
Draft — legal review pending. This privacy policy has not been reviewed by legal counsel. Do not rely on it for compliance purposes.

Privacy Policy

SocialRightLabs (“we,” “our,” or “us”) is committed to transparency about data practices in the Clinical Temporal Decision Engine. This policy describes what data we collect, how we use it, and your rights.

Last updated: May 22, 2026. This is a draft document.

1. Data We Collect

Account data: Name, email address, organization name, and role — provided during pilot enrollment or contact request.

Technical data: IP address, browser type, pages visited, and timestamps — collected via standard web server logs.

API usage data: Endpoint accessed, response status, latency, and authentication events. No request payload data is logged in telemetry.

Pipeline metadata: Execution status, guideline version, quality gate results, and error reports. Patient-level data never enters logging or monitoring systems.

Current state: All demonstrations, testing, and development use synthetic data only. No real patient data is collected or processed.

2. How We Use Data

We use collected data to:

  • Provide and maintain the Clinical Temporal Decision Engine
  • Process pipeline executions and generate decision support outputs
  • Monitor system health, performance, and security
  • Communicate about service updates, incidents, and support requests
  • Improve pipeline accuracy through deterministic rule refinement

We do not sell personal data. We do not use patient data for advertising, profiling, or automated decision-making about individuals.

3. PHI Handling

The Clinical Temporal Decision Engine is designed with PHI-aware boundaries. In its current state, no real PHI is processed. When PHI processing begins in production deployments:

  • PHI is encrypted at rest (Azure Storage encryption) and in transit (TLS)
  • Patient identifiers are never written to logs or telemetry streams
  • Access controls are enforced via Managed Identity and per-tenant API keys
  • Data retention is configurable per deployment
  • A Business Associate Agreement (BAA) will be executed where legally required

HIPAA compliance is planned but not yet achieved. No HIPAA certification is claimed.

4. Data Sharing and Sub-Processors

We use the following Azure services to deliver the platform:

  • Azure App Service (application hosting)
  • Azure Cosmos DB (structured data storage)
  • Azure Event Hubs (pipeline event streaming)
  • Azure Key Vault (secrets management)
  • Azure Monitor / Application Insights / Log Analytics (observability)

We share account and support data with Microsoft 365 (Exchange Online) for email communication. We do not share data with other third parties except as required by law.

5. Data Retention

  • Pipeline execution logs: Configurable (default 30 days)
  • API access logs: Configurable
  • Account data: Retained for the duration of the pilot or service relationship

Exact retention periods will be finalized before production deployment.

6. Data Subject Rights

Depending on your jurisdiction, you may have rights to access, rectify, erase, restrict processing of, or port your personal data. To exercise these rights, contact:

privacy@socialrightlabs.com

Jurisdiction-specific appendices (GDPR, KVKK, UK GDPR) are planned but not yet published. This policy is a structural template pending legal review.

7. Cookies and Tracking

This website does not use advertising cookies, tracking pixels, or third-party analytics. Essential session cookies may be used for authenticated console access. No consent banner is currently required.

8. International Data Transfers

Data is stored and processed in Azure regions selected by the deploying organization. Cross-border transfer mechanisms will be addressed in jurisdiction-specific appendices before production deployments involving personal data from regulated jurisdictions.

9. Changes to This Policy

We will post updates to this page and update the “Last updated” date. Material changes will be communicated via email to active pilot participants. Continued use after changes constitutes acceptance.

10. Contact

For privacy inquiries or to exercise your data subject rights:

privacy@socialrightlabs.com

Support inquiries may also be routed to support@socialrightlabs.com.

Legal correspondence may also be routed through legal@socialrightlabs.com.

Demonstrations use synthetic data only. No real patient data is used in development, testing, or demonstration.

Not a medical device. Does not diagnose, treat, or prescribe.

Not HIPAA, FDA, SOC2, or ISO certified. Compliance program is planned.

Not a medical device. Does not diagnose, treat, or prescribe. Outputs are clinical decision support, not medical advice.


© 2026 SocialRightLabs. All rights reserved.