Privacy Policy

Effective: 8 May 2026 · Chronic Trace, Inc., Dover, Delaware, United States

What Chronic Trace is

Chronic Trace, Inc. ("we," "us," "Chronic Trace") operates a wellness screening platform that captures short involuntary-signal recordings from a standard smartphone, tablet, or laptop camera and microphone, and produces screening indicators intended to support — never replace — clinical judgment.

The platform is not a medical device. It is not cleared, approved, or authorized by the United States Food and Drug Administration to diagnose, cure, treat, mitigate, or prevent any disease or condition. A 510(k) submission is planned for the third quarter of 2027. Until then, all output is provided strictly as a wellness indicator.

Information we collect

Operator account information

For people who sign in to use Chronic Trace (athletic trainers, team doctors, coaches, medics, clinicians, researchers): name, role, optional organization or unit, and either an email address (for password sign-in) or a system-generated synthesized email address (for invite-code sign-in). Operators may set an optional 4-digit recovery PIN, which is stored only as a PBKDF2-SHA256 hash with a per-user salt.

Subject information

For each person being assessed (a "subject"): an opaque CT-XXXXXXXX identifier (the "CT tag") is generated automatically and is the primary key for all downstream records. Optionally, the operator may also record: display name (omitted entirely when the subject is marked anonymous), sex (male / female), date of birth, height, weight, subject category, and structured impairment tags (such as prosthetic-leg, missing-eye, wheelchair). Consent records are stored separately, including the type (self / guardian / military / occupational), the granter's name, the scope granted, and any revocation timestamp.

Capture data

During each 30-second capture, the platform processes camera input on-device to extract numerical involuntary-signal metrics (oculomotor, postural, autonomic, facial microexpression). A short visual reaction-time test is also captured (tap-on-stimulus latency and variability) — no audio or microphone access is required. These metrics — not the raw video — are persisted to the database. For post-incident captures, the operator may additionally upload a trimmed video clip of the impact event for trainer review; these clips are stored in a private bucket scoped to the uploading operator, with cross-operator read access available only to administrator accounts.

Audit information

We record an append-only event log of who created, viewed, exported, or modified each record, the type of action, and a SHA-256 hash of a session-stable browser fingerprint. We do not store raw IP addresses.

How we use information

We use the information described above to:

  • provide the screening platform to operators and the people they assess;
  • compute screening indicators (such as the Cognitive Likelihood Index, dispersion-based intra-individual variability, and trend analyses) and present them to operators;
  • support the regulatory pathway toward FDA 510(k) clearance, including aggregating de-identified population data keyed by CT tag;
  • investigate platform misuse, security incidents, and data integrity concerns;
  • respond to legal obligations.

We do not sell personal information. We do not use captured data to train third-party advertising models. AI-assisted scoring and clinical narrative generation use Anthropic's Claude API under a contractual no-retention configuration; only the minimum information required to produce each score or narrative is sent (de-identified pose landmarks, numerical metrics, video keyframes for eye-test event annotation, and the subject's display name or CT tag — never raw identifying images of the subject).

Sharing

Operator records are scoped to the operator who created them; one operator's subjects are not visible to another operator. Administrator accounts may view aggregated data across every operator for the purposes of regulatory aggregation and platform integrity monitoring. We share data with third parties only:

  • with our processors (Supabase for database and authentication, Vercel for hosting, Google for AI narrative generation) under written data-processing agreements;
  • where required by law, court order, or a lawful regulatory request;
  • in the event of a corporate transaction (merger, acquisition, asset sale), under terms that preserve these privacy commitments.

Retention

Capture records (baselines, assessments, raw metrics, asymmetry summaries) are retained indefinitely so that longitudinal trend analysis remains valid for each subject, unless deletion is requested. Audit events are append-only and retained for the life of the deployment. Incident video clips are retained for the same period as the result row they are attached to.

Your rights

Subjects and operators may request access to, correction of, export of, or deletion of their personal information. Operators with an active session may export and delete their own account directly from the Settings page. Subjects whose data is held by an operator should direct requests to that operator in the first instance. Where local law applies (including the EU General Data Protection Regulation, the California Consumer Privacy Act, and similar regimes), the rights granted under that law are honored.

Children

The platform is sometimes used to capture involuntary-signal screening information for minors (for example, a paediatric concussion screening, or a civilian child exposed to a head injury). When a subject is a minor, consent must be granted by a parent or legal guardian. We comply with the U.S. Children's Online Privacy Protection Act for any minor subject under 13 where applicable.

Security

Data in transit is encrypted using TLS. Data at rest in the Supabase managed-Postgres backend is encrypted using Supabase's standard at-rest encryption. Capture rows are protected by a per-subject SHA-256 hash chain that makes silent modification of historical records detectable. Operator PINs are hashed with PBKDF2-SHA256 (100,000 iterations, 16-byte per-user salt) and verified in constant time. Failed PIN attempts are rate-limited per account.

International deployment

Chronic Trace is a U.S. company incorporated in Delaware and headquartered in Dover, Delaware. The platform is classified EAR99 under U.S. Export Administration Regulations. We have conducted prototype evaluations internationally, including with partners outside the United States. Where information collected through the platform crosses national borders, we rely on the operator's legal authority to capture and transfer it.

Changes

We may update this policy as the platform evolves. Material changes will be announced in-app and through the operator's registered email address (where one is on file). The effective date at the top of this page reflects the most recent revision.

Contact

Questions about this policy, requests to exercise privacy rights, or regulatory inquiries: justinbordner@chronictrace.com.