Privacy Notice
Version 1.0 — 2026-06-10
Who is responsible for your data
Q BRIDGE AI (“QBridge”, “we”) operates the QBridge platform — six healthcare solutions (UCTB, UHB, PPCS, UHCB, MyStant, UQMB) and the bridge home at qbridgelabs.ai. For your platform account data (email, name, sign-in and activity records), QBridge is the data controller (responsable under Mexico’s LFPDPPP). Contact: vamsy@qbridge.ai.
For data inside an organization’s workspace — trial documents, facility KPIs, patient records, employee credentials, member check-ins, quality events — the organization that registered that workspace is the controller, and QBridge acts as its processor (encargado). If you are a patient, employee, or member whose data an organization manages in QBridge, please direct your rights requests to that organization; we give them the tools to honor them.
What we process, and why
- Account data — email and name from your sign-in provider; to authenticate you and operate your memberships. Legal basis: contract.
- Workspace content — the healthcare records your organization manages in each solution; processed only on the organization’s instructions. Legal basis: the controller’s.
- Audit records — every action is recorded in an append-only, tamper-evident chain (who, what, when). Legal basis: legal obligation and legitimate interest in integrity; in regulated contexts (21 CFR Part 11, ICH GCP) these records are mandatory.
- AI processing — Claude (Anthropic) generates suggestions only; a human always decides. Inputs are not used to train models via the API. Every inference is labelled and logged with the model identifier. See AI Ethics.
Your rights (ARCO and GDPR)
You may exercise Access, Rectification, Cancellation (erasure), and Opposition — and the corresponding GDPR rights — directly in the product: open any solution’s Settings → Privacy & Your Data, where you can download everything we hold about you as a file and file an erasure request that is recorded tamper-evidently in every organization you belong to. You can also write to vamsy@qbridge.ai. We respond within 20 business days (LFPDPPP) or one month (GDPR).
A regulated-records caveat, stated honestly: signed clinical-trial documents, e-signatures, and audit chains carry legal retention duties (e.g., ICH GCP trial-master-file retention). Where the law requires retention, erasure is applied to everything else and the retained records are restricted, not used for any other purpose.
Where your data lives, and who helps us
- Supabase (database and authentication; AWS us-east-1)
- Render (application servers)
- Vercel (web hosting)
- Anthropic (Claude API for governed AI assists)
Each processes data only as needed to run the platform, under their respective data-protection terms.
How we protect it
We enforce tenant isolation in the database itself (forced row-level security) and use TLS in transit, encryption at rest (trial documents are additionally encrypted with AES-256-GCM), least-privilege database roles, and an append-only SHA-256 audit hash chain whose integrity anyone in your organization can verify from the Activity page.
Retention
Account data is kept while your account exists and removed after an honored erasure request. Workspace content follows the controlling organization’s instructions and applicable law. Audit chains and regulated records are retained for their legally mandated periods. The full schedule is in our retention policy, available on request.
If something goes wrong
If a security breach affects your personal data, we will notify the affected controllers and data subjects without undue delay — within 72 hours of confirmation where GDPR applies — and the competent authorities (including INAI for Mexico) as required.
Changes
We will post updates to this notice here with a new version number, and flag material changes in the product before they take effect.
