Privacy Policy

Last updated: January 26, 2026

At AtPost Portal by Amsler Labs LLC ("AtPost", "we", "us", or "our"), we are committed to protecting your privacy and maintaining the security of your personal and health information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our healthcare training platform and associated applications.

Healthcare Compliance: Our platform is designed to comply with the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) where applicable.

1. Information We Collect

Account Information

When you create an account, we collect:

  • Personal Identifiers: Full name, email address, job title, professional role
  • Authentication Data: Password (encrypted), authentication tokens, multi-factor authentication settings
  • Profile Information: Avatar/photo (optional), professional certifications, organization affiliation

Usage Information

As you use our platform, we automatically collect:

  • Training Activity: Applications accessed, training sessions completed, progress data, achievement unlocks, XP earned, skill assessments
  • Technical Data: IP address, browser type, device information, operating system, timestamps, session duration
  • Performance Data: Response times, error logs, feature usage analytics
  • Interaction Data: Clicks, navigation patterns, favorited applications, preferences

Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

  • Essential Cookies: Maintain your session, remember your login, persist preferences
  • Functional Cookies: Remember language settings, theme preferences, dashboard layouts
  • Analytics Cookies: Understand usage patterns, improve platform performance

See our Cookie Policy for more details.

Educational Content Interactions

Within training applications, we may collect:

  • Quiz responses and assessment scores
  • Simulation performance metrics
  • Study session duration and frequency
  • Reference material bookmarks

Important: We do not collect actual patient data or Protected Health Information (PHI). All training scenarios use de-identified, simulated, or educational case studies only.

2. How We Use Your Information

We use your information for the following purposes:

Platform Operations

  • Create and manage your account
  • Authenticate your identity and maintain session security
  • Provide access to training applications
  • Track your learning progress and achievements
  • Personalize your training experience
  • Process subscription payments (if applicable)

Communication

  • Send account verification and security notifications
  • Provide customer support and respond to inquiries
  • Send product updates and new feature announcements
  • Deliver training completion certificates (if applicable)
  • Send marketing communications (with your consent, opt-out available)

Platform Improvement

  • Analyze usage patterns to improve application performance
  • Conduct research to enhance educational content
  • Identify and fix technical issues
  • Develop new features and applications
  • Generate aggregated, de-identified statistics

Compliance and Legal

  • Comply with legal obligations and regulatory requirements
  • Enforce our Terms of Service and Acceptable Use Policy
  • Protect against fraud, abuse, and security threats
  • Maintain audit logs for HIPAA compliance (retained 6+ years)
  • Respond to lawful requests from authorities

3. How We Share Your Information

We do not sell your personal information. We may share your information in the following limited circumstances:

Service Providers (Business Associates)

We work with trusted third-party service providers who assist us in operating our platform:

  • Supabase: Database hosting, authentication, and backend infrastructure (HIPAA-compliant with BAA)
  • Cloud Infrastructure: Secure hosting and content delivery
  • Email Services: Transactional and notification emails
  • Payment Processors: Subscription billing (if applicable)
  • Analytics Providers: Usage analytics and performance monitoring

All service providers are contractually obligated to protect your information and use it only for authorized purposes.

Within Your Organization

If you are part of an organization account:

  • Organization administrators may view training progress and completion data
  • Aggregated performance reports may be shared with training officers
  • Your profile information may be visible to other organization members

Legal Requirements

We may disclose your information if required to:

  • Comply with applicable laws, regulations, or legal processes
  • Respond to lawful requests from public authorities
  • Protect our rights, property, or safety, or that of our users
  • Investigate potential violations of our Terms of Service
  • Report security breaches as required by HIPAA

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change in ownership or control.

No Data Sales: We do not and will never sell, rent, or trade your personal information to third parties for marketing purposes.

4. Data Security

We implement industry-standard security measures to protect your information:

Technical Safeguards

  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Authentication: Secure password hashing (bcrypt), multi-factor authentication (MFA) available
  • Access Controls: Role-based access control (RBAC), principle of least privilege
  • Network Security: Firewall protection, DDoS mitigation, intrusion detection
  • Monitoring: 24/7 security monitoring, automated threat detection

Administrative Safeguards

  • Regular security audits and vulnerability assessments
  • Employee training on data privacy and security
  • Incident response and breach notification procedures
  • Business Associate Agreements (BAAs) with all service providers
  • Documented security policies and procedures

Physical Safeguards

  • Data centers with restricted physical access
  • Environmental controls (temperature, humidity, fire suppression)
  • Redundant power and network connectivity
  • Regular backups with secure off-site storage

For more details, see our Information Security page.

