MedRecords AI may collect or process the following categories of information in the course of providing our services:
- Protected Health Information (PHI). Medical records, billing documents, provider information, and other health-related data that you process through the MedRecords AI platform. All PHI is processed locally on your hardware and is never transmitted to our servers unless you explicitly configure a cloud AI backend.
- Account Data. Username, hashed password (using industry-standard bcrypt hashing), and optional TOTP (Time-Based One-Time Password) secret for two-factor authentication. We never store plaintext passwords.
- Usage Telemetry. Pseudonymized usage metrics including a hashed machine identifier (a SHA-256 hash derived from your system hostname — we do not store the raw hostname), application version, AI model usage statistics (token counts and estimated costs), pipeline run counts, and software update status. This data is transmitted daily for billing, product improvement, and license compliance. All telemetry is sanitized before transmission through automated filters that redact any PHI or credentials. You may disable telemetry through the Settings panel in MedRecords AI.
- Technical Data. IP address (used solely for rate limiting and security purposes), browser type, and operating system version. This data is collected only during active sessions and is not used for tracking or advertising purposes.
MedRecords AI is architected with a privacy-first design. The following describes how your data is processed at each layer of the system:
- On-Premise Processing. All PHI processing happens locally on your own hardware. The MedRecords AI application runs entirely on your machine — medical records are ingested, analyzed, and summarized without ever leaving your computing environment by default.
- No Cloud Uploads by Default. PHI never leaves your machine unless you explicitly configure a cloud AI backend. Out of the box, MedRecords AI performs all AI processing locally using Ollama or processes data entirely offline.
- AWS Bedrock (Optional). When you explicitly configure AWS Bedrock as your AI backend, data is transmitted to Amazon Web Services for AI inference. AWS Bedrock is a HIPAA-eligible service covered under the AWS Business Associate Agreement (BAA). You must maintain your own BAA with AWS to use this feature in a HIPAA-compliant manner.
- Ollama (Local AI). When configured to use Ollama, all AI processing occurs entirely on your local machine. No data is transmitted over the network, and no external services are contacted for AI inference.
- Telemetry. Pseudonymized usage metrics are transmitted daily for billing and product improvement. These metrics contain zero PHI and cannot be used to reconstruct any patient information or case data. You may disable telemetry through the Settings panel; when disabled, no usage data is transmitted.
- Legal Basis for Processing. We process your data as necessary for: (a) the performance of our contract with you (providing the MedRecords AI software and services); (b) our legitimate interests in improving, securing, and billing for the product (pseudonymized telemetry and usage metrics); and (c) compliance with applicable law, including HIPAA. For PHI, our processing is authorized under and governed by the applicable Business Associate Agreement executed with the Covered Entity.
We implement multiple layers of security controls to protect your data at rest and in transit:
- Encryption at Rest. All PHI stored by MedRecords AI is encrypted using Fernet encryption (AES-128-CBC + HMAC-SHA256), providing both confidentiality and integrity verification for every encrypted record.
- Database Security. The SQLite database operates in WAL (Write-Ahead Logging) mode for reliability and is encrypted upon application shutdown, ensuring that PHI is never stored in plaintext on disk when the application is not running.
- Encrypted Backups. Automated encrypted backups are created with configurable retention policies. The system retains the 5 most recent backups and securely deletes older ones to minimize data exposure.
- Browser Data. The web interface uses sessionStorage for session-scoped data that is cleared when the browser tab is closed. Chat conversation history is stored in localStorage for user convenience and persists across sessions; this data remains on your local machine and is never transmitted to our servers. No PHI is stored in localStorage.
- Cookies. MedRecords AI uses a single HTTP-only, SameSite session cookie for authentication. This cookie contains a session identifier only, does not contain PHI, and expires after 8 hours of inactivity. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
- PHI Pre-Scrub. A defense-in-depth PHI pre-scrub filter operates at all LLM API boundaries, ensuring that sensitive information is sanitized before any data is transmitted to external AI services.
- Sanitizing Log Filters. Application logs are filtered through sanitization routines that prevent PHI from appearing in log files, error reports, or diagnostic output.
MedRecords AI integrates with the following third-party services. We are committed to ensuring that PHI is never shared with services that are not covered by appropriate agreements:
- AWS Bedrock. HIPAA-eligible AI inference service provided by Amazon Web Services. Used only when the customer explicitly configures cloud AI as their backend. Requires the customer to maintain their own Business Associate Agreement (BAA) with AWS. Data transmitted to Bedrock is subject to AWS's privacy and security practices.
- Ollama. Open-source local AI runtime that runs entirely on your machine. No data is transmitted externally. Ollama operates as a local process and does not communicate with any remote servers for AI inference.
- Stripe. Payment processing service used exclusively for license purchases and subscription billing. No PHI is shared with Stripe. Only standard commercial transaction data (name, email, payment method, transaction amount) is processed by Stripe in accordance with their privacy policy.
- Anthropic (Claude API). When configured, the Anthropic Claude API may be used for campaign email generation and other non-PHI tasks. PHI is never transmitted directly to Anthropic's servers; all medical record processing routes through local Ollama models or AWS Bedrock. Data submitted to Anthropic is governed by Anthropic's privacy policy and terms of service.
