HomeLegal CenterPrivacy Notice
Legal · Document 02

Privacy Notice

How AI Health Studio LLC d/b/a Medrecords AI collects, uses, and protects personal information — for website visitors, platform users, and job applicants. Medical records our customers process through the platform are governed separately by the DPA and BAA.

Effective: July 8, 2026 Version 2.1 · supersedes Jan 1, 2025
The short version — a summary, not a substitute
  • We collect what a B2B software company needs: contact details you give us, account data, billing data, and standard site analytics. Nothing exotic.
  • We never sell personal information. We run analytics and marketing cookies on this public website by default to understand and reach visitors — never on the platform, always under your control via Cookie settings, and marketing is always off on our Solutions and Test-a-File pages regardless of your settings.
  • The medical records our customers upload are their data, processed under the DPA and BAA. We never train AI models on them — not even "de-identified."
  • If your medical records were reviewed through our platform, the organization handling your matter controls them — Section 12 explains your rights and how we help you reach them.
  • Privacy questions and rights requests: [email protected]. We respond within 30 days, usually much faster.

01Scope — two kinds of data, two sets of rules

This Privacy Notice is issued by AI Health Studio LLC, a Wyoming limited liability company doing business as Medrecords AI ("Medrecords AI," "we," "us," or "our"). It applies where we decide how and why personal information is processed (where we act as a "controller" or "business"): the medrecords.ai website, our marketing, sales, and events, accounts on the Medrecords AI platform at app.medrecords.ai, support and billing, and job applications.

Covered by this Notice
Visitor, prospect, and customer-account data — the information described in Section 2, where we are the controller.
Covered by the DPA & BAA instead
Medical records, DICOM imaging, claims files, and everything else customers upload ("Customer Content"). There we process only on the customer's documented instructions.

Where a customer uploads Customer Content, the customer is the controller (or covered entity/business associate under HIPAA) and we are its processor and, where applicable, business associate. That processing is governed by our Data Processing Addendum and Business Associate Agreement, not this Notice — except that Sections 6 and 12 below explain how individuals can exercise rights in that data.

02Information we collect

2.1 Information you provide.

  • Account & registration: name, work email, organization, role, password (hashed — we never store plaintext), MFA enrollment, and profile settings. If you sign in with Google or Microsoft, we receive your name, email, and profile picture from that provider.
  • Forms on the Site: demo requests (name, work email, organization, role, monthly page volume, optional message), contact and support messages, security-package requests (work email), ROI-calculator email capture, and webinar or newsletter signups.
  • Test a File: your name, organization, line of work, and work email when you request a sample. The file itself is Customer Content handled under our BAA and the evaluation terms in the Terms, Section 6 — it is never used for marketing and never used to train models.
  • Billing: billing contact, address, and transaction history. Card and bank details go directly to our payment processor (Stripe); we never see or store full card numbers.
  • Communications & surveys: whatever you choose to include when you write to us or answer a survey.

2.2 Information collected automatically. Device and log data (IP address, browser type, operating system, timestamps, referring pages), usage data (pages viewed, links clicked, features used in the platform's non-content telemetry), approximate location inferred from IP address (city/region — never precise geolocation), and cookies as described in the Cookie Policy. Platform telemetry is engineered to exclude Customer Content: page counts and token metering, not record text.

2.3 Information from third parties. Sign-on providers (Google, Microsoft), your colleagues (e.g., an administrator creating your user seat), and business-contact information from public professional sources or event organizers, used only for B2B outreach you can opt out of at any time.

03What we don't do

  • We do not sell personal information, and we have not sold it in the preceding 12 months.
  • We do not run marketing or advertising cookies on the authenticated platform, ever, and we do not run them on our Solutions or Test-a-File pages, for any visitor, regardless of settings chosen elsewhere — Global Privacy Control and your cookie settings always override the default everywhere else.
  • We do not use Customer Content to train AI models — ours or anyone's, in any form, including de-identified.
  • We do not ask for medical records anywhere on the Site — the only upload path is the platform and Test a File, both behind the BAA.
  • We do not knowingly collect data from anyone under 18.

