Privacy

Privacy Policy

A plain-language account of what data Axiom OrderFlow handles, who processes it, and how the public demos work. We would rather be clear than comprehensive-sounding.

Effective July 10, 2026

Who we are

Axiom OrderFlow is a healthcare operations product from Axiom Neurophysiology (“Axiom,” “we”). It helps neurodiagnostics departments intake EEG orders, review extracted fields, and manage the downstream workflow. This policy explains what data we handle and how.

Data in a customer workspace

When your organization uses Axiom OrderFlow, we process the order documents you upload and the data extracted from them, plus your account and workspace records (names, email addresses, roles, org settings) and an audit trail of actions taken in the app. This data belongs to your organization; we act as a processor of it on your behalf under your agreement with us.

Access is scoped to your organization and enforced at the database with row-level security. We do not sell customer data, and we do not use the contents of your order documents to train AI models.

The deliberate PHI gate

The platform ships locked to de-identified or synthetic data — patient-identifying mode is pinned off by a database constraint. Before a workspace handles real Protected Health Information (PHI), Axiom completes signed Business Associate Agreements with its subprocessors and a security review, and PHI mode is unlocked only through a deliberate, reviewed database change. We do not claim certifications we do not hold.

The public demos

Our website offers a live read-only demo and a “try it with your own order form” extraction demo. Both are clearly labeled for synthetic or blank forms only — please do not upload real patient documents to them.

The live demo signs you into a temporary, disposable viewer account on a synthetic showcase workspace; that account is automatically deleted after a short period. The extraction demo processes the file you provide entirely in memory to show a result and stores no upload record, no file, and no extraction — the file exists only for that single request. We keep basic request metadata (such as an IP-derived rate-limit counter) to prevent abuse.

Subprocessors

We rely on a small set of vendors to run the service. Each is engaged under its own terms, and for PHI workloads under a Business Associate Agreement where applicable:

  • Supabase — managed Postgres database, authentication, and file storage.
  • Vercel — application hosting and serverless compute.
  • Anthropic — AI extraction of fields from uploaded order documents.
  • Resend — transactional and notification email (when enabled).
  • Sentry — error monitoring, configured to strip request bodies, cookies, and headers (when enabled).
  • Upstash — rate-limit counters for the public demo endpoints (when enabled).

Cookies and analytics

We use strictly necessary cookies to keep you signed in and to operate the app. We do not run third-party advertising trackers.

Data retention

Within a customer workspace, stored order PDFs are purged automatically after the retention window your admin configures, for settled orders; the extracted data, tracker rows, and audit history are retained per your agreement. Disposable demo accounts are deleted automatically. On termination, we return or delete customer data as described in your agreement.

Your choices and contact

If you are a member of a customer workspace, your organization's administrator manages your access and can offboard your account. For requests about data your organization controls, contact your administrator. For anything else — including questions about this policy — email info@axiomeeg.com.

We may update this policy as the product changes; the effective date above reflects the current version.

Questions about this document? Email info@axiomeeg.com. See also our Security & Compliance overview.