Privacy Policy

Last updated: April 2026

This document is provided for informational purposes only and does not constitute legal advice. You should consult your own attorney for guidance on privacy and data protection obligations specific to your practice or jurisdiction.

Who We Are

OpenFunctional is a clinical decision support platform built for functional medicine practitioners. We help doctors analyze patient health data to generate actionable, evidence-informed supplement and lifestyle recommendations.

Data We Collect

When practitioners or their patients use OpenFunctional, we may collect:

Contact information — name and email address
Health intake responses — answers provided through our intake questionnaire
Lab reports — uploaded lab results for clinical analysis
Account data — practitioner login credentials and practice information

How We Use Your Data

We use collected data to:

Power AI-driven clinical decision support for practitioners
Generate personalized supplement and wellness recommendations
Send intake forms and results to patients and practitioners via email
Improve platform accuracy, reliability, and user experience

We do not sell your data. Ever. Not to advertisers, data brokers, or anyone else. Your health information is not a product.

Third-Party Processors

We work with a limited set of trusted service providers to operate the platform:

Anthropic — AI analysis engine (processes health data to generate clinical insights)
Neon — PostgreSQL database hosting (stores account and health data, encrypted at rest)
Resend — Transactional email delivery (sends intake links and results)
Vercel — Application hosting and infrastructure

Each processor is selected for its security posture and commitment to data protection. We do not share data with any parties beyond what is necessary to operate the service.

HIPAA Commitment

We take the protection of health information seriously. OpenFunctional is actively working toward full HIPAA compliance, including establishing Business Associate Agreements (BAAs) with all third-party processors that handle protected health information. We encrypt data in transit and at rest, enforce role-based access controls, and maintain audit logs of data access.

This is an ongoing effort. If you have specific compliance questions, please contact us.

Data Retention

Health data, intake responses, and lab reports are stored for as long as the practitioner account remains active or until the practitioner deletes the data. Upon account closure, all associated data is deleted within 30 days.

Patient Rights

Patients who wish to access, correct, or delete their health information should contact their practitioner directly. Practitioners can manage patient data through the OpenFunctional portal. If you need additional assistance, you may also reach us at the contact below.

Security

We use TLS encryption for all data in transit, AES-256 encryption at rest for database storage, secure authentication with hashed passwords, and session management with automatic expiry. We regularly review our security practices and infrastructure.

Changes to This Policy

We may update this policy as our practices or legal requirements evolve. Material changes will be communicated through the platform. Continued use after changes constitutes acceptance.

Contact

Questions or requests regarding this policy can be directed to:
[email protected]