04How we use information

Purpose
Legal basis
Provide, operate, and support the Site and platform; authenticate users; process payments
Contract performance
Respond to demo requests, inquiries, and security-package requests; route you to the right plan
Legitimate interests / pre-contract steps
Secure the Services: fraud and abuse prevention, access logging, incident investigation
Legitimate interests / legal obligation
Understand aggregate Site and feature usage to improve the Services (analytics)
Consent (analytics cookies) / legitimate interests
Send product updates and marketing to business contacts, with unsubscribe in every message
Consent / legitimate interests (B2B)
Comply with law, tax, and accounting obligations; establish and defend legal claims
Legal obligation / legitimate interests

We do not use personal information for automated decisions that produce legal or similarly significant effects about you, and we do not use it to train AI models.

05How we share information

  • Service providers acting on our instructions under contract: cloud hosting (Amazon Web Services), payment processing (Stripe), business email and collaboration (Google Workspace), and site analytics (Google Analytics), controllable any time via Cookie settings. Providers that touch Customer Content are separately listed — with roles and safeguards — on the Subprocessor List.
  • Professional advisors — lawyers, accountants, auditors, and insurers, under confidentiality.
  • Legal and safety: to comply with law or valid legal process, or to protect the rights, safety, or property of Medrecords AI, our customers, or others. For demands touching Customer Content, the notification commitments in the DPA (Section 6.3) apply.
  • Corporate transactions: in a merger, acquisition, financing, or sale of assets, information may transfer to the successor — which must assume our BAA, DPA, and never-train commitments in full.
  • With your consent or at your direction.

That's the complete list. No data brokers, no ad networks, no "partners" receiving your details for their own marketing.

06Records we process for customers

Customer Content routinely contains deeply sensitive information about people who are not our customers: patients, claimants, examinees, insureds, and litigants, and their providers. For that data we are a processor / service provider / business associate: we process it only to deliver the Services on the customer's documented instructions, protect it with the safeguards in the DPA and BAA, disclose it to no one except the subprocessors those documents authorize, and delete it on the schedule the customer controls.

We cannot independently answer requests to access, correct, or delete information inside a customer's case files — those files may be evidence in active litigation or claims, and altering them is not ours to decide. Section 12 explains what we do instead.

07Retention

Data
Kept for
Customer Content (records, imaging, outputs)
Customer-controlled — see DPA §5
Test-a-File evaluation files & outputs
30 days after sample delivery
Account data
Life of account + 30 days
PHI access & security audit logs
6 years (45 CFR 164.316)
Server & application logs (non-audit)
90 days
Site analytics
26 months
Demo, contact & marketing records
2 years after last interaction
Billing & tax records
7 years (tax law)

Longer retention applies only where law, litigation hold, or a customer's written instruction requires it. Deletion includes backups, on the cycle described in the DPA.

08Security

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access is role-scoped and case-scoped, protected by MFA, and logged — every PHI access event is auditable. Controls are documented SOC 2 audit-ready, and our full security posture, including how to request the security package under NDA, is published at the Trust Center. No transmission or storage method is perfectly secure; if we learn of a breach affecting your data, we will notify you as the DPA, the BAA, and applicable law require.

09Your rights & choices

  • Access, correction, deletion, portability: email [email protected] from the address on file (or provide equivalent verification). We respond within 30 days and will explain any legal basis for declining (e.g., records we must keep for tax or audit purposes).
  • Marketing: every marketing email has an unsubscribe link; opting out never affects service or security notices.
  • Cookies: manage preferences via the cookie banner, the Cookie Policy, or your browser. We honor Global Privacy Control (GPC) signals.
  • Account data: administrators can update account details in-product; closing an account triggers the retention schedule above.

We will never discriminate against you for exercising a privacy right. Authorized agents may submit requests with proof of authority.