- Sub-processors. The only sub-processor authorized to process PHI on our behalf is Amazon Web Services (AWS Bedrock), and only when explicitly configured by you. We will notify customers of any material changes to our sub-processor list at least 30 days in advance.
- No Other Third-Party PHI Sharing. No other third-party services receive, process, or have access to your PHI. We do not sell, rent, or share PHI with advertisers, data brokers, or any other third parties.
As a MedRecords AI customer, you have the following rights with respect to data processed and stored through the platform. When Productivity AI, LLC processes PHI on your behalf — for example, when AWS Bedrock is configured as your AI backend or when technical support involves access to PHI — we act as a Business Associate under HIPAA and execute a Business Associate Agreement (BAA) with you. When you use fully local processing (e.g., Ollama) and no PHI is transmitted to or accessible by us, Productivity AI, LLC operates as a software licensor and is not a Business Associate. In all cases, these rights are provided under your license agreement and applicable law:
- Right to Access. You have the right to access all PHI processed and stored by MedRecords AI on your system. Because all data resides on your own hardware, you maintain direct control over and access to all PHI at all times.
- Right to Request Corrections. You have the right to request corrections to any PHI that you believe is inaccurate or incomplete. You may edit, update, or correct any records directly within the MedRecords AI application.
- Right to Request Deletion. You have the right to request deletion of PHI. MedRecords AI supports secure deletion with data overwrite — when files are deleted, they are overwritten with random data before removal from the filesystem, providing defense-in-depth against software-level recovery tools.
- Right to Data Portability. You have the right to export your data. MedRecords AI provides backup export functionality that allows you to extract all case data, summaries, and records in portable formats.
- Right to Breach Notification. In the event of a breach of unsecured PHI, we will notify affected Covered Entities without unreasonable delay, consistent with the requirements of 45 CFR 164.410 and the timeframe specified in the applicable Business Associate Agreement. We will cooperate fully with breach investigation, mitigation, and notification efforts.
- Right to File a Complaint. You have the right to file a complaint with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights if you believe your privacy rights have been violated. We will not retaliate against you for filing a complaint.
MedRecords AI provides comprehensive, user-configurable data retention controls:
- Configurable Retention Periods. You may configure retention periods for medical records and summaries according to your organization's policies and applicable legal requirements. Retention settings are fully within your control.
- Automated Retention Enforcement. The system enforces retention policies automatically through both daily and hourly retention cycles, ensuring that expired data is promptly and reliably removed.
- Secure Deletion. When PHI files reach their retention expiration or are manually deleted, they are overwritten with random data before removal from the filesystem, providing defense-in-depth against software-level recovery. Due to modern storage hardware characteristics (SSD wear leveling, filesystem journaling), this may not prevent all hardware-level forensic recovery. We recommend enabling full-disk encryption (e.g., BitLocker on Windows) on all systems processing PHI.
- Backup Pruning. Encrypted backups are automatically pruned to retain only the 5 most recent backups. Older backups are securely deleted to minimize the volume of stored PHI and reduce exposure risk.
Depending on your state of residence, you may have additional privacy rights:
- Virginia Consumer Data Protection Act (VCDPA). If you are a Virginia resident, you may have the right to: (i) confirm whether we process your personal data; (ii) access your personal data; (iii) correct inaccuracies; (iv) delete your personal data; (v) obtain a portable copy; and (vi) opt out of targeted advertising, sale of personal data, or profiling. We do not sell personal data or engage in targeted advertising. To exercise your rights, contact us at dan.direnfeld@aiproductivity.dev. If we deny your request, you may appeal by contacting us within 30 days. If the appeal is denied, you may contact the Virginia Attorney General.
- California Consumer Privacy Act (CCPA/CPRA). If you are a California resident, you have the right to: (i) know what personal information we collect, use, and disclose; (ii) request deletion of your personal information; (iii) opt out of the sale or sharing of personal information; and (iv) non-discrimination for exercising your rights. We do not sell or share personal information as defined by the CCPA. To exercise your rights, contact us at dan.direnfeld@aiproductivity.dev.
MedRecords AI is a professional software tool designed for use by personal injury law firms and legal professionals. It is not directed at children under the age of 13.
We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take immediate steps to delete such information. If you believe that a child under 13 has provided us with personal information, please contact us at dan.direnfeld@aiproductivity.dev.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors:
- Material Changes. For material changes that significantly affect how we collect, use, or share your information, we will provide at least 30 days' advance notice via email to the address associated with your account and through an in-app notification within MedRecords AI.
- Non-Material Changes. For non-material changes (such as clarifications, formatting updates, or minor wording adjustments), the updated policy will be posted on this page with a revised effective date.
- Continued Use. Your continued use of MedRecords AI after the notice period for a material change constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you may discontinue use of the Software and request deletion of your data.
If you have questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:
We will respond to all privacy-related inquiries within 30 days of receipt. For matters involving PHI or potential breaches, we will respond without unreasonable delay consistent with the applicable Business Associate Agreement and 45 CFR Part 164.
Copyright © 2026 Productivity AI, LLC. All rights reserved.
MedRecords AI is a trademark of Productivity AI, LLC.