Privacy Policy
1. Who we are
This policy describes how MedLog LLC ("we", "us", "MedLog"), a Delaware limited liability company (pending formation), collects and processes personal data when you use MedLog — our website, web app, progressive web app, and related services (collectively the "Service"). For data protection law, we are the data controller.
2. What we collect
2.1 Information you give us
| Category | What it is | Required? |
|---|---|---|
| Email address | Identifies your account; receives verification, password reset, and account emails | Yes |
| Name | Used on doctor summaries you export | No |
| Password | Stored only as a bcrypt hash, never in plain text | Yes |
| Health entries | Symptom notes, severity, tags, timestamps | No (but the app is useless without them) |
| Medications | Name, dose, schedule, reason, notes, status | No |
| Lab values | Test names, values, units, reference ranges, dates | No |
| Uploaded files | Bloodwork PDFs or images you attach | No |
2.2 Information we collect automatically
| Category | What it is | Why |
|---|---|---|
| IP address | The IP your request comes from | Security audit, rate limiting |
| User agent | Your browser type and version | Security audit |
| Timestamps | When you log in, change your password, create or edit entries, export your data | Surfaced to you in Settings → Security log |
| Account state | Failed login count, lockout time | Account security |
We do not use analytics platforms. We do not place tracking pixels. We do not fingerprint your device.
2.3 Special category / sensitive data
Information about your health is "special category" data under GDPR Article 9 and "sensitive personal information" under several US state laws. We treat it with corresponding care: encrypted at rest with AES-256-GCM, keys held separately from the database, processed only to operate the Service for you.
3. How we use it
- Run the Service: store and display your entries, generate summaries, send password resets
- Authenticate you: verify identity at login, manage sessions, prevent abuse
- Secure the Service: rate-limit suspicious activity, lock accounts, log security events
- Communicate with you: email verification at signup, password resets, account notifications, material changes to the Service
- Comply with law: respond to lawful requests, enforce Terms, defend legal claims
4. Legal bases for processing (GDPR / UK GDPR)
| Purpose | Lawful basis |
|---|---|
| Provide the Service to you | Contract — Art. 6(1)(b) |
| Process your health entries (special category) | Explicit consent — Art. 9(2)(a) |
| Authenticate and secure the Service | Legitimate interest — Art. 6(1)(f) |
| Comply with legal obligations | Legal obligation — Art. 6(1)(c) |
You can withdraw consent for health data processing by deleting your account at any time.
5. What we never do
- Sell your data. Not to anyone, not for any reason.
- Show ads against your data. The Service is ad-free.
- Train AI on your content. Your entries are not used to train, fine-tune, or evaluate any machine learning model — ours or anyone else's.
- Run analytics on your content. We don't profile users or build behavioral models.
- Send marketing emails. Only transactional: verify, reset, account notices, material changes.
- Share with insurers, employers, or family members — unless you export and share it yourself, or unless we are legally compelled.
6. Who we share data with
We use a small number of subprocessors to run the Service. Each is bound by a data processing agreement.
| Subprocessor | Purpose | Location |
|---|---|---|
| Railway | App hosting and database storage (data encrypted by us before storage) | USA |
| Resend | Sending transactional emails | USA |
Beyond subprocessors, we share data only when: you ask us to (e.g., you email your export to your doctor); the law requires it (we'll notify you where legally permitted); it is necessary to protect rights against suspected fraud or abuse; or as part of a business transfer (under terms at least as protective as this policy, with notice to you).
7. Security
- Encryption in transit: HTTPS (TLS) everywhere
- Encryption at rest: AES-256-GCM for entry text, medication details, lab values, and uploaded files; master key stored outside the database
- Password storage: bcrypt hashed (10 rounds); we cannot recover passwords, only reset them
- Sessions: JWT in HttpOnly Secure cookies; 15-minute sliding expiry
- Lockout: 5 failed login attempts locks the account for 5 minutes
- Rate limiting: on authentication endpoints
- Audit log: visible to you in Settings → Security log
- Strict CSP to prevent script injection
- Encrypted backups retained by Railway
8. How long we keep data
| Category | Retention |
|---|---|
| Your account and content | Until you delete them |
| Encrypted backups | Up to 30 days after deletion, then overwritten |
| Audit log records | Up to 2 years; longer where required by law |
| Email verification tokens | 30 minutes |
| Password reset tokens | 30 minutes; single-use |
| Server access logs | Up to 90 days |
9. Your rights
- Access: Export your full account contents anytime from Settings.
- Rectification: Edit entries, medications, and labs directly.
- Erasure: Delete your account in Settings → Delete account.
- Restriction: Ask us to stop processing in certain ways.
