Privacy & Data Protection
Last updated: 2026-05-28 (v2) · Drafted to align with India's Digital Personal Data Protection Act 2023 (DPDP Act) and the IT Act 2000 (sensitive personal data rules).
In one sentence
We don't store any of your medical content — not your document, not the extracted text, not the AI's analysis. The only things on our server are what's needed to run your account and prevent abuse. Everything else (family vault, reports, notes, photos, vaccinations, passport) lives in your browser on your device.
1. Who we are (Data Fiduciary)
MedFast.AI is operated by Harkirat Singh Lamba, India. We are the Data Fiduciary for the personal data described in this policy. Contact: hslamba95@gmail.com.
2. Grievance Officer
Under the DPDP Act, you have the right to raise grievances about how your personal data is handled. Our Grievance Officer is:
Harkirat Singh Lamba
Grievance Officer, MedFast.AI
We aim to acknowledge grievances within 48 hours and resolve them within 30 days. If you are unsatisfied, you may approach the Data Protection Board of India.
3. What personal data we collect
From our database, only:
- Account information: your name, email, optional phone number (with country code), a securely hashed password (bcrypt, 10 rounds), age confirmation, and your marketing consent flag.
- Per-analysis usage row: timestamp, your account ID, language used, document type label (e.g. “Blood Test Report”), text length, tokens consumed, AI provider/model used, and whether the call succeeded or errored. No medical content is stored.
- Salted hashed IP address — for rate-limiting and abuse prevention only. We cannot reverse it to your real IP.
- Acknowledgement records — when you accepted this privacy notice and the in-app safety notice (timestamp + version).
- Admin actions about you — e.g. approval status changes — for audit trail.
We never store: your medical documents, extracted text, AI explanations, your family-vault members, your notes, your photos, your passport data, your medications list, your trends, or your vaccinations. These all live in your browser on your device.
4. How analysis works (and what leaves your device)
For typed PDFs (most lab reports and discharge summaries): the text is extracted in your browser using PDF.js. Only the extracted text is sent to our server, then forwarded to the AI provider for analysis. Your PDF file itself never leaves your device.
For photos and scanned images (including handwritten doctor's notes): we compress the image in your browser and send it to the AI for visual reading. This is the only way to handle handwriting reliably. The image is used for the single analysis request and is not retained — neither by us nor by the AI provider, per their data-handling policy.
The AI's response is sent back to your browser and shown to you. Nothing — not the text, not the image, not the AI response — is written to disk on our side.
5. Purpose of processing
We process personal data only for these explicit purposes:
- To operate your account (login, session management).
- To run the AI analysis you requested (the document text / image is sent to the AI provider, then discarded).
- To enforce rate limits and prevent abuse (IP hashing, daily caps).
- To send service emails (signup notification, account-status updates, security incidents) — these are necessary for the service and do not require separate consent.
- To send optional product updates — only if you ticked the marketing-consent box at signup. You can withdraw this at any time by emailing us.
6. Cross-border data transfers
The AI provider (Google Gemini or Anthropic Claude via OpenRouter, depending on routing) and our hosting (Vercel) are based outside India. The extracted text / image is transmitted to these providers for the duration of one analysis request and is not retained by them, per their published data-handling policies.
The DPDP Act permits cross-border transfers unless the Central Government restricts a specific destination. As of the policy date, no such restriction applies to the destinations we use.
7. Data retention
Account data: kept while your account is active. Deleted within 7 days of account deletion, except for legally mandated records (e.g. tax or compliance logs).
Per-analysis usage rows: retained for 12 months then auto-deleted. Aggregated, anonymised counts may be kept indefinitely for product analytics.
Salted IP hashes: retained for 30 days for rate-limit enforcement.
Audit logs of admin actions: retained for 2 years for compliance review.
8. Your rights under the DPDP Act
You have the right to:
- Access the data we hold about you. Use the “Download my data” button on your account page to get a JSON file of everything on our server. (Your in-browser data — reports, family vault, notes etc. — is exported separately from each feature's page.)
- Correct any inaccuracy in your account information. Edit it from the account page or email us.
- Erase your data. Use “Delete my account” on the account page.
- Withdraw consent for marketing emails at any time by emailing us. Service emails (security, account status) cannot be opted out of while you have an account.
- Nominate another individual to exercise your rights in case of death or incapacity (write to the Grievance Officer).
- Raise a grievance with our Grievance Officer (above) and, if unresolved, with the Data Protection Board of India.
9. Children & minors
You must be 18 or older to create an account. We ask for age confirmation at signup.
Family members under 18: as the account holder, you may add your minor children to the Family Vault. The medical data for those children (reports, notes, vaccinations, passport, etc.) is stored only in your browser on your device — we never receive it on our server. You are responsible, as the parent or lawful guardian, for the lawful processing of your minor's data on your device.
Under the DPDP Act, we will not track minors, target them with advertisements, or take any action specifically directed at minors' data on our server (we don't have any to begin with).
10. Security measures
- Passwords are hashed with bcrypt (10 rounds, OWASP baseline).
- Sessions are issued as signed JWTs (HS256) stored in httpOnly, SameSite=Strict cookies.
- HTTPS-only with HSTS for all connections.
- Content Security Policy headers to prevent injection & clickjacking.
- Defence-in-depth prompt-injection filtering on AI inputs.
- IPs are salted & SHA-256 hashed before storage.
- Family-vault, notes, passport, medication, vaccination, and lifestyle data are stored client-side only (localStorage + IndexedDB) — by design, never transmitted.
11. Personal data breach notification
If we discover a personal data breach that affects you, we will notify both you and the Data Protection Board of India within 72 hours of becoming aware of it, as required under the DPDP Act.
12. What we'll never do
- Sell or rent your information to anyone.
- Use your medical content to train AI models.
- Show you ads for medications, doctors, or hospitals.
- Send marketing emails without your explicit opt-in.
- Combine your data with data from third-party trackers — we don't use trackers.
13. Third-party processors
We rely on the following sub-processors. Each has its own privacy policy and security posture:
- Vercel (USA) — web hosting & serverless functions.
- Neon (USA/EU) — Postgres database for account + usage analytics.
- Resend (USA) — transactional email delivery.
- Google Gemini API (USA, primary AI) and/or OpenRouter → Anthropic Claude (USA, fallback AI) — for the AI analysis itself. We do not pass your account information to these providers — only the extracted document text / image needed for one analysis.
14. Changes to this policy
We will update this policy when we change how we handle data. If the change is material, we will require you to re-acknowledge it via the in-app safety notice. The version date at the top of this page indicates the current version.
15. Contact us
For any privacy question or to exercise any right under this policy, email hslamba95@gmail.com. Acknowledgement within 48 hours; resolution within 30 days where possible.