unless a production deployment, Business Associate Agreement
coverage, and clinic-approved operating procedures are in place.
2. Information We Collect
- Account information: name, email address, role (clinician or patient).
- Clinical data: surgical measurements, imaging metadata, PROM scores,
check-in data (pain levels, activity, wound photos), and clinical notes.
- Device and usage data: browser type, session timestamps, and
anonymized usage analytics (via Vercel Analytics).
- HealthKit data: walking speed, step asymmetry, and related
recovery metrics (iOS app only, with your explicit consent).
3. How We Use Your Information
- Providing and improving the SpineOS platform.
- Supporting clinical decision-making for your care team.
- Tracking post-operative recovery progress.
- Generating assistive AI clinical note drafts (reviewed by your surgeon before use).
- Sending appointment reminders and recovery notifications.
- Complying with legal and regulatory obligations.
4. HIPAA Readiness
SpineOS is being built toward HIPAA-aligned operation for PHI, but this repository
is not itself a production HIPAA environment. Current implementation evidence
includes:
- Row-Level Security (RLS) migration drafts for tenant and patient isolation.
- Session timeout logic with a 15-minute idle limit and 8-hour absolute limit.
- Application audit hooks and database audit-trigger drafts for PHI-bearing writes.
- Configuration guidance for Supabase and Vercel environments.
- Separate HIPAA readiness documentation that tracks remaining production controls.
Production use with PHI still requires, at minimum:
- Executed BAAs with all infrastructure and service providers that handle PHI.
- Applied and verified migrations, access reviews, and tenant-isolation testing.
- Immutable audit-log retention and backup/disaster-recovery procedures.
- Clinic-approved privacy, security, incident-response, and workforce procedures.
5. Data Sharing
We do not sell personal information. Demo and development environments should use synthetic data only. In a production PHI deployment, data may be shared only with:
- Your healthcare provider and care team (as authorized by you).
- Infrastructure subprocessors covered by appropriate BAAs and deployment controls.
- Approved assistive AI or analytics services only when PHI handling, de-identification,
audit logging, and vendor agreements have been reviewed and enabled for that deployment.
- Law enforcement, when required by valid legal process.
6. Your Rights
In a production PHI deployment, HIPAA and applicable privacy laws may provide rights to:
- Access your health records via the data export feature.
- Request corrections to inaccurate information.
- Request an accounting of disclosures of your PHI.
- Restrict certain uses and disclosures.
- Receive breach notifications within 60 days of discovery.
7. Data Retention
Retention rules are deployment- and clinic-policy-specific. The production target is:
- Clinical records: retained for the duration required by applicable state law (minimum 6 years).
- Audit logs: retained for a minimum of 6 years per HIPAA requirements.
- Account data: retained while your account is active, plus 30 days after deletion request.
- Analytics data: anonymized and aggregated; no individual-level retention.
8. Security Measures
- HTTPS/TLS in hosted environments and encrypted storage through the selected infrastructure provider.
- Multi-factor authentication support.
- Role and tenant access controls through Supabase Auth, RLS, and application gates.
- Security assessments, penetration testing, and workforce training before production PHI use.
- Incident response procedures with HIPAA breach-notification review when applicable.
9. Cookies and Tracking
SpineOS uses only essential browser storage for authentication session management
where sign-in is enabled. Demo environments may use Vercel Analytics for aggregate
performance metrics. SpineOS does not use advertising cookies or cross-site tracking.
10. Children's Privacy
SpineOS is intended for use by adults and authorized healthcare providers.
We do not knowingly collect information from children under 13.
Minors' accounts must be created and managed by a parent or legal guardian.
11. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be
communicated via email or in-app notification at least 30 days before taking effect.
12. Contact
For privacy-related inquiries, data access requests, or to report a concern:
Email: privacy@spineos.ai
HIPAA Privacy Officer: Available upon request.