Privacy Policy

Last updated: January 1, 2026

The short version

We collect the minimum personal data needed to run your account (email, name, hashed password, subscription state) and the cases you save (which contain de-identified clinical signals only — never patient PHI). Payments are processed by Lemon Squeezy, who handles your card details directly — we never see or store them. You can request export or deletion at any time.

1. Who we are

This Privacy Policy describes how Pathology Pilot ("we," "us") collects, uses, and protects information in connection with our educational pathology decision-support service (the "Service"). For privacy questions or to exercise your rights, contact us at privacy@pathologypilot.app.

2. Data we collect

We collect only what we need to operate the Service.

a) Account data (you provide)

  • Email address (used as your login identifier and for transactional emails).
  • Display name (optional).
  • Password — stored only as a bcrypt hash; we never see or store your plaintext password.
  • Account timestamps (created, last login).

b) Subscription & billing data

  • Subscription status, plan, and renewal date.
  • Lemon Squeezy customer ID and subscription ID (returned by Lemon Squeezy webhooks).
  • Signed customer-portal URLs that let you manage your subscription.
  • We do not see, store, or process your card number, CVC, expiry, or bank details. These are handled exclusively by Lemon Squeezy and their PCI-DSS compliant payment processors.

c) Case data (you create)

  • The organ you selected.
  • The clinical, morphology, IHC, and molecular signals you ticked.
  • The ranked differential the Service returned.
  • Any free-text note you added.

No PHI, ever

The Service is structured to accept only de-identified clinical signals. We expect — and our Terms require — that you do not enter names, MRNs, accession numbers, dates of birth, addresses, or any other patient identifiers. If we discover apparent PHI in your data we will redact or delete it and may suspend the account.

d) Feedback you submit

  • Usefulness and clarity ratings.
  • Free-text comments and bug reports.
  • The organ and top diagnoses that the feedback refers to.

e) Technical / log data (collected automatically)

  • IP address (for security and rate-limiting; retained briefly).
  • Browser user-agent and language.
  • Pages visited, API endpoints called, response timing, error logs.
  • Authentication tokens (httpOnly cookies and a localStorage Bearer fallback) — used only to keep you signed in.

3. How we use your data

We process your data only for the following purposes:

  • Operating your account — authentication, session management, saving your cases, and powering the differential engine.
  • Billing — recording subscription status changes pushed to us by Lemon Squeezy via signed webhooks; gating Pro content accordingly.
  • Service improvement — analysing aggregated, de-identified usage patterns and reading your feedback to improve content and UX.
  • Communications — transactional emails (e.g., password reset, billing receipts, important service notices). We do not send marketing email without your explicit opt-in.
  • Security & abuse prevention — detecting and stopping fraud, brute-force attempts, and policy violations.
  • Legal compliance — complying with applicable laws, court orders, or other legal processes.

We do not sell your personal data. We do not use your personal data to train external machine-learning models. We do not share your saved cases or feedback publicly without your consent.

5. Sub-processors we share data with

We use a small number of carefully selected service providers ("sub-processors") to operate the Service. We share only the data each one needs to perform its function.

Sub-processor | Purpose | Data shared
Lemon Squeezy LLC | Merchant of record; payment processing, taxes, invoicing. | Email, name, card details (collected directly by them, never by us), purchase records.
Cloud hosting provider | Compute, database hosting, and CDN. | All Service data, encrypted in transit and at rest.
Transactional email provider | Sending password resets and billing receipts (when enabled). | Email address and message content only.

We may add or change sub-processors. Material changes will be posted here and, for significant updates, communicated by email.

6. How long we keep your data

  • Account data — for as long as your account exists. After deletion, residual backups are purged within 30 days.
  • Saved cases & feedback — until you delete them or your account.
  • Billing records — kept for at least the period required by applicable tax/accounting law (typically 6–10 years), even after account deletion.
  • Webhook event logs — retained for fraud detection and dispute resolution, typically up to 24 months.
  • Server logs — short-term (typically ≤ 30 days for application logs, ≤ 90 days for security logs).

7. Security

We take reasonable technical and organizational measures to protect your data, including:

  • HTTPS / TLS for all traffic.
  • Passwords stored as bcrypt hashes (work factor ≥ 12).
  • JWT session tokens served via httpOnly + Secure + SameSite cookies, with a short access-token lifetime and refresh-token rotation.
  • Server-side authorization on every API endpoint — Pro content is gated by signed subscription state, never by client-side checks alone.
  • HMAC-SHA256 signature verification on every billing webhook before any state change.
  • Idempotent webhook handling via a unique index on event IDs, to prevent replay attacks.
  • Least-privilege access controls for our team.
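The two webhook measures above (signature verification before any state change, and one-time processing per event ID) as an added Python illustration; this is not Pathology Pilot's own code, and the signing secret, event JSON shape and `sign` helper are assumed for the demo, with an in-memory set standing in for the database unique index:

```python
import hashlib
import hmac
import json

# Hypothetical signing secret; a real one comes from the billing provider's dashboard.
WEBHOOK_SECRET = b"example-signing-secret"


def verify_signature(raw_body: bytes, header_signature: str, secret: bytes = WEBHOOK_SECRET) -> bool:
    """True only if the hex HMAC-SHA256 of the raw body matches the header value.

    compare_digest is constant-time, so a forged signature cannot be
    refined byte by byte from response timing.
    """
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header_signature.strip().lower())


class WebhookProcessor:
    """Applies a subscription status change at most once per event ID."""

    def __init__(self) -> None:
        # Stand-in for the unique index on event IDs; in production the
        # INSERT into the event table is the duplicate check.
        self.seen_event_ids: set[str] = set()
        self.subscription_state: dict[str, str] = {}

    def handle(self, raw_body: bytes, header_signature: str) -> str:
        # 1. Reject anything not signed by the billing provider, before parsing.
        if not verify_signature(raw_body, header_signature):
            return "rejected: bad signature"
        event = json.loads(raw_body)  # assumed shape: event_id, customer_id, status
        event_id = event["event_id"]
        # 2. Drop replays: a previously seen event ID is never applied again.
        if event_id in self.seen_event_ids:
            return "ignored: duplicate event"
        self.seen_event_ids.add(event_id)
        # 3. Only now mutate subscription state.
        self.subscription_state[event["customer_id"]] = event["status"]
        return "applied"


def sign(raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Build the signature the provider would attach (used to construct demo input)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
```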

No system is perfectly secure. If you suspect unauthorized access to your account, contact security@pathologypilot.app immediately.

8. Your rights

Depending on where you live, you may have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of your account and associated data ("right to be forgotten"), subject to legal retention requirements.
  • Portability — receive your data in a machine-readable format.
  • Restriction / objection — limit or object to certain processing.
  • Withdraw consent — where processing is based on consent.
  • Lodge a complaint with your local data-protection authority.

To exercise any of these rights, email privacy@pathologypilot.app from the address on file. We will respond within 30 days.

9. Cookies & similar technologies

We use only the cookies and storage we need to make the Service work:

  • pp_access — httpOnly session cookie (12 hours).
  • pp_refresh — httpOnly refresh cookie (30 days).
  • pp_token — Bearer-token fallback stored in your browser's localStorage so authenticated requests succeed even if third-party cookies are blocked.

We do not use third-party advertising or cross-site tracking cookies. We may add a privacy-respecting, self-hosted analytics tool in the future; if we do, we will update this Policy.

10. Children's privacy

The Service is intended for medical professionals and trainees aged 18 or older. We do not knowingly collect data from anyone under 18. If you believe a minor has registered, contact us at privacy@pathologypilot.app and we will delete the account.

11. International data transfers

Our infrastructure and sub-processors may process data outside your country of residence, including in the United States and the European Union. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent transfer mechanisms.

12. Changes to this Policy

We may update this Policy from time to time. The "Last updated" date at the top reflects the current version. Material changes will be communicated by email or in-app notice at least 14 days before they take effect.

13. Contact us

Privacy inquiries: privacy@pathologypilot.app
Security inquiries: security@pathologypilot.app
General support: support@pathologypilot.app