This page describes how data flows through the AVD Clinical platform — from user input, through our infrastructure and vendors, to storage and delivery. No patient data (PHI) is accepted on the current platform. See our HIPAA Notice for details.
1. Platform Overview
AVD Clinical is a static HTML/JavaScript site served via Cloudflare Pages. The backend is Supabase (PostgreSQL on AWS). There is no AVD-operated server between the user's browser and our infrastructure vendors — all client-side requests go directly to Supabase or Stripe via their published APIs.
2. Data Flow by Feature
2.1 Authentication (OTP Sign-in)
Data retained by Supabase Auth: email address, hashed OTP, session tokens (encrypted), phone number (if provided). Data retained by Resend/Twilio: delivery logs per their respective privacy policies. AVD Clinical receives only delivery status (sent/failed), not message content.
2.2 User Profile & Account Data
Profile data is accessible only to the authenticated account owner. AVD Clinical staff can access database tables only via the Supabase dashboard with MFA-protected admin credentials. No direct SQL connections from any application layer.
2.3 Medicine Reminder Data
This data never touches any third-party analytics, advertising, or data-enrichment system. It is not shared with Stripe, Resend, Twilio, or Cloudflare beyond the encrypted bytes they store/transmit. See HIPAA Notice for clarification on why this is personal health information rather than PHI.
2.4 Payments
2.5 Calculator Data
2.6 Contact Form & Newsletter
3. Where Data Is Stored
| Data type | Stored by | Region | Encryption at rest |
|---|---|---|---|
| Auth tokens, email, phone | Supabase | AWS us-east-1 | AES-256 |
| User profiles, roles | Supabase | AWS us-east-1 | AES-256 |
| Medicine reminders | Supabase | AWS us-east-1 | AES-256 |
| Calculator projects | Supabase | AWS us-east-1 | AES-256 |
| Watched resources | Supabase | AWS us-east-1 | AES-256 |
| Payment records, subscriptions | Stripe | US (Stripe-managed) | AES-256 (Stripe) |
| Email delivery logs | Resend | US | Per Resend policy |
| SMS delivery logs | Twilio | US | Per Twilio policy |
| Static site assets, CDN cache | Cloudflare | Global edge | Cloudflare-managed |
4. What AVD Clinical Does Not Collect
- Payment card numbers, CVV, or full bank account details (Stripe only)
- Protected Health Information (PHI) of patients or research subjects
- Clinical trial data, study results, or EDC/CTMS data
- Third-party analytics cookies or advertising identifiers
- Keystroke data, screen recordings, or session replay data
- Location data (no GPS or IP geolocation stored)
5. Data Deletion
Users may request deletion of all personal data by emailing [email protected]. Account data, profile, reminders, and calculator projects are deleted from Supabase within 30 days of a verified deletion request. Transaction records required for financial/legal compliance are retained for the period required by applicable law (typically 7 years) and then deleted.
Medicine reminder data can also be deleted by the user directly from the Reminders interface without contacting AVD Clinical.