Privacy Notice
Overview
Docrates AI is an invite-only beta that helps users interpret their own clinical documents. We take privacy seriously and design the service to minimize exposure of personal data. Data is encrypted in transit and at rest. We aim to follow HIPAA-aligned security practices for handling health information, but this beta is not a substitute for care or professional advice.
What you upload and what we collect
- Documents you upload (after-visit notes, radiology reports, and related text).
- Account data used for login: email address and, if enabled for multi-factor authentication, phone number.
- Basic technical logs required to operate and secure the service (for example, authentication events and error logs). We do not intentionally log the contents of uploaded documents or generated results.
How PHI is handled before AI processing
Uploaded documents are processed in memory to identify and remove protected health information (PHI) and personally identifiable information (PII) before analysis. We use Google Cloud Sensitive Data Protection (DLP) to perform this redaction step. Redaction reduces exposure risk, but no automated method is perfect; you should review documents and avoid uploading unnecessary identifiers.
How analysis results are stored and protected
Analysis outputs and generated files are encrypted and stored in encrypted cloud storage. Encryption keys are managed separately from stored data. Access is restricted using least-privilege permissions, and multi-factor authentication is used for account protection.
Search and indexing (under development)
Docrates may offer a feature that indexes structured analysis outputs to enable search and retrieval for your account (for example, “search my results”). Indexing is intended to use derived analysis outputs after PHI/PII handling, not raw document uploads. Access to indexed data is restricted to authenticated users and controlled by least-privilege permissions.
Chat interactions (under development)
Docrates may offer a chat feature that helps you ask questions about your own generated analysis results. If enabled, chat messages and responses may be stored to provide the feature, support continuity, and troubleshoot issues. Avoid entering unnecessary identifiers or sensitive details in chat. Stored transcripts, if any, are treated as protected data and secured using encryption and access controls.
Additional services
If these features are enabled, Docrates may use Google Cloud services such as Vertex AI Search and Dialogflow as part of the processing pipeline. Docrates uses these services under a Google Cloud BAA and with configurations intended for customer data processing rather than public training.
Deletion requests
If you request deletion of your account, Docrates will delete associated stored data, including stored analysis artifacts and any stored chat transcripts, subject to limited operational and security log retention for auditability and abuse prevention.
Third-party services and data sharing
Docrates runs on Google Cloud Platform and uses:
- Google Identity Platform / Firebase Authentication (account login and MFA)
- Google Cloud Sensitive Data Protection (DLP) (redaction)
- Google Cloud Run (application compute)
- Google Cloud Storage (encrypted storage)
- Google Cloud Logging (operational and security logs)
- Google Secret Manager (key and secret management)
We do not sell your personal information. We share data only with service providers needed to operate Docrates, and only for operating, securing, and improving the service.
Model training
Your uploaded documents and generated outputs are not used to train public foundation models by Docrates. If any vendor processing has its own terms, Docrates uses vendor services in a configuration intended for customer data processing rather than public training.
Retention and deletion
We retain uploaded files and generated outputs only as long as needed to provide the service. You can request deletion of your account and associated stored data by emailing contact@docrates.ai. Limited operational and security logs may be retained for auditability and abuse prevention.
Security controls
We use a combination of access controls, encryption, least-privilege permissions, multi-factor authentication, and monitoring/logging to protect the service. System architecture and vendors may evolve during the beta as the product improves.
Changes to this notice
This Privacy Notice may be updated as the beta evolves. Continued use after updates means you accept the revised notice.