Privacy Policy
Last updated: June 5, 2026. Effective: June 5, 2026.
1. Who we are
PPHrisk is operated by Epigenuity LLC, a Delaware limited liability company with offices in Tucson, Arizona. We can be reached at privacy@pphrisk.com.
2. Scope of this policy
This policy describes how Epigenuity handles personal information collected through the PPHrisk service at pphrisk.com and its sub-pages. It applies to clinicians using the calculator and team features, as well as visitors to the marketing site. It does not apply to information you choose to share separately by email, phone, or in person.
3. Types of information processed
3a. Protected Health Information (PHI) read from an EHR
When PPHrisk is launched from a SMART-on-FHIR–capable EHR (Epic, Cerner / Oracle Health), the EHR provides PPHrisk with a short-lived access token scoped to a single patient. PPHrisk uses that token to read the patient's chart data — specifically: name, date of birth, conditions, observations, medication statements, medication requests, and procedures.
All PHI is processed in your browser and is never transmitted to or stored on any Epigenuity-controlled server. The access token lives only in your browser's session storage and is destroyed when the tab is closed.
3b. Locally stored assessment records (your device only)
PPHrisk's "local roster" feature stores risk assessments you save — including any free-text labels and notes you enter — in your browser's local storage. This data is on your device only; we do not have access to it. You can clear it any time by signing out, clearing site data in your browser, or using the in-app delete control.
3c. De-identified team-feed records (in our database)
When you sign in with a whitelisted institutional email and save an assessment, a copy is also sent to our Supabase-hosted database. The copy contains:
- A label you provide (which you commit to making non-identifying — for example, "Bed 7" or "Room 412")
- The risk-scoring framework used (CMQCC, AWHONN, or ACOG)
- The assessment stage (admission, intrapartum, postpartum)
- The risk-factor IDs you selected (e.g., "priorPPH", "macrosomia") — these are clinical categories, not patient identifiers
- The computed risk tier (LOW, MEDIUM, HIGH)
- Optional notes (you commit not to include PHI here)
- Your user ID, email address, and name (for attribution and audit)
- A creation timestamp
We do not collect patient names, MRNs, dates of birth, addresses, phone numbers, or any other direct or indirect identifier. If you accidentally enter PHI in the label or notes field, please contact privacy@pphrisk.com and we will delete the record.
3d. Simulation-drill records
For users with team access, drill logs (date, scenario type, scenario description, participant counts, role categories, debrief notes, action items) are stored in the same de-identified database. Drill records do not contain patient information.
3e. Account information
When you sign in, we store your email address (used as the account identifier) and any optional profile fields you provide (display name, title, organization name, NPI). Authentication is provided by Supabase Auth via magic-link or one-time code.
3f. Operational logs
Our hosting provider (Vercel) records standard HTTP request logs, including IP address, request path, response code, and user agent, for operational and security purposes. These logs are retained for up to 30 days. We do not use them for marketing or profiling.
3g. Analytics
We currently do not use third-party analytics, advertising trackers, fingerprinting scripts, or cross-site tracking cookies. If we add privacy-respecting aggregate analytics (e.g., Plausible or similar) in the future, we will update this policy and disclose them here.
4. How we use information
- To provide the calculator and decision-support functionality
- To enable the team-feed and compliance-reporting features for signed-in users
- To authenticate users and prevent unauthorized access
- To diagnose and resolve operational or security problems
- To respond to user requests for support, privacy, or deletion
We do not use information to advertise, profile, profile-share, or sell.
5. Legal basis (HIPAA posture)
When PPHrisk is launched from a covered entity's EHR, the PHI it reads is processed within the covered entity's own system boundary — PPHrisk acts as an extension of the user's browser session and does not exfiltrate PHI to a downstream system. We believe this read-only, transient, session-bound use is consistent with HIPAA's minimum necessary standard for treatment, payment, and healthcare operations (TPO), and does not in itself create a business associate relationship.
For team-feed records, only de-identified information is transmitted to Epigenuity-controlled systems. If a covered entity prefers to establish a Business Associate Agreement with Epigenuity covering this de-identified data flow, we will execute the covered entity's standard form. Contact privacy@pphrisk.com.
6. Data sharing
We share information only with:
- Supabase, Inc. — database and authentication hosting (San Francisco, CA). Subject to Supabase's standard data-processing agreement.
- Vercel, Inc. — application hosting and CDN (San Francisco, CA). Subject to Vercel's standard data-processing agreement.
- Resend, Inc. — transactional email delivery for sign-in codes. Subject to Resend's standard agreement.
- Law enforcement or regulators — only if compelled by valid legal process, and we will notify you unless legally prohibited.
We do not sell information to any party. We do not share information for advertising. We do not engage in cross-context behavioral advertising as defined by the California Privacy Rights Act.
7. Data retention
- De-identified team-feed records and simulation-drill records are retained while the team is active. We do not currently auto-delete; you can soft-delete (archive) records via the in-app interface, and you can request hard deletion by emailing us.
- Account records are retained while the account is active. We delete on request within 30 days.
- Operational logs are retained for up to 30 days at our hosting providers.
8. Your rights
You may request access, correction, or deletion of your account or de-identified records at any time by emailing privacy@pphrisk.com. We will respond within 30 days. California, Colorado, Connecticut, Virginia, and similar-state residents have additional rights under their respective privacy laws; this email address is the channel for all such requests.
9. Security
We implement the following safeguards:
- Transport encryption: TLS 1.3 enforced at the Vercel edge; HSTS preload-listed
- Database encryption at rest: Supabase Postgres with industry-standard at-rest encryption
- Authentication: Supabase Auth with magic-link / one-time code; no plaintext passwords stored
- SMART-on-FHIR: OAuth 2.0 with PKCE; no client secrets; short-lived tokens; no offline_access scope
- Database access controls: Row-level security tied to email-domain whitelist for institutional access
- No PHI persistence: we eliminate breach surface for the highest-risk data by not storing it
See our Security Disclosure page for vulnerability reporting and technical details.
10. Children's privacy
PPHrisk is a clinical tool for use by healthcare professionals only. It is not directed to children, and we do not knowingly collect information from anyone under 18. If you believe we have inadvertently collected such information, contact us at privacy@pphrisk.com and we will delete it.
11. International users
PPHrisk is hosted in the United States. If you access it from outside the U.S., your information will be processed in the U.S. By using the service, you consent to that processing.
12. Changes to this policy
If we materially change this policy, we will update the "Last updated" date at the top and, for signed-in users with attached email addresses, send a notification. Continued use after the effective date constitutes acceptance of the change.
13. Contact
Epigenuity LLC
Attention: Privacy Officer
Tucson, Arizona
privacy@pphrisk.com
PPHrisk is a product of Epigenuity LLC. This privacy policy is provided for informational purposes; it does not create a contract, and it is not a substitute for legal advice.