Back to SporeProof

Privacy Policy

Last updated: May 16, 2026

What We Collect

When you use SporeProof, we collect the following information:

  • Email address (for authentication and transactional emails)
  • Facility details (name, address, phone number, facility type)
  • Operator names
  • Names and email addresses of staff members invited to your facility (Professional tier)
  • Sterilization load records (cycle parameters, chemical indicator results, contents)
  • Spore test results and related documentation
  • Maintenance event logs
  • Uploaded documents and photos (test result PDFs, load images captured via kiosk camera)
  • Forwarded lab result emails sent to your facility's unique parsing address, if you choose to enable email forwarding
  • Billing contact details and subscription status (handled by our payment processor; we do not see or store card numbers)
  • Audit trail of changes made within your facility (who created or modified each record, with timestamps)
  • Basic operational telemetry: browser type, operating system, and screen size, used to diagnose issues and prioritize device support

How We Use Your Data

We use your data solely to provide and operate the SporeProof service:

  • Storing and displaying your sterilization compliance records
  • Generating compliance reports (PDF and CSV)
  • Sending transactional emails: magic link authentication, spore test failure alerts, and overdue test reminders

What We Don't Do

  • We do not sell, rent, or share your data with third parties for marketing or advertising
  • We do not run third-party analytics or tracking scripts inside the application itself
  • We do not serve advertisements
  • We do not profile your individual behavior or build user models

Our public marketing site at sporeproof.com uses Google Analytics to measure aggregate page traffic. Google Analytics is not loaded inside the application at app.sporeproof.com.

Cookies

SporeProof uses a single HttpOnly cookie (sp_auth) for authentication. This cookie is strictly functional — it keeps you logged in and cannot be read by JavaScript or used for tracking. We do not use analytics cookies, advertising cookies, or any other tracking mechanisms. No cookie consent banner is required.

Third-Party Services

We use the following third-party services to operate SporeProof:

  • Microsoft Azure — cloud hosting, PostgreSQL database, blob storage, and message queues
  • Resend — transactional email delivery (magic links, failure alerts, overdue reminders, staff invitations)
  • SendGrid Inbound Parse — receiving and parsing forwarded lab result emails for facilities that enable email forwarding
  • Stripe — subscription billing and payment processing. Card details are entered directly into Stripe's hosted checkout and never touch our servers
  • Google Analytics — aggregate traffic measurement on the public marketing site at sporeproof.com only (not loaded inside the application)

These services process your data only as necessary to provide their respective functions. We do not share your data with any other third parties.

Inbound Email Forwarding (Optional)

Facilities on eligible tiers may enable email forwarding, which assigns a unique parsing address at @results.sporeproof.com. When you or a lab forwards a result email to that address, we receive the message, sanitize and store its content in blob storage, parse out the relevant fields, and match it to the corresponding spore test.

By forwarding email to this address, you represent that you have the right to forward the contents — including any patient identifiers, lab references, or third-party communication — to SporeProof for processing. You can disable email forwarding at any time from your facility settings.

Public Verification Links (Optional)

You may optionally generate public share links that allow anonymous viewers (such as health inspectors or clients) to verify your facility's compliance status without logging in. When enabled, the share link exposes a read-only summary of compliance data to anyone who has the link.

You are responsible for deciding whether to enable a share link and for revoking it when no longer needed. Share links can be disabled at any time from your facility settings.

Data Retention

Sterilization records are retained based on your facility's configured retention period (default 3 years, consistent with CDC guidelines). Records within the retention period cannot be deleted to preserve compliance integrity.

If you delete your account, all associated data — including facility records, sterilization logs, spore tests, and uploaded documents — will be permanently deleted upon request.

Security

We take the security of your data seriously:

  • All data is transmitted over HTTPS (TLS encryption in transit)
  • Data at rest is encrypted via Azure's built-in encryption
  • Authentication uses passwordless magic links — no passwords are stored
  • API keys are hashed with SHA-256 before storage; raw keys are shown only once at creation
  • All data access is scoped to your facility via per-request tenant isolation

Your Rights

You have the right to:

  • Access your data at any time through the application
  • Export your records via CSV and PDF report downloads
  • Delete your account and all associated data by contacting us

To exercise these rights, email hello@sporeproof.com.

Children's Privacy

SporeProof is not directed at individuals under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

Changes to This Policy

We may update this privacy policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. For material changes, we will notify you via email.

Contact

If you have questions about this privacy policy or how we handle your data, contact us at hello@sporeproof.com.