Data Security
How we protect your data.
Last updated July 7, 2026
Priority One Health is operated by Walker Capital Management LLC. This page explains, in plain language, what we actually do to protect your information — and where the limits are. We’d rather under-promise here than overclaim.
A note on HIPAA
Priority One is not a HIPAA-covered entity — we are not a healthcare provider, health plan, or clearinghouse, so HIPAA does not directly govern most of what happens in your dashboard. Where labs or clinicians are involved, those regulated parties carry their own legal obligations. We do not claim “HIPAA compliance” or “HIPAA certification,” because for a consumer app like this one that claim would be misleading. What we do instead: apply safeguards aligned with HIPAA Security Rule principles, and maintain a breach-notification process consistent with the FTC Health Breach Notification Rule, which does apply to consumer health apps like Priority One.
What we do
Encryption in transit
All traffic between your device and Priority One is served over HTTPS/TLS, and our connections to the vendors that power the Service are encrypted in transit.
Encryption at rest
Your account data, wearable history, lab results, and self-logged entries are stored with our managed database provider, which encrypts stored data at rest. We document this as our provider's protection rather than claiming certifications we don't hold ourselves.
Per-account authorization on every request
Every read and write of your data is authorized on our servers against your signed-in account, so requests can only return records that belong to you. We are additionally hardening database-level row security as a second, independent layer of enforcement.
Least-privilege access
Production access is limited to the founder-operator. We don't browse user accounts except to investigate an issue you've raised with us, and we are expanding internal access-event logging so that sensitive access is recorded.
Your uploads aren't stored
When you upload a lab report or body-composition scan, we extract the values for your review and discard the file. The document itself is never saved to our systems.
No ad trackers on signed-in pages
No advertising pixels, session recording, or third-party marketing scripts run inside the signed-in app. Results-ready emails never contain your results, and analytics events never contain your health values.
Verified integrations
Lab and wearable events arrive through cryptographically signed webhooks that are rejected when the signature doesn't verify. Payments are processed by Stripe — full card numbers never touch our systems.
Account hygiene
Passwords are hashed by our authentication provider; we never store cleartext credentials. Password-reset flows are handled by that provider with expiring, single-use links.
Vendors who help us run the Service
We use a deliberately small set of providers, each limited to its function: Supabase (database and authentication), Vercel (hosting), Junction (wearable connections and lab routing), Quest Diagnostics (laboratory analysis, where lab ordering is available), Stripe (payments), Resend (transactional email), Anthropic (AI reading of documents you upload and educational summaries), PostHog (product analytics without health values), Sentry (error monitoring with personal data stripped), Rewardful (referral attribution on public marketing pages only), and Google (optional sign-in). The Privacy Policy describes what each receives.
What you can do
Use a strong, unique password (or sign in with Google and protect that account with two-factor authentication). Don’t share your login. If a device with Priority One installed is lost or stolen, change your password right away and email us — we can help make sure no other session stays active.
Reporting a security concern
If you believe you’ve found a vulnerability, email support@priorityone.health with the subject “Security.” We aim to acknowledge reports within two business days, and we won’t take legal action against good-faith researchers who report through this channel.
See also the Privacy Policy, Terms of Service, and Medical Disclaimer.