Legal Document · Effective June 17, 2026
Sensitive Information Policy
How Patient X handles special-category health data, the limitations of our protections, and your hold harmless obligations. Governed by the laws of the State of Delaware, USA.
Critical Infrastructure Disclosure
All data you enter into Patient X — including sensitive health information — is stored on Supabase Inc.'s database infrastructure. Supabase personnel with appropriate database credentials have the technical ability to access your raw health data. While Supabase is contractually bound by their Data Processing Agreement to handle your data responsibly, Patient X cannot guarantee that Supabase will not access, disclose, or be compelled by legal process to produce your health information. You assume this risk by using the Service.
1. What Constitutes Sensitive Information on Patient X
"Sensitive Information" on the Patient X platform refers to any data that falls into special categories recognised by applicable law as warranting heightened protection. On Patient X, this includes:
- Health and medical data — all numeric scores (pain, wellbeing, mobility, mental clarity) and any notes referencing medical conditions, diagnoses, symptoms, treatments, or medications
- Mental and behavioural health information — any content in notes fields that describes psychological, psychiatric, or emotional health
- Substance use information — any references in notes to alcohol use, drug use, or related treatments
- Disability or functional limitation data — information about chronic conditions, physical limitations, or disability status that may be inferred from mobility or other scores
- Information about minors — any health data entered by a guardian that pertains to a child under 18
All health data entered on Patient X is treated as sensitive regardless of whether it falls into a statutory special category. We apply our highest level of care to all health records on the platform.
2. Technical Protections for Sensitive Data
We implement the following technical and organisational measures to protect sensitive health information:
| Protection | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ for all data between your browser and our servers |
| Encryption at rest | AES-256 encryption provided by Supabase managed PostgreSQL |
| Password security | Bcrypt hashing with per-account salt; passwords never stored in plaintext |
| Authentication | JWTs validated server-side on every request; sessions expire after inactivity |
| API access control | All health data endpoints require an authenticated session; requests for another account's data are rejected |
| Database access control | Row-level security policies on Supabase restrict data to account owner |
Important limitation: Row-level security policies restrict what queries made through the application's database roles can return. They do not bind database superusers or roles carrying the PostgreSQL BYPASSRLS attribute, so Supabase database administrators holding such credentials can query any row regardless of policy. This is an inherent property of shared, provider-managed database infrastructure.
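To make the row-level security protection and its limitation concrete, the following is an added illustration, not Patient X's actual schema or policies. The table and column names (health_entries, user_id, pain, wellbeing, notes) are assumed; the auth.uid() function is the one Supabase provides to read the caller's user id from the request JWT.

```sql
-- Added illustration, not Patient X's schema: table and column names are assumed.
-- Each health record stores the id of the Supabase auth user who owns it.
create table if not exists public.health_entries (
  id         bigint generated always as identity primary key,
  user_id    uuid not null default auth.uid(),
  pain       smallint check (pain between 0 and 10),
  wellbeing  smallint check (wellbeing between 0 and 10),
  notes      text,
  created_at timestamptz not null default now()
);

-- Without this statement every role with table privileges sees every row,
-- which is the weak setting. With it, no rows are visible until a policy
-- grants them.
alter table public.health_entries enable row level security;

-- Owner-only policies for the Supabase "authenticated" role:
-- auth.uid() is the user id carried in the caller's JWT, so a caller can
-- only read or change rows whose user_id matches their own token.
create policy "owners read own entries" on public.health_entries
  for select to authenticated
  using (user_id = auth.uid());

create policy "owners insert own entries" on public.health_entries
  for insert to authenticated
  with check (user_id = auth.uid());

create policy "owners update own entries" on public.health_entries
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "owners delete own entries" on public.health_entries
  for delete to authenticated
  using (user_id = auth.uid());

-- Apply the policies to the table owner too (by default the owner is exempt).
alter table public.health_entries force row level security;

-- The limitation stated above, visible in the catalogue: any role with the
-- superuser or BYPASSRLS attribute is never filtered by these policies,
-- whatever the application enforces.
select rolname, rolsuper, rolbypassrls
from pg_roles
where rolsuper or rolbypassrls;
```

In a Supabase project the service_role API key also bypasses row-level security, so it must never reach a browser; the policies only constrain requests authenticated as an end user with the anon or authenticated role.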
3. Special Categories — Extra Protections
Certain categories of health data carry additional sensitivity and legal protection under federal and state law:
Mental Health Information: Notes or scores that indicate psychological or psychiatric conditions may be subject to heightened protections under state mental health confidentiality laws. Patient X does not share this information with any third party except as authorised by you or required by law.
Substance Use Information: Any content that may indicate alcohol or substance use disorder is treated with particular sensitivity and is not disclosed to third parties except with your consent or as compelled by law.
Disability and Functional Limitation Data: Data that may imply a disability is not shared with employers, insurers, or government agencies without a valid legal compulsion.
Minors' Health Data: Where health data pertains to a minor, a parent or legal guardian must have authorised data entry. Such data is subject to applicable state laws and, where the child is under 13, to the Children's Online Privacy Protection Act (COPPA). We will not share a minor's health data without guardian authorisation except where required by law.
4. Who Can See Your Sensitive Data
You — Primary Account Holder
Full access to all your health data, entries, and reports at all times.
Recipients You Explicitly Authorise
Healthcare providers, guardians, or next-of-kin you share specific reports with. Their access is limited to the specific reports you share.
Patient X Personnel
Access is limited to technical support staff who require access to resolve specific issues you have reported. Access is logged and audited. Patient X personnel are bound by confidentiality obligations.
Supabase Inc. — Database Provider
Technical access possible. Supabase database administrators have the ability to access raw data stored in our PostgreSQL database. This access exists regardless of Patient X's application-level security measures. Supabase is bound by their Data Processing Agreement and privacy policies, but Patient X cannot prevent Supabase from accessing your data. By using Patient X you acknowledge and accept this limitation.
Law Enforcement & Legal Process
Patient X may be legally required to disclose your sensitive health data in response to a valid court order, subpoena, search warrant, or other binding legal process. We will attempt to notify you of such demands where legally permitted to do so. Supabase may independently receive and comply with legal demands for data without notifying Patient X.
5. Data Breach Notification Procedures
In the event of a confirmed data breach affecting your sensitive health information, Patient X will:
- Contain the breach as promptly as technically feasible
- Assess the scope and nature of data affected
- Notify affected users by email within 72 hours of confirming the breach
- Notify applicable regulatory authorities as required by law
- Provide a description of: the type of data involved; likely consequences; and steps taken or proposed
- Provide guidance on steps you can take to protect yourself
Note: Patient X may not be the first to receive notification of a breach if it occurs within Supabase's or Vercel's infrastructure. Patient X's ability to notify you promptly depends on the cooperation and timely notification by its infrastructure providers.
6. User Responsibilities for Sensitive Data
You are responsible for:
- Maintaining the confidentiality of your account credentials
- Using strong, unique passwords and enabling any available security features
- Not entering sensitive data on shared or public devices without appropriate precautions
- Reviewing and revoking sharing permissions regularly
- Notifying us promptly at security@px.drseanhall.com if you suspect unauthorised access to your account
- Understanding and accepting the limitations of protection described in this Policy before entering sensitive data
7. Hold Harmless — Sensitive Information
To the maximum extent permitted by applicable law, you hereby release, waive, discharge, and hold harmless Patient X Project and its officers, directors, members, employees, contractors, infrastructure providers, agents, successors, and assigns (collectively "Released Parties") from and against any and all claims, actions, losses, liabilities, costs, and expenses arising from:
- Disclosure of your sensitive health data by a third-party infrastructure provider (including but not limited to Supabase Inc. and Vercel Inc.) pursuant to their own legal obligations, internal policies, or security incidents
- Disclosure of your sensitive health data pursuant to valid legal process including court orders, subpoenas, or warrants served on Patient X, Supabase, or Vercel
- Unauthorised access to your data resulting from a breach of Supabase's or Vercel's own security measures
- Your decision to share sensitive health reports with recipients you designate, and any subsequent use or misuse of that data by those recipients
- Loss, corruption, or unavailability of sensitive health data due to technical failures within Patient X's infrastructure
- Harm arising from decisions made by healthcare providers in reliance on sensitive data you have shared through the Service
8. Limitation of Liability — Sensitive Data
WITHOUT LIMITING THE GENERAL LIMITATION OF LIABILITY IN THE TERMS OF SERVICE, PATIENT X'S LIABILITY ARISING FROM A BREACH, LOSS, OR UNAUTHORISED DISCLOSURE OF SENSITIVE HEALTH INFORMATION SHALL IN NO EVENT EXCEED ONE HUNDRED UNITED STATES DOLLARS (USD $100.00) PER INCIDENT, TO THE MAXIMUM EXTENT PERMITTED BY THE LAWS OF THE STATE OF DELAWARE.
PATIENT X IS NOT LIABLE FOR ANY SENSITIVE DATA EVENTS THAT ARISE FROM THE INDEPENDENT ACTIONS, OMISSIONS, OR SECURITY FAILURES OF SUPABASE INC., VERCEL INC., OR ANY OTHER THIRD-PARTY INFRASTRUCTURE PROVIDER.
9. Research and Analytics
Patient X may use aggregated, de-identified data (from which all personally identifiable information has been removed in accordance with applicable law) for research, service improvement, and analytical purposes. Such use will not identify you individually. We will not use individually identifiable sensitive health information for research without your separate, explicit opt-in consent.
10. Governing Law
This Sensitive Information Policy is governed by the laws of the State of Delaware, USA. Disputes arising under this Policy are subject to the arbitration and governing law provisions in the Terms of Service.
11. Changes to This Policy
We may update this Policy as our practices evolve or as required by law. We will notify you of material changes by email and by posting the revised Policy. Your continued use of the Service constitutes acceptance of the revised Policy. We recommend that you review this Policy periodically.
12. Contact
For questions about sensitive information handling:
Patient X Project
Registered in the State of Delaware, USA
Privacy: privacy@px.drseanhall.com
Security: security@px.drseanhall.com
Legal: legal@px.drseanhall.com