Supplepedia Trust Center
Our commitment to data privacy and security is embedded in everything we build. This page provides transparency into how we protect your information.
Compliance & Commitments
Supplepedia supports GDPR and CCPA privacy rights, encrypts data in transit and at rest, and applies privacy-by-design principles, including fail-closed vendor gates (a third-party data flow is blocked, not allowed, when a required check cannot be completed) and audit logging.
Important: How Supplepedia handles health data depends on your practitioner relationship tier.
Tier 2 (default): Standard practitioner invites include clinical engagement. The defined clinical content (notes, context, messages, alerts, assessments) is PHI under HIPAA. Your practitioner is the Covered Entity, and Supplepedia acts as their Business Associate under a signed BAA.
Tier 1 (optional): A practitioner can downscale the relationship to protocol-only sharing. No Tier 2 clinical content is stored.
Self-directed supplement tracking outside a practitioner relationship is consumer wellness data, not PHI. Supplepedia is not a full clinical EHR.
Security Controls
- Authentication via Clerk, with multi-factor authentication (MFA) for practitioner accounts and idle-session timeout support
- TLS (HTTPS) for data in transit, and AES-256-GCM field-level encryption for sensitive data at rest
- Append-only audit trail recording practitioner access to data
- Cookie consent gating for analytics and advertising on the website
- No payment card data is stored by Supplepedia; billing is handled by Stripe, Apple, and Google
Subprocessors
We use third-party services including Clerk, Neon, Stripe, Loops, Sentry, Cloudflare, Railway, Google Analytics, and Meta. See our Privacy Policy for full disclosures.
Contact
For security inquiries or data rights requests, contact [email protected].