Privacy Policy

Effective date: March 1, 2026

1. Who We Are

MedEd Connect (“Platform”, “we”, “us”) is operated by the Guam Memorial Hospital Authority (GMHA) Department of Medical Education. We provide a clinical training management platform connecting medical students, physician assistant and nurse practitioner students, and residents with Pacific Basin hospital training programs.

Data controller contact: education@gmha.org
GMH Department of Medical Education, 850 Gov. Carlos G. Camacho Rd, Tamuning, Guam 96913

2. Data We Collect

Account & Profile Data

Name, email address, phone number, professional title, specialty, home institution, program type, biography. Collected at registration and updated by you in Settings.

Application & Rotation Records

Rotation applications, supporting documents you upload (CV, transcripts, vaccination records, licenses), approved rotation details, start/end dates, assigned preceptor. These are educational records as defined under FERPA.

Duty Hour Logs

Date, hours worked, and activity type per log entry. Collected per ACGME duty hour tracking requirements. Aggregated data is used to flag potential ACGME violations (>80 hours/week).

Evaluation Data

Competency scores, written feedback, and overall ratings submitted by preceptors and self-assessments by trainees. Treated as confidential educational records.

Partnership Inquiry Data

Name, email, organization, role, and message submitted via the website contact form. Used solely to respond to partnership inquiries.

Usage Data

Aggregated AI assistant usage (token counts, feature used, timestamp). No message content is stored. Used for platform monitoring and capacity planning.

3. FERPA — Student Educational Records

MedEd Connect processes education records as defined by the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g. Under FERPA, eligible students have the right to:

Inspect and review their education records held by the Platform.
Request amendment of records they believe are inaccurate or misleading.
Consent to disclosures of personally identifiable information, except where FERPA authorizes disclosure without consent (e.g., to school officials with legitimate educational interest).
File a complaint with the U.S. Department of Education concerning failures to comply with FERPA requirements.

We disclose education records only to:

The trainee who is the subject of the record.
Institution coordinators and administrators at the trainee's rotation site with a legitimate educational interest.
Accreditation bodies (e.g., ACGME) where required for program accreditation.
Legal authorities when required by applicable law.

To exercise FERPA rights or request a copy of your records, contact education@gmha.org. We will respond within 45 days.

4. HIPAA — Protected Health Information

MedEd Connect is a clinical education management platform. We do not collect, store, or transmit Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA), 45 C.F.R. Parts 160 and 164.

The Platform records trainee educational and duty hour data — not patient records, diagnoses, treatment information, or patient identifiers. Users must not enter patient PHI into any Platform field (notes, goals, messages, etc.). If a trainee incidentally encounters patient information during a rotation, that information is governed by the training institution's HIPAA policies and Business Associate Agreements with its covered-entity partners — not by this Platform.

GMHA, as the operator of this Platform, maintains appropriate technical and administrative safeguards consistent with HIPAA standards as they apply to its operations as a covered entity.

5. ACGME Compliance

For programs subject to Accreditation Council for Graduate Medical Education (ACGME) standards, this Platform assists with:

Duty Hour Logging — collected per Common Program Requirements Section VI.F. Data is retained for at least 3 years per accreditation requirements.
Evaluation Confidentiality — preceptor-to-trainee evaluations are accessible only to the trainee, their program coordinator, and program director. Trainee-to-program evaluations are accessible only to the program director and coordinator in aggregate or anonymized form.
Accreditation Reporting — aggregate (non-individually-identified) data may be shared with ACGME as required for program accreditation review.

6. International Data — GDPR, Australian Privacy Act, New Zealand Privacy Act

If you are located in the European Economic Area, United Kingdom, Australia, New Zealand, or another jurisdiction with data protection laws, you have additional rights and we have corresponding obligations:

Legal basis for processing: performance of a contract (rotation management), legitimate interests (platform security and compliance), legal obligations (ACGME/FERPA).
Data transfers: Your data is stored in Supabase infrastructure (AWS ap-northeast-1 region, Tokyo). Cross-border transfers from EEA/UK are covered under Standard Contractual Clauses with our sub-processors.
Right to access, correction, erasure, portability, and restriction — contact us at education@gmha.org.
Data Processing Agreement (DPA): Institutions requiring a DPA under GDPR Art. 28 or equivalent frameworks may request one from education@gmha.org. We will execute institution-level DPAs for EEA, UK, Australian, and New Zealand partner institutions.

7. AI Features

The Platform's AI assistant (powered by Anthropic Claude) queries the live Platform database to answer administrative questions and generate training-related documents. Specifically:

AI responses are generated using data you or your institution have already entered into the Platform.
Message content is not stored in the Platform database. Only aggregate usage metrics (token counts, feature name, timestamp) are recorded.
Queries are transmitted to Anthropic's API over TLS. Anthropic's data handling is governed by their Privacy Policy.
AI access is restricted to authorized administrative roles (Medical Director, Program Coordinators, Executive roles).
Do not enter patient PHI into the AI assistant.

8. Data Retention

Data type	Retention period
Account & profile data	Duration of account + 3 years after deletion request
Rotation applications & documents	7 years (medical education record standard)
Duty hour logs	Minimum 3 years (ACGME requirement)
Evaluations	7 years
Partnership inquiries (leads)	2 years
AI usage logs	1 year

9. Security

We implement technical and organizational measures including:

Row-Level Security (RLS) on all database tables — users can only access records they are authorized to see.
TLS encryption for all data in transit.
Encryption at rest for database and file storage.
Role-based access control — administrative features restricted to authorized roles.
Service-role credentials are server-only and never exposed to the browser.

10. Sub-processors

Sub-processor	Purpose	Location
Supabase (AWS)	Database, auth, file storage	Tokyo (ap-northeast-1)
Anthropic	AI assistant (director/admin only)	USA
Resend	Transactional email delivery	USA
Vercel	Web hosting & edge delivery	Global CDN

11. Cookies

We use session cookies issued by Supabase Auth to maintain your login state. No third-party advertising, analytics, or tracking cookies are set. You can disable cookies in your browser, but the Platform will not function without session cookies.

12. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, delete, port, or restrict processing of your personal data. To exercise any right, email education@gmha.org with subject “Data Rights Request”. We respond within 30 days (45 days for FERPA requests).

13. Changes to This Policy

We may update this policy. Material changes will be notified by email to registered users at least 14 days before taking effect. Continued use of the Platform after the effective date constitutes acceptance.

14. Contact

GMH Department of Medical Education
850 Gov. Carlos G. Camacho Rd, Tamuning, Guam 96913
education@gmha.org