Privacy Policy
Effective: May 17, 2026
This Privacy Policy explains what information AmaraCare collects, how we use it, who we share it with, how we protect it, and the choices you have. It is written to be readable on a phone in the middle of a hard day. If anything here is unclear, email us at privacy@amaracare.ai and we will explain.
A note about where we are. AmaraCare is an early-access product in active development, currently in MVP / closed-beta testing. Full HIPAA compliance is our target at general-availability launch. We are not there yet — the contract work with our service providers (Business Associate Agreements), an independent security audit, formal penetration testing, and counsel review of the policies you are reading are all in progress and must complete before we open the service more broadly. The security and privacy practices listed below are what we have actually built so far. Treat AmaraCare today as a tool to help you think and prepare, not as a clinical system of record. Please do not upload information you would not be comfortable being processed by our AI service providers under their standard commercial terms.
Who we are
AmaraCare is operated by Vestigo Partners. We can be reached at:
- Privacy questions: privacy@amaracare.ai
- Security reports: security@amaracare.ai
- Support: support@amaracare.ai
- Mailing address: available on request
The person currently responsible for privacy at AmaraCare is the founder. As the team grows, we will name a formal privacy contact and update this section.
How AmaraCare works (so you know what you're using)
AmaraCare is built around a few distinct systems. Knowing what they are makes the rest of this policy easier to follow.
- A Patient Knowledge Graph (PKG). When you upload a document or tell Amara something, we extract structured facts (diagnosis, biomarkers, treatments, lab values, symptoms, goals) into a record we keep just for you. Every fact carries its source, so you and we can see which document or conversation it came from.
- A document-reading pipeline. Uploaded PDFs, images, and scans go through a tiered text-extraction process: we try direct PDF text first, fall back to AI-based OCR for scans, and use a vision model as a last resort for tough images. This is how a faxed pathology report becomes searchable text that the rest of the system can use.
- Chat with Amara. Your day-to-day conversations. Amara's answers are grounded in your record and in peer-reviewed evidence.
- A Care Board. When a question is decision-grade, AmaraCare assembles a panel of AI specialists — what we call the Decision Clinic — that works through your case in four phases (open the question, review the evidence, close to a Decision Packet, and narrate the result in plain language for you). The panel always includes four core roles: a Chair who scopes the question and picks the panel, a Disease Specialist for the clinical analysis, a Pharmacist for medication safety, and an Evidence Auditor who independently verifies every cited source. Up to six conditional specialists join when your profile calls for them — a Pulmonologist when there's lung disease in your record, a Cardio-Oncologist when there's cardiac history, a Genetic Counselor when there's hereditary risk, a Geriatric Oncologist for older patients, Palliative Care when symptoms warrant it, and Mental Health when distress signals appear. The panel is deliberately lean: typically six to ten specialists chosen for your specific case, rather than the same large list every time. You watch the panel work in real time — each specialist appears as a chip on screen as they finish their turn. The result is a Decision Packet: when two reasonable paths exist and the choice depends on your values, both paths are surfaced as co-equal options rather than collapsed into a single recommendation. You can read the full panel reasoning in an expandable section, push back on the analysis through your own values (up to three refinements per question), and export the result as a PDF to bring into your next appointment.
- A Living Brief. A short, periodically refreshed narrative summary of your situation, written by an AI writer persona. The Brief is how chat and the Care Board get up-to-speed context quickly without re-reading your entire record from scratch every time.
- Evidence sources. Amara consults peer-reviewed literature (PubMed), the U.S. clinical-trial registry (ClinicalTrials.gov), the FDA's openFDA and DailyMed data, the National Cancer Institute's Physician Data Query (PDQ), and a curated drug-facts registry grounded in FDA-approved labels. These services receive only generic queries (cancer type, biomarker name, drug name), never your individually identifying information.
