🔒 HIPAA-Aware Privacy Policy

Privacy Policy

Effective: June 4, 2026 · Last updated: June 4, 2026

โš•๏ธ Health Information Notice

OncoCompass handles sensitive health information including cancer diagnoses, treatment details, symptoms, and vitals. We treat this information with the highest level of care and in accordance with applicable health privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA) where applicable. We never sell your health data. Ever.

1. Who We Are

OncoCompass ("we," "us," or "our") operates the OncoCompass web application at oncocompass.vercel.app and any associated mobile applications (collectively, the "Service"). OncoCompass is a patient navigation and symptom guidance tool designed for oncology patients and their caregivers.

For privacy inquiries, contact us at: privacy@oncocompass.health

2. Information We Collect

2.1 Information You Provide Directly

  • Account information: Email address used to create and access your account
  • Profile information: First name, age, biological sex (optional)
  • Protected Health Information (PHI): Cancer type and stage, diagnosis date, treatment type and regimen, symptom assessments, daily vitals (temperature, blood pressure, heart rate, oxygen saturation, weight), symptom scores (fatigue, nausea, pain, appetite), diary notes, and visit preparation notes
  • Care plan information: Treatment timeline, provider specialty, appointment dates
  • Questions you ask: Content of AI-assisted queries about your care

2.2 Information Collected Automatically

  • Usage data: Pages visited, features used, time spent in the app
  • Device information: Browser type, operating system, device type
  • Log data: IP address, access times, referring URLs

2.3 Information We Do Not Collect

  • We do not collect Social Security Numbers, government IDs, or insurance information
  • We do not collect or store payment card information; card details are entered into and processed by Stripe, not by us
  • We do not collect location data beyond what you voluntarily enter
  • We do not use advertising trackers or sell data to advertisers

3. HIPAA and Protected Health Information

HIPAA Applicability: HIPAA directly governs "Covered Entities" (healthcare providers, health plans, healthcare clearinghouses) and their Business Associates. OncoCompass is a patient-facing application and may operate as a Business Associate when working with Covered Entities. We are committed to meeting HIPAA standards for the protection of Protected Health Information (PHI).

3.1 What Constitutes PHI in Our App

The following information you provide may constitute Protected Health Information (PHI) under HIPAA when combined with your identity:

  • Cancer diagnosis, type, and stage
  • Treatment type, regimen, and timeline
  • Symptom logs, scores, and clinical notes
  • Vital signs (temperature, blood pressure, heart rate, O₂ saturation, weight)
  • Clinical trial participation or interest
  • Visit preparation content and appointment notes

3.2 How We Protect PHI

  • Encryption in transit: All data is transmitted over HTTPS/TLS
  • Encryption at rest: All database data is encrypted at rest via Supabase (AES-256)
  • Access controls: Row-level security ensures you can only access your own data
  • Authentication: Passwordless magic-link sign-in means there is no OncoCompass password to phish, reuse, or leak; access to your account is tied to access to your email inbox, so protecting that inbox protects your health data
  • Minimum necessary: We collect only the health data needed to provide the Service
  • No selling of PHI: We never sell, rent, or trade your health information

3.3 Permitted Uses of PHI

We use your health information only to:

  • Provide and personalize the OncoCompass Service
  • Generate AI-powered symptom assessments and care guidance
  • Maintain your care plan and symptom history
  • Improve the Service (in de-identified, aggregated form only)

We do not use PHI for advertising, profiling, or sale to third parties.

3.4 Business Associate Agreements

We enter into Business Associate Agreements (BAAs) with our infrastructure providers who may have access to PHI, including our database provider (Supabase). If you are a Covered Entity or Business Associate seeking a BAA with OncoCompass, contact us at privacy@oncocompass.health.

4. How We Use Your Information

  • Provide the Service: Deliver personalized symptom assessments, care plans, and educational content
  • AI-powered features: Your health context is used to generate relevant guidance and questions. AI responses are generated using your care plan data and symptom history
  • Clinical trial matching: Your cancer type and stage are used to search ClinicalTrials.gov
  • Symptom tracking: Your diary entries are stored and displayed to you only
  • Account management: Authenticate you, manage your subscription, send service emails
  • Service improvement: Analyze usage patterns in de-identified, aggregated form to improve features
  • Legal compliance: Comply with applicable laws and respond to lawful requests

5. When We Share Information

We do not sell, rent, or trade your personal or health information. We share information only in these limited circumstances:

5.1 Service Providers (Sub-processors)

Provider           | Purpose                   | Data shared                  | BAA
-------------------|---------------------------|------------------------------|------------------------
Supabase           | Database & authentication | All user data                | Available
Vercel             | Hosting & CDN             | Request logs, IP address     | No PHI stored
Stripe             | Payment processing        | Email, payment data          | No PHI shared
AI Provider        | AI-powered responses      | Health context in queries    | Data not retained
ClinicalTrials.gov | Clinical trial search     | Condition search terms       | Public API, no account

5.2 Caregiver Sharing

If you choose to share your care plan with a caregiver, that person will have view-only access to your care plan. You control this sharing and can revoke it at any time from your account settings.

5.3 Legal Requirements

We may disclose information if required by law, court order, or governmental authority, or to protect the safety of any person or prevent fraud. We will notify you of such requests where legally permitted.

6. Your Privacy Rights

You have the following rights regarding your health and personal information:

๐Ÿ‘๏ธ

Right to Access

Request a copy of all data we hold about you

โœ๏ธ

Right to Correct

Update or correct inaccurate information

๐Ÿ—‘๏ธ

Right to Delete

Request deletion of your account and all associated data

๐Ÿ“ฆ

Right to Portability

Export your data in a machine-readable format

๐Ÿšซ

Right to Restrict

Limit how we process your health information

๐Ÿ“‹

Right to Accounting

Request a log of disclosures of your PHI

To exercise any of these rights, email us at privacy@oncocompass.health. We will respond within 30 days. You may also delete your account and all associated data directly from your account settings.

7. Data Retention

  • Active account data: Retained for as long as your account is active
  • Deleted accounts: All personal and health data is permanently deleted within 30 days of account deletion
  • Backups: May persist in encrypted backups for up to 90 days after deletion
  • Aggregated analytics: De-identified, non-reversible usage data may be retained indefinitely
  • Legal holds: Data may be retained longer if required by law

8. Security

We implement administrative, technical, and physical safeguards to protect your health information:

  • TLS 1.2+ encryption for all data in transit
  • AES-256 encryption for all data at rest
  • Row-level security policies preventing cross-user data access
  • Passwordless authentication (magic link), so no password can be phished, reused, or leaked from our systems; your email account becomes the boundary that protects sign-in
  • Regular security reviews and dependency updates
  • Access limited to authorized personnel only
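The row-level security and caregiver view-only sharing described in sections 3.2, 5.2 and 8 are enforced in the database rather than in application code. The following is an added illustration of what such Supabase (Postgres) policies look like; it is not OncoCompass's actual schema, and the table names, columns and policy names are assumptions. `auth.uid()` and the `authenticated` role are Supabase's standard helpers.

```sql
-- Illustrative Supabase/Postgres row-level security (added example, not the
-- project's own schema; table and column names are assumed for illustration).

-- Symptom diary: every row is owned by the signed-in user who wrote it.
create table if not exists symptom_entries (
  id          uuid primary key default gen_random_uuid(),
  user_id     uuid not null default auth.uid()
              references auth.users (id) on delete cascade,
  recorded_at timestamptz not null default now(),
  fatigue     smallint check (fatigue between 0 and 10),
  nausea      smallint check (nausea between 0 and 10),
  pain        smallint check (pain between 0 and 10),
  note        text
);

-- Caregiver grants: the patient records who may view their data and when the
-- grant was revoked. A non-null revoked_at ends access immediately.
create table if not exists care_plan_shares (
  patient_id   uuid not null references auth.users (id) on delete cascade,
  caregiver_id uuid not null references auth.users (id) on delete cascade,
  revoked_at   timestamptz,
  primary key (patient_id, caregiver_id)
);

-- RLS is OFF by default. Without these two statements no policy below is
-- ever consulted and any authenticated user could read every row.
alter table symptom_entries enable row level security;
alter table care_plan_shares enable row level security;

-- One policy per operation. A table with RLS enabled and no matching policy
-- denies the operation, so forgetting a policy fails closed, not open.
create policy "owner reads own entries" on symptom_entries
  for select to authenticated using (user_id = auth.uid());

create policy "owner inserts own entries" on symptom_entries
  for insert to authenticated with check (user_id = auth.uid());

create policy "owner updates own entries" on symptom_entries
  for update to authenticated
  using (user_id = auth.uid()) with check (user_id = auth.uid());

create policy "owner deletes own entries" on symptom_entries
  for delete to authenticated using (user_id = auth.uid());

-- Caregiver access is SELECT only: no insert/update/delete policy exists for
-- them, which is what makes the share "view-only".
create policy "caregiver reads shared entries" on symptom_entries
  for select to authenticated
  using (
    exists (
      select 1 from care_plan_shares s
      where s.patient_id   = symptom_entries.user_id
        and s.caregiver_id = auth.uid()
        and s.revoked_at is null
    )
  );

-- Only the patient can create, revoke or remove a share; the caregiver can
-- see only that a share naming them exists.
create policy "patient manages own shares" on care_plan_shares
  for all to authenticated
  using (patient_id = auth.uid()) with check (patient_id = auth.uid());

create policy "caregiver sees own share" on care_plan_shares
  for select to authenticated using (caregiver_id = auth.uid());
```

Two caveats a reviewer would check: the Supabase service-role key bypasses RLS entirely and must never reach a browser or mobile client, and permissive policies on the same table are combined with OR, so every policy added later widens access and deserves the same scrutiny as the first one.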

Data breach notification: In the event of a breach involving your PHI, we will notify you and the appropriate authorities without unreasonable delay and within the timeframes required by the HIPAA Breach Notification Rule (no later than 60 calendar days after discovery of the breach) and by applicable state laws, some of which set shorter deadlines.

9. Children's Privacy

OncoCompass is not directed to individuals under 18 years of age. We do not knowingly collect personal information from minors. If you believe a minor has provided us with health information, contact us at privacy@oncocompass.health and we will delete it promptly.

10. Medical Disclaimer

OncoCompass is not a covered healthcare provider, health plan, or healthcare clearinghouse. The Service provides navigation guidance, educational information, and patient tools; it does not provide medical diagnosis, treatment recommendations, or clinical care. Always consult your licensed oncology team for medical decisions. If you are experiencing a medical emergency, call 911 immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, especially those affecting how we handle your health information, we will:

  • Post the updated policy with a new effective date
  • Send an email notification to registered users
  • Display an in-app notice for 30 days following significant changes

Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

12. Contact Us

For privacy questions, data requests, or to report a concern:

OncoCompass Privacy Officer

Email: privacy@oncocompass.health

We aim to respond to all privacy inquiries within 5 business days and will resolve data requests within 30 days as required by law.

Legal review notice: This privacy policy was prepared as a starting framework. Prior to broad public launch, review by a healthcare attorney with HIPAA expertise is strongly recommended to ensure full compliance with applicable federal and state laws including HIPAA, CCPA, and state-specific health privacy regulations.