Legal

Privacy Policy

How OrganAlert collects, uses, and protects information.

Last updated: June 2026

Draft — pending legal review. This page is a placeholder that reflects our intended practices. It is not yet a binding agreement; final language is subject to counsel review before any production use with protected health information.

1. Who we are

OrganAlert provides software that helps lung transplant programs evaluate organ-donor offers. We act as a Business Associate to the transplant centers (Covered Entities) that use our platform. This policy describes our general privacy practices; our handling of protected health information (PHI) is governed by the Business Associate Agreement with each center.

2. The two kinds of data we handle

  • Protected health information (PHI) — donor and recipient clinical data uploaded or generated in the platform. We process PHI only on documented instructions from the Covered Entity, for the purpose of providing the service.
  • Account & usage data — names and work email addresses of authorized users, organization details, authentication events, and audit metadata used to operate and secure the service.

3. How we use information

We use PHI solely to provide the evaluation service to the Covered Entity. We use account and usage data to authenticate users, enforce access controls, maintain security and audit records, provide support, and improve reliability. We do not sell personal information, and we do not use PHI to train machine-learning models.

4. Sharing & subprocessors

We share information only with infrastructure and AI subprocessors that are bound by appropriate agreements (including BAAs where PHI is involved). See our current subprocessor list.

5. Security

We encrypt PHI at rest and in transit, enforce least-privilege access and tenant isolation, and maintain an append-only audit log. See our security overview for details.

6. Retention

We retain PHI for as long as instructed by the Covered Entity and as required to provide the service, and we return or destroy it on termination per the BAA. Account and audit records are retained for the periods required by our compliance obligations.

7. Your rights

Requests by individuals to access or amend their PHI, or to receive an accounting of disclosures of their PHI, are directed to the Covered Entity (the transplant center), which we support as its Business Associate.

8. Contact

Privacy questions: privacy@organalert.com.