FacultyOS is a native iOS application for academic medical departments, operated by Estara AI (“we,” “us,” “our,” “the Platform,” “FacultyOS”). It aggregates publicly available academic data and provides department heads with a team intelligence dashboard. Faculty members own and control their own professional records within the Platform.
This Privacy Policy explains what data we collect, why we collect it, how we store and protect it, who we share it with, and what rights you have. It applies to all users of the FacultyOS application: Department Heads and Faculty Members (attending faculty, research fellows, and non-accredited junior attendings). FacultyOS is available in the United States only.
FacultyOS is designed around three legally distinct data systems. Understanding them is essential to understanding this Privacy Policy.

| System | What it contains | Who owns it |
|---|---|---|
| System A — Faculty-Owned | Publications, grants, clinical trials, academic activities, promotion criteria indicators, calendar-matched events. Data the Faculty Member owns and controls. | The Faculty Member. Portable — survives subscription cancellation, department changes, and institutional transitions. |
| System B — Department Record | Department Head advising notes and development assessments about Faculty Members. Not visible to the subject. Includes resident milestone records when Resident Milestones is enabled. | The departmental account. Transfers to successor Department Head. Not owned by the Faculty Member it is about. |
| System C — Platform Operational | Authentication, session data, billing records, audit logs. Data required to operate the service. | The Platform. Used only to provide and improve the service. |
When you create a FacultyOS account or accept an invitation, we collect your full name and display name, professional email address (primary account identifier), phone number (for optional SMS two-factor authentication), and institutional affiliation and department.
Legal basis: Necessary to perform the contract. We cannot provide the service without these fields.
When a Department Head invites a Faculty Member, we automatically query public academic databases — PubMed, OpenAlex, NIH Reporter, and ClinicalTrials.gov — using the Faculty Member's name and institutional affiliation. Results are pre-loaded into a candidate profile. This data consists entirely of publicly available information.
No query against any public academic API runs until the Faculty Member logs in for the first time and explicitly taps “Start discovery.” Discovery is Faculty Member-initiated. The pre-populated data is not shared with the Department Head until after the Faculty Member has confirmed matches at first login.
Legal basis: Legitimate interests — providing the core service; all data is publicly available and no sensitive data is involved.
System A grows through the Faculty Member's confirmations and ongoing background sync: publications, grants, clinical trial associations, calendar-classified academic events, and promotion criteria indicators derived from confirmed data. System A data is owned by the Faculty Member and can be exported or deleted at any time.
Legal basis: Necessary to perform the contract.
Department Heads may enter advising notes and development assessments about Faculty Members on their team. System B data is not visible to the Faculty Member who is the subject of the notes and is owned by the departmental account.
When Resident Milestones is enabled on an account, System B expands to include structured milestone records for ACGME/AOA-enrolled trainees. Resident Milestones is disabled by default and requires the Department Head to execute the FacultyOS Data Use Agreement.
Legal basis: Legitimate interests — academic advising and team management.
Calendar integration is always optional and always Faculty Member-initiated. You connect your Google or Apple calendar through OAuth. The sync runs a keyword-match classifier that identifies events resembling academic activities. It stores only: the detected event type, a keyword-matched event title, and the event date and approximate time.
FacultyOS's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, calendar data obtained through the Google Calendar API is:
We collect email address and verification status, phone number and OTP logs (if SMS 2FA is enabled), device session records, and authentication event logs. These records are used only for security and fraud prevention.
iOS App Store path: Payment processed by Apple, Inc. through StoreKit, with entitlement management via RevenueCat. We receive confirmation of subscription status. We do not receive your payment card number or Apple ID.
Web path (faculty-os.com): Payment processed by Stripe, Inc. We receive your subscription status, Stripe customer ID, and billing event records. We do not receive your full payment card number.
This section applies only to Department Heads who have enabled Resident Milestones by executing the FacultyOS Data Use Agreement, and to the ACGME/AOA-enrolled trainees on those accounts. Resident milestone records are FERPA-covered education records. The Department Head may inspect, correct, and export these records at any time through the in-app FERPA rights menu. Deletion requests are processed within 30 days via the ferpa_deletion_requests flow.

| Data category | Retention period |
|---|---|
| System A — Active account | Retained for as long as you hold an account. Faculty Members retain read access at no charge after subscription cancellation. |
| System A — Deletion requested | Deleted from active storage within 30 days. Purged from backup media within 90 days. |
| System B — Active subscription | Retained for the duration of the Department Head subscription. |
| System B — Subscription cancelled | Exported to the Department Head within 45 days. Deleted within 45 days. Purged from backups within 90 days. |
| Calendar OAuth tokens | Retained until you revoke access. Deleted within 24 hours of revocation. |
| Authentication / session logs | 12 months, then deleted. |
| Billing records | 7 years as required for tax and financial record-keeping. |
| Unaccepted invitation profile | Deleted 90 days after invitation if not accepted. |

| Subprocessor | Purpose | Location |
|---|---|---|
| Google LLC | Google Sign-In authentication and Google Calendar API (read-only, calendar event classification). | USA |
| Supabase, Inc. | Hosts all Platform data in managed PostgreSQL infrastructure. | USA |
| Resend | Transactional email. Receives email address and display name only. | USA |
| Apple, Inc. | App Store distribution and in-app purchase billing. | USA |
| Stripe, Inc. | Web subscription payment processing. | USA |
| RevenueCat, Inc. | In-app subscription entitlement management. | USA |
We may disclose your data if required to do so by law or valid legal process, or where we reasonably believe disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
All data in transit is encrypted using TLS 1.2 or higher. All data at rest is encrypted at the storage layer. Calendar OAuth tokens are encrypted at the application layer using Supabase Vault (pgsodium) in addition to storage-layer encryption. Row-level security policies are enforced at the database layer — no query can return data the authenticated user is not authorised to see.
System B advising notes are not accessible to the Faculty Member subject through any API endpoint, regardless of authentication state. This is enforced at the database layer, not only in application logic.
OTP rate limiting: maximum 3 requests per phone number per hour; maximum 10 requests per IP address per hour.
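The two controls described above (System B notes invisible to their subject at the database layer, and the OTP request limits) can be expressed as PostgreSQL row-level security policies and a rate-limit check. The following is an added illustration written for this page, not FacultyOS's own schema or code: the table and column names are assumptions, and `auth.uid()` is assumed to be Supabase's helper that returns the `sub` claim of the caller's JWT. It also goes one step beyond the text by including a self-check that simulates a Faculty Member session and confirms that no note about them is returned.

```sql
-- Assumed schema (illustrative names, not the Platform's).
create table department_heads (
  user_id       uuid not null,
  department_id uuid not null,
  primary key (user_id, department_id)
);

create table advising_notes (          -- System B: Department Record
  id            bigserial primary key,
  department_id uuid not null,
  author_id     uuid not null,         -- Department Head who wrote the note
  subject_id    uuid not null,         -- Faculty Member the note is about
  body          text not null,
  created_at    timestamptz not null default now()
);

-- RLS is the enforcement point; "force" applies it even to the table owner,
-- so a misconfigured application role cannot bypass it.
alter table advising_notes enable row level security;
alter table advising_notes force row level security;
grant select, insert on advising_notes to authenticated;  -- Supabase's logged-in role

-- Only a current Department Head of the note's department may read it.
-- No policy mentions subject_id, so the Faculty Member the note is about
-- matches no policy and sees zero rows, regardless of how they are authenticated.
create policy advising_notes_head_select on advising_notes
  for select to authenticated
  using (
    exists (select 1 from department_heads dh
            where dh.user_id = auth.uid()
              and dh.department_id = advising_notes.department_id)
  );

-- Writes: the caller must be a head of that department and must be the author.
create policy advising_notes_head_insert on advising_notes
  for insert to authenticated
  with check (
    author_id = auth.uid()
    and exists (select 1 from department_heads dh
                where dh.user_id = auth.uid()
                  and dh.department_id = advising_notes.department_id)
  );

-- OTP rate limiting: 3 per phone number per hour, 10 per IP address per hour.
create table otp_requests (
  phone        text not null,
  ip           inet not null,
  requested_at timestamptz not null default now()
);

create or replace function otp_request_allowed(p_phone text, p_ip inet)
returns boolean language sql stable as $$
  select (select count(*) from otp_requests
          where phone = p_phone and requested_at > now() - interval '1 hour') < 3
     and (select count(*) from otp_requests
          where ip = p_ip and requested_at > now() - interval '1 hour') < 10;
$$;

-- Self-check with constructed UUIDs: insert a note as a head, then read as its subject.
begin;
insert into department_heads values
  ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa');
insert into advising_notes (department_id, author_id, subject_id, body) values
  ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa',
   '11111111-1111-1111-1111-111111111111',
   '22222222-2222-2222-2222-222222222222', 'constructed note');

-- Simulate the subject's session: set the JWT claims that auth.uid() reads.
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"22222222-2222-2222-2222-222222222222","role":"authenticated"}', true);
select count(*) as visible_to_subject from advising_notes;  -- expected: 0
rollback;
```

The important design property is that the subject is excluded by the absence of a matching policy, not by an application-side filter: even a query that names their own `subject_id` returns nothing, which is what "enforced at the database layer, not only in application logic" means in practice. The rate-limit function is deliberately stateless so the caller records the attempt only after it has been allowed.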
FacultyOS is a native iOS application. It does not use browser cookies. It does not embed advertising trackers, pixels, or third-party analytics SDKs that collect your data for advertising purposes. We may use Apple's built-in analytics (App Store Connect Analytics), which provides aggregated, non-identifiable usage statistics that are not linked to individual users.

| Right | What this means for FacultyOS |
|---|---|
| Access | Request a copy of all data we hold about you within 30 days. System A data is available for self-service export at any time. |
| Correction | Correct any System A data through your account at any time. System B data about you is controlled by your Department Head. |
| Deletion | Request deletion of your account and all System A data. Completed within 30 days. System B data about you is controlled by your Department Head. |
| Portability | Export your System A data in JSON or CSV format at any time through the app. |
| Withdraw calendar consent | Disconnect your calendar at any time. This immediately revokes our OAuth token and stops all calendar sync. |
| Object to processing | Object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds that override your interests. |
To exercise any of these rights, contact us at privacy@faculty-os.com with “Privacy Rights Request” in the subject line. We will respond within 30 days.
If you are a California resident, the CCPA and CPRA give you additional rights. We do not sell personal information. We do not share personal information for cross-context behavioural advertising. Categories of personal information we collect: identifiers (name, email, phone); professional information (publications, grants, affiliation); internet activity (session logs); inferences (promotion criteria indicators).
To exercise California rights, contact privacy@faculty-os.com with “California Privacy Request” in the subject line. We will respond within 45 days.
FacultyOS is designed for use by academic medical professionals who are at least 18 years of age. We do not knowingly collect personal information from anyone under the age of 18. If we become aware that we have collected personal information from a minor, we will promptly delete it. If you believe we may have inadvertently collected information from a minor, please contact us at privacy@faculty-os.com.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated by email to registered account holders at least 14 days before they take effect. The current version will always be available at faculty-os.com/privacy.
Privacy questions and rights requests:
Email: privacy@faculty-os.com
Subject line for rights requests: “Privacy Rights Request — [Your Name]”
Subject line for data breach reports: “Security Report”
General support:
Email: support@faculty-os.com
Operator: Estara AI · faculty-os.com