Privacy Policy
How Longipath collects, uses, stores, and shares your personal and health information — including data synced from connected wearables and conversations with our in-app AI assistant.
1. Who we are
Longipath is a longevity and preventive-health program operated by Longipath (“Longipath,” “we,” “us”). The Longipath member portal at vitalpath-app.bjruss.workers.dev lets enrolled members view biomarker results, connect compatible wearables, communicate with their care team, and access educational material curated for their program.
This policy applies to the Longipath marketing site and the Longipath member portal. It does not govern the standalone clinical records held by Longipath's licensed clinicians, which are subject to provincial health-records legislation (in British Columbia, the Personal Information Protection Act and the E-Health Act).
2. Information we collect
Information you provide directly
- Account details: name, email, date of birth, emergency contact (optional).
- Health intake: medical history, current medications, lifestyle questionnaire responses, and goals that you choose to share with your care team.
- Messages and notes: any content you send through the in-app messaging feature or save to your personal notes.
Information we receive from clinical partners
- Laboratory results: biomarker panels ordered through your care team, including reference ranges and interpretive context.
- Genetic test results: when your physician orders a clinical genetics panel (pharmacogenomics, hereditary cancer, familial hypercholesterolemia) or you have consented to APOE testing after pre-test counseling.
- Care plan updates: recommendations, medication changes, and follow-up tasks recorded by your clinician.
Information we receive from connected devices
- Oura Ring data (if you connect your ring) — see Section 4 below.
- Other wearables as we add them. Each integration is opt-in and individually listed on the Wearables page.
Information we collect automatically
- Authentication and session data: login timestamps, session tokens, device fingerprint for security.
- Usage telemetry: which pages you visit within the portal, aggregate timing, and error reports. We do not use third-party advertising or analytics trackers.
3. How we use information
We use your information to:
- Deliver the Longipath program — surface your labs, trends, care plan, and communications.
- Allow your care team to review your data and personalize recommendations.
- Operate optional features such as wearable syncing and the in-app AI assistant (see next sections).
- Secure the service — detect abuse, prevent fraud, investigate incidents.
- Comply with legal obligations and respond to lawful requests.
We do not sell your personal information, and we do not use your health data for advertising.
4. Wearable integrations (Oura Ring)
When you click Connect Oura on the Wearables page, you are redirected to Oura's own consent screen to authorize Longipath. Oura issues us an OAuth access token scoped to the categories you approve (typically sleep, readiness, heart rate, activity, workouts, sessions, and tags).
What we sync
- Daily sleep, readiness, and activity scores and their contributor breakdowns.
- Per-night sleep sessions (duration, stages, average heart rate, HRV).
- Your Oura user identifier (so we can match incoming data to your account).
How we sync
Longipath polls the Oura API every five minutes and retrieves the last two days of data for the categories above. We cache the results in our database so the Wearables page loads quickly and to support trend analysis. We do not relay your Oura data to any third party other than the processors listed in Section 7.
How to disconnect
The Disconnect button on the Wearables page removes your Oura connection and deletes all cached Oura data from our database. To fully revoke Longipath's access on the Oura side, also visit cloud.ouraring.com → Account → Data Sharing and remove the Longipath application. (Oura does not currently expose a programmatic revoke endpoint to third-party apps.)
5. AI assistant & Azure OpenAI
The member portal includes a biomarker-contextual AI assistant. When you send a message, we forward it — along with a structured summary of the biomarker you are asking about (name, value, unit, reference range, basic status like “in range” or “elevated”) — to a private Microsoft Azure OpenAI deployment operated under our Azure subscription. We do not send your name, date of birth, contact details, care-team names, or free-text notes to Azure OpenAI.
Microsoft's Azure OpenAI service, under its standard terms, does not use customer inputs or outputs to train foundation models and retains prompt/response data only transiently for abuse monitoring. Longipath has not enabled any features that would change this (such as fine-tuning on member data).
AI responses are educational and are not a substitute for medical advice. Treat them the way you would treat an internet search result — a starting point for a conversation with your care team.
6. How we share information
We share personal information only in these circumstances:
- With your care team: the licensed clinicians delivering your Longipath program.
- With service providers (processors): companies that host, process, or secure data on our behalf under written contract (see next section).
- At your direction: any recipient you explicitly direct us to share with (for example, exporting a report to your family physician).
- For legal reasons: to comply with valid legal process, protect our rights, or prevent imminent harm.
- In a business transfer: if Longipath is acquired or merges, member data may transfer to the successor entity, subject to an equivalent privacy commitment.
7. Third-party processors
The following vendors process your data on our behalf. Each is bound by a data-processing agreement limiting use to providing services to Longipath.
| Processor | Purpose | Data regions |
|---|---|---|
| Cloudflare | Application hosting, edge compute, session storage (D1, KV, R2) | Global edge; primary DB region configurable |
| Microsoft Azure | AI assistant inference (Azure OpenAI), long-term storage for clinical records | Canada Central / Canada East |
| Oura Health | Source of wearable data (only with your OAuth consent) | EU / US |
| Email provider | Transactional email delivery (account, appointment reminders) | US |
We update this list as integrations change. For the current authoritative list, contact us (Section 13).
8. Retention & deletion
- Wearable data: cached as long as your connection is active. Deleted when you disconnect or close your account.
- AI assistant transcripts: retained in your portal for your review until you delete them or close your account. Azure's transient abuse-monitoring window applies on the inference side.
- Clinical records: retained as required by applicable health-records legislation (in British Columbia, typically 16 years after last contact for an adult, or to age 26 for a minor).
- Account and usage logs: retained up to 24 months after account closure, then deleted or anonymized.
You can request deletion at any time (Section 10). Some records may be retained where law requires it; we will tell you if that applies.
9. Security
We protect your data with TLS in transit, encryption at rest on managed Cloudflare and Azure storage, role-based access for our team, and audit logging on sensitive operations. No internet service can be perfectly secure, so we also commit to notifying affected members promptly (and regulators, where required) if a qualifying breach occurs.
10. Your rights
Depending on where you live, you may have rights to:
- Access a copy of the personal information we hold about you.
- Correct information that is inaccurate or incomplete.
- Delete your account and associated data, subject to legal retention obligations.
- Withdraw consent for optional processing (such as wearable syncing or AI chat) without affecting the rest of your program.
- Port your data to another provider in a machine-readable format.
- Complain to a supervisory authority — for BC residents, the Office of the Information and Privacy Commissioner (oipc.bc.ca).
To exercise any of these rights, contact us using the details below.
11. Children
Longipath is intended for members who are at least 18 years old. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.
12. Changes to this policy
We will post revisions on this page and update the “Last updated” date. For material changes affecting how we use health data, we will also notify you inside the portal before the change takes effect.
13. Contact
For privacy questions, requests, or complaints:
- Privacy Officer, Longipath
- Email: privacy@longipath.ca
We aim to respond to access or deletion requests within 30 days.