Legal

Privacy Policy

Under counsel review. This policy is current as of the date below and reflects UNMIRI's intended data-handling practices. It remains subject to legal review before execution with any customer under a Master Services Agreement or Business Associate Agreement.
Last updated: April 21, 2026
Questions: privacy@unmiri.com

1. Introduction

UNMIRI LLC (“UNMIRI,” “we,” “us,” “our”) operates the website at unmiri.com and provides software that converts next-generation sequencing (NGS) reports into structured clinical decision-support summaries. This Privacy Policy describes how we collect, use, disclose, and protect personal information from visitors to our website and prospective customers.

UNMIRI LLC is a Pennsylvania limited liability company headquartered in Langhorne, Pennsylvania. PA Entity #0013556484.

2. Scope and relationship to HIPAA

This Policy applies to personal information we collect from visitors to unmiri.com and from prospective customers who contact us. It does not govern Protected Health Information (PHI).

When UNMIRI processes PHI on behalf of a HIPAA-covered entity (including diagnostic laboratories), such processing is governed exclusively by the Business Associate Agreement (BAA) executed between UNMIRI and that customer, together with the HIPAA Privacy Rule and Security Rule. Where this Policy conflicts with an executed BAA with respect to PHI, the BAA controls.

3. Information we collect

Information you provide directly

  • Contact-form submissions: name, work email, company or organization, role, and any free-text context you include (submitted via /contact).
  • Scheduled calls: information you share when booking a call via our scheduling tool (Cal.com), governed additionally by that provider's privacy terms.
  • Email correspondence with UNMIRI.

Information collected automatically

  • Server logs: IP address, user-agent, request path, timestamp, and response status. Used for security, debugging, and abuse prevention.
  • Cookies: strictly necessary cookies for site operation and, where you consent, privacy-respecting analytics cookies. No third-party advertising trackers.

Information processed under a BAA (PHI)

Under an executed BAA, UNMIRI receives NGS report data and clinical context from the covered entity and processes it to produce decision-support output. PHI is handled per the BAA and described in the data-flow diagram available under NDA on request. PHI is never collected via this website.

4. How we use information

  • Respond to inquiries and schedule conversations.
  • Provide services to customers under executed MSAs and BAAs.
  • Maintain website operation, security, and performance.
  • Send transactional messages (e.g., replies to your inquiry). We do not send unsolicited marketing email.
  • Comply with legal obligations.
  • Detect and prevent fraud, abuse, or unauthorized access.

We do not use personal information collected through the website for automated decision-making that produces legal or similarly significant effects on individuals.

6. Sharing and subprocessors

We share personal information with service providers (“subprocessors”) that help us operate the website and services. Each subprocessor is contractually bound to confidentiality and, where PHI is involved, to a Business Associate Agreement. Our current subprocessors:

  • Vercel — website hosting and edge delivery. BAA in place for PHI workflows.
  • AWS — UNMIRI's architecture is built on AWS for the primary PHI path: RDS Postgres for structured clinical data, encrypted S3 (SSE-KMS, access-logged) for document storage, and Textract for PDF extraction. A separate transient S3 bucket serves as Textract input and auto-deletes via lifecycle rule after extraction. All AWS services operate under a single AWS BAA.
  • Anthropic — LLM API, used narrowly for extraction edge cases and long-tail variant fallback on de-identified data only. BAA in place (HIPAA-ready API tier).
  • Cal.com — scheduling links from /contact. Governed by Cal.com's own privacy terms.

A canonical subprocessor list is published at /security/subprocessors and updated within 10 business days of any material change. Covered-entity customers receive email notification of changes affecting their PHI.

We do not sell personal information. We do not share personal information with advertisers or data brokers.

We may also disclose information (a) to comply with a valid legal process; (b) to protect the rights, property, or safety of UNMIRI, our customers, or the public; or (c) in connection with a merger, acquisition, or asset sale, where the recipient is bound to equivalent privacy terms.

7. Data retention

  • Contact-form submissions: retained until the inquiry is resolved, then up to 2 years for recordkeeping.
  • Server logs: retained for 90 days, unless a longer period is required for security investigation or legal obligation.
  • Email correspondence: retained for the duration of the customer relationship or as required by law.
  • PHI (under BAA): retained per the customer's BAA (default: 30 days following delivery of the processed output, unless the lab specifies a shorter retention or longer retention is required for audit).
  • Audit logs (for PHI access events): 7 years, aligned with HIPAA Breach Notification Rule requirements.

8. Cookies and tracking

We use cookies sparingly:

  • Strictly necessary cookies for session management and security. Cannot be disabled.
  • Analytics cookies (where enabled) for aggregated, privacy-respecting usage metrics. Not used for cross-site tracking or advertising.

We do not use third-party advertising cookies or social-tracking pixels. We honor Global Privacy Control (GPC) and Do Not Track signals where technically feasible.

9. Your rights

Depending on your jurisdiction, you may have rights to:

  • Access personal information we hold about you.
  • Correct inaccurate information.
  • Delete personal information, subject to legal exceptions.
  • Port your data to another service, where applicable.
  • Object to or restrict processing, where applicable.
  • Withdraw consent at any time (without affecting prior processing).
  • California residents: additional rights under the CCPA/CPRA, including the right to know and the right to opt out of sale (we do not sell).
  • EU/UK residents: rights under GDPR Articles 15–22, and the right to lodge a complaint with your supervisory authority.

To exercise these rights, email privacy@unmiri.com with enough information for us to verify your identity. We respond within 30 days (or the period required by applicable law).

10. Security

UNMIRI uses the same HIPAA-ready infrastructure for the website and service that is documented on the security page. Technical safeguards include:

  • TLS 1.3 for data in transit.
  • AES-256 encryption at rest.
  • Role-based access controls with multi-factor authentication.
  • Immutable audit logging for PHI-relevant events.
  • Automated dependency scanning and annual penetration testing.

No system is perfectly secure. If you believe you have identified a vulnerability, email security@unmiri.com.

11. Children's privacy

UNMIRI's services are B2B and not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, email privacy@unmiri.com and we will delete it.

12. International users

UNMIRI processes and stores data exclusively in the United States. If you access the website from outside the US, your information will be transferred to and processed in the US, which may have different data-protection laws than your home jurisdiction.

UNMIRI does not currently onboard customers outside the United States.

13. Changes to this Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent revision. Material changes that affect existing customers will be communicated by email with reasonable notice before taking effect. Website visitors should check this page periodically.

14. How to contact us

Privacy questions, data-subject requests, and related correspondence:

This Privacy Policy is provided for informational purposes and does not constitute legal advice. If you are evaluating UNMIRI as a vendor and require a customized privacy or data-processing addendum, email compliance@unmiri.com.