Privacy notice
Placeholder — to be replaced with the clinic's legal-reviewed text before launch.
What we collect
Upstream collects the information you provide on the metabolic-health intake form (goal, lifestyle responses, sleep patterns, medications) along with measurements captured during your appointment (RMR, VO₂max, body composition, blood pressure, lab markers). Your specialist may also record clinical notes and the actions included in your Metabolic Health Plan.
Why we collect it
Your information is used solely to build, deliver, and adapt your personal Metabolic Health Plan, and to schedule retests and follow-up communications. We do not sell or share your data with third parties for marketing.
Who can see it
- Your specialist and authorised clinic staff with admin access to Upstream.
- Software providers that process data on our behalf under signed Business Associate Agreements: Cloudflare (network), Anthropic (clinical-result extraction), Resend (email delivery).
How long we keep it
Active patient records are retained for the duration of the clinical relationship and seven years thereafter, in accordance with applicable medical-records regulations. Off-site encrypted backups are retained on a 90-day rolling window.
Your rights
You can request a copy of your data at any time, or ask to have your record redacted (your name, date of birth, email, and free-text answers will be removed; the audit trail is preserved for compliance reasons). Contact your specialist or the clinic's privacy officer.
Security
All data is transmitted over TLS, stored on a single-tenant server in Australia, and accessed only after authentication via the central auth service. Audit logs record every clinical change and are retained for at least six years per HIPAA.
Last reviewed: not yet (placeholder). Replace this notice with clinic-counsel-approved text before any real patient data is entered.