Privacy Policy
Effective date: May 23, 2026 · Last updated: May 23, 2026
SpineNavigator (“we”, “us”, “our”) is committed to protecting your personal and health information. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information.
By using the SpineNavigator platform, you acknowledge that you have read and understood this Privacy Policy.
1. Who This Policy Applies To
This Policy applies to all users of the SpineNavigator platform, including:
- Surgeons and clinical staff who have registered an account;
- Patients who access the platform through a secure link provided by their clinic.
2. Information We Collect
2.1 Account and Identity Information
- Full name and email address (for surgeons and staff accounts);
- Role within the clinic (e.g., surgeon, registered nurse, physician assistant);
- Clinic affiliation.
2.2 Health and Clinical Information (Protected Health Information / PHI)
- Surgery type, diagnosis, and surgery date provided during patient onboarding;
- Questions submitted by patients through the chat interface;
- AI-generated responses produced from the clinic's approved protocol documents;
- Conversation history between patients and the AI assistant.
2.3 Usage and Technical Information
- Session logs (login times, page visits) for security and audit purposes;
- Device type and browser information;
- IP address (for security monitoring only).
We do not collect advertising identifiers, sell your data, or use your information for marketing purposes.
3. How We Use Your Information
- To authenticate your identity and provide you access to the Platform;
- To generate AI-assisted responses from your surgeon's approved protocol documents;
- To enable communication between patients and their authorized care team;
- To maintain audit logs required for healthcare compliance (HIPAA / PHIPA);
- To monitor for and investigate security incidents;
- To improve the reliability and accuracy of the Platform.
4. Legal Basis for Processing
We process personal and health information on the following legal bases:
- Contract: Processing necessary to provide the services you or your clinic has engaged us for;
- Legal obligation: Compliance with HIPAA, PHIPA, and other applicable healthcare laws;
- Legitimate interests: Maintaining security, preventing fraud, and improving the Platform.
5. Data Sharing and Disclosure
We do not sell your personal or health information. We may share it only in these circumstances:
5.1 Your Care Team
Your treating surgeon and authorized clinic staff can review your conversation history within their clinic's SpineNavigator account.
5.2 Infrastructure and Service Providers
We use the following categories of sub-processors, each bound by data processing agreements:
- Cloud hosting and authentication: Supabase (database, auth, storage);
- AI inference: Anthropic (Claude AI models — prompts and responses only, not stored by Anthropic);
- Transactional email: Resend (invitation and notification emails).
5.3 Legal Requirements
We may disclose information if required to do so by law, court order, or government request, or to protect the rights, property, or safety of SpineNavigator, its users, or the public.
6. Data Security
We implement industry-standard technical and organizational measures to protect your information, including:
- TLS 1.3 encryption for all data in transit;
- AES-256 encryption for data at rest;
- Role-based access controls (surgeons can only access their own clinic's data);
- Row-level security enforced at the database level;
- Invitation-only patient access via time-limited secure links.
No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to using best-practice measures.
7. Data Retention
Patient health information and conversation history are retained for the duration of the care relationship and for a minimum of 7 years following the last patient interaction, to comply with healthcare record-keeping requirements.
Staff accounts are retained for as long as the clinic maintains its account. Upon clinic termination, data is retained for 90 days before deletion unless a longer retention is legally required.
8. HIPAA and PHIPA Compliance
The Platform is designed to support compliance with:
- HIPAA (Health Insurance Portability and Accountability Act) — for clinics operating in the United States. Clinics must execute a Business Associate Agreement (BAA) with SpineNavigator before accessing PHI through the Platform. Contact us to request a BAA.
- PHIPA (Personal Health Information Protection Act, Ontario) — for clinics operating in Ontario, Canada. Information custodians remain responsible for compliance with PHIPA obligations relevant to their clinical operations.
9. Cookies and Tracking
The Platform uses the following cookies:
- Session authentication cookies: Strictly necessary for logging you in and maintaining your session. These expire at the end of each session or within 8 hours.
We do not use advertising cookies, third-party tracking pixels, or analytics platforms that collect personally identifiable information.
10. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal and health information:
- Access: Request a copy of the information we hold about you;
- Correction: Request correction of inaccurate information;
- Deletion: Request deletion of your information, subject to legal retention obligations;
- Portability: Request a machine-readable export of your data;
- Objection: Object to certain types of processing.
To exercise any of these rights, contact your clinic directly or reach us at bdthombre@gmail.com. We will respond within 30 days.
11. Children's Privacy
The Platform is not directed to individuals under 18. Patients under 18 may access the Platform only through an account held by a parent or legal guardian. If we become aware that we have collected information from a child under 13 without parental consent, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy periodically. We will notify registered clinics of material changes by email at least 14 days before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision.
13. Contact Us
For privacy questions, data requests, or to report a potential data breach:
SpineNavigator — Privacy
bdthombre@gmail.com
We take privacy seriously. All inquiries will receive a response within 5 business days.