Privacy Policy

Doctoremia is a coordination platform for in-person physician shadowing. To make that coordination work, we collect basic account information, profile information you choose to provide, and records of activity on the platform — applications, scheduling, document hand-off, and clinic verification. We use that information to operate the platform, to keep it secure, and to communicate with you about your account. We do not sell your personal information and we do not share it with advertisers.

The Service is intended for users who are 18 years of age or older. We do not knowingly collect information from individuals under 18. If you believe a minor has created an account, please contact us via our contact pageso we can remove it. Because the Service is not directed at minors, we do not maintain a children's privacy program under U.S. children's privacy law.

The information we collect falls into the categories below.

Account information

When you create an account, we collect the email address and password you provide, a record of which account type you selected (student, clinic staff, or volunteer), and a record confirming you agreed to our Terms of Service and Privacy Policy at signup (including the version accepted and the timestamp). We rely on a third-party authentication provider to handle authentication, password storage, and session tokens (see Section 7).

Student profile information

Information you choose to add to your student profile — for example, your name, school, year of study, location, areas of interest, and any free-form description you write about yourself.

Clinic profile information

Information clinic staff choose to add to a clinic profile — name, location, specialty notes, requirements, working hours, listed physicians, and any free-form description.

Application and scheduling records

When a student applies to a clinic, we record the application, any decision the clinic makes on it, and the date and metadata of those events. When a clinic publishes availability and a student requests a session, we record the request, the clinic's decision, and related scheduling metadata. These records exist to make the platform's coordination role work.

Documents

Students upload documents that clinics they apply to may require — for example, a signed form, a photo ID, or an immunization or vaccination record. These documents are stored in private storage and are accessible only to the student who uploaded them, the clinic they were shared with as part of an application, and platform administrators. We treat them with the same access controls described in Section 9.

Some documents you upload may contain sensitive information about you, including government-issued identification or health records. Upload only what a clinic actually requires for a specific application. Background-check reports should not be uploaded to the platform; see Section 11.

Messages

Where in-product messaging is offered, we store the messages users send through the platform, along with metadata needed to show the correct thread, sender, timestamps, and unread state.

Administrator decision metadata

When a Doctoremia administrator reviews a clinic and changes its verification status, we record the time of the change, the administrator who made it, and any reason the administrator entered. This audit information is stored on the clinic record so that future review decisions have context.

Authentication and session information

Our authentication provider records information about sign-in events — for example, sign-in time and IP address — for security and abuse-prevention purposes. We use HTTP-only session cookies provided by that provider; we do not separately collect or extend this information.

Application logs

Our hosting infrastructure records standard server-side logs (requests, errors, and related metadata) to diagnose problems and maintain platform availability. We do not use these logs for advertising and we do not share them with advertisers.

Email delivery information

When we send a transactional email — for example, a password reset — our email-delivery vendor records the send and basic delivery metadata. We do not duplicate this log in our own systems.

Cookies and similar technologies

We use first-party HTTP-only cookies for authenticated sessions. We do not place advertising or cross-site tracking cookies on the Service. You can generally control cookies through your browser settings, although disabling session cookies will prevent you from staying logged in.

The launch-list signup form

Our public pages display a signup form for launch updates. At this time, the form does not transmit submitted email addresses to any Doctoremia system. We will update this section before that changes; if and when we begin collecting submitted emails, we will store them only to send launch and product updates, and we will offer an unsubscribe option in every message.

We use the information described above to:

• operate, maintain, and improve the Service;
• authenticate users, prevent abuse, and enforce our Terms of Service and Acceptable Use Policy;
• run the platform's coordination workflow — applications, scheduling, document hand-off, clinic verification, and related in-product activity;
• communicate with you about your account, including transactional messages such as account confirmation and password reset;
• diagnose problems, monitor errors, and understand usage; and
• comply with legal obligations and respond to valid legal process.

We do not use your personal information for advertising, profiling for marketing, or sale. We do not train external machine-learning models on your private content.

The retention windows below describe how we currently intend to handle each category of information. Some windows describe future features (document exchange, messaging) and will become operative when those features ship; others describe vendor behavior we rely on rather than configure ourselves.

Account and profile information

We keep your account record and the information you add to your profile for as long as your account is active. If you ask us to delete your account, we delete the underlying account record from our authentication provider; that deletion cascades to your profile, to clinic records you own (if you are a clinic-staff user), and to application and scheduling records that depend on your account. We do not currently operate a separate grace-period or self-restoration window for account deletion; we may add one in the future and will update this section if we do.

Clinic records

A clinic record is kept while the clinic exists on the platform. Removing a clinic from public visibility is normally done by changing its verification status (see Section 6); fully deleting a clinic record cascades to associated specialties, requirements, working hours, listed physicians, availability, and applications tied to that clinic.

