Last updated: March 1, 2026

Privacy Policy

This Privacy Policy describes how ChimeStream B.V. ("LineageAI," "we," "our," or "us") collects, uses, and shares information when you use the LineageAI platform at lineageai.io.

1. Data We Collect

Account information: When you create an account, we collect your name, email address, password (hashed), and optionally your clinic or organization name.

Case data: You may enter patient identifiers (such as an internal patient ID), variant type, clinical notes, and information about family members (names, relationships, contact information). This data is stored in your account and is not accessible to other users.

Usage data: We collect logs of how you use the platform — which pages you visit, what actions you take, and when. This is used to improve the product and diagnose issues.

Payment information: Payment processing is handled by Stripe. We do not store full credit card numbers. We receive a payment token and basic billing information from Stripe.

2. How We Use Your Data

  • To provide, maintain, and improve the LineageAI service.
  • To generate outreach letters based on variant data you provide.
  • To maintain your compliance audit trail.
  • To communicate with you about your account, billing, and product updates.
  • To ensure security and prevent abuse of the platform.
  • We do not use your patient data to train AI models.
  • We do not sell your data to third parties.

3. HIPAA Considerations

LineageAI is designed to support HIPAA-adjacent workflows. We are not currently a covered entity under HIPAA, but we understand our platform may be used in the context of protected health information (PHI).

Enterprise plan subscribers may enter into a Business Associate Agreement (BAA) with ChimeStream B.V. This agreement governs our handling of any PHI that may be present in your case data.

We recommend that users on the Pilot and Pro plans use de-identified patient identifiers (e.g., internal IDs rather than names and dates of birth) when entering case data, unless your institution has assessed the risk and the BAA is in place.

All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption.

4. Data Retention

Your account data is retained for as long as your account is active. If you close your account, your data is retained in a deactivated state for 30 days, then permanently deleted.

You can export all case data at any time from your account settings in CSV or PDF format.

Compliance logs are retained for 7 years by default to support clinical documentation requirements, unless you request earlier deletion.

5. Third-Party Services

We use the following third-party services:

  • Stripe: Payment processing. Subject to Stripe's privacy policy.
  • Vercel / cloud hosting: Infrastructure and deployment. Data is hosted in the EU or US depending on your account region.
  • OpenAI API: For generating outreach letter drafts. Data sent to OpenAI is subject to their API data usage policy. We do not send identifiable patient data to OpenAI.

6. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, delete, or export your personal data. To exercise any of these rights, contact us at hello@lineageai.io.

Residents of the European Union and EEA have additional rights under the GDPR, including the right to data portability and the right to restrict processing.

7. Contact

Questions about this privacy policy? Contact us at hello@lineageai.io. Our data protection officer can be reached at the same address with the subject "DPO Request."

ChimeStream B.V., registered in the Netherlands.