Last updated: May 14, 2026 · Pilot release
Summary. Face video never leaves the patient's device. Only numeric session metrics are uploaded. Patients are identified by an enrollment code the clinician assigns — no name, no email, no date of birth. Data is hosted in Ireland (EU) under GDPR. Patient accounts and sessions can be deleted by the clinician at any time.
All face tracking happens in the patient's browser using on-device machine learning (MediaPipe Face Landmarker). The camera stream is processed locally and never uploaded to any server. No video, image, or audio is recorded, transmitted, or stored by Nasal.
After each session, the patient's device uploads a numeric summary. No video, image, or audio is ever part of this upload; it contains only the measurements below:
| Field | Example | Purpose |
|---|---|---|
| Enrollment code | NSL-X4K2-B7PQ | Links session to the clinician's patient |
| Duration & events | 20 min, 12 events | Core clinical metrics |
| Per-block / per-session metrics | open %, sealed %, event count, longest streaks | Within-session and cross-session analysis |
| jawOpen timeline | 1 sample/second | Signal-level review in dashboard |
| Prompt-event records | response latency, hold-after-closure, gentle/firm | Compliance and consolidation analysis |
| Framing telemetry | too-close, face-missing, head-turn counts & durations | Camera-setup quality and attention signals — derived from the on-device face tracker, never the image itself |
| Modality & phase | video, discipline | Which activity type, which protocol phase |
| Session flags | test-fade, ended-early | Protocol-state markers for clinical interpretation |
| App version | 1.1.0 | Bug tracking and protocol versioning |
All of the above are numbers and short labels derived on the device from the face tracker — not the camera image. No video, image, audio, IP address, device fingerprint, cookie, or advertising identifier is collected.
When enrolling a patient, the clinician may optionally enter:
The clinician is responsible for maintaining the mapping from enrollment code to real patient identity in their own clinical records. Nasal stores no name, address, phone, email, photo, or full date of birth for patients.
To sign into the dashboard, clinicians provide an email address and a password. Passwords are hashed via Supabase Auth (bcrypt). The email is used solely for sign-in and account recovery; no marketing emails are sent.
The Nasal website has contact forms for prospective parents and prospective practitioners who want to learn more before any account exists. Submitting one of these forms stores the email address provided and any free-text message, together with optional details the sender chooses to include (for a practitioner: name, clinic, specialty). These inquiry messages are held so the Nasal team can respond.
A parent's free-text message may mention a child's circumstances. Inquiry messages are stored in the same EU-hosted database as all other data (Section 5), are visible only to the Nasal team, and are never used for advertising or shared with third parties. They can be archived and then permanently deleted (Section 6); an inquiry that has been converted into a real enrollment or clinician account is retained as part of that account's intake record. If you have sent an inquiry and want it erased, contact us (Section 13).
Backend data is stored in a Supabase-managed PostgreSQL database in Dublin, Ireland (AWS eu-west-1), within the European Economic Area. This hosting location applies to all clinicians and patients during the pilot, regardless of their country of residence.
Sessions are retained during active clinical use. Clinicians may deactivate a patient at any time — the enrollment code stops working immediately — or request full deletion of a patient's sessions. Clinicians may close their own account and delete all associated patient records.
Erasure is a built-in capability of the platform, not a manual favor. Records that no longer have an ongoing lawful basis for retention can be permanently deleted: clinician accounts that were never operational (rejected or suspended without ever having enrolled a patient), and inquiry messages that have been archived or marked as spam. Deletion is irreversible and is recorded in an internal audit log (see Section 9) — the log notes that an erasure occurred, by whom and when, but does not retain the deleted personal data itself. Records that are part of a real patient's care trail are protected from deletion by design.
Processing is carried out on the basis of the clinician's legitimate interest in treating their patient, with the patient (or patient's guardian) having given explicit consent to the clinician as part of their treatment intake. The clinician is the data controller; Nasal is the data processor.
Nasal does not sell, rent, or share patient data with any third party. Data is visible only to the clinician who enrolled the patient. No advertising, analytics, or behavioral tracking services are integrated.
All traffic uses TLS (HTTPS). Database access is enforced by row-level security: a clinician can only read or modify data belonging to patients they enrolled. Patient-app requests use a public anonymous key that can only invoke a fixed set of specific stored procedures — for example, enrollment-code verification, protocol retrieval, and session upload — and has no direct read or write access to any table.
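The access model described above can be expressed in PostgreSQL roughly as follows. This is an added illustration, not Nasal's actual schema: the table, column, and function names are hypothetical, and it assumes Supabase's standard `anon` and `authenticated` roles and its `auth.uid()` helper.

```sql
-- Hypothetical schema (names are illustrative, not Nasal's own).
create table patients (
  id              uuid primary key default gen_random_uuid(),
  clinician_id    uuid not null,          -- auth.uid() of the enrolling clinician
  enrollment_code text not null unique,
  active          boolean not null default true
);
create table sessions (
  id          bigint generated always as identity primary key,
  patient_id  uuid not null references patients(id) on delete cascade,
  duration_s  integer not null check (duration_s >= 0),
  event_count integer not null check (event_count >= 0),
  app_version text not null
);

-- With RLS enabled, a non-owner role sees no rows unless a policy admits them.
alter table patients enable row level security;
alter table sessions enable row level security;

-- Signed-in clinicians: only rows for patients they enrolled.
create policy clinician_own_patients on patients
  for all to authenticated
  using (clinician_id = auth.uid())
  with check (clinician_id = auth.uid());
create policy clinician_own_sessions on sessions
  for all to authenticated
  using (exists (select 1 from patients p
                 where p.id = sessions.patient_id and p.clinician_id = auth.uid()));

-- The public anonymous role gets no table privileges at all.
revoke all on patients, sessions from anon;

-- Its only write path: a narrow SECURITY DEFINER function that checks the code first.
create function upload_session(p_code text, p_duration_s integer,
                               p_event_count integer, p_app_version text)
returns void language plpgsql security definer
set search_path = public, pg_temp
as $$
declare v_patient uuid;
begin
  select id into v_patient from patients where enrollment_code = p_code and active;
  if v_patient is null then
    raise exception 'invalid or deactivated enrollment code';
  end if;
  insert into sessions (patient_id, duration_s, event_count, app_version)
  values (v_patient, p_duration_s, p_event_count, p_app_version);
end $$;
-- Functions are executable by PUBLIC by default; narrow that to anon only.
revoke execute on function upload_session(text, integer, integer, text) from public;
grant execute on function upload_session(text, integer, integer, text) to anon;
```

A useful check on a deployment built this way is to connect with the anonymous key and confirm that a direct `select` on either table is refused with a permission error while the function call still succeeds.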
Administrative actions — approving, rejecting, or suspending a clinician, and any permanent deletion of a record — are recorded in an internal audit log. Each entry notes which administrator performed the action, when, and the reason given. The audit log exists so that powerful actions, especially erasure, are never silent; it records that an action occurred without retaining the deleted personal data itself.
Nasal is a wellness prototype, not a medical device. It is intended as a supervised biofeedback and training aid used under the direction of a qualified clinician (orthodontist, myofunctional therapist, speech-language pathologist, or equivalent). It does not diagnose, treat, cure, or prevent any disease. No regulatory approval (CE-MDR, FDA, UKCA) has been sought or granted at this time.
Nasal is frequently used by children under 18 under the supervision of a parent and a clinician. No direct-to-child marketing occurs. Consent for a minor's data processing is the responsibility of the parent or guardian, collected by the clinician as part of the treatment agreement. If a child's account is identified without proper guardian consent, it will be deleted on notice.
Patients (or their guardians) have the right, via their clinician, to:
For privacy questions, data subject requests, or regulatory inquiries: contact the clinician who enrolled you, who will route the request. Nasal, as the data processor, will cooperate fully with data controllers (clinicians) on any valid request.