Legal Document · Effective June 17, 2026
Privacy Policy
Data collection, retention, and third-party access. Governed by the laws of the State of Delaware, USA, with reference to applicable federal, CCPA, and GDPR obligations.
1. Introduction & Controller Identity
Patient X Project ("Patient X," "we," "us," "our"), a business registered in the State of Delaware, USA, operates the Patient X platform (the "Service") available at px.drseanhall.com and any associated mobile or web applications.
Patient X is the data controller for the personal data you provide. We are committed to protecting your privacy and handling your health information with care, transparency, and in accordance with applicable law. This Privacy Policy explains what data we collect, why we collect it, how long we retain it, and who may have access to it.
For privacy inquiries, contact us at privacy@px.drseanhall.com.
2. Information We Collect
2a. Account Information
- Full name (first and last), email address, encrypted password hash
- Account role (Patient, Guardian, Practitioner, Next of Kin)
- Account creation date and last login date
2b. Health & Wellness Data
Health data you voluntarily enter, which may include: pain scores, wellbeing scores, mobility scores, mental clarity scores (all on a 1–10 scale), free-text notes, the date and time of each entry, and generated health reports. This data is classified as sensitive personal information. See our Sensitive Information Policy for additional details.
2c. Technical Usage Data
- IP address, browser type and version, operating system
- Pages visited, timestamps of access, referral URLs
- API request logs (retained in Vercel infrastructure — see Section 6)
2d. Device Information
- Device type (desktop, mobile, tablet)
- Screen resolution (used for display optimisation only)
2e. Data We Do Not Collect
We do not collect: payment card numbers (we currently offer no paid features), Social Security numbers, biometric identifiers, genetic data, precise GPS location, or government-issued identification numbers.
3. Legal Basis for Processing
We process your personal data on the following legal bases (applicable to all users, with GDPR-specific basis noted for EU/UK residents):
- Contract performance — providing the Service you registered for
- Legitimate interests — operating, improving, and securing the Service
- Legal obligation — compliance with applicable law, court orders, or regulatory requests
- Consent — for optional features you explicitly opt into
For special-category health data (Art. 9 GDPR), we process on the basis of your explicit consent given at registration and reiterated by each health entry you create.
4. How We Use Your Information
- To create, maintain, and manage your account
- To store, display, and analyse your self-reported health data
- To generate health reports at your request
- To enable you to share reports with healthcare providers or trusted contacts you designate
- To provide technical support and respond to your inquiries
- To send service-related communications (account alerts, security notifications)
- To detect, prevent, and respond to fraud, abuse, and security incidents
- To comply with applicable legal obligations
- To improve and develop the Service using aggregated, de-identified data
We do not sell your personal information to any third party. We do not use your health data for targeted advertising. We do not share individually identifiable health data with insurance companies, employers, pharmaceutical companies, or data brokers.
5. Data Retention
We retain data for the following periods:
| Data Type | Retention Period | Basis |
|---|---|---|
| Account information | Duration of account + 2 years post-deletion | Legal obligation, fraud prevention |
| Health entries & scores | Duration of account + 1 year post-deletion | Service delivery; audit trail |
| Generated reports | Duration of account | Service delivery |
| Technical access logs | 90 days | Security monitoring |
| Support communications | 3 years from last contact | Dispute resolution |
| Aggregated analytics | Indefinite (non-identifiable) | Legitimate interest |
On account deletion we will delete or anonymise your personal data within 30 days, except where retention is required by law or for legitimate legal defence.
6. Third-Party Data Sharing & Access
6a. Infrastructure Providers
Supabase Inc.
Database Hosting & PostgreSQL Provider
United States (AWS infrastructure)
Patient X stores all user account data and health entries in a Supabase-managed PostgreSQL database. Supabase personnel with appropriate access credentials have the technical ability to read raw database contents, including your health data and account information, in the ordinary course of database administration, security operations, or pursuant to their own legal obligations. Supabase's access is subject to their Privacy Policy and Data Processing Agreement. Patient X has engaged Supabase as a data processor under a Data Processing Agreement consistent with applicable law.
