Privacy Policy

Medic Oath is an open-access medical research platform operated by Andre Hoyle (andrew.hoyle@imperium-bi.co.uk). We are registered in the United Kingdom. Our mission is to remove profit as a gatekeeper to medical discovery.

• Account data: Email address, display name, role selection (when you register via Supabase Auth)
• API keys: Your Anthropic API key, encrypted with AES-256-GCM before storage. We never log, return, or transmit your key in plaintext.
• Usage data: Pages visited, features used, hypothesis generation requests. No IP addresses are stored.
• Contributed content: Patient stories, research submissions, bounty claims, community posts — all stored in Supabase.
• Genomic data: If you contribute via the MedisNet citizen science module, see our Genomic Data Privacy Policy.

• To provide platform functionality (authentication, hypothesis generation, research tools)
• To improve the platform (aggregate usage analytics — never individual tracking)
• To send transactional emails (account verification, password resets) — never marketing
• We do NOT sell, rent, or share your personal data with any third party
• We do NOT use your data for advertising
• We do NOT train AI models on your personal data

• Supabase: Database, authentication, and storage. Data stored in Supabase's EU/US regions. Subject to Supabase's Privacy Policy.
• Anthropic: When you use AI features with your own API key, your prompts are sent to Anthropic's API. Subject to Anthropic's Privacy Policy. Medic Oath does not see or store your API call content.
• Vercel: Hosting and CDN. Subject to Vercel's Privacy Policy.
• PubMed/NCBI: Literature search queries are sent to the public PubMed E-utilities API. No personal data is included in these requests.

Medic Oath uses only essential cookies required for authentication (Supabase session tokens). We do not use tracking cookies, analytics cookies, or advertising cookies. No cookie consent banner is required under UK/EU law for essential-only cookies.

• API keys encrypted with AES-256-GCM at rest
• All connections over HTTPS (TLS 1.3)
• Supabase Row Level Security (RLS) for data isolation
• No plaintext passwords stored (Supabase Auth handles hashing)
• ENCRYPTION_KEY stored server-side only, never exposed to client

You have the right to:

• Access: Request a copy of all personal data we hold about you
• Rectification: Correct inaccurate personal data
• Erasure: Request deletion of your account and all associated data
• Portability: Receive your data in a machine-readable format
• Object: Object to processing of your personal data
• Withdraw consent: At any time, without affecting prior lawful processing

To exercise any right, email andrew.hoyle@imperium-bi.co.uk. We respond within 30 days.

• Account data: retained until you delete your account
• API keys: deleted immediately when you remove them, or when your account is deleted
• Research contributions: retained permanently as part of the open research record (this is the purpose of the platform)
• Usage logs: retained for 90 days, then deleted

Medic Oath is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us for immediate deletion.

We will update this policy as the platform evolves. Material changes will be communicated via email to registered users. The "Last updated" date at the top reflects the most recent revision.

For all privacy inquiries and data subject requests: andrew.hoyle@imperium-bi.co.uk

Data controller: Andre Hoyle, United Kingdom

This is the sole contact address for all privacy, data protection, and legal matters related to Medic Oath.