HLC Case Manager
This page is currently available only in English; a translated version is under legal review.

Privacy Policy

HLC Case Manager
Last updated: 11 May 2026

1. Introduction

HLC Case Manager ("the App") is a case management application for Hospital Liaison Committee (HLC) members who support patients seeking bloodless medical treatment. The App is used exclusively by HLC members within the worldwide community of Jehovah's Witnesses, and the patients whose cases are managed in the App are exclusively members of that community who have voluntarily reached out for support through their local elders.

This privacy policy explains how the App and our public website at hlccasemanager.org collect, use, store, and protect personal information, including sensitive health data and religious-context data.

The App processes two categories of special category data under the EU General Data Protection Regulation (GDPR), UK GDPR, and equivalent legislation worldwide:

  • Health data, including medical history, current medical situation, and patient-specific blood-management preferences; and
  • Data revealing religious beliefs, including the patient's congregation, their spiritual standing, and the elder who referred them — essential context for the HLC's work in supporting bloodless medical treatment within the Jehovah's Witness community.

The legal bases for processing are set out in detail in Section 3 and rely on a combination of (i) the patient's voluntary request for HLC support, (ii) the App's operation within a single, closed religious community, and (iii) explicit consent recorded at the point of case creation. Both categories receive the highest level of protection.

2. Data Controller

Each Hospital Liaison Committee operates as an independent data controller for the patient data managed through the App. The HLC Chairman is responsible for data protection compliance within their committee.

For questions about data processing within a specific HLC, contact the committee chairman through the App.

For questions about the App itself, please use our support contact form.

3. Data We Collect

3.1 User Account Data

When an HLC chairman registers a committee or invites members, we collect and store the following information about each member:

  • Full name, email address, mobile phone number, and avatar (if uploaded). These four fields are encrypted at rest with the HLC's encryption key, so they are not visible to Supabase, to us, or to anyone outside the HLC who does not hold the key.
  • Role within the HLC (Chairman, Secretary, or Member).
  • Language preference.
  • Home address and postcode, used to make it easy for members to be assigned to cases at nearby hospitals.
  • Approximate geographic coordinates derived from the address, used to compute proximity to hospitals for case-assignment purposes. These are not shared with any third party.
  • Hospitals the member is assigned to (so they receive notifications about cases at those hospitals).
  • Availability status — a member can mark themselves as unavailable, optionally with a short reason (e.g. on holiday, away from area). The reason is visible only to other members of the same HLC.
  • Whether you have enabled biometric unlock (Face ID / Touch ID). This is a simple preference flag — the App never sees or stores any biometric data itself; that information stays on your device.
  • Operational timestamps such as when you last opened the App, used to indicate to other members whether you are actively reachable.

Legal basis: Article 6(1)(b) GDPR (performance of the membership arrangement between you and the HLC) and Article 6(1)(f) (the legitimate interest of the HLC in coordinating its members for case management), with consent (Article 6(1)(a)) where required for biometric unlock and other optional features.

3.2 Patient Case Data

When HLC members create and manage patient cases, the following data may be recorded:

  • Patient name and contact details
  • Hospital name and location
  • Medical case notes and updates
  • Assigned HLC contacts (primary and secondary)
  • Case status and timestamps
  • Patient consent records

This data constitutes special category data under GDPR Article 9 — specifically health data and data revealing religious beliefs.

Legal bases. Processing patient case data relies on three complementary legal bases, used in combination:

  • Article 6(1)(b) GDPR — steps taken at the request of the data subject. Each patient case begins with the patient (or, where the patient is unable to act for themselves, a designated person on their behalf) voluntarily reaching out to their local elders to request HLC support. The processing carried out in the App is necessary to provide that requested support.
  • Article 9(2)(d) GDPR — processing by a not-for-profit body with a religious aim. The App is operated exclusively for members of a single, closed religious community. The processing relates solely to those members and is not disclosed outside the community without the data subject's consent — a constraint enforced technically through per-HLC encryption keys held only by community members.
  • Article 9(2)(a) GDPR — explicit consent. At the point of case creation, the HLC member confirms in the App that the patient (or the patient's guardian or designated representative, where applicable) has agreed to the HLC documenting and processing their case for the purposes described in this policy. This confirmation is recorded with a timestamp.