- Multi-provider AI. We deliberately use AI models from several independent providers — currently Anthropic (Claude), Groq (open-weight models for fast inference, voice transcription, AND the cross-family Evidence Auditor that fact-checks the Care Board's clinical reasoning using Meta's Llama 3.3 70B), OpenAI (used specifically as a cross-family completeness verifier on the document extraction pipeline), and Mistral (OCR for scanned documents). Mixing model families is deliberate: it makes the system less likely to repeat the same mistake twice. We treat each provider as a service provider that processes information on our behalf (see "Service providers we work with").
- Caregiver access. From day one, AmaraCare supports inviting a caregiver (spouse, adult child, friend) to read alongside you. You control who has access and can revoke it at any time.
This section is a plain-language summary. A more technical version lives in our compliance and architecture documentation; we will share the relevant parts on request.
Information we collect
We only collect information that you give us or that the platform generates as you use it. We do not buy data about you from third parties.
Information you give us directly
| What | Examples | When |
|---|---|---|
| Account | Email address, password (if you create one), authentication identifiers | When you sign up or sign in |
| About you | First name, age, sex at birth, zip code, who you are caring for | During onboarding |
| Your health information | Cancer type, diagnosis details, treatment history, biomarkers, symptoms, goals | When you tell us, in the onboarding form or in chat |
| Medical documents | PDFs, photos, and scans of pathology, imaging, lab results, clinical notes, genomic tests | When you upload them |
| Chat content | The questions you ask Amara and the answers we give back | Every conversation |
| Voice (if you use it) | Audio when you use the voice feature | Per session, only when you turn it on |
| Feedback | Thumbs-up / thumbs-down on responses, free-text comments | When you give it |
| Caregiver invitations | The email address you invite, the role you assign | When you invite a caregiver |
Information the platform generates
| What | Source |
|---|---|
| Extracted facts | We read your uploaded documents and extract structured facts (biomarkers, treatments, labs, dates) into your record |
| Care Board deliberations | When you ask for one, our specialist agents debate your case and we save the result |
| Living Brief | A short, periodically refreshed narrative summary of your situation, used to give Amara context |
| Memory profile | Recurring themes, questions, and emotional notes that help Amara remember you across conversations |
| Safety flags | If our safety pipeline detects acute distress in something you write, we record a flag so Amara can respond appropriately and so you can be shown crisis resources |
| Usage telemetry | Latency, model decisions, error rates — used to keep the platform working. No clinical content. |
Information collected automatically
- Device and connection: IP address, browser type, and approximate time of access — collected by our hosting provider in the normal course of serving a website.
- Cookies: A session cookie that keeps you logged in. No advertising cookies. No cross-site trackers.
Information we do not collect
- Social Security numbers
- Payment card numbers (we do not bill you)
- Photos of your face for identification
- Location beyond the zip code you enter
- Contacts from your phone or email
How we use your information
We use your information to help you. Specifically:
- To answer your questions well. Your record, history, and previous messages let Amara give answers that are relevant to your situation, not generic.
- To read and organize your documents. We run uploaded documents through an extraction pipeline so you can talk about them right away.
- To run the Care Board. When you ask for a multi-specialist deliberation, we provide your context to the agents that participate.
- To detect distress and connect you to help. If our safety pipeline detects language suggesting acute distress or risk, Amara responds with care and surfaces resources such as 988 Suicide & Crisis Lifeline and Crisis Text Line.
- To keep the platform working. Logs, telemetry, and metrics help us find bugs, manage load, and improve quality over time.
- To support you. When you email us with a question, we use your contact information to reply.
- To keep your account secure. We log access to your information so we can investigate if anything looks unusual.
We do not:
- Sell your information to anyone.
- Use your information to target advertising.
- Share your information with employers, insurers, or marketers.
- Use your health information to train our own models or third-party foundation models outside of our service providers' standard terms (see below).