Application and scheduling records

We keep application and scheduling records for as long as both the student account and the clinic record involved still exist. If either side is deleted, the related application and scheduling records are removed as a consequence. As we add complaint, dispute, and moderation features, we may retain certain records past account deletion in a de-identified form so that platform-level review is still possible; we will update this section if we do.

Administrator decision metadata

Verification and rejection metadata on a clinic record is kept for as long as the clinic record itself is kept. If the administrator who made a decision later deletes their own account, the audit metadata for the decision is preserved with that administrator reference cleared.

Documents

Uploaded documents are retained until you delete them, the related application is deleted, or your account is deleted — at which point the underlying file is removed from storage along with the associated metadata. You can delete documents you own at any time from the document library in your dashboard. We intend to add automatic post-decision cleanup and will update this section when we do.

Messages

Messages are retained while both participants' accounts exist; they are removed when either account is deleted, except where preservation is required for ongoing complaint, dispute, or moderation review under rules we disclose at the time those features are offered.

Vendor-managed retention

Some categories of data are stored and aged by the vendors we use:

• Authentication audit logs and IP recordsare retained per our authentication provider's defaults;
• Email-delivery logsfollow our email-delivery vendor's plan defaults.

These windows reflect the vendor's own retention practices and may change over time. Where we change a vendor or change a plan configuration that affects retention, we will update this section.

A Doctoremia administrator reviews each clinic profile before it appears in public discovery. Verification is a manual review for basic profile completeness and apparent legitimacy. Verification is not certification. It is not a license confirmation, malpractice-history check, board-status check, accreditation, endorsement, or assessment of clinical quality. The information used during review is the information visible on the clinic profile itself plus a small amount of administrator metadata described in Section 3.

We rely on a small number of service providers to operate the platform. Each acts only on our instructions for the purposes described above, and each has its own published privacy practices.

• Supabase — authentication, database, and file storage.
• Vercel — application hosting and content delivery.
• Resend — transactional email delivery.

We may add or change service providers over time; we will update this section when we do.

We do not sell your personal information, and we do not share it with advertisers. We share information only in the following situations:

• With other users, as required by the platform's workflow. When you apply to a clinic, the clinic sees the application and the parts of your student profile that are visible to clinics. When a clinic publishes its profile and is verified, the public-facing portions of that profile are visible to anyone using the platform.
• With our service providers listed in Section 7, who handle data on our behalf to run the platform.
• To comply with the law — for example, in response to valid legal process — or to protect the rights, property, or safety of Doctoremia, our users, or the public.
• In a business transition such as a merger, acquisition, or asset sale, in which case we will require the recipient to honor commitments made in this Privacy Policy or give affected users a chance to object.

We use reasonable technical and organizational measures to protect information on the platform. Connections are encrypted in transit. Database access is gated by row-level security so that, for example, a student cannot read another student's application and a clinic cannot read another clinic's record. Sessions rely on HTTP-only cookies that are not exposed to client-side scripts. No method of online transmission or storage is fully secure; we cannot guarantee that information will never be accessed in unauthorized ways, but we work to prevent it.

You can:

• review and update most of your profile information from inside the platform;
• change your password from the account-settings surface;
• request deletion of your account by contacting us via our contact page;
• ask us a question about the information we hold about you, also via the contact page.

We will respond to reasonable requests within a reasonable time. We may ask you to demonstrate control of the email address on file before we act on a request, and we may decline requests that are unreasonable, repetitive, or would require us to disclose information about other users.

Doctoremia does not conduct, verify, adjudicate, or store background checks. Some clinics may require a background check; that requirement is handled by the clinic. Please do not upload background-check reports, fingerprint records, or related materials to the Service.

Students may upload documents — including government-issued photo identification and health records such as immunization certificates — where a specific clinic requires them as part of an application. These uploads go through the document library feature described in Section 3. Storing a copy that a clinic requested is not the same as identity verification: Doctoremia does not adjudicate, validate, or authenticate identity documents. The clinic that requested the document uses it to evaluate the application and decides whether to accept the student.

Doctoremia does not collect biometric data and does not run any platform-side credentialing process.

Doctoremia is a coordination platform; it is not a healthcare provider, a covered entity, or a business associate under the Health Insurance Portability and Accountability Act. Please do not upload, paste, or message protected health information (PHI) to the Service. If a clinic or student needs to share clinical information, that exchange should happen outside the Service.

The Service is for users 18 and older. We do not knowingly collect information from children. If you believe a minor has used the Service, please contact us via our contact page and we will remove the information.

The Service is offered from and intended for use within the United States, with an initial focus on Georgia. If you access the Service from outside the United States, you understand that the information you provide will be processed in the United States, which may have different data-protection rules than your location. You access the Service at your own initiative and are responsible for compliance with local law.

We may update this Privacy Policy from time to time. The current version is the version posted on this page. We will update the “Last updated” date above when we make changes and, for material changes, take reasonable steps to bring the change to your attention.

Questions, requests, and concerns about privacy can be sent through our contact page.