Ternary Health

Privacy Policy

Ternary Health is a private medical-research firm. We are not a HIPAA-covered entity, but because our work touches sensitive health information, we hold our practices to HIPAA-aligned standards. This policy describes what we collect, how we use it, how we protect it, and the rights you retain.

1. What we collect at the application stage

Our public application form collects a bounded, intentionally minimal set of information: your name, contact information (email, phone, location), age range, the general condition or category you are navigating, a short narrative description of your situation and goals, your tier interest and timing, and an indication of what records you have available.

We do not ask for — and you should not send — medical records, laboratory results, imaging, genomic data, or other detailed protected health information at the application stage. If you do include such information in a free-text field, we treat it with the same safeguards described below but encourage you to hold it for the secure intake flow that follows acceptance.

2. What happens after acceptance

If your application is accepted, we send an engagement letter. After it is signed, medical records are shared through a separate, secure intake flow governed by the terms of that engagement letter. Handling of the information you share at that stage is covered by the engagement letter and applicable confidentiality obligations, and is subject to stricter access controls than the public application stage.

3. How we use application information

Information you submit on the application form is used solely to:

  • Evaluate whether we are the right fit for your situation
  • Respond to your inquiry and, if accepted, coordinate engagement
  • Build the case file that supports your engagement (post-acceptance)
  • Improve our process and methodology, in aggregated and de-identified form

We do not sell application data. We do not use it for advertising. We do not share it with third parties except the service providers described below, and only as necessary to run this website and communicate with you.

4. Service providers & business associates

We rely on a small set of service providers to operate this website and process applications. Each is bound to its own privacy and security commitments; where our use involves potentially protected health information, we pursue Business Associate Agreements (BAAs) or equivalent contractual safeguards with providers that support them. Current providers include:

  • Vercel — web hosting and delivery
  • Resend — transactional email for application notifications
  • GitHub — source-code hosting (does not process application data)

No analytics, session-replay, or advertising trackers are deployed on this site. This is a deliberate choice.

5. How we protect your information

Our security practices are summarized on the Security & Data Practices page. In short:

  • TLS/HTTPS encryption for all traffic
  • Encryption at rest for data held with our hosting and email providers
  • Access limited to the firm’s principals and, when applicable, a small number of engaged analysts under written confidentiality obligations
  • No access granted to marketing, advertising, or analytics vendors — because we do not use them
  • Retention bounded by the timelines described in Section 7

6. HIPAA posture

Ternary Health is not a HIPAA covered entity. We are not a health care provider in the HIPAA sense; we do not diagnose, prescribe, treat, transmit insurance claims, or operate as a health plan or clearinghouse. HIPAA does not, as a matter of law, apply to our handling of your information.

We have nonetheless elected to operate under HIPAA-aligned practices — encryption, minimum necessary collection, access discipline, vendor BAAs where available — because the sensitivity of the information our clients share warrants that standard of care, and because trust is the foundation of this work.

7. Retention

We apply two different retention standards depending on what is being retained:

  • Your application data is retained for as long as is reasonably needed to respond to your inquiry and, if an engagement follows, to complete that engagement and its documented follow-up. Applications that do not result in an engagement are retained for no more than 12 months from submission, then deleted, unless you request earlier deletion.
  • Engagement records (records, labs, imaging, case synthesis artifacts, outcomes) are retained per the terms of the signed engagement letter — typically seven years to align with HIPAA retention standards for compliance documentation and to support longitudinal case-outcome research in a de-identified form.
  • Security and compliance logs — access logs, audit trails, incident records, policy documents — are retained for seven years, consistent with HIPAA administrative documentation retention standards, regardless of whether the underlying client data is still held.
  • De-identified aggregated data derived from engagements (patterns, signal frequencies, evidence matrix updates) may be retained indefinitely for methodological improvement, subject to the privacy safeguards in Section 5.

8. Your rights

You may request at any time: (i) a copy of the information we have about you; (ii) correction of inaccurate information; (iii) deletion of your application information. Email beau@ternaryi.com with the subject line “Privacy Request” and we will respond within 30 days.

We do not knowingly collect information from minors. Applications on behalf of a minor family member should be submitted by a parent or legal guardian.

9. Changes to this policy

We will update this policy as our practices evolve and as we add vendors or systems. The current version is always posted here, with the effective date updated accordingly. Material changes will be announced to active clients via email.

10. Contact

Privacy questions go to beau@ternaryi.com. For a formal written response, put “Ternary Health — Privacy” in the subject line of your email.

Effective date: April 18, 2026.