Service providers we work with
To operate AmaraCare we rely on a small set of service providers. Each one processes your information only as needed to provide their service, and each one has their own published terms and security practices. We list them here so you can see exactly who is involved.
| Provider | What they do for us | What they receive |
|---|---|---|
| Supabase | Database, authentication, file storage | Your account, your profile, your documents, your chat history, your facts — at rest |
| Vercel | Application hosting and serverless functions | Traffic between you and AmaraCare flows through their infrastructure; functions process your information in memory to serve responses |
| Anthropic (Claude) | The AI model behind chat, document extraction, Living Brief, the Care Board's Disease Specialist, Chair, and Narrator, and several safety checks | Your relevant context for each request |
| OpenAI | Document extraction completeness verifier — checks that the structured extraction from your uploaded records didn't miss anything clinically important. Used only on the document extraction pipeline (cross-family check on Anthropic's extraction), feature-flagged off until BAA is confirmed. NOT used for chat, Care Board, or any other path. | The relevant document slices and the structured extraction to verify |
| Groq | Fast inference for the Pharmacist and conditional specialists in the Care Board, routine chat, and voice transcription | Your relevant context per request; raw audio when you use voice |
| Mistral AI | Reading scanned documents (OCR) | Images and text from documents that need OCR |
| Postmark | Sending you transactional email (sign-in links, security notices) | Your email address and the contents of the message we send |
Each provider operates under their own published terms. Their default data-handling practices vary; for example, the AI providers above typically retain prompts for a limited period (around 30 days for Anthropic's standard API, similar windows for others) for abuse-prevention and operational purposes. We are working to narrow this where each provider supports it.
We also use several reference-only services that never receive your individually identifying information — only generic queries like cancer type, drug name, or gene symbol. These include PubMed, ClinicalTrials.gov, openFDA, RxNorm, the National Cancer Institute's Physician Data Query (PDQ), HGNC, Open Targets, and cBioPortal. They power the evidence side of Amara's answers.
We will update this list when a service provider changes. We do not sell your information to any of them or to anyone else.
How AI processes your information
This section deserves to be plain.
When you chat, upload a document, or run a Care Board, parts of your information are sent to AI service providers to produce the response. We send only the context needed to answer the question well — but in most cases that includes substantial detail: your record, your recent conversation, and the documents that are relevant.
Which AI providers see what:
- Anthropic (Claude models) — chat answers, document extraction, the Living Brief writer, and the Care Board's Chair (panel scoping), Disease Specialist (clinical analysis), and Narrator (patient prose), plus several safety checks.
- OpenAI (gpt-5-mini) — used specifically as the document extraction completeness verifier, which independently checks Anthropic's structured extraction for clinically important items it may have skipped. We deliberately route this verifier to a different AI company than the model that produced the extraction — cross-family verification — so the role that fact-checks doesn't share the same training and the same blind spots as the role that did the work. OpenAI is not used for general chat, the Care Board's audit step (which moved to Meta Llama 3.3 70B on Groq on 2026-05-22), or any other path.
- Groq (open-weight models, including OpenAI GPT-OSS and Llama, plus OpenAI Whisper for voice) — fast chat answers, the Care Board's Pharmacist and conditional specialists (Pulmonologist, Cardio-Oncologist, Genetic Counselor, Geriatric Oncologist, Palliative Care, Mental Health), formatted UI text (biomarker pills, trial cards), and audio transcription when you use the voice feature.
- Mistral — OCR for scanned documents and low-quality PDFs (when our first-pass text extraction can't read the file).
Each provider operates under its own published terms. The standard commercial AI APIs we use typically retain prompt and response traffic for a short operational window (around 30 days for Anthropic's default API, similar windows for others) for abuse-prevention and operational purposes. None of these providers train their public models on the traffic we send.
