Snapval Privacy Policy

Effective Date: May 1, 2026

Snapval is a clinical evaluation platform designed for use by graduate medical education (GME) programs. This Privacy Policy describes what personal information Snapval collects, how it is used, and how it is protected. We are committed to handling your information responsibly and transparently.

1. Who We Are

Snapval is operated by Eric Kort as a sole proprietorship doing business under the Snapval name. References to "we," "us," or "our" in this policy refer to that individual and the Snapval platform.

For privacy-related questions, you may contact us at: privacy@snapval.io

2. Who This Policy Applies To

This policy applies to all users of the Snapval platform, including:

  • Residents and fellows (trainees) enrolled in participating GME programs
  • Faculty and supervising physicians who submit evaluations
  • Program administrators and program directors who manage program data

> Note: Snapval is deployed at the discretion of individual GME programs. The program administrator acts as the party responsible for enrolling users and configuring program-specific data. Snapval does not independently solicit or enroll individual residents.

3. Information We Collect

3.1 Information Provided by Program Administrators

Program administrators may provide the following information when setting up trainee profiles:

  • Full name
  • Institutional email address
  • Program name and institutional affiliation
  • A URL linking to a headshot image hosted on the institution's own directory or systems

> Note: Snapval does not host or store headshot images. We store only the URL provided by the program administrator. The image itself remains on the institution's servers, subject to that institution's own policies.

3.2 Information Collected Automatically

When users interact with the Snapval platform, we may collect:

  • Login and session metadata (timestamps, authentication events)
  • Basic usage data necessary to operate the service (e.g., form submission events)

We do not use tracking pixels, advertising cookies, or third-party analytics services that share data with advertisers.

3.3 Evaluation Content

The core function of Snapval is to capture structured clinical performance evaluations. This content — which may include assessments of a trainee's clinical skills, professionalism, and progress — is submitted by supervising faculty and stored on behalf of the program. This content is considered sensitive and is treated accordingly.

4. How We Use Your Information

We use the information collected solely to:

  • Authenticate users and provide access to the platform
  • Display trainee profiles to evaluators within the same program
  • Store and retrieve evaluation content on behalf of the program
  • Communicate with program administrators regarding platform operation

We do not sell, rent, or share personal information with third parties for marketing purposes. We do not use evaluation content to train machine learning models or for any purpose outside of service delivery.

5. Legal Basis and Regulatory Context

Snapval operates in the context of graduate medical education. Evaluation records for trainees in ACGME-accredited programs are generally considered education records subject to the Family Educational Rights and Privacy Act (FERPA), not protected health information (PHI) under HIPAA, provided that evaluations concern academic and professional performance rather than patient care in a treatment context.

Program administrators are responsible for ensuring that their use of Snapval is consistent with their institution's FERPA obligations, applicable accreditation requirements, and any applicable state privacy laws.

> Note: If your institution requires a Data Processing Agreement (DPA) or Business Associate Agreement (BAA), please contact us to discuss your requirements before deploying Snapval.

6. Data Storage and Security

Snapval is built on Vercel (application hosting) and Supabase (database and authentication). Both providers maintain SOC 2 Type II certification and implement industry-standard security controls. Data is encrypted in transit (TLS) and at rest.

Access to evaluation data within the platform is restricted by row-level security policies, which enforce that users can only access data belonging to their own program. Administrative access to the underlying database is restricted to the platform operator.

We conduct periodic security reviews of the application and address identified vulnerabilities on an ongoing basis. We maintain a responsible disclosure process for security researchers — see Section 9.

7. Data Retention

We retain personal information and evaluation content for as long as a program remains active on the platform, or as otherwise agreed with the program administrator.

Upon termination of a program's use of Snapval, or upon written request from a program administrator, we will delete or return program data within a reasonable timeframe. Individual users may also request deletion of their personal information by contacting us at the address below.

> Note: We process deletion requests manually. We will confirm receipt and complete requests within 30 days. Deletion of evaluation content may be subject to the program administrator's approval, as that data may be considered an institutional record.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your personal information
  • Object to or restrict certain processing

To exercise any of these rights, contact us at privacy@snapval.io. We will respond within 30 days.

9. Security Vulnerability Disclosure

If you believe you have discovered a security vulnerability in the Snapval platform, please report it responsibly by emailing privacy@snapval.io with a description of the issue. We ask that you allow us reasonable time to investigate and remediate before any public disclosure. We do not pursue legal action against researchers acting in good faith.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this document. For material changes, we will notify program administrators by email. Continued use of the platform following notice of a change constitutes acceptance of the updated policy.

11. Contact

For questions, concerns, or requests related to this Privacy Policy:

Eric Kort
Operating as Snapval
Email: privacy@snapval.io
Grand Rapids, Michigan, USA