Equivalent provisions apply under UK GDPR, LGPD (Brazil), the Australian Privacy Principles, PIPEDA (Canada), and other applicable regimes.

3.3 Analytics Data (Optional)

If you choose to opt in, the App collects pseudonymous usage analytics to help us improve the service. This data is collected via PostHog and includes:

  • A pseudonymous user identifier — your Supabase user account ID, a random UUID generated when your account was created. This is not an advertising identifier and is not shared with anyone other than PostHog (our analytics provider, hosted in the EU). The identifier is consistent across your sessions but cannot be linked to your name or contact details without access to our database.
  • Your role, HLC committee name, and country — so we can understand how different roles, committees, and regions use the App. Your name, email, phone number, and any IP-based location data are explicitly removed before any analytics event is sent, and IP-based geolocation is disabled at the PostHog level.
  • Screen views and feature usage — which screens you visit and which features you use.
  • Device information — device manufacturer, operating system version, and app version, used for diagnostics and crash analysis.

Analytics data is never collected without your explicit consent. You are prompted to opt in or decline when you first use the App, and you can change your preference at any time in Settings.

All patient-identifiable information is stripped before any analytics event is sent. Patient names, emails, phone numbers, addresses, medical data, and case notes are never included in analytics.

Under the same opt-in, PostHog also receives automatic error reports: when the App encounters an unexpected error, the error message and stack trace are sent to PostHog so we can diagnose and fix bugs in production. Error reports use the same pseudonymous identifier as analytics and never contain patient data, case content, or message bodies — only the technical context of where in the code the error occurred. If you have not opted in, no error reports are sent. We also upload application symbol files (sourcemaps) to PostHog when we release an update, so that error stack traces can be made readable; sourcemaps are application code metadata and do not contain user data.

Legal basis: Consent (GDPR Art. 6(1)(a)). You may withdraw consent at any time.

3.4 Technical Data

The App collects minimal technical data required for operation:

  • Authentication session tokens (stored securely on-device).
  • Connection status (online/offline).
  • A per-device push notification token, if you have enabled push notifications. This token is issued by your device's operating system (via Apple's or Google's push platform, relayed through Expo) and is stored on our servers so that we can deliver notifications to your device. It is a routing identifier only — it does not reveal your identity to Expo, Apple, or Google.
  • Basic device platform identifier (iOS / Android / web) and last-active timestamp for the device, used to manage sessions.

The App does not collect advertising identifiers, location data, or any data for advertising purposes.

3.5 Website Visitors

Our public website at hlccasemanager.org is separate from the App, but covered by this policy. The website's processing is much more limited:

  • A cookie/storage consent banner is shown on first visit. If you decline, no analytics are loaded.
  • If you accept, the website loads PostHog (EU) to record page views and the URLs you visit. PostHog stores its identifiers in your browser's localStorage. Page-view data is used to understand which information on the website is most useful and to improve it over time.
  • The website registration form and contact form submit data to our servers (Supabase / Resend) regardless of analytics consent — these are functional submissions, not tracking.
  • No advertising, no social-media trackers, no cross-site identifiers are loaded by the website.

Legal basis: Consent (for the analytics; collected via the banner). Functional form submissions rely on the legal bases described in Sections 3.1 and 3.2.

3.6 Medical Professionals Directory

To support its work, each HLC maintains a directory of the medical professionals — primarily doctors and consultants — that its members are in contact with. The directory holds routine professional contact information (title, name, work hospital, specialty, work email, telephone number) along with a record of the HLC's interactions with each professional and their current cooperation status. Most of this information is professional and broadly public; work email and telephone are recorded to enable correspondence in the context of patient care.

Where a medical professional has formally agreed to be listed as a cooperative doctor, this consent is recorded against their entry. The directory may also note whether the professional is themselves a member of the Jehovah's Witness community, where this is the case.