We are actively building a redaction layer that strips obvious identifying details (names, dates, contact info, institution names) before traffic leaves AmaraCare for an AI provider, and restores them on the way back. That work is not yet in production. Today, your information is sent to AI providers under each provider's commercial terms. We will update this section the day the redaction layer ships, and again when each provider's contractual commitments (Business Associate Agreements) are signed.
We use multiple independent AI providers deliberately. Mixing model families and companies makes the system less likely to repeat the same mistake — for example, a citation that one model would fabricate, another model is more likely to catch. We do not use your health information to train our own models, and we do not opt in to any "use my data for training" feature with our AI providers.
How we protect your information
We follow industry-standard security practices and we are building toward full HIPAA compliance as a condition of general-availability launch. The list below describes what is in place today (the "✓" items) and what is on the roadmap (the "→" items). We do not list anything as in-place that isn't actually shipping.
Encryption
- ✓ Encryption in transit. All traffic between you and AmaraCare uses modern TLS (version 1.2 or higher). We use HSTS preloading so your browser will refuse to connect over plain HTTP.
- ✓ Encryption at rest — disk level. Our database and file storage are encrypted at the disk level with AES-256. This is the default for our hosting provider and protects against physical disk theft and backup-file leakage.
- ✓ Encryption at rest — field level for documents. On top of disk encryption, the contents of uploaded medical documents (extracted text, AI-generated titles, AI-generated summaries) are individually encrypted with AES-256-GCM. Even a database credential compromise would not expose document contents in readable form. Encryption keys live outside the database.
- → Extending field-level encryption to additional record types. A planned follow-up will extend field-level encryption to other sensitive columns (patient profile, chat messages, AI-extracted facts, the Living Brief). Today these are protected by disk-level encryption only.
Access control
- ✓ Row-level security on every database table. Every table that holds your information enforces, at the database, that only you and people you have invited can read or change it.
- ✓ Caregiver access is explicit and revocable. Sharing access is a deliberate action by the patient. Removing access takes effect immediately.
- ✓ Administrative access is gated by a database flag, not an email list. The platform does not hardcode "admins by email." Admin status is set by a database column, with a deliberately manual grant procedure. There is no developer-mode bypass in production.
- → Multi-factor authentication for patients. Currently we support email + password, magic-link sign-in, and Google sign-in. MFA for patient accounts is on the roadmap; a leaked-password check (against the HaveIBeenPwned database) will be enabled before general availability.
AI processing and PHI minimization
- ✓ We send only what is needed. Each AI request includes the parts of your record that are relevant to the question, not your entire history every time.
- ✓ No model training on your data. We do not use your health information to train our own models. We do not opt in to any "use my data for training" feature with our AI providers.
- → Local redaction before AI calls. We are building a redaction layer that strips obvious identifying details (names, dates, contact info, institution names) before traffic leaves AmaraCare for an AI provider, and restores them to the response afterward. This is not yet in production. Today, AI traffic is sent under each provider's commercial terms.
- ✓ Caregiver flow uses the same access model. Caregivers see what you have granted them; nothing more.
Audit and monitoring
- ✓ Access logging. Reads and writes to your information are recorded with the actor, the action, and the timestamp, so that if a security event occurs we can reconstruct what was touched.
- ✓ Crisis-language detection. A safety pipeline scans for signals of acute distress or risk and surfaces resources (988 Suicide and Crisis Lifeline, Crisis Text Line) when appropriate.
- ✓ Drug-fact verification. Every drug claim Amara shows you is grounded in our internal Drug-Facts Authority — a curated registry whose entries are traceable to an FDA drug label or a named clinical reviewer. We re-verify against the FDA on a regular cadence.
- ✓ Post-generation checks. AI responses are scanned automatically for hallucinated drug names, fabricated citations, and known-wrong patterns before you see them.
Browser and network hardening
- ✓ Security response headers. We set Strict-Transport-Security (with preload), X-Content-Type-Options nosniff, X-Frame-Options DENY (to block clickjacking), a strict Referrer-Policy, a restrictive Permissions-Policy (camera, geolocation, and other capabilities disabled by default; microphone allowed only on our own origin when you use voice), and a baseline Content Security Policy.
