Trust & Security

Data Flow

Last updated: July 2026  ·  What data moves where — and what controls apply at each step

This page describes how data flows through the AVD Clinical platform — from user input, through our infrastructure and vendors, to storage and delivery. No patient data (PHI) is accepted on the current platform. See our HIPAA Notice for details.

1. Platform Overview

AVD Clinical is a static HTML/JavaScript site served via Cloudflare Pages. The backend is Supabase (PostgreSQL on AWS). There is no AVD-operated server between the user's browser and our infrastructure vendors — all client-side requests go directly to Supabase or Stripe via their published APIs.

2. Data Flow by Feature

2.1 Authentication (OTP Sign-in)

Email OTP flow
User
Enters email address
TLS 1.2+ in transit · goes directly to Supabase Auth API
Supabase Auth
Supabase Auth
Triggers OTP email via Resend
6-digit code · 10-minute expiry · single-use · hashed before storage
Resend
Resend
Delivers OTP email to user's inbox
User
User
Enters 6-digit code
Code verified by Supabase · session token issued · stored in browser
Supabase Auth
SMS OTP flow (same pattern, different carrier)
Supabase Auth
Triggers SMS via Twilio
Phone number passed to Twilio · not stored by AVD Clinical in plaintext
Twilio

Data retained by Supabase Auth: email address, hashed OTP, session tokens (encrypted), phone number (if provided). Data retained by Resend/Twilio: delivery logs per their respective privacy policies. AVD Clinical receives only delivery status (sent/failed), not message content.

2.2 User Profile & Account Data

User
First name, last name, professional role (optional)
Written to profiles table in Supabase PostgreSQL · Row-Level Security enforced
Supabase DB

Profile data is accessible only to the authenticated account owner. AVD Clinical staff can access database tables only via the Supabase dashboard with MFA-protected admin credentials. No direct SQL connections from any application layer.

2.3 Medicine Reminder Data

User
Medication name, dose, doctor, pharmacy, refill date, notes (all optional)
Written directly to reminders table · AES-256 at rest · RLS-protected · never shared
Supabase DB
Supabase DB
Reminder data returned on login
Displayed in browser only · no server-side rendering · never logged to AVD systems
User

This data never touches any third-party analytics, advertising, or data-enrichment system. It is not shared with Stripe, Resend, Twilio, or Cloudflare beyond the encrypted bytes they store/transmit. See HIPAA Notice for clarification on why this is personal health information rather than PHI.

2.4 Payments

User
Opens Stripe payment link or embedded Stripe checkout
Browser connects directly to Stripe's servers · card data never touches AVD Clinical
Stripe
Stripe
Transaction confirmation: amount, product ID, masked card descriptor, customer email
AVD Clinical receives metadata only — no card number, CVV, or bank account
AVD Clinical
AVD Clinical
Stripe sends receipt email to customer
Sent by Stripe directly · not via AVD Clinical email infrastructure
User

2.5 Calculator Data

User
Budget parameters: countries, site counts, cost inputs, scenario names
Stored in saved_projects table · RLS-protected · no patient data accepted
Supabase DB
User
PDF / Word / CSV export generated client-side
Exports are created entirely in the browser — no data sent to a server for export generation
User's device

2.6 Contact Form & Newsletter

User
Name, email, message (contact form) or email (newsletter)
Submitted to Cloudflare Pages form handler · forwarded to [email protected] via Resend
Cloudflare / Resend

3. Where Data Is Stored

Data typeStored byRegionEncryption at rest
Auth tokens, email, phoneSupabaseAWS us-east-1AES-256
User profiles, rolesSupabaseAWS us-east-1AES-256
Medicine remindersSupabaseAWS us-east-1AES-256
Calculator projectsSupabaseAWS us-east-1AES-256
Watched resourcesSupabaseAWS us-east-1AES-256
Payment records, subscriptionsStripeUS (Stripe-managed)AES-256 (Stripe)
Email delivery logsResendUSPer Resend policy
SMS delivery logsTwilioUSPer Twilio policy
Static site assets, CDN cacheCloudflareGlobal edgeCloudflare-managed

4. What AVD Clinical Does Not Collect

5. Data Deletion

Users may request deletion of all personal data by emailing [email protected]. Account data, profile, reminders, and calculator projects are deleted from Supabase within 30 days of a verified deletion request. Transaction records required for financial/legal compliance are retained for the period required by applicable law (typically 7 years) and then deleted.

Medicine reminder data can also be deleted by the user directly from the Reminders interface without contacting AVD Clinical.

6. Further Information