Privacy Policy
Last updated: July 3, 2026
PRISM is an internal, invite-only operations platform built for the Akshintala Lab at Johns Hopkins University. It helps the lab run its day-to-day work — tasks, grants, expenses, meetings, inventory, and literature — with an AI copilot on top. This policy explains what data PRISM handles, why, and how it is protected.
1. Who this applies to
PRISM is not a public product. Access is granted by invitation and approved by a lab administrator. This policy covers the lab members and collaborators who are given accounts, and the operational data they enter while using the platform.
2. What we collect
PRISM collects only what the lab needs to operate:
- Account information — the name, preferred name, email address, institution, role or training level, start and end dates, and optional profile photo you provide when you request access, plus the credentials used to sign in.
- Lab operational data — the content you and your colleagues enter into the platform: tasks and roadmaps, grant and conference deadlines, bills and receipts, supply and inventory records, meeting notes and minutes, literature searches, and study operations such as recruitment counts and drug-expiry tracking.
- Technical and audit data — sign-in events, an append-only audit log of actions taken in the platform, and the session cookies required to keep you authenticated. This is used to secure the platform and to let administrators review activity.
3. How we use it
Data in PRISM is used to run the Akshintala Lab’s research, training, and operations — for example, to track deadlines and budgets, coordinate the team, draft communications for your review, answer literature questions, and monitor study logistics. It is used to operate, maintain, and improve the platform for the lab. It is not used for advertising, and it is never sold.
4. No identifiable patient data
This is the most important line in this policy, so it is stated plainly:
Identifiable patient data (PHI) is not stored in PRISM. The lab’s regulated study records live in REDCap, which remains the system of record for any protected health information. PRISM works on non-identifiable operational data — counts, metadata, deadlines, budgets, inventory, and status — not on identifiable patient records.
Where the AI copilot uses third-party language-model providers, those providers only ever process this non-identifiable operational data. Identifiable or otherwise sensitive information is not sent to a third-party model.
Because PRISM is an operational tool and not a clinical record, you should never enter identifiable patient information into it. Keep that data in REDCap and the systems approved for it.
5. AI features and model providers
PRISM’s copilot uses third-party large-language-model providers to draft text, answer questions, extract data from receipts, and summarize meetings. Only the non-identifiable operational data described above is sent to these providers, and it is sent solely to produce the requested output. Outbound actions the copilot proposes — such as sending an email or writing to a record — are shown to a human for approval before they take effect.
6. How data is shared
PRISM does not sell your data and does not share it for advertising. Data is shared only in these limited ways:
- Service providers — infrastructure and processing partners that make the platform run, including Supabase (database, authentication, and file storage) and the language-model providers that power the AI features. Each processes data only to provide its service and under its own terms.
- Within the lab — operational data is visible to authorized lab members according to their role, so the team can coordinate its work.
- When required by law — or to protect the security, rights, and safety of the platform and its users.
7. Security
PRISM is built for a clinical-research lab and applies layered safeguards:
- Authenticated access with support for multi-factor sign-in, and role-based permissions with workspace isolation.
- Row-level security in the database so users only reach the data they are authorized to see.
- Encryption of data in transit.
- Confirmation-gated writes — outbound actions and data changes are proposed and approved by a human — and an append-only audit log.
No system can be guaranteed perfectly secure. You are responsible for keeping your account credentials confidential and for reporting any suspected unauthorized access.
8. Data retention
Operational data is kept for as long as it is useful to the lab’s work, or as long as required by the lab’s record-keeping, grant, and institutional obligations. Account information is retained while your account is active. When an account is deactivated, associated data may be retained where it forms part of the lab’s operational or compliance record, and otherwise removed on request where feasible.
9. Your choices
You can review and update your account details from within the platform. To request access to, correction of, or deletion of the data associated with your account, contact the lab administrator. Because PRISM operates within an academic research lab, some records may need to be retained to meet institutional or study obligations.
10. Changes to this policy
This document is a baseline draft pending review by Johns Hopkins and legal counsel. It may change as the platform evolves and as that review is completed. When it does, the “last updated” date above will change. Continued use of PRISM after an update means you accept the revised policy.
11. Contact
Questions about this policy or about how your data is handled should go to the Akshintala Lab administrator at Johns Hopkins. See also the Terms of Service.