Legal
Privacy Policy
1. Introduction
UNMIRI LLC (“UNMIRI,” “we,” “us,” “our”) operates the website at unmiri.com and provides a precision oncology infrastructure platform across four product surfaces: a cross-vendor NGS interpretation API, a genomics-aware clinical decision support API, an oncology literature surveillance platform, and a free cross-vendor unification tool for clinicians. This Privacy Policy describes how we collect, use, disclose, and protect personal information from visitors to our website and prospective customers.
UNMIRI LLC is a Pennsylvania limited liability company headquartered in Langhorne, Pennsylvania. PA Entity #0013556484.
2. Scope and relationship to HIPAA
This Policy applies to personal information we collect from visitors to unmiri.com and from prospective customers who contact us. It does not govern Protected Health Information (PHI).
When UNMIRI processes PHI on behalf of a HIPAA-covered entity or business associate (including healthcare software vendors, diagnostic laboratories, health systems, and other oncology-software organizations integrating UNMIRI's APIs), such processing is governed exclusively by the Business Associate Agreement (BAA) executed between UNMIRI and that customer, together with the HIPAA Privacy Rule and Security Rule. Where this Policy conflicts with an executed BAA with respect to PHI, the BAA controls.
3. Information we collect
Information you provide directly
- Contact-form submissions: name, work email, company or organization, role, and any free-text context you include (submitted via /contact).
- Scheduled calls: information you share when booking a call via our scheduling tool (Cal.com), governed additionally by that provider's privacy terms.
- Email correspondence with UNMIRI.
Information collected automatically
- Server logs: IP address, user-agent, request path, timestamp, and response status. Used for security, debugging, and abuse prevention.
- Cookies: strictly necessary cookies for site operation and, where you consent, privacy-respecting analytics cookies. No third-party advertising trackers.
Information processed under a BAA (PHI)
Under an executed BAA, UNMIRI receives data from the covered entity or business associate (NGS reports for the API products, aggregated clinical context where applicable) and processes it to produce structured output. PHI is handled per the BAA and described in the data-flow diagram available under NDA on request. PHI is never collected via this website. The free pathologist tool and the literature intelligence platform do not handle PHI by default; institutional deployments that require PHI scope follow the API-product onboarding path with an executed BAA.
4. How we use information
- Respond to inquiries and schedule conversations.
- Provide services to customers under executed MSAs and BAAs.
- Maintain website operation, security, and performance.
- Send transactional messages (e.g., replies to your inquiry). We do not send unsolicited marketing email.
- Comply with legal obligations.
- Detect and prevent fraud, abuse, or unauthorized access.
We do not use personal information collected through the website for automated decision-making that produces legal or similarly significant effects on individuals.
5. Legal bases for processing (where applicable)
For visitors in jurisdictions that require specific legal bases (e.g., EU/UK under GDPR):
- Legitimate interests — operating the website, responding to inquiries, maintaining security.
- Consent — for analytics cookies where required and for email communications beyond transactional replies.
- Contract performance — where you have entered into an agreement with us.
- Legal obligation — where we must process information to comply with applicable law.
UNMIRI currently serves customers in the United States only. If you access the site from outside the US, your information will be transferred to and processed in the US.
6. Sharing and subprocessors
We share personal information with service providers (“subprocessors”) that help us operate the website and services. Each subprocessor is contractually bound to confidentiality. Where PHI is involved, processing additionally requires an executed Business Associate Agreement; UNMIRI will not route PHI to any subprocessor before the upstream BAA is in place. Current subprocessor status:
- Marketing site hosting (Vercel) — public website hosting and edge delivery for unmiri.com. Marketing only. By architecture, the marketing site takes no file uploads, has no authenticated routes, and never connects to RDS or any data store containing PHI. Vercel is deliberately out of BAA scope; no HIPAA add-on is purchased or required. If marketing requirements ever change to include PHI handling, the route moves to app.unmiri.com (AWS) instead of expanding Vercel's scope.
- Amazon Web Services (entire PHI path) — AWS Business Associate Addendum active, account-scoped to a single dedicated AWS production account in us-east-1. The full PHI path runs here: RDS Postgres for structured clinical data and audit logs, S3 with SSE-KMS for encrypted document storage, AWS KMS for customer-managed keys, AWS Textract for PDF extraction, AWS Lambda + API Gateway + Step Functions for compute, AWS Cognito for authentication, AWS Amplify Hosting for the authenticated app surface (app.unmiri.com; the app surface holds no database driver and reaches RDS only through the VPC-attached api.unmiri.com), and AWS CloudWatch Logs for the audit trail. US-only data residency by design.