Legal bases: Article 6(1)(f) GDPR (the HLC's legitimate interest in maintaining a directory of cooperating medical professionals for patient-care correspondence), with Article 6(1)(a) explicit consent recorded for cooperative-doctor confirmations, and Article 9(2)(d) covering the religious-context field where it applies. Medical professionals retain the data subject rights described in Section 8 and may at any time request that their entry be removed or restricted.

4. How We Use Your Data

We use personal data exclusively for the following purposes:

  • Case management: Enabling HLC members to document, track, and coordinate patient support cases
  • Authentication: Verifying user identity and controlling access
  • Notifications: Alerting members to case assignments, updates, and reminders
  • Audit trail: Maintaining a record of case activity for accountability and compliance

We do not use personal data for marketing, advertising, profiling, or any purpose other than HLC case management.

5. Data Sharing

Patient and case data is shared only with:

  • Members of the same HLC — All committee members can view cases and updates within their committee.
  • Supabase (infrastructure provider) — Our database and authentication provider, hosted in the European Union. Patient data is encrypted client-side with a unique per-HLC encryption key before it reaches Supabase's servers, meaning Supabase only has access to encrypted data. Data is additionally encrypted in transit (TLS 1.3) and at rest.
  • Resend (email service provider) — Transactional emails such as invitations and password resets are sent via Resend. The website contact form and any email sent to the App's support addresses are also routed through Resend. Resend only sees the content of the specific email being sent or received; it has no access to the App's database or to patient case data, and is contractually bound to process this data only on our instructions.
  • Expo (push notification relay) — When the App needs to send a push notification (for example, to alert a member to a new unallocated case), the notification's title and body pass through Expo's push relay before reaching your device's operating-system push platform (Apple's on iOS, Google's on Android). This is unavoidable for any mobile app that supports push notifications. The notification payload can include limited identifying context (such as the name of a referring elder for registration-form alerts), but never the patient's name, contact details, or medical information. Expo also delivers over-the-air application updates to your device, but no user or patient data is transmitted as part of those updates — only application code and assets.

We do not sell, rent, or share personal data with third parties for commercial purposes. We do not share data with advertisers or data brokers.

If you opt in to analytics, pseudonymous usage data (with all patient information removed) is sent to PostHog (hosted in the EU). This data cannot be used to identify individual patients.

6. Data Storage and Security

6.1 Storage

Data is stored in a PostgreSQL database hosted by Supabase in the European Union, with row-level security (RLS) enforced. Each HLC's data is logically isolated. Patient data is encrypted on the device using a unique encryption key per HLC before being sent to the server. These keys are generated and stored solely on committee members' devices and are never transmitted to or stored on our servers. This means that neither Supabase nor the App developer can access unencrypted patient data.

6.2 Security Measures

  • Encryption in transit: All data transmitted between the App and our servers is encrypted using TLS
  • Encryption at rest: Database contents are encrypted at rest
  • Authentication: Secure session management with tokens stored in the device's secure keychain (iOS Keychain / Android Keystore) on native platforms
  • Biometric access: The App supports Face ID and Touch ID for rapid, secure access
  • Role-based access control: Users can only access data within their HLC, with permissions determined by their role
  • Audit logging: All significant actions are logged for accountability

6.3 Offline Access

The App stores case data on the device in a local SQLite database so that members can access cases when offline and so that the App remains responsive on poor mobile connections. Every sensitive field — patient names, contact details, medical history, case notes — is encrypted before it is written to that local database, using AES-256-GCM with an encryption key unique to each Hospital Liaison Committee. Encryption keys are generated and stored on committee members' devices in the operating system's secure keychain (iOS Keychain / Android Keystore) and are never transmitted to our servers. The device's own at-rest encryption (Data Protection on iOS, Android disk encryption) provides an additional layer of protection. When a member's account is removed from an HLC, or when the App is uninstalled, the local database is deleted from the device.

7. Data Retention and Deletion

7.1 Patient Case Data

When a case is closed, the App immediately removes all patient-identifying information from the case record on the server. This includes the patient's name, date of birth, address, contact details, congregation, religious standing, emergency contacts, medical history, free-text case notes, and all timeline updates.

