Effective 2026-06-15 · v2026-06-15.1

Thylib Privacy Policy

This Policy describes what Thylib collects, how we use it, who we share it with, and the rights you have — including the heightened rights that apply to consumer health data under state law.

1. What we collect

  • Account information — your Google account ID, email, display name, and self-declared country of residence.
  • Health records (consumer health data) — when you connect a patient portal that supports SMART on FHIR (e.g. Epic MyChart), we sync the FHIR resources you authorize: Patient, Condition, Observation (labs, vitals), MedicationRequest, AllergyIntolerance, Immunization, Procedure, DiagnosticReport, DocumentReference, and Encounter. Portal authorization tokens are stored encrypted at rest using Google Cloud KMS. We never see or store your patient-portal password.
  • Audit log — records of when you signed in, which tools you ran, and what records were accessed. Retained as a tamper-evident security record.
  • Billing information — handled by Stripe. We store only Stripe-issued customer/subscription identifiers and your subscription-consent records; we never receive or store your card number.

We do not collect advertising identifiers, and we do not use tracking pixels or third-party advertising cookies.

2. How we use it

We use the data above to (a) provide the features of the service, (b) process payments, (c) send transactional email (renewal reminders, billing notices, invitations), (d) detect abuse and secure the service, (e) respond to your support requests, and (f) comply with legal obligations.

We do not sell your personal information. We do not share your health data for advertising. We do not use your health data to train AI models. We do not process your health data for any purpose you have not consented to.

3. Consent for consumer health data

We collect and process your health records only with your consent, given when you connect a provider portal. Each connection is authorized by you, scoped by your provider's patient-access interface, and can be revoked at any time from the connections page (revocation stops future syncs; you can also delete already-synced data as described in §5).

We do not share your consumer health data with third parties except the subprocessors in §4 (who act on our instructions) and the optional AI integration in §4a (which only ever runs at your direction, after separate consent). We will never condition the core service on consent to share health data with anyone else.

4. Subprocessors

Subprocessor                                           Role                                             Data category
Google Cloud (BigQuery, GCS, Cloud KMS, Cloud Run)     Hosting, storage, encryption                     Health records; encrypted tokens
Stripe                                                 Subscription billing                             Email, billing identifiers (no card numbers)
Resend                                                 Transactional email delivery                     Your email address, email contents (no health records)
Your healthcare provider (Epic, Oracle Health, etc.)   Source of the FHIR records you elect to import   Health records you authorize

4a. Optional AI assistant integration

If you elect to use the optional MCP integration to query your own records through a third-party AI assistant (Claude, ChatGPT, Gemini, or another MCP client), the records responsive to your queries are delivered to that AI provider. Their privacy and retention policies apply once data leaves us. This flow is off by default, requires your separate acceptance of the AI/LLM Disclosure, and can be revoked at any time.

5. Retention and deletion

  • Health records: retained while your family subscription is active. After your subscription lapses, this data is retained for one year (so you can reactivate without re-importing), then permanently and irreversibly destroyed. You may request immediate destruction at any time by deleting the family or your account; destruction completes within seven days.
  • Account information: retained for the lifetime of your account; anonymized on deletion.
  • Audit log: retained as an append-only security record; not deleted on account deletion, in order to preserve a tamper-evident history.
  • Billing and consent records: subscription, refund, and subscription-consent records are retained for seven years after each transaction (tax, accounting, and consumer-protection law require us to keep proof of charges and of your consent).

6. Your rights

For all users, regardless of state: you can access, export, correct, and delete your data using the self-service controls below, or by emailing privacy@thylib.com.

  • Access / export: download a complete export of your data from the account page.
  • Delete: delete your account or family from the account page; health-record destruction follows §5.
  • Correct: correct your account profile in Settings. (Health records are synced copies — corrections to the underlying chart must be made with your healthcare provider; we will re-sync them.)
  • Withdraw consent: disconnect any provider connection, or revoke the AI integration, at any time.

California residents have these rights under the CCPA/CPRA and CMIA, including the right to know, to delete, to correct, and to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of.

Washington residents (and residents of other states with consumer health data laws, including Nevada): you have the right to confirm whether we collect, share, or sell consumer health data, to withdraw consent, and to have your consumer health data deleted. We do not sell consumer health data and will not do so without the separate, signed authorization those laws require. To exercise these rights, use the self-service controls above or email privacy@thylib.com; if we decline a request, you may appeal by replying to our decision, and we will respond to your appeal as those laws require.

We will not discriminate against you for exercising any privacy right.

7. Security and breach notification

We protect your data with encryption in transit (TLS), encryption at rest, KMS-wrapped storage for portal tokens, audit logging of every read of health records, least-privilege access controls, and US-only data residency on Google Cloud.

As a vendor of personal health records, we are subject to the FTC Health Breach Notification Rule. If a breach of security results in unauthorized acquisition of your unsecured identifiable health data, we will notify you and the FTC (and, where required, state regulators) within the timelines those rules require.

8. Children

Thylib is not directed to children under 13, and we do not knowingly accept sign-ups from anyone under 18. A parent or legal guardian may connect and manage a minor's health records within their family, subject to their legal authority to do so and to their provider's own proxy-access rules.

9. Changes to this Policy

Material changes are presented for your re-acceptance on next sign-in. Non-material changes are announced by email; the version string above identifies the document you accepted.

10. Contact

privacy@thylib.com