Privacy Policy

Last updated: February 21, 2026

What We Collect

When you use SporeProof, we collect the following information:

  • Email address (for authentication and transactional emails)
  • Facility details (name, address, phone number, facility type)
  • Operator names
  • Sterilization load records (cycle parameters, chemical indicator results, contents)
  • Spore test results and related documentation
  • Maintenance event logs
  • Uploaded documents (test result PDFs and images)

How We Use Your Data

We use your data solely to provide and operate the SporeProof service:

  • Storing and displaying your sterilization compliance records
  • Generating compliance reports (PDF and CSV)
  • Sending transactional emails: magic link authentication, spore test failure alerts, and overdue test reminders

What We Don't Do

  • We do not sell, rent, or share your data with third parties for marketing or advertising
  • We do not use third-party analytics or tracking scripts
  • We do not serve advertisements
  • We do not profile your behavior or build user models

Cookies

SporeProof uses a single HttpOnly cookie (sp_auth) for authentication. This cookie is strictly functional — it keeps you logged in and cannot be read by JavaScript or used for tracking. We do not use analytics cookies, advertising cookies, or any other tracking mechanisms. No cookie consent banner is required.

Third-Party Services

We use the following third-party services to operate SporeProof:

  • Microsoft Azure — cloud hosting, PostgreSQL database, and blob storage for uploaded documents
  • Resend — transactional email delivery (magic links, failure alerts, overdue reminders)

These services process your data only as necessary to provide their respective functions. We do not share your data with any other third parties.

Data Retention

Sterilization records are retained based on your facility's configured retention period (default 3 years, consistent with CDC guidelines). To preserve compliance integrity, records within the retention period cannot be deleted.

If you delete your account, all associated data — including facility records, sterilization logs, spore tests, and uploaded documents — will be permanently deleted upon request.

Security

We take the security of your data seriously:

  • All data is transmitted over HTTPS (TLS encryption in transit)
  • Data at rest is encrypted via Azure's built-in encryption
  • Authentication uses passwordless magic links — no passwords are stored
  • API keys are hashed with SHA-256 before storage; raw keys are shown only once at creation
  • All data access is scoped to your facility via per-request tenant isolation

Your Rights

You have the right to:

  • Access your data at any time through the application
  • Export your records via CSV and PDF report downloads
  • Delete your account and all associated data by contacting us

To exercise these rights, email hello@sporeproof.com.

Children's Privacy

SporeProof is not directed at individuals under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

Changes to This Policy

We may update this privacy policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. For material changes, we will notify you via email.

Contact

If you have questions about this privacy policy or how we handle your data, contact us at hello@sporeproof.com.