- Portability: Export gives you plain text; JSON available on request.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Effectively done by deleting your account.
- Not be subject to automated decisions: We don't make automated decisions about you. Any "patterns" the Service surfaces are statistical observations of your data shown only to you.
- Lodge a complaint with your data protection authority (section 13).
For rights not exposed as a button in the Service, contact us (section 15). We respond within 30 days. We may verify your identity first. Exercising rights is free unless requests are manifestly unfounded or excessive.
10. International data transfers
We are based in the United States. If you access the Service from outside the US, your data is transferred to and processed in the US.
For users in the EU, UK, and regions with similar transfer rules, we rely on the European Commission's Standard Contractual Clauses (SCCs) with Railway and Resend. You can request a copy of the SCCs.
11. Children
MedLog is not for users under 16 years old. We do not knowingly collect personal data from children. If you believe a child under 16 has provided personal data, contact us and we will delete it.
12. Cookies & tracking
| Name | Purpose | Lifetime |
|---|---|---|
| medlog_session | Keeps you logged in (HttpOnly, Secure, SameSite=Lax JWT) | 15 minutes sliding |
That's the only cookie we set. We do not use marketing, advertising, analytics, or third-party tracking. We don't respond to "Do Not Track" because we don't track you to begin with.
13. Regional provisions
California (CCPA/CPRA): Rights to know, delete, correct, and limit use of sensitive personal information. We do not "sell" or "share" personal information as defined under California law. Exercise rights via the Service or contact us.
Other US states (Colorado, Connecticut, Utah, Virginia, Texas, Oregon, Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Indiana, Kentucky, Maryland, Minnesota, Rhode Island and others): similar rights apply. We don't do targeted advertising or profiling.
HIPAA: MedLog is a consumer-facing personal health record. We are not a HIPAA Covered Entity or Business Associate. We are subject to the FTC Health Breach Notification Rule.
Washington "My Health, My Data" Act and similar consumer-health-data laws: equivalent rights extended regardless of where you live.
United Kingdom: UK GDPR and the DPA 2018 apply. You have rights of access, rectification, erasure, restriction, portability, objection, and to withdraw consent. Complaints to the ICO (ico.org.uk). Transfers of UK users' data to the US are protected by the UK Addendum to the EU SCCs.
EU/EEA: GDPR applies, with all data subject rights. Health data is special category data under Art. 9; we rely on your explicit consent. Complaints to your national DPA (edpb.europa.eu).
EU Representative (Art. 27 GDPR): [EU representative to be appointed before EU launch]
Canada: PIPEDA applies federally; Quebec's Law 25, BC's PIPA, and Alberta's PIPA may also apply. Complaints to the OPC Canada (priv.gc.ca) or your provincial commissioner.
Australia: The Privacy Act 1988 and the Australian Privacy Principles apply. Complaints to the OAIC (oaic.gov.au).
New Zealand: The Privacy Act 2020 applies. Complaints to the Office of the Privacy Commissioner.
Asia-Pacific: Local laws apply: Japan (APPI), Singapore (PDPA), India (DPDP 2023), South Korea (PIPA), Philippines (Data Privacy Act 2012), Hong Kong (PDPO), Thailand (PDPA), Malaysia (PDPA 2010), Indonesia (PDP Law), Vietnam (PDPD).
The Service may not be available if you are in mainland China, Iran, North Korea, Cuba, Syria, or Crimea.
Latin America: Local laws apply: Brazil (LGPD — complaints to ANPD), Mexico (LFPDPPP — complaints to INAI), Argentina (PDPA 25,326), Chile, Colombia, Peru, Uruguay and others.
Africa: Local laws apply: South Africa (POPIA — complaints to the Information Regulator), Nigeria (NDPA 2023), Kenya (DPA 2019), Egypt (Law 151/2020), Ghana (DPA 2012).
Middle East: Local laws apply: UAE (Federal PDPL), Saudi Arabia (PDPL), Israel (Privacy Protection Law 5741-1981), Turkey (KVKK).
14. Changes to this policy
We may update this Privacy Policy from time to time. For material changes (adding a subprocessor, changing what data we collect, changing how we use it), we'll update the "Last updated" date, email you at least 30 days in advance, and show a notice in the Service. For non-material updates, we'll update the date and post the new version.
15. Contact & complaints
MedLog LLC
Email: Contact form
Postal address: [to be added before launch]
EU representative (GDPR Art. 27): [EU representative to be appointed before EU launch]
For privacy questions, rights requests, or complaints, contact us. We aim to respond within 30 days. If not satisfied, you may lodge a complaint with your local data protection authority (section 13).