A small, non-identifying summary of the case is kept for the long term so that future patients can benefit from each Hospital Liaison Committee's experience. The retained summary records:

  • the hospital where the case was managed,
  • the clinicians the HLC liaised with (linked to the HLC's contacts directory),
  • the type(s) of medical condition treated (selected from a standard catalogue, stored encrypted per HLC),
  • the case outcome,
  • the dates the case was open, and
  • the HLC members who supported the case.

The HLC uses this summary to identify which hospitals and clinicians have successfully supported particular conditions, so that future patients can be directed and supported as effectively as possible.

Lawful basis for retention: Legitimate interests (GDPR Article 6(1)(f), and equivalents in other jurisdictions). The HLC has a legitimate interest in learning from past cases to improve outcomes for future patients. This interest is balanced against the rights of the data subject by removing all directly identifying information at the moment of closure.

Right to erasure: Patients (or their representatives) may request that the entire case record, including the retained summary, be deleted. Such requests should be addressed to the HLC chairman responsible for the case.

7.2 Audit Logs

The App maintains a server-side audit log of significant administrative actions (for example, when a case is closed or anonymised, when a member's role changes, or when data is exported). Each entry records:

  • the action that took place,
  • the identifier of the user who performed it,
  • the identifier of the resource the action applied to (e.g. a case UUID, with no patient name attached),
  • a timestamp, and
  • limited technical context such as the originating IP address and device type, used for security incident investigation.

Audit logs do not contain patient names, medical content, or the text of case updates. Audit-log entries are retained for as long as is necessary to investigate security incidents and meet regulatory obligations, and they remain subject to the same access controls and per-HLC isolation as the rest of the system.

7.3 User Account Data

User account data is retained for as long as the member remains active in an HLC. When a member is removed from a committee, their account data is deleted.

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your personal data
  • Restriction: Request that we limit processing of your data
  • Portability: Request your data in a machine-readable format
  • Object: Object to the processing of your personal data
  • Withdraw consent: Withdraw consent for processing at any time (for patient data)

For Patients

If you are a patient whose case is managed through the App, you may exercise your rights by contacting the HLC chairman responsible for your case, or by contacting us at the details provided in Section 2.

For HLC Members

HLC members may exercise their rights by contacting their committee chairman or by contacting us at the details provided in Section 2.

Response Time

We will respond to all data rights requests within 30 days. For complex requests, this may be extended by a further 60 days with notice.

9. International Data Transfers

The App's primary database (Supabase) and our analytics provider (PostHog) are both hosted in the European Union, and the majority of personal data processing takes place within the EU.

A small number of supporting services are based in the United States:

  • Resend (email delivery) processes the content of outbound transactional emails (such as invitations and password resets) and the content of any inbound email sent to our support addresses. EU sub-processors are used where available.
  • Expo (push notification relay and over-the-air application updates) handles per-device push tokens, notification titles and bodies, and the delivery of application code to your device.

Where personal data is transferred outside the European Economic Area (EEA) or the United Kingdom in the course of using these services, we rely on the Standard Contractual Clauses adopted by the European Commission (Implementing Decision (EU) 2021/914), supplemented by technical and organisational measures including encryption in transit (TLS 1.3) and, for patient-identifiable data, field-level encryption at rest with keys held only by HLC members.

Patient case data managed within the App itself remains encrypted with per-HLC keys throughout transit and storage; only HLC members in possession of those keys can decrypt it.

10. Children's Privacy

The App itself is for use by adults — only HLC members (who are adults) have user accounts. We do not knowingly create accounts for individuals under the age of 18.

Patients whose cases are managed in the App may be minors. In the Jehovah's Witness community, paediatric cases (children needing medical support, including bloodless treatment) are a real and important category of HLC work. Where the patient is a minor:

  • The case is managed by adult HLC members with the same protections that apply to adult patient cases — including the data minimisation, encryption, access controls, and retention rules described elsewhere in this policy.
  • The explicit consent described in Section 3.2 is provided by the minor's parent or legal guardian and is captured at the point of case creation.
  • Where appropriate and feasible, the minor is also informed about the case and offered the opportunity to assent, in line with the standards of care that apply in the relevant jurisdiction.
  • Requests to exercise data subject rights (access, rectification, erasure) on the minor's behalf must be made by the parent or legal guardian to the HLC chairman responsible for the case.