- Microsoft Corporation (LLM inference) — Microsoft Online Services HIPAA BAA active. Azure OpenAI Service handles the Tier-4 vision LLM (extraction edge cases on PDF pages that fail Tier-1/2/3 deterministic parsing) and an LLM-judge step. Final clinical surfaces are rendered from deterministic templates, not LLM prose. Azure OpenAI network access is firewall-locked to UNMIRI's AWS NAT egress IP as of 2026-05-12. Inputs are de-identified variant context only; no PHI identifiers in prompts.
- Resend — transactional email delivery for contact-form replies and routine correspondence, and storage of the blog newsletter subscriber list (email address only). No PHI.
- Cal.com — scheduling links from /contact. Governed by Cal.com's own privacy terms. No PHI.
A canonical subprocessor list (with current BAA status per subprocessor) is published on the subprocessors page and updated within 10 business days of any material change. Covered-entity customers receive email notification of changes affecting their PHI.
We do not sell personal information. We do not share personal information with advertisers or data brokers. We do not use customer PHI to train machine-learning models.
We may also disclose information (a) to comply with a valid legal process; (b) to protect the rights, property, or safety of UNMIRI, our customers, or the public; or (c) in connection with a merger, acquisition, or asset sale, where the recipient is bound to equivalent privacy terms.
7. Data retention
- Contact-form submissions: retained until the inquiry is resolved, then up to 2 years for recordkeeping.
- Server logs: retained for 90 days, unless a longer period is required for security investigation or legal obligation.
- Email correspondence: retained for the duration of the customer relationship or as required by law.
- PHI (under BAA): retained per the customer's BAA. The architectural target is zero post-response retention: PHI is processed in memory and is not persisted by UNMIRI after the API response is returned to the customer. Where a customer's BAA specifies a different retention window (for example, audit-trail or replay requirements), the BAA controls.
- Audit logs (for PHI access events): 7 years, aligned with HIPAA Breach Notification Rule requirements.
9. Your rights
Depending on your jurisdiction, you may have rights to:
- Access personal information we hold about you.
- Correct inaccurate information.
- Delete personal information, subject to legal exceptions.
- Port your data to another service, where applicable.
- Object to or restrict processing, where applicable.
- Withdraw consent at any time (without affecting prior processing).
- California residents: additional rights under the CCPA/CPRA, including the right to know and the right to opt out of sale (we do not sell).
- EU/UK residents: rights under GDPR Articles 15–22, and the right to lodge a complaint with your supervisory authority.
To exercise these rights, email privacy@unmiri.com with enough information for us to verify your identity. We respond within 30 days (or the period required by applicable law).
10. Security
UNMIRI uses the same HIPAA-ready infrastructure for the website and service that is documented on the security page. Technical safeguards include:
- TLS 1.3 for data in transit.
- AES-256 encryption at rest.
- Role-based access controls with multi-factor authentication.
- Immutable audit logging for PHI-relevant events.
- Automated dependency scanning, with third-party penetration testing planned before production PHI access.
No system is perfectly secure. If you believe you have identified a vulnerability, email security@unmiri.com.
11. Children's privacy
UNMIRI's services are B2B and not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, email privacy@unmiri.com and we will delete it.
12. International users
UNMIRI processes and stores data exclusively in the United States. If you access the website from outside the US, your information will be transferred to and processed in the US, which may have different data-protection laws than your home jurisdiction.
UNMIRI does not currently onboard customers outside the United States.
13. Changes to this Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent revision. Material changes that affect existing customers will be communicated by email with reasonable notice before taking effect. Website visitors should check this page periodically.
14. How to contact us
Privacy questions, data-subject requests, and related correspondence:
- Privacy inquiries: privacy@unmiri.com
- Security reports: security@unmiri.com
- General: hello@unmiri.com
- Postal: UNMIRI LLC, Langhorne, Pennsylvania, United States. For the full postal address, contact legal@unmiri.com.
This Privacy Policy is provided for informational purposes and does not constitute legal advice. If you are evaluating UNMIRI as a vendor and require a customized privacy or data-processing addendum, email legal@unmiri.com.