Privacy Policy

Effective Date: January 1, 2026 · Last Updated: May 2026

HIPAA & Patient Data

Vancomyzer™ Version 1.0 does not store Protected Health Information (PHI) under its current architecture. All patient data entered into the calculator is processed in-session and is not persisted to any server, database, or log. This is a deliberate architectural decision — not a limitation. Your patients' data stays with you. As Dōsys expands into EMR integration and other PHI-handling capabilities, those features will be governed by a signed Business Associate Agreement before any PHI touches our infrastructure.

1. Information We Collect

1.1 Information You Provide

Account information: Name, email address, institution/hospital, professional role (when you create an account or submit a form).
Contact form submissions: Name, email, message content, and any information you choose to provide.
Pilot program applications: Name, title, hospital/health system, email, phone, number of beds, and current vancomycin monitoring method.
Resource downloads: Name, email, institution, and role (for gated content).

1.2 Information Collected Automatically

Analytics data: We use Plausible Analytics, a privacy-focused analytics platform that does not use cookies, does not track individuals, and does not collect personal data. Plausible provides aggregate website usage statistics only.
Essential cookies: We use essential cookies only for session management and authentication (for logged-in users). We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

1.3 Information We Do NOT Collect

Protected Health Information (PHI) as defined by HIPAA.
Patient demographic data, clinical data, or drug levels entered into the Vancomyzer calculator.
Calculation results, dosing recommendations, or pharmacokinetic parameters.

2. How We Use Your Information

To provide, maintain, and improve the Service.
To communicate with you about your account, inquiries, or pilot program.
To send product updates and clinical dosing insights (you can unsubscribe at any time).
To analyze aggregate website usage to improve user experience (via privacy-friendly analytics only).

3. Data Sharing

We do not sell, rent, or trade your personal information. We may share your information with:

Subprocessors: Third-party services that help us operate the Service. See Section 4 for the full list, what data each one processes, and where they are located. Every subprocessor is contractually obligated to protect your data.
Legal obligations: When required by law, court order, or governmental request.

4. Subprocessors

The following vendors process limited categories of personal information on our behalf. None of them receive Protected Health Information.

Vendor	Role	Data Processed	Location
Render	Application hosting and persistent disk for the SQLite database that stores account credentials, audit logs, calculation logs, and pilot lead data.	Hashed passwords, email addresses, derived clinical values (no PHI), security audit events.	United States (AWS regions).
Stripe	Subscription billing for paid tiers (Individual Pro, Department, Hospital).	Billing email, name, payment method tokens. Card data is held by Stripe — Vancomyzer never sees raw card numbers.	United States.
Google Workspace	Outbound email transport (account approvals, password resets, pilot welcome emails, bug reports) via SMTP. Also hosts the pilot@dosys.health and sales@dosys.health mailboxes that receive customer correspondence.	Email addresses and email body content (which may contain non-PHI clinician correspondence — never patient PHI).	United States. Google Workspace offers a HIPAA Business Associate Agreement for covered customers.
GitHub	Source code repository for the Vancomyzer engine and the dosys.health marketing site.	Source code only — no user or patient data.	United States.
Plausible Analytics	Privacy-respecting web analytics on dosys.health and vancomyzer.com.	Aggregated page views. No IP collection, no cookies, no cross-site tracking, no user identifiers.	European Union (Germany) — GDPR-compliant by design.

Render

Role:: Application hosting and persistent disk for the SQLite database that stores account credentials, audit logs, calculation logs, and pilot lead data.
Data:: Hashed passwords, email addresses, derived clinical values (no PHI), security audit events.
Location:: United States (AWS regions).

Stripe

Role:: Subscription billing for paid tiers (Individual Pro, Department, Hospital).
Data:: Billing email, name, payment method tokens. Card data is held by Stripe — Vancomyzer never sees raw card numbers.
Location:: United States.

Google Workspace

Role:: Outbound email transport (account approvals, password resets, pilot welcome emails, bug reports) via SMTP. Also hosts the pilot@dosys.health and sales@dosys.health mailboxes that receive customer correspondence.
Data:: Email addresses and email body content (which may contain non-PHI clinician correspondence — never patient PHI).
Location:: United States. Google Workspace offers a HIPAA Business Associate Agreement for covered customers.

GitHub

Role:: Source code repository for the Vancomyzer engine and the dosys.health marketing site.
Data:: Source code only — no user or patient data.
Location:: United States.

Plausible Analytics

Role:: Privacy-respecting web analytics on dosys.health and vancomyzer.com.
Data:: Aggregated page views. No IP collection, no cookies, no cross-site tracking, no user identifiers.
Location:: European Union (Germany) — GDPR-compliant by design.

We review this list quarterly. To request notification when subprocessors are added or changed, email privacy@dosys.health.

5. Cookies

We use essential cookies only. No tracking.

We respect your data the way we respect your clinical judgment. Dōsys does not use Google Analytics, Facebook Pixel, advertising trackers, or any cookie-based tracking technology. Our analytics are powered by Plausible, which is fully cookieless and GDPR/CCPA-compliant by design.

6. Data Security

We implement industry-standard security measures to protect your information, including TLS encryption for all data in transit and encrypted storage for account data at rest. However, no method of electronic transmission or storage is 100% secure.

7. Data Retention

We retain the personal information we collect only for as long as it serves a legitimate purpose. Specific retention windows by data category:

Data category	Retention
Account credentials	Until account deletion + 30 days
Calculation log entries	24 months from creation
Security audit events	7 years (HIPAA-aligned baseline)
Bayesian fit diagnostics	24 months from creation
Pilot application leads	36 months from submission
Newsletter subscribers	Until unsubscribe
Email correspondence	36 months from last activity
Stripe billing records	7 years (tax/audit baseline)

Account credentials
Until account deletion + 30 days
Calculation log entries
24 months from creation
Security audit events
7 years (HIPAA-aligned baseline)
Bayesian fit diagnostics
24 months from creation
Pilot application leads
36 months from submission
Newsletter subscribers
Until unsubscribe
Email correspondence
36 months from last activity
Stripe billing records
7 years (tax/audit baseline)

You may request deletion of your account and associated personal data at any time by emailing privacy@dosys.health. We will action requests within 30 days as required by applicable state privacy laws.

8. Your Rights Under US State Privacy Laws

If you reside in a US state with a comprehensive consumer privacy law — including but not limited to California (CCPA/CPRA), Virginia (VCDPA), Colorado (CDPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Florida (FDBR), Montana (MCDPA), Tennessee (TIPA), Delaware (DPDPA), New Jersey (NJDPA), New Hampshire (NHPA), Maryland (MODPA), and Minnesota (MCDPA) — you may have the following rights with respect to your personal information:

Right to know
Request access to the personal information we hold about you and how we use it.
Right to correct
Request correction of inaccurate personal information.
Right to delete
Request deletion of your personal information.
Right to portability
Request a copy of your personal information in a structured, machine-readable format.
Right to opt out
Opt out of the sale or sharing of your personal information for cross-context behavioral advertising. Dōsys does not sell personal information.
Right to opt out of profiling
Opt out of profiling that produces legal or similarly significant effects. Dōsys does not perform such profiling.
Right to non-discrimination
Exercise these rights without being denied service, charged different prices, or provided different quality of service.

To exercise any of these rights, email privacy@dosys.health with the subject line “Privacy Rights Request” and we will respond within the timeframe required by your state's law (generally 30–45 days).

9. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or prominently posted on the Service.

11. Contact

Dosys Health LLC
McAllen, Texas
privacy@dosys.health