Privacy Policy
Effective date: June 11, 2026. Opendelphi is a research data-collection platform built for HIPAA compliance. This policy explains what data we handle — including protected health information — and how we protect it.
Who We Are and What This Covers
Opendelphi (opendelphi.org) is a consensus-driven research data-collection platform. Principal investigators design studies, expert panels reach consensus on instruments, and contributing institutes collect data from research participants. This policy covers three kinds of people: account holders (investigators, panelists, institute staff), research participants who respond to deployed instruments, and visitors to our website.
Data We Collect
Account data: name, email, organization, and role, used for authentication and access control.
Study content: study goals, instrument drafts, Delphi round responses, panelist ratings and rationales, and consensus records created by account holders.
Research response data: data collected from research participants through deployed instruments. Depending on the study, this may include protected health information (PHI). This data belongs to the study's sponsoring organization and is processed only as the study directs.
Operational data: authentication cookies, session records, and append-only audit logs of access to study data. We do not run third-party advertising trackers and we do not track you across other websites.
Protected Health Information (PHI) and HIPAA
Opendelphi is built for HIPAA compliance. When a covered entity or business associate uses Opendelphi to collect PHI, we make a Business Associate Agreement (BAA) available and require one to be in place before PHI collection begins. Under a BAA, we use and disclose PHI only as permitted by the agreement and as necessary to provide the service, we apply the safeguards described in this policy, and we report security incidents and breaches as the agreement and applicable law require. We are not a covered entity and we do not make treatment, payment, or coverage decisions. We do not claim any third-party certification of compliance; we describe our actual safeguards below so you can evaluate them.
How Research Data Is Protected
Isolation: every research data table is protected by database row-level security scoped on three axes — organization, contributing institute, and Delphi panel — so an institute can only ever read the rows it is entitled to. Isolation is enforced in the database itself, not just in application code.
Audit logging: access to study data is recorded in append-only audit logs. Audit entries cannot be edited or deleted by application users.
Anonymity: Delphi panelist identities are structurally separated from their round responses so that panel feedback remains anonymous to other panelists and to investigators, by design.
Encryption: data is encrypted in transit (TLS) and at rest.
De-identification on export: study data exports are de-identified — direct identifiers are stripped or transformed before data leaves the platform, and exports carry provenance describing the instrument version and consensus round that produced each field.
Where Your Data Lives
Platform data is stored in the United States on Supabase infrastructure in the us-east region. We do not move research data outside the US as part of normal platform operation.
How We Use Data
We use data to operate the platform: authenticating users, enforcing access controls, running Delphi rounds, deploying instruments, storing responses, and producing exports the study sponsor requests. We send essential account and study notifications. We never sell personal data or research responses. We do not use research response data to train AI models. AI features (such as instrument drafting) operate on study design content, not on participant response data.
Research Participants' Rights
If you participated in a study collected through Opendelphi, the study's sponsoring organization is the steward of your data, and your rights flow through the study's consent process. Studies that collect data through Opendelphi use electronic consent (eConsent) flows; the consent you were shown governs what was collected and why. To exercise rights over your study data — access, correction, or withdrawal — contact the research team identified in your consent form. If you cannot reach them, email hello@opendelphi.org and we will route your request to the responsible organization.
Account Holders' Rights
Account holders can access, export, correct, or delete their account data from account settings. If you are covered by GDPR, CCPA, or similar regulations, we honor applicable data-subject rights including access, portability, deletion, and objection to processing, subject to legal retention obligations (for example, audit logs and consent records that must be preserved for research compliance).
Retention
Account data is retained while your account is active and removed within 90 days of account deletion. Study data is retained as the sponsoring organization directs and as research regulations require. Audit logs and consent records are retained for the period required by applicable law and the governing agreements, because deleting them would defeat their purpose.
Changes and Contact
We will post updates to this policy on this page with a revised effective date, and notify account holders of material changes. Questions, requests, or concerns: hello@opendelphi.org.