Privacy Policy
Effective: June 11, 2026
1. Overview
Titrately ("we," "us," or "our") provides a clinical decision-support module for ADHD medication titration. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our platform.
2. Information We Collect
Titrately operates as an embedded module within host EHR/telehealth platforms. We process the following categories of data:
- Clinical Telemetry: Symptom scores, side-effect reports, sleep quality bands, medication adherence data submitted via daily check-ins.
- Pharmacogenomic Data: CYP2D6 and CYP2C19 gene/phenotype results ingested from laboratory sources.
- Episode Data: Drug names, formulations, dose levels, titration step history.
- Vitals: Heart rate, blood pressure when provided by the host EHR or manual entry.
- Account Data: Email address, role, host organization association for authenticated users.
We do not collect patient names, dates of birth, Social Security numbers, or unencrypted medical record numbers. Patient identifiers are tokenized before storage.
3. How We Use Information
- To provide titration timeline visualization and triage alerts to prescribers.
- To surface CPIC pharmacokinetic dosing reference cards when pharmacogenomic data is available.
- To compute adherence, tolerability, and sleep regression alerts.
- To generate de-identified, consent-verified outcome datasets for research (K4 data registry).
- To send check-in reminders to patients via configured notification channels.
4. Data Sharing
We do not sell personal or clinical data. Data may be shared with:
- Host Organizations: Clinical data is scoped to the originating host via Row-Level Security. Each host sees only its own patients.
- Research Partners: Only de-identified, consent-verified outcome data with all PHI stripped. Research consent is separate from clinical consent.
- Service Providers: Infrastructure providers (hosting, database, notification delivery) under data processing agreements.
5. Data Security
- All data encrypted in transit (TLS 1.3) and sensitive fields encrypted at rest (AES-256-GCM).
- Row-Level Security enforces host-level data isolation at the database layer.
- Append-only audit log records all data access and modifications.
- JWT-based authentication with short-lived access tokens and refresh token rotation.
- Rate limiting and input validation on all API endpoints.
6. Data Retention
Clinical data is retained for the duration of the patient's active care relationship with the host organization. Audit logs are retained for a minimum of 7 years. De-identified research data may be retained indefinitely. Patients or host organizations may request deletion of clinical data by contacting us.
7. Patient Rights
Patients may exercise their rights through their host healthcare organization or by contacting us directly:
- Right to access their clinical telemetry data.
- Right to request correction of inaccurate data.
- Right to request deletion (subject to clinical record retention requirements).
- Right to withdraw research consent at any time without affecting clinical care.
8. HIPAA Compliance
Titrately operates as a Business Associate under HIPAA when processing Protected Health Information on behalf of Covered Entity host organizations. Business Associate Agreements (BAAs) are executed with each host.
9. Contact
For privacy inquiries: privacy@titrately.com