Plain-English Summary
TinyHumanMD is a decision-support website. It is not a healthcare provider platform, not an EHR, and not a substitute for institutional privacy governance. You are responsible for lawful data handling in your environment, and your organization remains responsible for compliance, supervision, and implementation controls.
This policy defines boundaries and responsibilities. It does not provide legal advice or create enterprise compliance guarantees.
1. Policy Purpose
This Privacy Policy explains how TinyHumanMD approaches information handling boundaries, legal allocation, and user responsibility. It is designed for healthcare-adjacent use where ambiguity can create significant operational risk.
2. Scope
This policy applies to pages and tools served by TinyHumanMD. It does not apply to external websites, linked references, or third-party systems not controlled by the site operator.
3. Definitions
"Personal Information" and "Sensitive Data" carry their applicable legal meanings in your jurisdiction. "PHI" refers to Protected Health Information where HIPAA applies. "Local Environment" means your own endpoints, browsers, networks, and institution-managed systems.
4. Service Characterization
TinyHumanMD is an informational decision-support interface. It is not an EHR/EMR, not a telehealth service, not a chart repository, and not a treatment platform.
5. No Account-Based Custody Assumption
Core access does not require account creation. You must not assume this site performs the enterprise custodial record obligations that regulated systems normally provide.
6. User Input Responsibility
You are solely responsible for what you enter, interpret, copy, export, and implement. Do not enter information you are not authorized to process.
7. Data Minimization Expectations
Use only information necessary for lawful purposes. Avoid direct identifiers unless explicitly required and permitted by applicable policy and law.
8. Endpoint Security Responsibility
You are responsible for workstation security, browser profile hygiene, session handling, physical access controls, and secure network usage in your environment.
9. Institutional Governance Responsibility
Institutions remain responsible for legal review, compliance sign-off, training, supervision, escalation rules, and audit readiness. TinyHumanMD does not replace internal governance programs.
10. HIPAA and BAA Position
TinyHumanMD is not represented as a covered-entity service, not represented as a Business Associate service, and does not create a Business Associate Agreement through website access.
11. Third-Party Infrastructure and Links
Third-party services and linked resources are governed by their own terms and privacy notices. TinyHumanMD does not control and does not warrant third-party privacy practices.
12. Cross-Border Use
If you access the site across jurisdictions, you are responsible for compliance with local legal requirements, including transfer restrictions, professional obligations, and institutional rules.
13. US State Rights Overlay
Where state privacy laws apply, users may have rights such as access, correction, deletion, portability, and appeal, subject to statutory scope and verification requirements.
14. UK/EU Rights Overlay
Where UK GDPR or GDPR applies, rights may include access, rectification, erasure, restriction, objection, and complaint rights, subject to lawful exceptions and verification standards.
15. Children
This site is intended for trained adults and is not directed to children for independent use.
16. Security Limitations
No internet service guarantees perfect confidentiality, integrity, or availability. Users and institutions must plan for residual cyber, infrastructure, and human-factor risk.
17. Retention and Deletion Boundaries
Institutions are responsible for retention and deletion policies for records created through operational use of outputs. TinyHumanMD does not replace local lifecycle management duties.
18. Audit Expectations
For operational use, maintain local records showing who reviewed outputs, what references were checked, and what final authorization was applied before implementation.
19. Policy Changes
This policy may change at any time. Updates are effective when posted. Institutions should track policy revisions through their own change-management processes.
20. Contact and Requests
Privacy questions and rights requests may be submitted through the official contact channel. Request processing may require identity and authority verification.
21. Interpretation Rules
This policy should be read together with the Terms of Use. Where ambiguity exists, interpretation should preserve non-treatment status and user-side implementation responsibility, unless mandatory law requires otherwise.
22. Final Privacy Statement
TinyHumanMD provides informational support. Legal compliance, privacy controls, supervisory governance, and implementation outcomes remain the responsibility of users and their institutions.
Operational Privacy Guidance Annex (Non-Contractual)
This annex provides practical guidance, not additional contractual guarantees. Organizations should maintain approval pathways for external tools and clearly define allowed and prohibited use cases.
Recommended controls include role-based access governance, mandatory verification for sensitive outputs, escalation procedures for ambiguous results, and periodic competency checks for staff using calculators in operational contexts.
Organizations should document data-entry boundaries, maintain provenance notes for critical values, and require supervisory review in scenarios where context gaps could materially alter outcomes.
