← Back to TrialPath Agent API

TrialPath Agent API Privacy Policy

Last updated: May 14, 2026

This policy covers the TrialPath agent API and MCP server (collectively, "the Service") operated by Parkinson's Pathways at https://parkinsonspathways.com/api/agent/v1/* and https://parkinsonspathways.com/mcp. It does not cover the human-facing Parkinson's Pathways website, which has its own policy.

1. Data we collect

• Account data. When you request an API key at POST /api/agent/v1/keys/request, we collect the email address you submit and a Cloudflare Turnstile token used to verify you are a real person. We store the email, a SHA-256 hash of the issued key, the key prefix, and the timestamp.
• Usage data. For every call to /api/agent/v1/* and /mcp, we record: timestamp, route, HTTP method, response status, response time, your API key id (when present), the originating IP address, the user-agent string, and the billing mode (free tier, prepaid credit, or x402 paid). We do NOT log request bodies, response bodies, raw API keys, or x402 payment payloads.
• Payment data. When you settle a call or top-up over x402, we record the on-chain transaction hash, the USDC amount, and the network (Base or Base Sepolia). We do not collect or store payer wallet private keys, credit-card numbers, or off-chain personal payment details.
• Subscription data. If you register a webhook or SSE subscription at POST /api/agent/v1/subscriptions, we store the delivery URL (if any), the filter set, and the HMAC signing secret hash, plus per-delivery audit rows (status, timestamp, attempt count).
• Patient-match inputs (match_patient / POST /api/agent/v1/match). The match_patient tool accepts a structured profile (required condition and age; optional sex, stage, biomarkers, priorTreatments, comorbidities, meds, acceptsPlacebo, healthyVolunteer, phasePreference, studyType, sponsorPreference, drugClasses, interventionKinds, performanceStatus, requireTerms, excludeTerms, and location/postcode/travel radius). These inputs are processed in-memory for the duration of the request and are NEVER written to the database, NEVER written to application logs (the global JSON-response logger explicitly skips /api/agent/*), and NEVER associated with a stored profile. We retain only the standard usage row for the call (timestamp, route, status, response time, billing mode), with no profile fields.

2. How we use your data

• To authenticate API calls and attribute usage to your key.
• To enforce free-tier daily quotas, per-IP and per-key rate limits, and abuse defenses.
• To compute prepaid-credit balances and to settle on-chain payments.
• To deliver webhook subscriptions to the URLs you register.
• To debug operational issues and to detect abuse (e.g. credential stuffing, payment replay).
• To send transactional notices about your key (e.g. quota changes, security incidents). We do NOT use your email for marketing.

3. Storage

All data is stored in PostgreSQL on infrastructure operated by Replit (United States). API keys are stored only as SHA-256 hashes; we cannot recover the raw key after issuance. HMAC subscription secrets are stored in plaintext for delivery signing.

4. Third-party sharing

We share the minimum data required to operate the Service:

• Cloudflare (Turnstile bot challenge): your IP address and the Turnstile token are sent to challenges.cloudflare.com for verification when you request a key. See the Cloudflare Privacy Policy.
• Coinbase Developer Platform / x402 facilitator: your wallet address and signed payment payload are sent to the configured x402 facilitator to verify and settle USDC payments on Base. See the Coinbase Privacy Notice.
• Webhook destinations you configure: when you register a webhook subscription, we POST matching change payloads to the URL you provide. You control that endpoint and its data handling.
• Replit (hosting and database): infrastructure provider. See the Replit Privacy Policy.

We do NOT sell your data, share it with advertisers, or use it to train models. We do NOT share match_patient inputs, query parameters, or any user-identifiable call data with trial sponsors, contract research organisations (CROs), trial sites, or recruitment vendors.

5. Data retention

• Usage rows: retained for 365 days for billing audit and abuse review, then deleted.
• API key hashes and emails: retained while the key is active. Revoked keys are retained for 90 days after revocation, then the email is anonymised and the row archived.
• Prepaid credit ledger and on-chain tx hashes: retained indefinitely for accounting and replay-protection.
• Webhook delivery audit rows: retained for 90 days, then deleted.

6. Your rights

You can request key revocation, deletion of your account email, and a copy of the usage rows tied to your key by emailing spencer@parkinsonspathways.com. We respond within 30 days. Per-call on-chain settlement records and prepaid-credit ledger entries cannot be deleted (they are required for accounting and replay protection), but we can disassociate them from your email.

7. Security

We treat raw API keys as secrets: they are returned exactly once and stored only as SHA-256 hashes. The agent surface is fully isolated from the main database pool (separate agentDb), and our global JSON-response logger explicitly skips /api/agent/* so raw keys and x402 payloads cannot leak into application logs. Webhook delivery URLs are subject to SSRF protection (private IP ranges blocked, redirects blocked).

8. HIPAA and Protected Health Information

Parkinson's Pathways is NOT a HIPAA-covered entity and is NOT a HIPAA business associate. The Service is not designed to receive, store, or transmit Protected Health Information (PHI) as defined under 45 CFR 160.103, and we do not enter into Business Associate Agreements (BAAs) with callers of this API.

Callers must NOT submit PHI through any endpoint, including match_patient / POST /api/agent/v1/match. Patient profile inputs to match_patient must be de-identified before submission: do not include names, government identifiers, medical record numbers, full dates of birth, full-resolution geographic identifiers smaller than the first three digits of a postal code, contact information, or any other direct identifier listed in 45 CFR 164.514(b)(2). The fields the API accepts (condition, age, sex, stage, biomarkers, comorbidities, meds, postcode prefix and travel radius, etc.) are intended to be used in a de-identified form. If you need a HIPAA-compliant trial-matching service, this is not it.

9. Children

The Service is a developer/agent API and is not directed at children under 16. We do not knowingly collect data from children.

10. Changes

Material changes to this policy are announced at /agents and via email to active key owners at least 14 days before they take effect. The "Last updated" date at the top of this page is authoritative.

11. Contact

Questions, deletion requests, or security reports: spencer@parkinsonspathways.com.