Privacy Policy
Effective date: January 1, 2026
Reed's Reach Foundation is a 501(c)(3) nonprofit dedicated to supporting families affected by 15q13.3 deletion syndrome. This privacy policy explains how we collect, use, and protect your information when you use the 15q13.3 Patient Registry.
We built this registry for families like yours. We know you are trusting us with sensitive information about your child, and we take that responsibility seriously.
What We Collect
When you use the registry, we may collect:
- Demographics -- name, date of birth, sex, contact information
- Genetic test results -- deletion coordinates, inheritance pattern, lab reports
- Clinical observations -- seizure history, developmental milestones, diagnoses
- Medications -- current and past medications, dosages, responses
- Caregiver-reported outcomes -- quality of life, behavioral observations, developmental progress
- Account information -- email address, authentication credentials
All clinical data is stored in FHIR R4 format, the international standard for health information exchange.
How We Use Your Data
- To maintain your child's health profile within the registry
- To provide personalized guidance through our AI-powered Guide assistant
- To generate de-identified, aggregate insights for the 15q13.3 community
- To support approved research studies (only with your consent, and only in de-identified form)
Lawful Basis for Processing
We process your data based on your explicit consent, which you provide when creating an account and enrolling in the registry. You may withdraw consent at any time by contacting us at privacy@reedsreach.org.
Data Storage and Security
Your data is protected by multiple layers of security:
- Infrastructure: All data is stored in the Google Cloud Healthcare API, which is HIPAA-compliant with a Business Associate Agreement (BAA) in place.
- Encryption: All data at rest is encrypted using customer-managed encryption keys (CMEK). Data in transit is encrypted via TLS.
- Authentication: We use Firebase Authentication with mandatory multi-factor authentication (MFA) for all accounts.
- Network security: All services operate within a VPC Service Controls perimeter, preventing data exfiltration.
- Audit trail: Every data change is recorded with provenance information for regulatory compliance.
AI Assistant
The registry includes an AI-powered Guide that helps you navigate intake forms and understand your child's profile. This assistant runs on Vertex AI Model Garden within Google Cloud. Your data stays entirely within our Google Cloud environment and is never sent to external AI services.
Data Sharing
We do not sell your data. We do not share your data with advertisers.
De-identified data may be shared with researchers who have been approved through our Data Access Group (DAG) review process. De-identification follows HIPAA Safe Harbor standards. You will always be informed about active research studies, and you can opt out of data sharing at any time.
Third-Party Processors
We use the following services to operate the registry:
- Google Cloud Platform -- infrastructure, data storage (Healthcare API), and compute services. Covered by a BAA and an Assured Workloads compliance regime.
- Firebase Authentication -- account management and multi-factor authentication. Part of Google Cloud.
- Vertex AI (Google Cloud) -- powers the Guide AI assistant. Data remains within our Google Cloud project.
We do not use any third-party analytics, advertising, or tracking services.
International Transfers
All data is stored and processed within the United States using Google Cloud Assured Workloads. We do not transfer data internationally.
Data Retention
We retain your data for 7 years in accordance with healthcare compliance requirements. After this period, data is securely deleted. You may request earlier deletion by contacting us, subject to any legal retention obligations.
Your Rights
You have the right to:
- Access your data and receive a copy in a portable format
- Correct inaccurate information
- Request deletion of your data
- Withdraw consent for data processing
- Opt out of research data sharing
- Know what data we have collected about you
To exercise any of these rights, email privacy@reedsreach.org.
California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act. We do not sell personal information. We do not share personal information for cross-context behavioral advertising. You may request disclosure of the categories and specific pieces of personal information we have collected by contacting privacy@reedsreach.org.
Cookies
We use a single functional cookie (__session) for Firebase Authentication session management. This cookie is strictly necessary for the registry to function and does not track your activity across other websites.
We do not use analytics cookies, advertising cookies, or any other tracking technologies. Because we only use a cookie that is strictly necessary for the service you requested, no cookie consent banner is required under GDPR.
Children's Privacy
The registry is designed for caregivers to manage health profiles on behalf of children with 15q13.3 deletion syndrome. Caregivers, not children, create accounts and enter data. We do not knowingly collect information directly from children under 13.
Changes to This Policy
We will notify registered users by email before making material changes to this policy. The effective date at the top of the page will be updated.
Contact
For privacy questions or requests, contact our Data Protection Officer:
privacy@reedsreach.org
Reed's Reach Foundation