
Privacy

Last updated 2026-04-29

The short version

  • Your recordings, transcripts, and summaries are yours. We don't sell them, share them with advertisers, or use them to train AI models — yours or anyone else's.
  • Audio recordings and medication photos are encrypted on your device before they leave it. The key is held on your device. We cannot read those files on our servers.
  • You can export everything in your account at any time. You can delete your account at any time; we hold soft-deleted data for 30 days so you can change your mind, then it's permanently removed.
  • We're early-access and finalizing this policy with counsel. The substance below reflects how the product actually handles your data today.

Who this policy covers

PatientPilot is a tool for individuals and caregivers to record their own (or a family member's) medical visits and keep track of conditions, medications, and questions. This policy covers what we collect from you when you use the product — through the web app, mobile-installed PWA, and any related features.

PatientPilot is not a clinic, hospital, or health plan. We are not a HIPAA-covered entity. You provide your health information to us directly, as a consumer of a health-adjacent product. Many of the same protections apply — see "How we protect your data" — and where US state law (such as Washington's My Health My Data Act) gives you specific rights, we honor those.

What we collect

Things you give us directly

  • Account info: email address, display name, the identity provider you used to sign in (Google or Apple, if any), and your language and reading-level preferences.
  • Optional profile info: birth year, sex, country, state, and postal code if you want PatientPilot to help match you to clinical trials. None of this is required to use the product.
  • Health information you enter: conditions, medications, providers in your care team, appointments, questions, and notes.
  • Recordings and what we generate from them: audio of visits you choose to record, transcripts, AI-generated summaries, and any corrections you make to those summaries.
  • Insurance and prescription navigation data: denial letters you upload, drafts we help you write, and prescription pricing searches.
  • Community posts and replies: the text you post, the community alias you choose, and how others respond.
  • Subscription and billing details: tier, payment status, and (when paid tiers go live) the limited information your payment processor returns to us. We do not store full card numbers.

Things the product collects automatically

  • Sign-in and session activity: when you sign in, from where (a one-way hash of your IP, not the IP itself), and the device you used.
  • Operational metadata for AI features: which feature you used, which prompt version ran, how many tokens it took, and whether it errored. We do not log the contents of your transcripts, summaries, or prompts.
  • Error reports: if something crashes, we log technical details (stack traces, browser, route) with personal and medical content stripped out before it leaves your browser.
  • Self-hosted product analytics: aggregate counts of feature usage so we know what's working. Hosted on our own servers; we do not send this to third-party analytics companies.

How we use it

  • To run the product you signed up for.
  • To generate summaries, extract medications and follow-ups, and match you to clinical trials when you ask us to.
  • To send you the small number of operational emails you need (sign-in links, security notifications). We do not send marketing email by default.
  • To detect abuse, fraud, and safety issues — for example, signals of imminent risk in community posts.
  • To improve the product. This means looking at aggregate metrics (how many people used a feature, how often summaries get corrected) — not reading individual recordings or summaries.
  • To meet legal obligations, when we have them.

Who we share it with

We only share with vendors that help us run the product, and only the minimum each one needs. We do not sell your data, and we do not share it with advertisers or data brokers.

  • Supabase hosts our database, authentication, and file storage. They sign a Business Associate Agreement (BAA) with us. Your encrypted audio blobs sit in their storage; the keys to decrypt them do not.
  • Anthropic runs the Claude AI model that generates your summaries. When you generate a summary, we send the relevant transcript text to their API and receive the summary back. We use the most protective tier they offer for healthcare data, with content set not to be retained or used to train their models. We are working to formalize their enterprise-tier business agreement before exiting early access.
  • Deepgram may transcribe audio in cases where your device cannot. They are HIPAA-eligible and sign a BAA. As of this policy version, this fallback is not yet enabled.
  • Sentry receives error reports (with personal and medical content stripped). They sign a BAA.
  • Vercel hosts the application. Encrypted audio passes through them as ciphertext only. We are working to formalize their healthcare-grade contract before exiting early access.
  • Upstash handles rate limiting. They receive only one-way hashes of user identifiers and counters — no medical content, no email addresses, no plaintext IDs.
  • Google and Apple handle the optional "Continue with Google/Apple" sign-in. They see only what's required to authenticate you. They do not receive your medical data.
  • Public APIs (ClinicalTrials.gov, RxNorm, the NPI Registry) receive only the search terms you ask us to look up (drug names, condition names, provider names) — not your identity or your records.

We may disclose information if we are legally required to (court order, valid subpoena, etc.). When the law allows it, we will tell you first. We push back on overbroad requests.

What we don't do

  • We don't sell your data. Ever.
  • We don't use your recordings, transcripts, or summaries to train AI models — ours or anyone else's.
  • We don't embed advertising trackers, marketing pixels, or dark patterns.
  • We don't share with third-party analytics companies. Our product analytics are self-hosted.
  • We don't mine your data for marketing inferences or sell audience segments.

How we protect your data

  • Audio recordings and medication photos are encrypted on your device using XChaCha20-Poly1305 before they upload. The key that decrypts them is wrapped with a master key held in your browser, derived from a recovery phrase you set up. Without your phrase or PIN, neither we nor anyone with access to our storage can decrypt those files.
  • Transcripts and summaries are encrypted at rest by our database provider, but we — and our AI vendor when you generate a summary — can read them. We made this tradeoff so the product can extract medications, find what the doctor said, and answer questions across your visits.
  • Everything is encrypted in transit using TLS.
  • Access is least-privilege. Engineers can't read your medical content as part of normal operations. We audit-log access to user records.
  • We don't store passwords. Sign-in is by email magic link or by Google/Apple OAuth.
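
The envelope scheme the first bullet describes (a per-file key, wrapped under a master key derived from a recovery phrase, with only ciphertext ever reaching storage) looks like the following in code. This is an added, illustrative example and not PatientPilot's own client code. The policy names XChaCha20-Poly1305 and a phrase-derived master key but nothing else, so the KDF (scrypt), the use of a record identifier as associated data, and the layout of the uploaded record are assumptions made here. Python's `cryptography` library has no native XChaCha20, so the 24-byte-nonce AEAD is built from its ChaCha20 and ChaCha20-Poly1305 primitives using the HChaCha20 construction from draft-irtf-cfrg-xchacha.

```python
# Illustrative client-side envelope encryption: a fresh per-file key, wrapped under
# a phrase-derived master key. Not PatientPilot's code; the KDF, the AAD binding and
# the record layout are assumptions made for this example.
import hashlib
import os
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305

CHACHA_CONSTANTS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"


def hchacha20(key: bytes, nonce16: bytes) -> bytes:
    """HChaCha20 (draft-irtf-cfrg-xchacha) recovered from one ChaCha20 keystream block.

    A ChaCha20 block is rounds(state) + state; HChaCha20 is words 0..3 and 12..15 of
    rounds(state) alone. cryptography's 16-byte ChaCha20 "nonce" is a 4-byte
    little-endian counter followed by the 12-byte nonce, which lands in state words
    12..15 exactly where HChaCha20 puts its 16-byte nonce, so the block can be
    computed directly and the feed-forward addition undone word by word.
    """
    if len(key) != 32 or len(nonce16) != 16:
        raise ValueError("hchacha20 needs a 32-byte key and a 16-byte nonce")
    block = Cipher(algorithms.ChaCha20(key, nonce16), mode=None).encryptor().update(b"\x00" * 64)
    out = struct.unpack("<16I", block)
    init = CHACHA_CONSTANTS + struct.unpack("<8I", key) + struct.unpack("<4I", nonce16)
    post_rounds = [(o - i) & 0xFFFFFFFF for o, i in zip(out, init)]
    return struct.pack("<8I", *(post_rounds[0:4] + post_rounds[12:16]))


def xchacha20poly1305_seal(key: bytes, nonce24: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """XChaCha20-Poly1305: subkey = HChaCha20(key, nonce[:16]); IETF nonce = 0^32 || nonce[16:]."""
    if len(nonce24) != 24:
        raise ValueError("XChaCha20-Poly1305 needs a 24-byte nonce")
    subkey = hchacha20(key, nonce24[:16])
    return ChaCha20Poly1305(subkey).encrypt(b"\x00" * 4 + nonce24[16:], plaintext, aad)


def xchacha20poly1305_open(key: bytes, nonce24: bytes, ciphertext: bytes, aad: bytes = b"") -> bytes:
    if len(nonce24) != 24:
        raise ValueError("XChaCha20-Poly1305 needs a 24-byte nonce")
    subkey = hchacha20(key, nonce24[:16])
    return ChaCha20Poly1305(subkey).decrypt(b"\x00" * 4 + nonce24[16:], ciphertext, aad)


def master_key_from_phrase(phrase: str, salt: bytes) -> bytes:
    # Assumption: the policy names a recovery phrase but not a KDF; scrypt stands in here.
    return hashlib.scrypt(phrase.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)


def seal_with_random_nonce(key: bytes, data: bytes, aad: bytes) -> bytes:
    nonce = os.urandom(24)  # the 192-bit nonce is what makes a random nonce per message safe
    return nonce + xchacha20poly1305_seal(key, nonce, data, aad)


def open_with_prefixed_nonce(key: bytes, blob: bytes, aad: bytes) -> bytes:
    return xchacha20poly1305_open(key, blob[:24], blob[24:], aad)


def encrypt_for_upload(master_key: bytes, file_id: bytes, data: bytes) -> dict:
    """Client side: new file key, data sealed under it, file key sealed under the master key.

    The record id is used as AAD (an assumption) so a wrapped key or blob moved
    between records fails authentication instead of decrypting the wrong file.
    Everything in the returned record is safe to hand to storage.
    """
    file_key = os.urandom(32)
    return {
        "file_id": file_id,
        "wrapped_key": seal_with_random_nonce(master_key, file_key, file_id),
        "blob": seal_with_random_nonce(file_key, data, file_id),
    }


def decrypt_from_storage(master_key: bytes, record: dict) -> bytes:
    file_key = open_with_prefixed_nonce(master_key, record["wrapped_key"], record["file_id"])
    return open_with_prefixed_nonce(file_key, record["blob"], record["file_id"])


def demo() -> dict:
    """Round trip, plus the two failures worth checking: wrong phrase and tampered blob."""
    salt = os.urandom(16)
    master = master_key_from_phrase("correct horse battery staple", salt)  # constructed phrase
    audio = b"constructed sample audio bytes, not a real recording\n" * 4
    record = encrypt_for_upload(master, b"appt-0001/visit-audio", audio)

    def rejected(key: bytes, rec: dict) -> bool:
        try:
            decrypt_from_storage(key, rec)
            return False
        except InvalidTag:
            return True

    flipped_tag_byte = bytes([record["blob"][-1] ^ 0x01])
    tampered = dict(record, blob=record["blob"][:-1] + flipped_tag_byte)
    return {
        "round_trip_ok": decrypt_from_storage(master, record) == audio,
        "wrong_phrase_rejected": rejected(master_key_from_phrase("wrong phrase", salt), record),
        "tampered_blob_rejected": rejected(master, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting. The record that reaches storage holds only ciphertext, the wrapped file key and a public file id; the scrypt salt and phrase stay with the user, so a storage-side reader has nothing to decrypt with, which is the property the bullet above claims. And `hchacha20` can be checked against the draft's published vector (key `00..1f`, nonce `000000090000004a0000000031415927` gives subkey `82413b42...26d3ecdc`), which is the first thing to do before trusting a hand-built XChaCha wrapper.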

No system is perfectly secure. If we have a breach affecting your data, we will tell you what happened and what to do, within the timelines required by applicable law.

Where your data lives

Your data is hosted in the United States. If you use PatientPilot from outside the US, your data will travel to and be stored in the US. By using PatientPilot you understand and agree to that transfer.

How long we keep it

  • Account data and your records: as long as your account is open. When you delete your account, we soft-delete your data so you can recover it for 30 days, then permanently erase it.
  • Encrypted audio files: permanently deleted alongside their appointment records on the same 30-day cycle.
  • Audit logs: kept for up to 730 days (about two years) for security and fraud review, then erased automatically.
  • Operational AI metadata (model, token counts — never content): kept for up to 13 months for cost analysis, then erased.
  • Anonymous community posts remain visible after account deletion unless you delete the post first or ask us to. We do not retain a link from the deleted account back to the post.

Your rights

Wherever you live, you can:

  • See what we have. Export everything in your account from your settings page, in a structured JSON format.
  • Correct it. Edit any record directly. AI summaries can be edited, and your edits replace the AI version.
  • Delete it. Delete individual records, or your entire account.
  • Take it elsewhere. The export is yours to use with another tool.
  • Get help. If a feature isn't doing what you need it to, email us at hello@patientpilot.care.

If you live in California, Colorado, Connecticut, Virginia, Utah, or another US state with a privacy law: you have the rights granted by that law, including (where applicable) the right to know, the right to delete, the right to correct, the right to portability, the right to opt out of certain uses, and the right not to be retaliated against for exercising these rights. We do not sell or share personal information for cross-context behavioral advertising — there is nothing to opt out of in that respect.

If you live in Washington, Nevada, or Connecticut: you have additional rights under those states' consumer health-data laws, including the right to a list of third parties with whom we have shared your consumer health data. The list is in "Who we share it with" above; we will refresh it whenever it changes.

If you live in the EU, UK, or another GDPR-equivalent jurisdiction: you have the rights granted by your local law, including access, rectification, erasure, restriction, portability, and objection. Our legal basis for processing your data is the contract you have with us when you sign up, plus your consent for sensitive categories of data (like health data) where consent is the lawful basis we rely on.

To exercise any of these rights, email hello@patientpilot.care. We respond within 30 days for most requests; complex requests may take up to 90 days, in which case we'll tell you why.

Children

PatientPilot is not directed to children under 13 (or under 16 in the EU). We do not knowingly collect personal information directly from children.

Many of our users are caregivers — parents managing a child's seizure log, an adult child managing an aging parent's appointments. When you use PatientPilot to manage someone else's health information, you're telling us you have the right to do that. Their health information is treated with the same protections as your own.

Recording and consent

Recording laws vary by state and country. In some places, all parties to a conversation must consent to being recorded; in others, only one. You are responsible for knowing the law where you are and getting consent from your providers when it's required. PatientPilot helps you record; it doesn't change your obligation to do so legally.

Changes to this policy

When we make material changes, we'll tell you (by email and in the product) and update the "Last updated" date above. If a change reduces your protections, we will give you advance notice and the option to delete your account before the change takes effect.

Contact

Questions, concerns, or requests: hello@patientpilot.care.

This is an early-access product. We're working with counsel on the final version of this policy. Substance reflects how the product actually handles your data today.