For cross-site operations, establish jurisdiction-specific overlays so teams do not apply one region's assumptions to another region's legal environment without review.
For quality assurance, perform periodic audits to detect drift in user behavior, shortcuts in validation, or overreliance on convenience workflows in high-consequence settings.
When uncertainty persists, escalation and delay are safer than unvalidated implementation.
Extended Governance Addendum
G-1. Data Classification Governance
Organizations should map every field used with TinyHumanMD into a documented classification scheme that distinguishes public, internal, sensitive, and regulated categories. Classification decisions should be reviewed periodically as laws and operational contexts change.
Control implementation for G-1 should be assigned to named owners, tracked in governance documentation, and tested through periodic review. Where legal uncertainty remains, institutions should defer operational use until qualified counsel and clinical leadership confirm an acceptable path.
G-2. Role-Based Authorization Discipline
Access to operational workflows that reference calculator outputs should be role-scoped. Teams should avoid broad role grants that allow unsupervised use in contexts requiring senior review.
Control implementation for G-2 should be assigned to named owners, tracked in governance documentation, and tested through periodic review. Where legal uncertainty remains, institutions should defer operational use until qualified counsel and clinical leadership confirm an acceptable path.
G-3. Change-Control Review Cycles
When formulas, references, or interpretation rules change, organizations should run structured impact assessments before broad deployment. Impact review should cover legal, clinical, and training consequences.
Control implementation for G-3 should be assigned to named owners, tracked in governance documentation, and tested through periodic review. Where legal uncertainty remains, institutions should defer operational use until qualified counsel and clinical leadership confirm an acceptable path.
G-4. Clinical-Safety Escalation Standards
Policies should define explicit trigger points where outputs cannot be used until senior supervision confirms context and appropriateness. Escalation should be mandatory for unresolved ambiguity.
Control implementation for G-4 should be assigned to named owners, tracked in governance documentation, and tested through periodic review. Where legal uncertainty remains, institutions should defer operational use until qualified counsel and clinical leadership confirm an acceptable path.
G-5. Documentation Provenance Requirements
For high-consequence use, teams should preserve provenance for key inputs and final authorization steps. Provenance records help prevent silent drift and support post-event root-cause analysis.
Control implementation for G-5 should be assigned to named owners, tracked in governance documentation, and tested through periodic review. Where legal uncertainty remains, institutions should defer operational use until qualified counsel and clinical leadership confirm an acceptable path.
G-6. Incident Readiness Expectations
Institutions should predefine incident channels for privacy events involving endpoint exposure, mistaken data entry, or unauthorized sharing. Readiness includes ownership clarity and communication paths.
Control implementation for G-6 should be assigned to named owners, tracked in governance documentation, and tested through periodic review. Where legal uncertainty remains, institutions should defer operational use until qualified counsel and clinical leadership confirm an acceptable path.
G-7. Third-Party Dependency Governance
Any external dependency used alongside TinyHumanMD should be vetted independently for legal and security fit. Dependency approval should be revisited when vendor policies change materially.
Control implementation for G-7 should be assigned to named owners, tracked in governance documentation, and tested through periodic review. Where legal uncertainty remains, institutions should defer operational use until qualified counsel and clinical leadership confirm an acceptable path.
G-8. Training and Competency Maintenance
Operational users should receive initial and recurring training emphasizing limitations, verification duties, and prohibited shortcuts. Competency drift is a known risk in repetitive workflows.
Control implementation for G-8 should be assigned to named owners, tracked in governance documentation, and tested through periodic review. Where legal uncertainty remains, institutions should defer operational use until qualified counsel and clinical leadership confirm an acceptable path.
G-9. Data Lifecycle Enforcement
Retention, archival, and deletion rules should be aligned with organizational policy and legal requirements. TinyHumanMD output use does not remove institutional record-management obligations.
Control implementation for G-9 should be assigned to named owners, tracked in governance documentation, and tested through periodic review. Where legal uncertainty remains, institutions should defer operational use until qualified counsel and clinical leadership confirm an acceptable path.
G-10. Cross-Jurisdiction Operational Controls
Multi-region teams should maintain explicit jurisdiction overlays to prevent one region's assumptions from being applied in incompatible legal environments.
Control implementation for G-10 should be assigned to named owners, tracked in governance documentation, and tested through periodic review. Where legal uncertainty remains, institutions should defer operational use until qualified counsel and clinical leadership confirm an acceptable path.