Privacy, in plain terms — not buried in legalese.
How this site handles personal data: cookieless analytics, what happens to anything you submit, the processors that operate the platform, how long data is kept, and the rights you can exercise.
How Valentra Labs handles your data
This notice explains how the Valentra Labs website handles personal data: the analytics we run, what happens to anything you submit through a form, the processors that operate the platform, how long data is kept, and the rights you can exercise. It is written to be read, not to be hidden behind legalese. Valentra Labs is a healthcare-focused vendor; the site itself is designed to process no Protected Health Information (PHI).
Cookies and analytics
Analytics on this site run through Plausible, which is cookieless: it measures aggregate traffic without setting tracking cookies and without building cross-site visitor profiles. The site sets no third-party tracking cookies, and no third-party trackers run on the forms where you might type free text.
The only cookies the site sets are first-party state cookies (for example, a visit-state and a role-context cookie) used to remember where you are in a flow. They carry no personally identifying information and are not shared with third parties. Because analytics are cookieless, there is no analytics cookie to consent to.
Form data handling
Forms on this site are for business contact, not for clinical data. Every form that accepts free text carries the same instruction: “Do not include patient information.”
To enforce that boundary, free-text fields are scrubbed server-side for likely PHI before any submission is written to durable storage. The scrub targets common patient-identifier patterns — Social Security numbers (SSN), medical record numbers (MRN), a date of birth paired with a name, and a phone number paired with a date of birth. Submissions are used only to respond to your inquiry; we do not sell contact data or add you to unrelated lists.
Named processors
The platform is operated with a small set of named subprocessors. A Business Associate Agreement (BAA) is available — and executed before any PHI-adjacent data flows — for the processors that store or transmit potentially PHI-adjacent submissions. Where a processor in the request path is not yet BAA-covered (Vercel on its Pro tier), the server-side PHI scrub performed before any durable write is the compensating control. Each links to its own privacy policy.
- Postmark Enterprise — BAA available on request. Transactional email (may carry confirmation copy). Privacy policy
- Supabase — BAA available on request. Durable queue (stores free-text fields that may carry PHI scrubber-misses). Privacy policy
- Slack Enterprise Grid — BAA available on request. Ops alerting (channels may receive PHI-adjacent free text). Privacy policy
- Sanity — BAA available on request. CMS (may carry PHI-adjacent operator copy). Privacy policy
- Vercel — No BAA. No BAA on Pro tier — accepted Wave-1 risk. The form handler runs on a BAA-covered runtime if forms ever carry PHI; server-side PHI scrub BEFORE queue write is the Wave-1 compensating control. Privacy policy
- Beehiiv — No BAA. No BAA — the newsletter is opt-in marketing, not PHI. Privacy policy
- Plausible — No BAA. No BAA — cookieless analytics, no PII processed. Privacy policy
Data retention
Form submissions enter a durable queue so that a transient failure never drops a legitimate inquiry. Delivery is retried with exponential backoff up to five attempts; anything that still cannot be delivered is moved to a dead-letter store for manual replay behind authenticated access, rather than being silently lost. Operational backups are retained on a short rolling window (on the order of a week) with point-in-time recovery. These windows are conservative operational defaults and may be tightened; they are reviewed before launch.
Your rights
You can request access to the personal data we hold about you, ask us to correct it, or ask us to delete it. To exercise any of these, email privacy@valentralabs.com and we will respond. Because the site is built to avoid collecting PHI, most requests concern ordinary business-contact details.
Contact
Questions about this notice or about how Valentra Labs handles personal data can be sent to privacy@valentralabs.com.