AI growth operating system
The goal is not to add AI sparkle. It is to make ordering, follow-up, partner acquisition, compliance, and product iteration compound faster than a normal lab storefront.
Priority tools
7
Sprints
5
Guardrails
4
The stack
Each tool has a lane, an activation point, and hard guardrails so growth does not outrun trust.
AI concierge
A lab-ordering guide that explains panels, prep, and results in plain English without diagnosing.
Panel recommendation, fasting education, result-prep education, and clinician-escalation prompts.
No diagnosis
No treatment plans
No medication advice
Product analytics
Shows where people drop in quiz, ZIP, checkout, account creation, and result viewing.
Capture non-PHI funnel events through the server-side growth event endpoint.
No result data
No intake fields
No raw ZIP on health-intent events
Lifecycle automation
Turns one order into a relationship with onboarding, order updates, result reminders, and retest flows.
Abandoned checkout, requisition ready, results ready, 12-week retest, and annual panel reminders.
No lab values in email subject
No sensitive panel names in marketing
Clear unsubscribe/preferences
SMS/support
SMS/WhatsApp updates for order instructions, appointment reminders, and concierge support.
Requisition ready, fasting reminder, location instructions, result-ready notification.
No biomarkers in SMS
No diagnosis language
Portal link for sensitive details
Lab acquisition
Builds the lab-partner machine: find CLIA labs, enrich contacts, score fit, and draft outreach.
Create weekly lead lists for regional labs, mobile phlebotomy, and partner BD contacts.
No fake partnership claims
No patient examples
No scraping behind logins
Lab acquisition
Keeps the lab network database fresh by monitoring clinic pages, price pages, and coverage pages.
Weekly crawl for new regional lab locations, cash-pay menus, and contact forms.
Do not automate orders
Do not copy competitor text
Flag stale price data
Compliance/trust
Creates a living trust program for HIPAA, SOC 2, vendor review, access control, and evidence.
Vendor inventory, policies, employee training, access reviews, and audit evidence.
No 'HIPAA certified' claim
Document scope honestly
Review tracking pixels on health pages
Compliance/trust
A later infrastructure option if PHI scope outgrows the current Vercel/Supabase/Railway setup.
Dedicated PHI services, audit-heavy result storage, and stricter enterprise partner requirements.
BAA is not compliance by itself
Application auth still matters
Least-privilege service design
Compliance/trust
Catches checkout, provider, webhook, and result-flow failures before customers lose trust.
Error monitoring, uptime alerts, release tracking, and failed provider-call triage.
No request body capture
No result payload capture
No secrets in breadcrumbs
Premium UI
Keeps the product visually close to Superpower/Function/Hims: premium, calm, fast, and decisive.
Landing, checkout, dashboard, result trends, program pages, and mobile polish.
No dark-pattern urgency
No unsubstantiated outcomes
No diagnosis/treatment UI copy
Build order
Now
Know where buyers slow down before spending on ads or affiliates.
Server-side event endpoint accepts sanitized funnel events
Catalog, ZIP, checkout, and result events have definitions
Now
Make panel choice feel guided while keeping medical claims conservative.
Rules-based recommendations work without API keys
Live model mode is gated behind BAA acknowledgement
Next
Turn a one-time order into a repeat health relationship.
Abandoned checkout and result-ready journeys are mapped
SMS/email templates avoid lab values and sensitive details
Next
Compound coverage by finding, scoring, and contacting labs every week.
CMS CLIA and regional lab sources feed a reviewed lead queue
Outreach drafts never imply existing partnerships
Before scaling PHI
Make the company credible for partners, customers, and future clinical tracks.
Vendor inventory and BAA needs are tracked
Audit-log requirements are documented
Operating rules
This is healthcare-adjacent growth. The company gets stronger if the privacy posture is boring, strict, and documented from the beginning.
Keep selling labsAI can explain what a panel includes and when to discuss results with a clinician; it must not diagnose, treat, prescribe, or tell users to ignore a clinician.
Analytics, outreach, design, and AI tools receive the smallest possible payload. Sensitive details stay in the secure app unless a vendor is approved for that use.
Partner outreach, clinical copy, abnormal-result messaging, and live AI prompt changes need human review before release.
Use funnel data, partner response rates, support tickets, and order completion before committing to expensive enterprise deals.
Environment checklist
| Tool | Lane | Env vars | Before PHI |
|---|---|---|---|
| OpenAI API concierge | AI concierge | OPENAI_API_KEY, OPENAI_MODEL, AI_CONCIERGE_MODE, OPENAI_HEALTHCARE_BAA_ACK | Executed BAA, Zero-retention eligible setup, Prompt logs disabled |
| PostHog | Product analytics | POSTHOG_PROJECT_API_KEY, POSTHOG_HOST | Analytics tracking inventory, PHI minimization policy, Authenticated-page tracking review |
| Customer.io or Resend lifecycle | Lifecycle automation | CUSTOMERIO_SITE_ID, CUSTOMERIO_API_KEY, RESEND_API_KEY | Consent language, Messaging preference center, BAA/vendor review if PHI enters messages |
| Twilio messaging | SMS/support | TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN, TWILIO_MESSAGING_SERVICE_SID | A2P 10DLC setup, Consent capture, BAA/compliance review |
| Clay + Apollo | Lab acquisition | CLAY_API_KEY, APOLLO_API_KEY | No patient data in outbound tools, Human review of generated outreach, Opt-out honoring |
| Firecrawl/Apify research jobs | Lab acquisition | FIRECRAWL_API_KEY, APIFY_TOKEN | Robots/terms review, Source attribution, Manual verification before publishing |
| Vanta or Drata | Compliance/trust | No app env yet | Risk assessment, Vendor inventory, Incident policy |
| Aptible or healthcare cloud posture | Compliance/trust | No app env yet | Hosting BAA, Encryption posture, Backup/disaster recovery |
| Sentry | Compliance/trust | SENTRY_DSN | PII scrubbing, Allowed-context list, Alert routing |
| v0 + Cursor + Figma/Pageflows | Premium UI | No app env yet | Do not paste real patient data into design tools, Use synthetic screenshots only |
Current implementation
The app now has a concierge endpoint, a sanitized growth-event endpoint, and this roadmap as structured data. The next unlock is connecting real accounts and credentials.