Data Security
How we protect your data.
Effective May 28, 2026
A note on HIPAA
Priority One is not a HIPAA-covered entity — we do not operate as a healthcare provider, a health plan, or a healthcare clearinghouse. When you order labs through the Service, Junction is the regulated party for the lab order itself. We do not claim “HIPAA compliance” for Priority One as a whole, because that would be inaccurate. We do apply security practices aligned with HIPAA’s Security Rule principles, which we describe below.
What we do
Encryption in transit
All traffic between your device and Priority One is served over TLS. Internal service-to-service traffic is also encrypted in transit.
Encryption at rest
Account data, wearable history, lab results, and self-logged entries are stored encrypted at rest by our managed database provider.
Row-level security
Our Postgres schema uses row-level security (RLS) so authenticated queries can only return rows owned by the requesting user. The database, not the application layer alone, enforces user isolation.
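As an added illustration of the pattern described above, not Priority One's actual schema, here is what a per-user RLS setup looks like in Supabase-hosted Postgres. The table and column names are hypothetical; auth.uid() and the authenticated role are Supabase's own, with auth.uid() returning the user id carried in the caller's JWT.

```sql
-- Added example, not Priority One's real schema. Table/columns are hypothetical;
-- auth.uid() and the "authenticated" role are provided by Supabase.
CREATE TABLE self_logged_entries (
  id        bigint      GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  user_id   uuid        NOT NULL REFERENCES auth.users (id),
  logged_at timestamptz NOT NULL DEFAULT now(),
  note      text        NOT NULL
);

-- 1. Turn RLS on. Until this runs, policies are ignored and any role that can
--    SELECT on the table sees every row.
ALTER TABLE self_logged_entries ENABLE ROW LEVEL SECURITY;

-- 2. Apply the policies to the table owner as well, so an app connection that
--    happens to own the table gets no silent bypass. (Superusers and roles with
--    BYPASSRLS, such as Supabase's service_role key, still bypass RLS: keep that
--    key server-side only.)
ALTER TABLE self_logged_entries FORCE ROW LEVEL SECURITY;

-- 3. Reads: a row is visible only when its user_id matches the caller's identity.
CREATE POLICY entries_select_own ON self_logged_entries
  FOR SELECT TO authenticated
  USING (user_id = auth.uid());

-- 4. Writes: WITH CHECK rejects inserts or updates that would create a row
--    belonging to someone else, even if the client sends a different user_id.
CREATE POLICY entries_insert_own ON self_logged_entries
  FOR INSERT TO authenticated
  WITH CHECK (user_id = auth.uid());

CREATE POLICY entries_update_own ON self_logged_entries
  FOR UPDATE TO authenticated
  USING (user_id = auth.uid())
  WITH CHECK (user_id = auth.uid());

CREATE POLICY entries_delete_own ON self_logged_entries
  FOR DELETE TO authenticated
  USING (user_id = auth.uid());

-- 5. What enforcement looks like: no policy is defined for the anon role, so an
--    unauthenticated SELECT returns zero rows (RLS is default-deny, not an error),
--    and an authenticated INSERT with another user's user_id fails the WITH CHECK
--    expression with a policy violation error. The application does not need a
--    "WHERE user_id = ..." clause for isolation; the database filters regardless
--    of what the query asks for.
```

A quick self-check after deploying policies is to run a SELECT without any WHERE clause as a normal authenticated user and confirm only that user's rows come back.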
Least-privilege access
Internal access to production data is restricted to a small number of administrators on a need-to-know basis, and is audited. We do not browse user accounts except where required to investigate a support request you have raised.
Vendor review
We only onboard processors with appropriate security posture, written contracts limiting their use of your data, and documented breach-notification practices.
Account hygiene
Passwords are hashed by our auth provider; we never store cleartext credentials. Email-based account recovery flows are rate-limited and tokens expire quickly.
Vendors who help us run the Service
We rely on a small, deliberately chosen set of third-party processors. Each is bound by contract to use your data only to provide the relevant service.
- Supabase — managed Postgres, authentication, and file storage.
- Junction — wearable OAuth, lab order routing, and result delivery.
- Quest Diagnostics — the lab that performs the underlying analyses.
- Google Cloud — infrastructure and transactional email.
- OpenAI — generation of educational summaries (only when you enable the feature). We have configured this provider not to use your data to train its models.
What you can do
Use a strong, unique password. Don’t share your login. If your device is lost or stolen, sign out from all sessions in the Profile page and rotate your password. Email us right away if you suspect unauthorized activity on your account.
Reporting a security concern
If you believe you’ve found a security issue, please email austin@walkercapitalmanagement.com with the subject line “Security” and a description of what you observed. We aim to acknowledge reports within two business days. We won’t take legal action against good-faith researchers who report vulnerabilities through this channel.
See also the Privacy Policy and Terms of Service.