
Privacy Policy

Last updated: February 2025

1. Overview

Uptake Anesthesia ("we," "our," "the Service") is committed to protecting your privacy. This Privacy Policy explains what data we collect, how we use it, who we share it with, and your rights regarding your information.

2. Data We Collect

2a. Account Information

When you create an account, we collect:

  • Email address — for authentication and account recovery
  • Display name — optional, shown in the interface
  • Specialty and institution — optional, for profile personalization
  • Authentication provider — if you sign in with Google, we receive your name and email from Google; we do not receive your Google password

2b. Usage Data

  • Clinical questions — questions you submit are sent to third-party APIs (Anthropic, PubMed, ClinicalTrials.gov) for processing. We do not permanently store your questions on our servers.
  • Conversation history — stored locally in your browser (localStorage/IndexedDB). Conversations are not transmitted to or retained on our servers beyond the duration of each request.
  • Analytics events — anonymized usage events (e.g., feature usage, error occurrences) are collected via PostHog for product improvement. These events do not include the content of your clinical questions.

2c. Payment Information

If you make a voluntary donation, payment processing is handled entirely by Stripe, Inc. We do not receive, process, or store your credit card number, bank account details, or other payment credentials. We receive only a Stripe customer ID and donation status to manage your account.

2d. Technical Data

  • IP address — used for rate limiting and abuse prevention; not stored long-term
  • Browser type and device — collected by analytics for compatibility and performance monitoring
  • Error reports — application errors are reported to Sentry for debugging; these may include request metadata but do not include the content of your clinical questions

3. How We Use Your Data

  • Provide the Service — authenticate your account, process your questions, return evidence-based responses
  • Improve the Service — analyze anonymized usage patterns to improve features and performance
  • Prevent abuse — enforce rate limits, detect automated or malicious access
  • Communicate — send transactional emails (account verification, password reset) via our authentication provider
  • Process donations — manage voluntary donation subscriptions through Stripe

We do not use your data to serve personalized advertisements. Any advertisements displayed in the Service are non-targeted and are served in a privacy-isolated sandbox with no access to your data.

4. Third-Party Services

To provide the Service, your data is processed by the following third parties, each governed by its own privacy policy:

Supabase

Authentication, user profiles, and account management. Privacy Policy

Anthropic (Claude)

AI model for synthesizing evidence-based responses. Questions are sent to Anthropic's API for processing. Privacy Policy

NCBI / NLM (PubMed, PMC, DailyMed)

Medical literature search and drug labeling data. Search queries are sent to NCBI APIs. NLM Privacy Policy

Stripe

Payment processing for voluntary donations. We never receive your payment credentials. Privacy Policy

PostHog

Anonymized product analytics for usage patterns and error tracking. Privacy Policy

Sentry

Error monitoring and performance tracking for application stability. Privacy Policy

Upstash (Redis)

Caching layer for rate limiting and API response caching. Stores rate limit counters and anonymized cache keys. Privacy Policy

Vercel

Hosting and deployment infrastructure. Privacy Policy

5. Protected Health Information (PHI)

This Service is not HIPAA-compliant and is not designed to store, process, or transmit Protected Health Information.

  • Do not enter patient names, medical record numbers, dates of birth, or any individually identifiable health information
  • We do not knowingly collect or retain PHI
  • If PHI is inadvertently submitted, we cannot guarantee its confidentiality as it may be processed by third-party services listed above

6. Data Retention

  • Account data — retained while your account is active; deleted upon account deletion request
  • Conversation history — stored only in your browser; cleared when you clear browser data or start a new chat
  • API response cache — cached for up to 24 hours in Redis for performance; automatically expires
  • Rate limit counters — reset on a rolling 24-hour window
  • Analytics data — retained by PostHog per their retention policies
  • Error reports — retained by Sentry for up to 90 days

7. Cookies & Local Storage

  • Authentication cookies — set by Supabase to maintain your login session
  • Disclaimer acceptance — stored in localStorage to remember your acknowledgment
  • Conversation history — stored in localStorage/IndexedDB for chat persistence
  • Analytics cookies — set by PostHog for anonymized usage tracking

We do not use advertising cookies or cross-site tracking cookies. Any advertisements displayed are served in a sandboxed iframe that cannot access your cookies or data.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate personal data (via your account settings)
  • Delete your account and associated data
  • Export your personal data in a portable format
  • Opt out of analytics tracking

To exercise these rights, contact us through the information provided within the Service. We will respond to requests within 30 days.

9. Data Security

We implement reasonable technical and organizational measures to protect your data, including:

  • HTTPS encryption for all data in transit
  • Secure authentication via Supabase with bcrypt password hashing
  • Server-side rate limiting to prevent abuse
  • Security headers (CSP, X-Frame-Options, X-Content-Type-Options)
  • Input sanitization to prevent cross-site scripting (XSS)
  • No server-side storage of clinical questions or conversation content

No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

10. Children's Privacy

The Service is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will take steps to delete that information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of the Service after changes constitutes acceptance of the revised policy.