- ✓ Strict build settings. TypeScript and lint checks are required to pass before deployment. We do not ship code that bypasses these checks.
Vendor management
- ✓ Vendor selection includes security posture. We choose service providers partly on the basis of their published security practices, their geographic data-handling, and their healthcare track record.
- ✓ Minimal vendor footprint. As of this writing we use seven service providers that can see your information (Supabase for database/storage/auth; Vercel for hosting; Anthropic, OpenAI, Groq, and Mistral for AI; Postmark for transactional email). Reference-only data sources (PubMed, ClinicalTrials.gov, FDA openFDA/DailyMed, RxNorm, HGNC, Open Targets, cBioPortal) never see your individually identifying information.
- → Business Associate Agreements with all PHI-touching providers. Required for general-availability launch. Negotiations are in progress.
PII and privacy hygiene
- ✓ We do not sell your information. Not to data brokers, not to advertisers, not to anyone.
- ✓ No advertising cookies, no tracking pixels. We do not use third-party analytics that see your health information.
- ✓ Minimal data collection. We do not collect Social Security numbers, payment-card numbers, biometrics, or contacts from your phone or email.
- ✓ Soft-delete window. When you delete content or close your account, we remove it from active systems within 30 days; database backups age out over the provider's retention window.
- ✓ 18-and-older only. We do not knowingly collect information from anyone under 18.
- → Formal penetration test. Required before general availability.
- → Independent compliance audit. Targeted at general availability; the framework (HIPAA + SOC 2 readiness) is documented internally and being executed.
How to reach our security team
If you discover a potential vulnerability, please email security@amaracare.ai. We ask that you do not exploit the issue beyond what is needed to demonstrate it and that you give us a reasonable window before public disclosure. We will respond promptly, work in good faith to fix the issue, and credit you in release notes if you would like.
We continue to invest in security as the product grows.
How long we keep your information
We keep your information for as long as your account is active, or for as long as needed to provide the service to you. Specifically:
- Account and profile: kept while your account is active. Deleted on your request.
- Documents and chat content: kept while your account is active. Removed from active systems within 30 days of your deletion request.
- Backups: our database provider retains backups according to their service tier (a rolling window of a few days to a few weeks). Information removed from active systems will age out of backups over that window.
- Service-provider retention: each AI provider retains traffic for their own operational window (typically up to 30 days). We do not control this directly.
- Telemetry and logs: retained on a rolling basis to keep the platform running; not used for any other purpose.
If you want everything we hold about you removed, email privacy@amaracare.ai and we will help.
Your choices and rights
You have meaningful rights over the information we hold about you. You can:
- Get a copy. Ask for an export of your information in a readable format. We will provide it within a reasonable time (target: 30 days).
- Correct it. Tell us something is wrong, and we will fix it or, where applicable, give you the tools to fix it yourself in the platform.
- Delete it. Ask us to delete your account and information. We will soft-delete immediately and remove from active systems within 30 days.
- Export your documents and chat. Take your information with you.
- Ask who we shared it with. We will tell you, based on the service-provider list above and any other recipients.
- Close your account at any time. No questions asked.
To exercise any of these, email privacy@amaracare.ai. We do not require a particular form or magic words — just describe what you want.
We will respond as quickly as we reasonably can. If we ever need more time, we will tell you and explain why.
Caregiver and family access
Many cancer patients want a spouse, adult child, or close friend to read alongside them. AmaraCare supports this from day one.
- You control access. You decide who has access to your record and what role they have.
- You can revoke at any time. Removing access takes effect immediately.
- We treat caregiver activity the same as your own. Caregivers see what you have granted them; nothing more.
If you signed up as a caregiver for someone else, you have access only to the patient or patients who have granted it to you.
