Effective 2026-07-17 · v2026-07-03.2

Thylib Privacy Policy

Version: 2026-07-03.2 Effective: 2026-07-17

Thylib is operated by Perceptive One LLC ("Thylib", "we", "us", "our"), the data controller for the personal information described here. This Policy describes what Thylib collects, how we use it, who we share it with, and the rights you have — including the heightened rights that apply to consumer health data under state law.

1. What we collect

  • Account information — your Google account ID, email, display name, and self-declared country of residence.
  • Health records (consumer health data) — when you connect a patient portal that supports SMART on FHIR (e.g. Epic MyChart), we sync the FHIR resources you authorize: Patient, Condition, Observation (labs, vitals), MedicationRequest, AllergyIntolerance, Immunization, Procedure, DiagnosticReport, DocumentReference, and Encounter. Portal authorization tokens are stored encrypted at rest using Google Cloud KMS. We never see or store your patient-portal password.
  • Audit log — records of when you signed in, which tools you ran, and what records were accessed. Retained as a tamper-evident security record.
  • Billing information — handled by Stripe. We store only Stripe-issued customer/subscription identifiers and your subscription-consent records; we never receive or store your card number.

We do not collect advertising identifiers, and we do not use tracking pixels or third-party advertising cookies.

2. How we use it

We use the data above to (a) provide the features of the service, (b) process payments, (c) send transactional email (renewal reminders, billing notices, invitations), (d) detect abuse and secure the service, (e) respond to your support requests, and (f) comply with legal obligations.

We do not sell your personal information. We do not share your health data for advertising. We do not use your health data to train AI models. We do not process your health data for any purpose you have not consented to.

3. Consent for consumer health data

We collect and process your health records only with your consent, given when you connect a provider portal. Each connection is authorized by you, scoped by your provider's patient-access interface, and can be revoked at any time from the connections page (revocation stops future syncs; you can also delete already-synced data as described in §5).

When a family creator connects records for another adult under provider proxy access, those records are visible only to the creator in the web dashboard and are excluded from the AI integration (§4a) until that person confirms consent themselves. The creator attests their authority (self, parent/guardian of a minor, formal legal representative, or provider proxy) at connection time, and we log the attestation.

We do not share your consumer health data with third parties except the subprocessors in §4 (who act on our instructions) and the AI integration in §4a (which only ever runs at your direction). Because Thylib's core feature is querying your records through an AI assistant you choose to connect, using Thylib requires accepting the AI/LLM Disclosure at sign-up. Your health data is shared with an AI provider only when you connect that provider's assistant and only in response to queries you run. We never share your health data with any other third party, and we will never require consent to any sharing beyond what is needed to provide the service you signed up for.

4. Subprocessors

Subprocessor Role Data category
Google Cloud (BigQuery, GCS, Cloud KMS, Cloud Run) Hosting, storage, encryption Health records; encrypted tokens
Stripe Subscription billing Email, billing identifiers (no card numbers)
Resend Transactional email delivery Your email address, email contents (no health records)
Your healthcare provider (Epic, Oracle Health, etc.) Source of the FHIR records you elect to import Health records you authorize

4a. AI assistant integration (the core of the service)

Thylib's primary use is querying your own records through the third-party AI assistant you connect (Claude, ChatGPT, Gemini, or another MCP client). When you run a query, the records responsive to it are delivered to that AI provider; their privacy and retention policies apply once data leaves us. Records flow only to the provider whose assistant you connected, and only in response to your queries — never in the background. This data flow is described in the AI/LLM Disclosure, presented for your acceptance as its own document at sign-up. You can disconnect an assistant or revoke MCP access at any time. The web dashboard works without a connected assistant, but AI-assisted querying is the core of the service.

5. Retention and deletion

  • Health records: retained while your family has an active free trial or subscription. After your trial expires or your subscription lapses, this data is retained for 30 days (so you can subscribe or reactivate without re-importing), then permanently and irreversibly destroyed — we email you before that happens. You may request immediate destruction at any time by deleting the family or your account; destruction completes within fourteen days (records are deleted from our live systems immediately; residual copies in database backups are purged within fourteen days).
  • Account information: retained for the lifetime of your account; anonymized on deletion.
  • Audit log: retained as an append-only security record; not deleted on account deletion, in order to preserve a tamper-evident history.
  • Billing and consent records: subscription, refund, and subscription-consent records are retained for seven years after each transaction (tax, accounting, and consumer-protection law require us to keep proof of charges and of your consent).

6. Your rights

For all users, regardless of state: you can access, export, correct, and delete your data using the self-service controls below, or by emailing privacy@thylib.com.

  • Access / export: download a complete export of your data from the account page.
  • Delete: delete your account or family from the account page; health-record destruction follows §5.
  • Correct: correct your account profile in Settings. (Health records are synced copies — corrections to the underlying chart must be made with your healthcare provider; we will re-sync them.)
  • Withdraw consent: disconnect any provider connection, or revoke the AI integration, at any time.

California residents have these rights under the CCPA/CPRA and CMIA, including the right to know, delete, correct, and to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of. In addition, under the Confidentiality of Medical Information Act (Civ. Code §56.06), a business offering consumers software to manage their medical information is deemed a "provider of health care" for confidentiality purposes: Thylib maintains your medical information under those CMIA duties and does not disclose it except as this Policy describes and California law permits.

Washington residents (and residents of other states with consumer health data laws, including Nevada): you have the right to confirm whether we collect, share, or sell consumer health data, to withdraw consent, and to have your consumer health data deleted. Washington's My Health My Data Act also requires a standalone policy: see our Consumer Health Data Privacy Policy, linked from our homepage. We do not sell consumer health data and will not do so without the separate, signed authorization those laws require. To exercise these rights, use the self-service controls above or email privacy@thylib.com; if we decline a request, you may appeal by replying to our decision, and we will respond to your appeal as those laws require.

We will not discriminate against you for exercising any privacy right.

7. Security and breach notification

We protect your data with encryption in transit (TLS), encryption at rest, KMS-wrapped storage for portal tokens, audit logging of every read of health records, least-privilege access controls, and US-only data residency on Google Cloud.

As a vendor of personal health records, we are subject to the FTC Health Breach Notification Rule. If a breach of security results in unauthorized acquisition of your unsecured identifiable health data, we will notify you and the FTC (and, where required, state regulators) within the timelines those rules require.

8. Children

Thylib is not directed to children under 13, and we do not knowingly accept sign-ups from anyone under 18. A parent or legal guardian may connect and manage a minor's health records within their family, subject to their legal authority to do so and to their provider's own proxy-access rules.

9. Changes to this Policy

Material changes are presented for your re-acceptance on next sign-in. Non-material changes are announced by email; the version string above identifies the document you accepted.

10. Contact

privacy@thylib.com