5. Data Retention

We retain your information for as long as necessary to provide our services and comply with legal obligations:

  • Active Accounts: Profile and usage data retained while your account is active
  • Deleted Accounts: Most personal data deleted within 30 days of account deletion request
  • Audit Logs: Retained for 6 years minimum to comply with HIPAA requirements
  • Aggregated Data: De-identified analytics may be retained indefinitely for research
  • Legal Holds: Data may be retained longer if required for legal proceedings

After retention periods expire, data is securely deleted or anonymized beyond recovery.

6. Your Privacy Rights

You have the following rights regarding your personal information:

Access and Portability

  • Right to Access: Request a copy of all personal data we hold about you
  • Right to Data Portability: Export your data in a machine-readable format (JSON)
  • How to exercise: Go to Settings → Data Export or email [email protected]

Correction and Deletion

  • Right to Rectification: Correct inaccurate or incomplete personal information
  • Right to Erasure: Request deletion of your account and associated data
  • How to exercise: Update profile in Settings or request deletion via Settings → Account → Delete Account

Control and Restriction

  • Right to Restrict Processing: Limit how we use your information
  • Right to Object: Opt out of marketing communications
  • Right to Withdraw Consent: Revoke previously given consent at any time
  • How to exercise: Adjust preferences in Settings → Email Preferences

California Residents (CCPA)

If you are a California resident, you have additional rights:

  • Right to know what personal information is collected, used, shared, or sold
  • Right to delete personal information (with certain exceptions)
  • Right to opt out of the sale of personal information (we do not sell data)
  • Right to non-discrimination for exercising your rights

European Residents (GDPR)

If you are in the European Economic Area, you have additional rights under GDPR:

  • Right to lodge a complaint with a supervisory authority
  • Right to data portability in a structured, commonly used format
  • Right to object to processing based on legitimate interests
  • Right to withdraw consent for marketing communications

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days.

7. HIPAA Compliance

AtPost Portal by Amsler Labs LLC is designed to comply with the Health Insurance Portability and Accountability Act (HIPAA):

Business Associate Agreements (BAA)

We have executed Business Associate Agreements with all service providers that handle potentially sensitive data, including our database provider (Supabase). These agreements ensure HIPAA compliance throughout our data processing chain.

No Patient Data

Our platform is intended for healthcare professional training and education. We do not collect, store, or process actual patient data or Protected Health Information (PHI). All training scenarios use:

  • De-identified case studies
  • Simulated patient data
  • Educational examples with no real patient identifiers

Audit Logging

We maintain comprehensive audit logs of all system access and data operations, retained for a minimum of 6 years as required by HIPAA regulations.

Breach Notification

In the unlikely event of a data breach involving sensitive information, we will:

  • Notify affected users within 60 days
  • Report to the Department of Health and Human Services (HHS) if required
  • Provide details about the breach, data affected, and remediation steps
  • Offer credit monitoring services if social security numbers or financial data are compromised

For more details on our security practices, see our Information Security page.

8. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. We ensure that such transfers comply with applicable data protection laws:

  • US-Based Storage: Primary data storage is in the United States
  • GDPR Compliance: We use Standard Contractual Clauses (SCCs) for EU data transfers
  • Adequacy Decisions: We rely on adequacy decisions where applicable
  • Data Protection: All international transfers maintain the same level of protection as required by this policy

9. Children's Privacy

Our platform is intended for use by healthcare professionals and students aged 18 and older. We do not knowingly collect personal information from individuals under the age of 13.

If you are under 18 but at least 13 years old, you may only use our platform with the consent and supervision of a parent, guardian, or educational institution.

If we learn that we have collected information from a child under 13, we will delete that information as quickly as possible. If you believe we have collected information from a child under 13, please contact us immediately at [email protected].

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

When we make material changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Notify you via email (if you have an account)
  • Display a prominent notice on our platform
  • Obtain your consent if required by law

We encourage you to review this policy periodically. Your continued use of our platform after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Mailing Address

AtPost Portal by Amsler Labs LLC (AtPost)
10341 Cedar Lake Dr
Providence Village, TX 76227
United States

Response Time

We will respond to all inquiries within 30 days.

Acknowledgment: By using AtPost Portal by Amsler Labs LLC, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. If you do not agree, please discontinue use of our platform.