Vercel Inc.
Application Hosting & Edge Network
United States (global CDN)
The Patient X web application is hosted on Vercel's infrastructure. Vercel may collect and retain server-side access logs including IP addresses, timestamps, and request metadata. Vercel personnel may access these logs for operational, security, or legal purposes. Your health data is transmitted through Vercel's edge network but is not stored in Vercel's systems (it is stored in Supabase). Patient X has a Data Processing Agreement with Vercel.
Google LLC
Web Font Delivery (Google Fonts API)
United States / Global
Patient X loads web fonts (Source Serif 4, Inter, IBM Plex Mono) from Google's Fonts API. When the application loads in your browser, a request is made to Google's servers that may include your IP address and browser user-agent. Google may collect this request data pursuant to its own privacy policy. Patient X does not transmit any health data or account information to Google.
6b. Healthcare Providers You Authorise
When you use the sharing feature to send a health report to a healthcare provider or trusted contact, that recipient will receive the contents of that specific report. You control what is shared and with whom. Patient X does not independently verify the identity or credentials of recipients you invite, and is not responsible for how recipients use shared data.
6c. Legal Compulsion
Patient X may disclose your data, including health data, when required to do so by valid legal process including court orders, subpoenas, warrants, or applicable law. Where legally permitted, we will attempt to notify you before complying with such demands. We may also disclose data to prevent imminent harm to you or others where we have a good-faith belief that disclosure is necessary.
6d. Business Transfers
In the event of a merger, acquisition, reorganisation, sale of assets, or bankruptcy, your data may be transferred to the successor entity. We will notify you of any such transfer and the applicable privacy policy of the successor.
7. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — Request a copy of all personal data we hold about you
- Correction — Request correction of inaccurate data
- Deletion — Request deletion of your account and associated data
- Portability — Request your health data in a machine-readable format (CSV/JSON)
- Restriction — Request that we restrict processing of your data
- Objection — Object to processing based on legitimate interests
- Withdraw Consent — Withdraw consent at any time (without affecting prior processing)
California Residents (CCPA/CPRA): You have the right to know what personal information is collected, the right to delete, the right to opt out of sale (we do not sell data), and the right to non-discrimination for exercising these rights.
EU/UK Residents (GDPR/UK GDPR): You have the rights listed above under Articles 15–22 of the GDPR. You may also lodge a complaint with your local supervisory authority.
To exercise any of these rights, contact us at privacy@px.drseanhall.com. We will respond within 30 days (or 45 days where an extension is permitted by law).
8. Security
We implement industry-standard technical and organisational measures to protect your data, including:
- Encryption in transit via TLS 1.2 or higher for all data communications
- Encrypted storage provided by Supabase's managed PostgreSQL (AES-256 at rest)
- Password hashing using bcrypt with per-account salting
- JSON Web Token (JWT) based authentication with server-side validation
- Access-controlled API endpoints requiring authentication for all health data
- Role-based access controls preventing cross-account data access
Important limitation: No method of electronic storage or transmission is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security. In the event of a data breach affecting your rights and freedoms, we will notify affected users and, where required, regulatory authorities within 72 hours of becoming aware of the breach.
9. Children's Privacy
Patient X is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13 without verifiable parental consent as required by the Children's Online Privacy Protection Act (COPPA). If you are between 13 and 17, a parent or legal guardian must review and consent to these policies on your behalf before you use the Service. If we become aware that we have collected data from a child under 13 without appropriate consent, we will delete it promptly.
10. International Data Transfers
Patient X is operated from the United States. If you access the Service from outside the United States, your data may be transferred to and processed in the United States. The U.S. does not have the same data protection laws as the European Union or other jurisdictions. Where required by GDPR, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses) to legitimise cross-border transfers.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email (to the address on your account) and by posting the updated policy with a revised effective date. Your continued use of the Service following notification constitutes acceptance of the updated policy.
12. Governing Law
This Privacy Policy is governed by the laws of the State of Delaware, USA. Any dispute arising from this policy shall be resolved in accordance with the arbitration and governing law provisions in our Terms of Service.