← Back to SpineOS
Privacy Policy
Effective Date: March 28, 2026 · Last Updated: July 6, 2026
1. Overview
SpineOS ("we", "us", "our") is a spine surgery planning and recovery platform
prototype. This page describes the privacy principles, current safeguards, and
production controls required before SpineOS is used with real patient data. Do
not enter real Protected Health Information (PHI) into a demo, development, or
staging environment unless a production deployment, Business Associate Agreement
coverage, and clinic-approved operating procedures are in place.
2. Information We Collect
- Account information: name, email address, role (clinician or patient).
- Clinical data: surgical measurements, imaging metadata, PROM scores,
check-in data (pain levels, activity, wound photos), and clinical notes.
- Device and usage data: browser type, session timestamps, and
anonymized usage analytics (via Vercel Analytics).
- HealthKit data: walking speed, step asymmetry, and related
recovery metrics (iOS app only, with your explicit consent).
3. How We Use Your Information
- Providing and improving the SpineOS platform.
- Supporting clinical decision-making for your care team.
- Tracking post-operative recovery progress.
- Generating assistive AI clinical note drafts (reviewed by your surgeon before use).
- Sending appointment reminders and recovery notifications.
- Complying with legal and regulatory obligations.
4. HIPAA Readiness
SpineOS is being built toward HIPAA-aligned operation for PHI, but this repository
is not itself a production HIPAA environment. Current implementation evidence
includes:
- Row-Level Security (RLS) migrations for tenant and patient isolation.
- Session timeout logic with a 15-minute idle limit and 8-hour absolute limit.
- Multi-factor authentication support for clinician/admin workflows, including server-side MFA backstop migrations.
- Application audit hooks and database audit triggers for implemented PHI-bearing workflows.
- Consent records for Privacy/Terms, HIPAA authorization, and clinic-linkage authorizations.
- Patient profile controls to view consent history and withdraw revocable consent types.
- Separate HIPAA readiness documentation that tracks remaining production controls.
Production use with PHI still requires, at minimum:
- Executed BAAs with all infrastructure and service providers that handle PHI.
- Applied and verified migrations, access reviews, and tenant-isolation testing.
- Immutable audit-log retention and backup/disaster-recovery procedures.
- Clinic-approved privacy, security, incident-response, and workforce procedures.
5. Data Sharing
We do not sell personal information. Demo and development environments should use synthetic data only. In a production PHI deployment, data may be shared only with:
- Your healthcare provider and care team (as authorized by you).
- Infrastructure subprocessors covered by appropriate BAAs and deployment controls.
- Approved assistive AI or analytics services only when PHI handling, de-identification,
audit logging, and vendor agreements have been reviewed and enabled for that deployment.
- Law enforcement, when required by valid legal process.
6. Your Rights
In a production PHI deployment, HIPAA and applicable privacy laws may provide rights to:
- Access your health records via the data export feature.
- Export a DSAR JSON bundle from the patient app for implemented data categories.
- Request corrections to inaccurate information.
- Request an accounting of disclosures of your PHI.
- Restrict certain uses and disclosures.
- Withdraw revocable Privacy/Terms or HIPAA authorization records in the patient app. Withdrawal records the change and may alert the care team; it does not delete clinical records or end clinic-linkage by itself.
- Close your account through a close-not-delete workflow that stops future self-service use and revokes sessions while retaining clinical records as required by law and clinic policy.
- Receive breach notifications within 60 days of discovery.
7. Data Retention
Retention rules are deployment- and clinic-policy-specific. The production target is:
- Clinical records: retained for the duration required by applicable state law (minimum 6 years).
- Audit logs: retained for a minimum of 6 years per HIPAA requirements.
- Account data: retained while your account is active. Account closure is a soft deactivation, not deletion of clinical records.
- Analytics data: anonymized and aggregated; no individual-level retention.
8. Security Measures
- HTTPS/TLS in hosted environments and encrypted storage through the selected infrastructure provider.
- Multi-factor authentication support and server-side session revocation.
- Role and tenant access controls through Supabase Auth, RLS, and application gates.
- Security assessments, penetration testing, and workforce training before production PHI use.
- Incident response procedures with HIPAA breach-notification review when applicable.
9. Cookies and Tracking
SpineOS uses essential storage for authentication session management where enabled.
Demo analytics may use Vercel Analytics for aggregate performance metrics. SpineOS
does not use advertising cookies or cross-site tracking.
10. Children's Privacy
SpineOS is intended for use by adults and authorized healthcare providers.
We do not knowingly collect information from children under 13.
Minors' accounts must be created and managed by a parent or legal guardian.
11. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be
communicated via email or in-app notification at least 30 days before taking effect.
12. Contact
For privacy-related inquiries, data access requests, or to report a concern:
Email: privacy@spineos.ai
HIPAA Privacy Officer: Available upon request.