Legal

Privacy Policy

Last updated: May 24, 2026

This policy describes the personal information OpenChart LLC, a Virginia limited liability company doing business as open-chart (“we,” “us,” “our”), collects through the Service, how we use it, who we share it with, and the choices you have. Please read it together with our Terms of Service and Security disclosure. If a conflict exists between this policy and the Security disclosure, the Security disclosure controls for matters of cryptographic architecture.

1. Plain-English summary

  • Your password and master encryption key never reach our servers. We could not decrypt your source documents even if we tried.
  • We do see the structured clinical data extracted from your documents — lab values, conditions, medications, allergies, immunizations, recommendations, and per-document narrative digests. Plus your demographic profile if you filled it out, your profile photo if you uploaded one, and the audit log. Those rows power trend charts, chart reviews, and search; they’re the most sensitive thing we actually hold.
  • We do not sell your data, ever. We do not use Your Content to train AI models. Our AI provider (Anthropic) does not train on data sent through their API.
  • We use a small number of sub-processors (listed below). We disclose each one. Anthropic, our AI extraction provider, retains batch inputs and outputs for up to 29 days — see the Security disclosure for detail.
  • You can delete your account at any time. A self-service full-export endpoint is on the roadmap; until it ships you can email privacy@open-chart.com and we will package your data within 30 days.

2. What we collect

Account identity

  • Email address. Used to identify your account and (rarely) to send transactional notices.
  • Cryptographic material derived from your password. Specifically: a 16-byte Argon2id salt, the Argon2id parameters (memory, iterations, parallelism), an HMAC-peppered authentication verifier, and your ciphertext-wrapped master key. We cannot derive your password from any of these.
  • Recovery code material. Where you opted in: a ciphertext-wrapped copy of your master key and an HMAC of a recovery-derived authentication value. We never see the recovery code itself.
  • Demographic profile if you filled out the welcome wizard or Profile page: display name, birth year and month, sex assigned at birth, height, units preference, race / ethnicity (multi-select), country/countries lived in, smoking / alcohol / pregnancy status. All fields except birth year are optional. We use these to help the AI interpret age-adjusted and sex-adjusted reference ranges.
  • Profile photo if you uploaded one. Stored as plaintext bytes in our database — this is the one deliberate exception to our BYOK posture. Served only to you and to recipients of share links you create. Max 2 MiB; the client resizes to ~50 KB on upload.

Source documents

  • The encrypted blob of every record you upload. Plus the encrypted filename and MIME type, the unencrypted file size, and the wrapped-DEK envelope.
  • Plaintext document metadata that the AI extractor pulls out and we use to organize your records: the document’s date, kind (e.g. “lab report”, “MRI brain”), provider name, facility name, and clinical specialty. These power the records list’s filters and the per-record badges.
  • A per-user HMAC of each document’s plaintext (using a key derived from your master key). The same file uploaded twice by you produces the same hash and we offer a dedup prompt; the same file uploaded by two different users produces different hashes. The hash is not reversible to the file contents.
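
The dedup property described in the last bullet, shown as an added worked example in Python. This is not open-chart's code; it assumes the dedup key is derived from the master key with HKDF-SHA256 under a fixed, purpose-specific label (the label string, the constructed master keys and the sample documents are all hypothetical), and the fingerprint is HMAC-SHA256 over the plaintext under that key. Because the key never leaves the client, the server can compare fingerprints for dedup but cannot compute, verify or invert them.

```python
import hashlib
import hmac

# Hypothetical purpose label (not from the policy). A fixed, distinct label keeps the
# dedup key separate from any other key the client derives from the master key.
DEDUP_INFO = b"open-chart/document-fingerprint/v1"


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF-SHA256 (extract, then expand), written out so the example runs offline."""
    if not salt:
        salt = b"\x00" * hashlib.sha256().digest_size
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def document_fingerprint(master_key: bytes, plaintext: bytes) -> str:
    """Per-user fingerprint: HMAC-SHA256 over the plaintext under a key derived from the
    user's master key. Same user + same bytes -> same value; different user -> different
    value; without the master key the value reveals nothing about the document."""
    dedup_key = hkdf_sha256(master_key, DEDUP_INFO)
    return hmac.new(dedup_key, plaintext, hashlib.sha256).hexdigest()


def check_upload(known_fingerprints: set, master_key: bytes, plaintext: bytes) -> bool:
    """Return True when this user has already uploaded exactly these bytes (the case in which
    the client would show a dedup prompt); otherwise record the fingerprint and return False."""
    fp = document_fingerprint(master_key, plaintext)
    if fp in known_fingerprints:
        return True
    known_fingerprints.add(fp)
    return False


if __name__ == "__main__":
    # Constructed sample values; real master keys are random and never leave the client.
    alice_key = hashlib.sha256(b"constructed master key: alice").digest()
    bob_key = hashlib.sha256(b"constructed master key: bob").digest()
    lab_report = b"%PDF-1.4 constructed lab report bytes"
    seen = set()
    print(check_upload(seen, alice_key, lab_report))  # False: first upload
    print(check_upload(seen, alice_key, lab_report))  # True: same user, same bytes
    print(check_upload(seen, bob_key, lab_report))    # False: another user, different fingerprint
```

The fingerprint set lives server-side, but the only thing the server can do with it is equality comparison; an attacker who dumps the table cannot test a guessed document against it without the user's master key.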

Structured clinical data (AI-extracted, plaintext)

  • Observations. Each lab value, vital sign, imaging measurement, or other finding the extractor pulls out: code (LOINC / SNOMED / RxNorm / UCUM), display name, value, unit, reference range, abnormal flag, effective date, body site, and the model’s self-reported confidence.
  • Conditions, medications, allergies, immunizations, recommendations. One table per FHIR-shaped resource. Each carries a source field distinguishing entries you typed in the welcome wizard from entries the AI extracted, plus dates and status (active / resolved / discontinued / etc.).
  • Per-document narrative digest. A small JSON blob per record holding the AI’s 1-3 sentence summary, structured imaging findings, genetic test findings, procedure outcomes, the raw provider impression paragraph copied verbatim, and AI-suggested questions for your doctor.
  • Chart reviews and chart insights. When you run a Chart Review, we store the AI’s emitted insights (severity, category, title, body, cited record IDs, suggested actions) plus themed clusters of your recommendations and questions. Status edits you make (acknowledged / resolved / dismissed) are also stored.

Subscription billing

  • Plan tier and subscription status. Whether your plan is Free, Standard, or Plus; the subscription period end; whether cancellation is pending at period end; and the opaque Stripe customer ID + Stripe subscription ID. We do not store your card number, billing address, name on card, or receipt history — those live exclusively with Stripe.
  • Webhook audit trail. We persist the full Stripe webhook payload of every billing event we receive (subscription create / update / cancel, payment failures) for forensics and dispute defense. The payloads come from Stripe; we do not introspect them beyond the fields we need to set your plan.

User-generated content visible to other users

  • Feedback board posts, comments, and votes. If you submit a feature idea, comment on another user’s idea, or upvote/downvote one, your display name (from your demographic profile) is shown next to your post. If you haven’t set a display name we show “anonymous”. We never expose your email address on the feedback board.
  • Patient identity shown to share-link recipients. When you generate a share link, the recipient sees the patient’s display name and profile photo (if set) so a clinician can keep track of which patient’s records they’re looking at. If you don’t want this, leave the display name and photo blank.

API access (Plus tier)

  • API tokens. When you create an API token we store its label, creation date, last-used timestamp, and a SHA-256 hash of the token value — never the raw token. The token can be used to read your FHIR-shaped structured data from /api/v1/fhir/*.

Collected automatically

  • Authentication metadata. Session timestamps, user-agent strings, the HMAC of your IP address. We do not store the raw IP.
  • Audit log entries. Each sign-in, upload, download, extraction run, chart review, share creation, share open, account-recovery event, billing transition, and API-token action is logged with timestamps and the same hashed IP indicator.
  • Operational logs. Web-server access logs scoped to error states, retained for 30 days, with IPs truncated to a /24 (IPv4) or /48 (IPv6) for diagnostics.
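
The three pseudonymisation steps in this section and in the API-token bullet above (a SHA-256 hash of the token value in place of the token, an HMAC of the IP in place of the raw IP, and /24 or /48 truncation in operational logs) as one added example in Python. This is not open-chart's code: it assumes the IP indicator is keyed with a server-side pepper (the policy does not say what key the HMAC uses), and the access-log lines and their format are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed server-side secret for the example; a real deployment loads it from a secret store.
PEPPER = hashlib.sha256(b"constructed server-side pepper").digest()

# Constructed common-log-style lines: client IP, identity fields, timestamp, request, status, size.
CONSTRUCTED_ACCESS_LOG = [
    '203.0.113.45 - - [24/May/2026:10:00:00 +0000] "GET /records HTTP/1.1" 200 5120',
    '203.0.113.45 - - [24/May/2026:10:00:01 +0000] "POST /api/v1/fhir/Observation HTTP/1.1" 500 42',
    '2001:db8:abcd:1234::1 - - [24/May/2026:10:00:02 +0000] "GET /records/missing HTTP/1.1" 404 12',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<rest>.*"[^"]*" )(?P<status>\d{3})(?P<tail>.*)$')


def token_storage_hash(token: str) -> str:
    """What gets persisted for an API token: SHA-256 of the value, never the value itself."""
    return hashlib.sha256(token.encode()).hexdigest()


def token_matches(stored_hash: str, presented: str) -> bool:
    """Verify a presented token against the stored hash in constant time."""
    return hmac.compare_digest(stored_hash, token_storage_hash(presented))


def ip_indicator(ip: str) -> str:
    """Keyed, non-reversible indicator of an IP. Hashing the packed (canonical) form means
    '2001:DB8::1' and '2001:db8:0:0::1' produce the same indicator, so audit rows for one
    client still correlate without the raw address being stored."""
    return hmac.new(PEPPER, ipaddress.ip_address(ip).packed, hashlib.sha256).hexdigest()


def truncate_ip(ip: str) -> str:
    """Coarsen an address to its /24 (IPv4) or /48 (IPv6) network for diagnostic logs."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def scrub_access_log(lines) -> list:
    """Keep only error-state lines (status >= 400) and replace the client IP with its
    truncated network, which is the retained form the policy describes."""
    kept = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or int(m["status"]) < 400:
            continue
        kept.append(f'{truncate_ip(m["ip"])} {m["rest"]}{m["status"]}{m["tail"]}')
    return kept


if __name__ == "__main__":
    for line in scrub_access_log(CONSTRUCTED_ACCESS_LOG):
        print(line)
    print(ip_indicator("2001:DB8::1") == ip_indicator("2001:db8:0:0::1"))  # True
```

The two IP treatments serve different purposes: the keyed indicator lets the audit log link events from the same client for abuse investigation while the raw address is never stored, whereas the /24 or /48 truncation in operational logs deliberately discards per-host identity and keeps only enough locality to diagnose routing or provider-level problems.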

What we explicitly do not collect

  • Your password.
  • Your master encryption key. Your recovery code. Any URL-fragment grant secret you use for sharing.
  • The plaintext bytes of your source documents on our servers after the extraction request returns. The plaintext exists in a single in-process buffer for the duration of one HTTP request and is zeroed before the request handler exits. Important caveat: after we discard the plaintext on our side, our AI provider (Anthropic) retains the batch input and output for up to 29 days on their infrastructure. See the Security disclosure for detail.
  • Your card number, billing address, or any payment-method data. Stripe handles those on Stripe-hosted pages; we never see them.
  • Cookies for advertising, analytics tracking, or session replay. We use only one cookie — your session cookie.
  • Browser fingerprinting signals beyond the user-agent string already noted above.

3. How we use what we collect

  • To provide the Service. Authenticate you, serve your encrypted records, render your trend charts, and process share links.
  • To run AI extraction on records you upload. We send the decrypted plaintext to our sub-processor (Anthropic), receive structured observations back, and persist only those structured observations.
  • To secure the Service. Detect abuse, investigate incidents, rate-limit endpoints, surface suspicious activity in your audit log.
  • To communicate with you. Transactional messages about your account (e.g., a security alert, a change to these terms). We do not send marketing email without a separate opt-in.
  • To comply with legal obligations. Respond to lawful subpoenas, court orders, and regulatory requests — with the limitations described in the Security disclosure.

We do not use Your Content to train AI models. We do not sell Your Content to third parties. We do not share Your Content with advertisers, data brokers, or analytics providers.

4. Sub-processors

We use the following sub-processors, each of which receives only the data necessary for the function it performs:

Sub-processor | Purpose | Data it sees
DigitalOcean (or equivalent hosting) | Application hosting | Encrypted-in-transit HTTPS traffic, server logs scoped to error states
Managed Postgres (e.g., DigitalOcean Managed DB, Neon) | Primary database | Hashed authentication verifiers, wrapped key material, structured clinical data (observations, conditions, medications, allergies, immunizations, recommendations, chart reviews + insights, themes), demographic profile, profile photo bytes, per-document digest JSON, document metadata, audit log entries, billing audit trail
Cloudflare R2 (or equivalent object storage) | Encrypted record storage | Ciphertext blobs only — useless without your master key
Anthropic | AI extraction + chart-level review | The plaintext of one document during extraction; your full extracted chart (records' digest summaries + observations + recommendations + demographics) during a chart review. Submitted via Anthropic's Batch API, which retains inputs and outputs for up to 29 days for retrieval. Plus tier chart reviews go through the synchronous Messages API (configurable zero retention at the account level). Anthropic does not train on this data.
Email provider (e.g., Postmark / Resend) | Transactional email | Your email address and the contents of any account notice we send you
Stripe | Subscription billing | Card data, billing email, billing address, name on card, receipt history — collected by Stripe on its own pages and never seen by open-chart. We only store an opaque Stripe customer ID and your plan status.

We will update this table when we change sub-processors and will give material notice of changes that expand the categories of data shared.

5. Sharing and disclosure

  • Share links you create. When you generate a share link, anyone who possesses the link can request (and decrypt locally) the corresponding record until the link expires, is fully used, or is revoked. The recipient also sees your display name and profile photo if you set them, so a clinician can keep track of whose records they’re looking at. We do not control what recipients do with decrypted content.
  • Feedback board. Posts, comments, and votes you make on the in-app feedback board are visible to other authenticated open-chart users. Your display name (not your email) appears next to your contributions. If you haven’t set a display name, posts show as “anonymous”.
  • Legal process. We comply with lawful subpoenas, court orders, and regulatory demands. Where permitted, we will notify you in advance and give you an opportunity to challenge the request. The Security disclosure describes what we could produce.
  • Corporate transactions. If we are acquired, merged, or sold, your account and Your Content may transfer to the successor entity. We will give you notice and an opportunity to delete your account before any such transfer.
  • Protect rights and safety. We may share limited information where reasonably necessary to enforce our Terms, prevent fraud, or protect the safety of users or the public.

6. Data retention

  • Account and content. Retained until you delete your account, or until you delete the specific record. Deletion is immediate from our primary database and propagates to our object storage within 24 hours.
  • Audit log entries. Retained for at least 12 months after the event for your reference, or longer if required by law.
  • Database backups. Once we enable automated database backups, those will be retained for up to 30 days before being rotated. The data in those backups remains in the same form (encrypted blobs stay encrypted, plaintext structured rows stay plaintext) it was in when stored. We will update this section when backups go live.
  • Anthropic batch data. Anthropic retains batch-API inputs and outputs for up to 29 days on their infrastructure. We do not control this retention; it is disclosed in the sub-processor table above and in the Security disclosure.
  • Stripe billing data. Card numbers, billing addresses, receipts, and payment history are retained by Stripe per Stripe’s own retention policy. Their privacy notice applies.
  • Operational logs. Retained for 30 days and then deleted.

7. Your rights

Depending on where you live, you may have rights to access, correct, delete, export, or restrict our processing of your personal information. These include rights under the EU General Data Protection Regulation, the UK GDPR, the California Consumer Privacy Act (as amended by the CPRA), and similar laws. You can exercise these rights by:

  • Downloading individual records you uploaded from the records list (one click per record), and viewing every extracted observation, condition, medication, etc. on the record-detail page and the trends view. The Plus tier also exposes a read-only FHIR-shaped API at /api/v1/fhir/* that lets you pull your structured data programmatically.
  • Using the in-app account-deletion control to terminate your account and erase your data. (A unified “export everything as one archive” endpoint is on the roadmap; until it ships, email privacy@open-chart.com and we will package your data within 30 days.)
  • Emailing privacy@open-chart.com with any other request. We will respond within 30 days.

We will not discriminate against you for exercising any of these rights.

8. International transfers

We process data on servers located in the United States. Where personal information is transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on the Standard Contractual Clauses adopted by the European Commission (and equivalent UK IDTA) with our sub-processors.

9. Children

The Service is intended for adults. We do not knowingly collect personal information directly from children under 16. If you believe a child has provided personal information to us, contact us at privacy@open-chart.com and we will delete it. Parents and guardians may upload a minor child’s records to their own account where legally authorized to do so.

10. Security

See our Security disclosure for the architectural detail. In short: source documents are encrypted with keys we do not hold; passwords and recovery codes are never transmitted to us; the one place plaintext briefly touches our servers is documented and bounded to a single HTTP request.

No system is perfectly secure. If we discover an incident affecting your account, we will notify you within seven days of confirming the scope and provide a post-mortem describing what happened and what we’ve changed.

11. Changes to this policy

We may update this policy from time to time. Material changes will be communicated to you by email or in-app notice with reasonable advance notice where practicable. Your continued use of the Service after the effective date of a change constitutes acceptance of the updated policy.

12. Contact

Questions, requests, or complaints? Email privacy@open-chart.com. For security-specific issues, please use security@open-chart.com.