Cookies and local storage
We use a session cookie to keep you logged in. We use minimal local storage for app preferences (for example, your prognosis disclosure preference and your dark-mode setting if you use it).
We do not use third-party analytics that receive your health information. We do not use advertising cookies or tracking pixels. We do not place cookies for any purpose unrelated to making the application work for you.
Use by people under 18
AmaraCare is intended for adults — people 18 or older. We do not knowingly collect information from anyone under 18. If you believe we have inadvertently collected such information, email privacy@amaracare.ai and we will delete it.
Where we operate
AmaraCare is currently offered to people in the United States and is hosted on infrastructure based in the United States. We are not making representations about non-US privacy frameworks (such as the EU GDPR or the UK GDPR) at this time. If we expand internationally, we will update this section before doing so.
Security incident notification
If we discover a security incident that affects your information, we will notify you without unreasonable delay. We will tell you what happened, what information was involved, what we are doing about it, what you can do, and how to reach us. We do not commit to a specific number of days because we would rather move fast than wait for a calendar to expire — but we will not delay notification once we understand the scope.
We also keep an internal incident response procedure that we exercise and improve over time.
Changes to this policy
When we make a material change to this policy, we will update the "Effective" date at the top, change the version number, and notify active users — typically by an in-app banner and an email to the address on file. Prior versions are available in our compliance documentation history.
Minor wording fixes or formatting changes will not trigger a notification.
How to reach us
For any privacy question, request, or concern:
- Email: privacy@amaracare.ai
- Security reports: security@amaracare.ai
- Support: support@amaracare.ai
- Mailing address: available on request — email privacy@amaracare.ai and we will provide it
Change log
| Date | Version | What changed |
|---|---|---|
| 2026-04-09 | 1 | Initial internal draft. Not published. Contained HIPAA framing and an internal-only ATTORNEY REVIEW banner. |
| 2026-05-17 | 2 | Early-access rewrite for publication. Removed HIPAA-framed citations and "BAA pending" language while keeping the substance of user rights. Reframed security controls as industry-standard practices and updated to reflect that field-level encryption is active on document contents. Added explicit AI-processing disclosure section. Replaced "60-day breach clock" language with a plain-language "without unreasonable delay" commitment. Added caregiver access section. First version reachable from the live application. Counsel review still pending before general availability. |
| 2026-05-17 | 3 | Reframed the early-access notice to be explicit that full HIPAA compliance is the target at general-availability launch — not a position we are abandoning, a milestone we have not yet reached. Added a "How AmaraCare works" architecture overview so users understand what they are interacting with (Patient Knowledge Graph, document OCR pipeline, Care Board specialists, Living Brief, evidence sources, multi-model AI, caregiver access). Expanded the AI-processing section to name which provider handles which workload and to be precise about retention. Rewrote "How we protect your information" as a comprehensive list of security and PII practices, grouped by encryption, access control, AI processing and PHI minimization, audit and monitoring, browser/network hardening, vendor management, and PII hygiene. Each item flagged as in-place ("✓") or on the roadmap to general availability ("→"). |
| 2026-05-17 | 4 | Updated the Care Board description to match the V4 Decision Clinic architecture that ships in this release: four always-on roles (Chair, Disease Specialist, Pharmacist, Evidence Auditor) plus up to six profile-aware conditional specialists (Pulmonologist, Cardio-Oncologist, Genetic Counselor, Geriatric Oncologist, Palliative Care, Mental Health); typically six-to-ten specialists per panel instead of twenty-something; real-time panel view; parallel-paths Decision Packet with values-pushback (up to three refinements per question) and PDF export. Added OpenAI as a fourth AI service provider, used specifically as the cross-family Evidence Auditor so the role that fact-checks claims comes from a different model family than the role that makes them. Vendor count updated from six to seven. AI Model Disclosures section now names which provider handles which Care Board role. |