Privacy Policy
Last updated: July 2026
1. Who We Are
2. Information We Collect
We collect information you provide directly:
- Account data: name, email address, and password (stored securely via Supabase Auth)
- Profile and scenario data: fictional patient profiles and simulation scenarios you create
- Simulation transcripts: conversation logs from AI Patient Simulator practice sessions
- EMR exercise data: charting entries, orders, scores, and completion records from Clinical Skills EMR sessions
- Inventory records: asset, consumable, and space data you enter into the Inventory Manager
- Billing information: payment processing is handled by Stripe; we do not store card details
- Institution data: for institutional accounts, we store seat assignments, member roles, and access configurations set by institution administrators
We also collect limited technical data automatically:
- Usage analytics: page views, referrer, device type, browser, and approximate region — collected via Vercel Web Analytics (see Section 5)
- Session data: authentication session tokens stored in secure httpOnly cookies
3. How We Use Your Information
- To provide, operate, and improve the Service and its three products
- To authenticate your account and maintain your session
- To process subscription payments via Stripe
- To send transactional emails (account invites, receipts, password resets) via Resend
- To enable institution administrators to manage seat access and shared case libraries
- To understand aggregate usage patterns and improve the platform
- To respond to support requests
We do not sell your data to third parties. We do not use your data for advertising.
4. AI Processing
Conversations in the AI Patient Simulator are sent to Anthropic's Claude API to generate AI responses. Anthropic processes this data subject to their own privacy policy.
All profile content in OneSim is fictional and intended for simulation purposes only. Do not enter real patient names, real medical record numbers, or any actual patient data into any OneSim product.
5. Analytics
We use Vercel Web Analytics to understand how the platform is used. Vercel Analytics is privacy-first: it does not use cookies, does not track users across sites, and does not collect personally identifiable information. It records page views, device type, browser, operating system, referrer, and approximate country using a daily-resetting hash that cannot be used to identify individual visitors.
No analytics data is sold or shared with advertisers. We do not use Google Analytics, Meta Pixel, or any other third-party advertising trackers.
6. Voice Data
7. Cookies
We use cookies for the following purposes only:
- Authentication (strictly necessary): Supabase Auth sets a secure, httpOnly session cookie to keep you logged in. This cookie is required for the Service to function and cannot be disabled.
We do not use advertising cookies, third-party tracking cookies, or cross-site analytics cookies. Vercel Analytics does not set cookies.
8. Data Storage and Security
Your data is stored in Supabase (hosted on AWS). We use row-level security policies to ensure users can only access their own data. Institution members can only access institution-scoped content as configured by their administrator. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
Stripe handles all payment card data and is PCI-DSS certified. We never store card numbers or CVVs.
9. Institutional Accounts
10. Data Retention
11. Your Rights
Depending on your location, you may have rights to access, correct, export, or delete your personal data. You may also have the right to object to or restrict certain processing.
To exercise any of these rights, email info@myonesim.com. Institution administrators may also manage member accounts through the admin panel. We will respond within 30 days.
