Privacy Policy for STI Test Result Handling

Introduction

We respect your privacy and are committed to protecting your sensitive information. This policy explains how we handle your STI test results when you submit them for participation in our events.

Information Collected

We request proof of recent STI test results (within the last 3 months) to confirm your eligibility. We only require:

  • Your full name and date of birth

  • The date and results for the required STI tests (see Use of Test Results)

We do not require any additional medical or personal information beyond what is necessary for event participation.

How Information is Collected

You will upload your test results through a secure form. Files will be stored in a restricted Google Drive folder.

Who Can Access Your Records

Access to your STI test results is strictly limited:

  • Administrator: The organization’s owner, who manages the Google Drive account, may have access for managing the storage system.

  • Reviewer: Up to 3 designated individuals responsible for reviewing test results for compliance purposes.

  • Technical Support (if needed): An engineer may access the system to troubleshoot issues. This access is logged and controlled.

  • Development Team (if you opted in): For users who opt in, a developer may access their uploaded test results as part of developing and improving the code that helps process test results. This access is logged and controlled.

All individuals with access to your data follow strict confidentiality protocols.

Confidentiality and Non-Disclosure

All staff members, including volunteers or any third-party technical personnel, are required to sign a strict confidentiality agreement before gaining access to any of your STI test data. Unauthorized access, sharing, or use of this information may result in immediate termination of their role and may lead to legal consequences.

How Long We Keep Your Records

We strive to delete your records as soon as they are no longer needed:

  • Retention Period: Your STI test results will be deleted after processing, and no later than 14 days after submission.

  • Google Recovery Period: Files may remain in Google’s recovery system for up to 25 days. Only a Google administrator can restore them, and we ensure they remain inaccessible unless absolutely necessary.

  • Exception: If you opt in to allow us to use your results for system development, they may not be deleted immediately. You may request deletion at any time by emailing team@topfloorclub.com, and your results will be removed from our systems within 72 hours.

Use of Test Results

Your test results are used only to verify your eligibility for events and, for users who opt in, to help us develop and improve our automated processing system:

  • Manual Review: If the automated system cannot read your test result, it may be reviewed manually by the Administrator or a designated Reviewer.

  • System Development and Testing: For those who opt in, your data may be used to develop and test our systems.

For participation in our events, we verify that your tests were conducted within the specified time frame and that the results are negative, or, in the case of someone with HIV on antiretroviral therapy (ART), that they have an undetectable viral load, which means they are not infectious.

Security Measures

We take the security of your information seriously and implement multiple controls to safeguard it:

  • Encryption. Your data is encrypted both during transfer and at rest, ensuring that it is protected from unauthorized access at all times.

  • Multi-Factor Authentication (MFA). Every account that can access your records is required to use multi-factor authentication. This means that in addition to a password, a second layer of verification is necessary to log in, enhancing account security.

  • Access Logs and Reviews. Access to the folder containing your STI test results is logged. Every time someone views or modifies a file, it is recorded in the access logs.

  • Periodic Review: These logs are systematically reviewed every 30 days by the organization’s Administrator to ensure there has been no unauthorized access. Any anomalies or unauthorized actions are investigated.

Sharing and Third-Party Access

  • No External Sharing: We do not share your STI test results with any third-party organizations or other members. The only exceptions would be:

    • If a third-party provider is engaged to assist with manual or automated reviews, in which case strict confidentiality agreements would be in place.

    • With The Play (a play party in LA), if you want to leverage your Top Floor membership to skip their application process and attend their parties. In this case, we share only the date of the most recent STI tests that you uploaded that met our criteria for participation.

    • With OpenAI (see below).

How We Sanitize Your STI Documents for OpenAI

Before any lab report leaves our control, we run it through a dedicated redaction pipeline inside Google Cloud:

  • We extract text from PDFs and images, then use Google Cloud’s Data Loss Prevention (DLP) service to replace every personal identifier—names, dates of birth, addresses, phone numbers, specimen/control/account numbers, physician identifiers, etc.—with generic placeholders like [PERSON_NAME] or [LAB_SPECIMEN_ID].

  • Even the original file names are stripped; the only thing that leaves our environment is a block of sanitized text labeled “Sanitized document #1,” “#2,” and so on. If a file doesn’t contain usable text after sanitization, the process halts and the submission is flagged for manual review.

  • Raw uploads never touch OpenAI. We keep them confined to our Google Cloud project, and OpenAI sees only the redacted text we described above—there’s no way to reconstruct an individual’s identity from the prompt they receive.

  • We log each sanitization step so we can audit the process and confirm that redaction succeeded before completing the rest of the verification workflow.

In short, AI helps us read your lab report, but only after every piece of identifiable information has been removed.

Data Breaches

If there is a data breach, we will:

  • Notify you within 72 hours of discovery.

  • Immediately secure the system and investigate to prevent further breaches.

  • Take steps to ensure the breach is not repeated.

Your Rights

You have the right to:

  • Request the immediate deletion of your records at any time before the 14-day retention period ends.

  • Ask us how your data is stored and used, and we will respond promptly.

Policy Updates

This policy may change as we improve our systems. You will be notified of any significant updates, and the most current version will always be available on our website.

Contact Us

For any questions or concerns about this policy, please reach out to team@topfloorclub.com