Privacy Policy

Effective June 24, 2026

1. Plain-language summary

SecondLook is a beta research preview operated by Woggner Strategies, LLC (dba HoggHealth). We collect the symptom narrative and demographic information you enter, your IP address, browser type, and the AI-generated analysis output. We store it on Vercel and Upstash, send portions to OpenAI and Anthropic so their language models can produce the analysis, and use the records to debug, improve, and evaluate the Service. We do not sell your data and we do not run advertising. We are not a HIPAA-covered entity, have not undergone a SOC 2 or HITRUST audit, and you should not use SecondLook for protected health information you would not be comfortable sharing through a non-regulated beta product. Read on for the details.

2. Who we are

Woggner Strategies, LLC, a California limited liability company doing business as HoggHealth (referred to in this policy as “HoggHealth,” “SecondLook,” “we,” or “us”), is the data controller for personal information collected through the SecondLook web application.

3. What we collect

When you use SecondLook we collect:

  • Information you provide: your symptom narrative and medical history (the “chief complaint” free-text field), demographics (age, biological sex), patient-supplied hypothesis (if any), structured lab values you upload, your answers to clarifying questions in the refinement flow, and any feedback you submit through the in-product survey.
  • Technical information collected automatically: your IP address, browser user-agent, and timestamps of your requests.
  • AI-generated output: the differential diagnosis ranking, evaluator scoring, recommended tests, and other analysis the Service produces in response to your input.
  • Pipeline metadata: stage durations, token usage, model identifiers, and summary diagnostic logs used to monitor and improve the Service.

We do not require an account during the beta and do not collect your name, email address, phone number, or address unless you contact us directly.

4. How we use it

We use the information we collect to:

  • Run the SecondLook AI diagnostic pipeline and return the analysis to you;
  • Debug pipeline failures and individual analysis runs;
  • Evaluate the Service against benchmark cases, measure accuracy, and improve the prompts, knowledge base, and selection logic over time;
  • Respond to your messages and feedback;
  • Detect and prevent abuse, fraud, and security incidents; and
  • Comply with our legal obligations.

5. Where the data lives — our infrastructure stack

We use the following third-party providers to operate the Service. Each link goes to that provider’s own privacy policy.

  • Vercel — application hosting, server-side function execution, and analytics (Vercel Analytics + Speed Insights, no marketing cookies). Vercel handles inbound requests and runs our code. Vercel privacy policy.
  • Upstash Redis — the database where saved analysis records, feedback responses, and the rare-disease knowledge base are persisted. Upstash privacy policy.
  • OpenAI — large language models used in the analysis pipeline (triage, specialist agents, o3 critique). Your symptom narrative and the generated context are sent to OpenAI to produce reasoning output. We use the OpenAI API, which (under OpenAI’s current default terms) is not used to train OpenAI’s models. OpenAI privacy policy.
  • Anthropic — Claude models used in the evaluator, synthesizer, finalizer, and narrative-merger stages of the analysis flow and in the synthetic patient generator and grading flows for our testing framework. The Anthropic API (under Anthropic’s current default terms) is not used to train Anthropic’s models. Anthropic privacy policy.
  • UMLS (U.S. National Library of Medicine) — used to validate medical terminology in the symptom-mapping step. We send the parsed medical term only, not the full narrative. NLM privacy notice.
  • @sparticuz/chromium (release tarball) — the headless Chromium binary used for server-side PDF rendering is downloaded at function cold start from the public GitHub release of the Sparticuz/chromium project. No user data is sent to GitHub in this fetch.

We do not use any third-party advertising network, marketing tracker, behavioral analytics tool, or data broker.

6. How long we keep it

  • Analysis records (patient case + analysis output + IP): 90 days, then automatically deleted from Upstash Redis.
  • Feedback survey responses: 365 days, then automatically deleted from Upstash Redis.
  • Operational logs (Vercel function logs): retained per Vercel’s default retention (currently 30 days on the relevant plan tier).
  • Backups and aggregate statistics: aggregate, de-identified metrics (e.g., “average pipeline duration this week”) may be retained longer for trend analysis. We do not retain identifiable backups.

7. Sharing

We share information with the third-party providers listed in Section 5 strictly to operate the Service. We do not sell, rent, or trade your personal information. We do not share it for advertising or marketing purposes. We may disclose information when required by law, in response to a valid legal process, or to protect the rights, safety, or property of HoggHealth or others.

If we are ever involved in a merger, acquisition, financing, or sale of assets, your information may be transferred to a successor entity, subject to the terms of this policy.

8. Security and compliance posture

We follow practices aligned with the protections required by the HIPAA Privacy and Security Rules — including transport encryption (TLS), encryption at rest in Upstash, role-restricted access to administrative tooling, server-side rate limiting, and minimization of data sent to third-party LLM providers. SecondLook is not a HIPAA-covered entity, does not enter into Business Associate Agreements with users, and has not undergone a SOC 2, HITRUST, or similar third-party security audit. You should not submit information through SecondLook that you would not be comfortable sharing through a non-regulated beta product.

No system is perfectly secure. We cannot guarantee that data will not be subject to unauthorized access despite our practices, and you use the Service at your own risk.

9. Your choices

You can:

  • Use the Service without an account. We do not require account creation.
  • Request access to or deletion of the analysis records associated with your submissions by emailing privacy@SecondLookDx.com. Because we do not require accounts, you will need to provide enough information (e.g., the approximate date and time of the analysis, the IP address you used) for us to identify the record. During the beta this is a manual process; we will aim to respond within 30 days.
  • Refuse the feedback survey — the in-product survey is dismissible via the X in the corner.
  • Stop using the Service. You can leave at any time. Records you already submitted will remain in our infrastructure for the retention windows described above.

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including the right to know, delete, and correct personal information and to opt out of the “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined under the CCPA. To exercise any CCPA right, contact us at the email above.

10. Cookies and analytics

We use Vercel Analytics and Vercel Speed Insights to measure aggregate usage patterns and page performance. These tools use cookies and local storage to attribute events to a session. We do not use third-party marketing cookies, advertising pixels, or cross-site tracking. We do not honor “Do Not Track” signals because there is no industry-standard interpretation of them.

We use your browser’s local storage and sessionStorage to keep the multi-step form responsive and to remember in-progress analyses. That data lives in your browser only; clearing site data removes it.

11. Children

The Service is not directed to children under 18 and we do not knowingly collect personal information from children. If you believe a child has submitted information to us, contact privacy@SecondLookDx.com and we will delete it.

12. International users

The Service is hosted in the United States. If you access the Service from outside the United States, you understand that information you submit will be transferred to and stored in the United States. We do not represent that the Service is suitable or available for use in other jurisdictions.

13. Changes to this Policy

We may update this Privacy Policy from time to time. We will update the “Effective” date at the top of the page when we do. Material changes will be highlighted on the homepage or otherwise made reasonably visible.

14. Contact

Privacy inquiries and rights requests:

privacy@SecondLookDx.com

General questions: support@SecondLookDx.com

Woggner Strategies, LLC (dba HoggHealth)
California, United States