Data handling
Summary of data in Veridian Motion. See Data model & privacy for detail.What we collect
| Data | Source | Purpose |
|---|---|---|
| Patient record | Manual admin enrollment | Authentication, roster |
| Patient ID + PIN hash | Enrollment | Portal sign-in |
| Body-map selections | Patient portal | Triage context |
| Complaint text | Patient portal | Triage context |
| Questionnaire responses | Patient portal | Triage context |
| Posture photos (up to 4) | Patient portal | PT review |
| AI exercise plan | Server | PT review until approved |
| PT notes | PT | Clinical record; optional patient share |
| Messages | Staff + patient | Append-only internal record |
| Staff accounts + roles | Admin | Dashboard access |
| Audit events | Platform | Hash-chained; no PHI in payload |
What we do not collect in logs
- Clinical narrative in application logs
- Raw photos in audit entries
- AI prompt/response content in standard logs
Where data lives
United States regions via Lovable Cloud / Supabase unless dedicated environment under contract.Retention and deletion
Per agency agreement. Export window at contract end; deletion procedures and certificates on request.PDF export
Staff may export assessment PDF from the dashboard. No automated email export in the current release.What’s next
HIPAA
BAA framing.
Incident response
Incident procedures.
