In a letter to five Democratic senators, Alphabet’s Verily explained how it would protect data collected by its coronavirus screening website and defended its decision to require users sign in with a Google account to gain full access.

The Baseline Covid-19 website made a big splash in mid-March when President Donald Trump announced project at a press briefing that reportedly caught the Google sibling company off-guard. The idea for the site was to screen people for symptoms of the virus and direct them to nearby testing locations if they appeared to be a candidate. So far, the site has rolled out at a smaller scale initially than Trump originally suggested, having launched only in California. Verily is Alphabet’s life sciences company, which is run separately from Google.

The project drew swift criticism and concern after its announcement, especially over the site’s requirement that users have a Google account to access the full suite of tools. In late March, Sens. Bob Menendez, D-N.J., Sherrod Brown, D-Ohio, Cory Booker, D-N.J., Richard Blumenthal, D-Conn. and Kamala Harris, D-Calif., asked Verily CEO Andrew Conrad to answer questions on its commitments to user privacy. The same group of senators earlier questioned both Alphabet CEO Sundar Pichai and Vice President Mike Pence about whether they’d considered the implications of such a project, and asked about Google’s other work in the healthcare space.

Responding to senators in an April 10 letter, Conrad said the company would not use data collected through the Baseline Covid-19 website for commercial purposes or any uses not described in the project. He also said the company would not sell any data collected through the site to third parties and that the project would adhere to the standards of the California Consumer Privacy Act (CCPA) in other states that don’t have “comparable” frameworks. The letter was made public Tuesday night.

But Conrad defended Verily’s decision to make visitors to the site sign in through a Google account, saying the accounts are used to authenticate users. He wrote that coming up with an alternative method would have risked compromising users’ security. 

The company gave no indication it would expand authorization options later on, saying it “does not currently intend to provide a different mechanism for authentication” on the site. Verily said it recently created a screening tool that does not require authentication and is based on guidelines from the Centers for Disease Control and Prevention (CDC). That version of the tool, however, does not give users access to a secure test results portal or updates on changing testing criteria. 

Verily said it has no way to determine whether visitors to the site did not proceed with the screening because they didn’t have a Google account.

Menendez said in a statement he was pleased to get a “firm commitment” from the company on its data protection standards but said he was still “concerned” Verily would not quantify how many people could not participate in the screening because they did not have a Google account.

“If Verily is seriously considering expanding these sites to other states — or nationally — my hope is that they address this question and provide an alternate authentication method to ensure that anyone interested in accessing a testing site can use the program,” Menendez said.

Conrad would not provide a timeline to senators for the broader roll-out of the project, which has so far only launched in parts of California. As of the morning of April 9, Verily said, nearly 15,000 of the 68,000 people who completed the screening were eligible to be tested. More than 7,300 of those people were tested for the virus, according to Verily.

Conrad wrote that Verily was “in final discussions with entities that will operate in other states.”