Privacy Policy
Effective July 3, 2026
Overview
UNCRASH™ is a clinical documentation and quality improvement tool for authorized healthcare professionals. This policy describes what data we collect, how it is stored, and how it is used. We collect only what is necessary to provide the service and support quality improvement research.
UNCRASH™ is currently distributed as a structured pilot program via TestFlight. Use is restricted to authorized clinicians, resuscitation teams, ACLS instructors, simulation programs, and institutional QI partners.
Data We Collect
- Account information — email address and authentication credentials for users who sign in with an account. UNCRASH™ also supports guest (device-only) access — no email or account required. Guest sessions are tied to the device and role selected at onboarding.
- Professional profile — role (e.g. RN, attending physician, ACLS instructor), primary hospital or institution, and clinical unit (e.g. ICU, ED). This information is used to attribute quality improvement data to your institution.
- Code session data — timestamped event logs generated during resuscitation documentation, including CPR cycles, rhythm identifications, medication administration times, shock delivery, airway management, and outcomes. Also includes suspected arrest etiology (e.g. Cardiac, Respiratory, Metabolic), patient age bracket, and code location type (e.g. ICU, ED). This data does not include patient names, medical record numbers, dates of birth, or other direct patient identifiers. Sessions flagged as simulation or training runs (mock code mode) are stored separately and are never mixed with clinical records.
- Post-arrest management data — structured checklist of post-ROSC interventions (e.g. fever prevention, vasopressors, EKG ordered) and EKG interpretation (STEMI / No STEMI), timestamped at the time of action.
- Post-arrest assessment data — structured quality metrics including compression quality rating, team communication assessment, equipment notes, and debrief notes entered after a resuscitation event.
- Desktop transfer codes — temporary session data used to transfer a report to a desktop computer. These codes expire automatically and are purged nightly.
- Device and usage data — basic app diagnostics to maintain service reliability. No advertising identifiers are collected.
Free-Text Fields & PHI
UNCRASH™ does not require entry of patient-identifying information. The app is designed so that all structured data (rhythms, medications, outcomes) is captured through button taps with no free-text entry required.
Free-text fields (addend notes, debrief notes, equipment failure comments) display explicit warnings against entering patient names, MRNs, or room numbers. These fields are processed through an automated scrubber that detects and removes common identifying patterns before storage.
Users assume responsibility for compliance with their institution's privacy policies when using free-text features.
How Data Is Stored
All data is stored on Supabase infrastructure, hosted on AWS in the United States. Data is encrypted in transit (TLS) and at rest. Row-level security policies ensure each user can only access their own records.
Desktop transfer codes are temporary and purged nightly by an automated cleanup process.
You can request deletion of your account and all associated data at any time using the Delete Account option within the app, or by contacting us directly.
How Data Is Used
- To provide real-time resuscitation documentation and code narrative generation.
- To enable desktop transfer of code reports via temporary codes.
- To generate debrief metrics for individual and institutional quality improvement.
- To support aggregate, de-identified benchmarking of resuscitation performance across institutions where permitted.
- To contribute to future quality improvement research and publications. Data used for research purposes is aggregated and de-identified — no individual physician or patient is identifiable in any publication.
We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as required to operate the service (Supabase infrastructure).
HIPAA & Compliance Status
Current status: Structured pilot program (TestFlight distribution) — no signed Business Associate Agreement (BAA) in place.
UNCRASH™ is designed to minimize collection of protected health information (PHI) through the following technical safeguards:
- No patient names, MRNs, dates of birth, or direct identifiers are collected or stored.
- Timestamps are de-identified — only hour of day and day of week are stored for shift-pattern analysis, not absolute dates.
- Free-text fields are processed through an automated PHI scrubber before storage.
- Row-level security prevents any user from accessing another user's data.
- Temporary clinical transfer data is automatically deleted nightly.
A Business Associate Agreement with our infrastructure provider is planned prior to broad institutional distribution. During the current pilot phase, users should not use this app as a primary PHI storage system. Users are responsible for ensuring their use complies with their institution's policies and applicable regulations.
Data Retention & Deletion
Code session data is retained until you delete your account or request removal. You may delete your account at any time using the Delete Account option in the app settings. Account deletion requests are processed within 30 days.
You may also request export or deletion of your data by contacting us directly.
Children's Privacy
UNCRASH™ is intended for use by licensed healthcare professionals and is not directed at individuals under 17 years of age.
Changes to This Policy
We may update this policy as the app evolves. Material changes will be communicated via the app or by email. Continued use after changes constitutes acceptance.
Contact
Questions, data requests, or deletion requests:
uncrash.support@gmail.com
UNCRASH™ · For authorized clinical use only