11. Third-Party Services

The App uses the following third-party services:

Service: Supabase
Purpose: Database, authentication
Data processed: All app data (encrypted)

Service: PostHog (EU)
Purpose: Pseudonymous usage analytics and error reporting in the App (both opt-in only); page-view analytics on our public website (opt-in via cookie banner)
Data processed: Screen views, feature usage, device info, error messages and stack traces in the App. Page URLs and browser metadata on the website. No patient data in either case.

Service: Resend (US, with EU sub-processors)
Purpose: Transactional email (invitations, password resets, contact-form notifications) and inbound email forwarding for @hlccasemanager.org addresses
Data processed: Recipient and sender addresses, subject lines, message bodies. For outbound: only the content of the specific notification (no patient data unless explicitly included). For inbound: the content of any email sent to the App's support addresses.

Service: Expo (Expo, Inc., US)
Purpose: Application infrastructure — relays push notifications to your device's operating-system push platform (Apple's on iOS, Google's on Android), and delivers over-the-air application updates (JavaScript bundle + assets)
Data processed: For push: per-device push tokens, notification titles and bodies (which may include limited identifying context such as the name of a referring elder for registration-form alerts, but never the patient's name, contact details, or medical information). For updates: device platform, app version, and an Expo-issued install identifier; no user or patient data.

We do not integrate any advertising networks, social media SDKs, or tracking tools.

12. Tracking and Advertising

The App does not:

  • Track users across other apps or websites
  • Use advertising identifiers (IDFA or equivalent)
  • Contain any advertising
  • Share data with ad networks or data brokers

Our public website uses a single first-party storage entry (cookie_consent) to remember your analytics-consent choice, and — only if you have accepted — loads PostHog's analytics scripts as described in Section 3.5. The App itself does not use cookies of any kind.

The optional analytics feature (Section 3.3) uses a pseudonymous user identifier scoped to the App only. It is not used for cross-app or cross-site tracking.

13. Data Breach Notification

In the event of a data breach involving personal data:

  • We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33)
  • We will notify affected individuals without undue delay if the breach poses a high risk to their rights and freedoms
  • We will document all breaches in an internal breach register

14. Complaints

If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with your local data protection authority:

  • EU: Your national Data Protection Authority
  • UK: Information Commissioner's Office (ICO) — ico.org.uk
  • Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
  • Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd
  • Canada: Office of the Privacy Commissioner — priv.gc.ca

We will acknowledge all complaints within 30 days and aim to resolve them promptly.

15. Changes to This Policy

We may update this privacy policy from time to time. When we make material changes, we will notify users through the App. The "Last updated" date at the top of this policy indicates when it was last revised.

16. Regional Provisions

European Economic Area and United Kingdom

The legal bases for processing are set out in Sections 3.1 and 3.2. You have all rights listed in Section 8. Because the App processes special category data (health and religious-belief data) on a meaningful scale, a Data Protection Impact Assessment (DPIA) under Article 35 GDPR is being maintained for this processing activity. It is reviewed when the App's data processing changes materially and is available to supervisory authorities on request.

Australia

Health information is treated as sensitive information under the Privacy Act 1988 and applicable state health records legislation. The Australian Privacy Principles (APPs) are adhered to in full.

Brazil

Processing complies with the Lei Geral de Proteção de Dados (LGPD). Health data is treated as sensitive personal data requiring explicit consent under Articles 7 and 11.

United States

While HLCs are not covered entities under HIPAA, the App implements HIPAA-equivalent security measures for health information. The App complies with applicable state privacy laws including the California Consumer Privacy Act (CCPA/CPRA) and equivalent state legislation.

Canada

Processing complies with PIPEDA and applicable provincial health information legislation.

17. Contact

For any questions, concerns, or data rights requests regarding this privacy policy, please use our support contact form.