10US state privacy rights

Residents of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have rights to know/access, correct, delete, and obtain a portable copy of personal information, and to opt out of sale, sharing/targeted advertising, and certain profiling. We do not sell or share personal information and do not profile in a way that produces legal or similarly significant effects, so there is nothing to opt out of — but the request channel exists regardless: [email protected].

California (CCPA/CPRA) disclosures. In the preceding 12 months we collected these categories: identifiers (name, email, IP); customer-records information (billing contact); commercial information (transactions); internet activity (site/feature usage); approximate geolocation (from IP); professional information (organization, role); and sensitive personal information limited to account log-in credentials (used only to authenticate you — never to infer characteristics). Sources, purposes, and recipients are as described in Sections 2, 4, and 5. We do not use or disclose sensitive personal information beyond what CCPA §7027(m) permits. California's Shine-the-Light and Delete Act rights are likewise honored via the same contact.

Appeals (VA, CO, CT, and similar): if we decline a request, reply to our decision email within 30 days and a different reviewer will decide your appeal within 45 days; if it is denied, we will give you a way to contact your state attorney general.

11EEA, UK & international visitors

The Services are hosted in the United States and designed for US medical-legal work. If you use them from outside the US, your information is transferred to and processed in the US. For personal data subject to the GDPR or UK GDPR, our legal bases are those in Section 4; transfers rest on Standard Contractual Clauses (and the UK Addendum) or another lawful mechanism, and the DPA's transfer terms apply to Customer Content.

EEA/UK individuals may also object to or restrict processing, withdraw consent at any time, and lodge a complaint with their supervisory authority (or the UK ICO). Contact us first if you like — most issues resolve in one email.

12If your medical records were processed through our platform

You may have found this page because a law firm, insurer, third-party administrator, or medical evaluator handling your matter used Medrecords AI to review your records. We are that organization's technology vendor. We do not decide what happens to your records, and we cannot release, correct, or delete them on our own — they are part of your legal or claims file, controlled by the organization handling it.

  • To exercise rights in your records (access, amendment, an accounting of disclosures), contact the organization handling your matter, or your healthcare provider or health plan for HIPAA rights in the source records.
  • If you contact us instead at [email protected], we will acknowledge you, forward your request to the responsible customer within five (5) business days where we can identify them, and support their response as the DPA and BAA require. We will not respond on the merits ourselves unless the customer instructs us to or the law requires.
  • HIPAA complaints: you may complain to the U.S. Department of Health and Human Services, Office for Civil Rights (hhs.gov/ocr). No one will retaliate against you for filing a complaint.

13Job applicants

If you apply to work with us, we collect what you submit (résumé, contact details, work history, links) plus interview notes and references you authorize, and use it only to evaluate your application, communicate with you, and meet legal obligations. We keep applicant data for two (2) years after the decision (or longer with your consent to be considered for future roles), then delete it. Applicants have the same rights and contact channel as Section 9. We never ask applicants for medical information, and we do not make automated hiring decisions.

14Cookies & similar technologies

We use a deliberately small set: essential cookies for sign-in and security, a preference cookie for your choices, analytics, and marketing cookies on this public website — the latter two run by default and can be turned off any time, and marketing is always off on our Solutions and Test-a-File pages regardless. Every cookie and localStorage key we set is named, with provider, purpose, and lifetime, in the Cookie Policy. None of this runs on the authenticated platform; GPC and browser opt-outs are honored.

15Children

The Site and Services are professional tools not directed to anyone under 18, and we do not knowingly collect personal information from minors as users or visitors. (Records processed about minors — for example, in a pediatric injury case — are Customer Content protected under the DPA and BAA at the customer's direction.) If you believe a minor has provided us personal information, contact [email protected] and we will delete it.

16Changes & contact

We may update this Notice as our practices or the law change. Material changes get at least 30 days' notice by email or in-product message before taking effect; the current version always lives at this page with its effective date. This Version 2.1 supersedes the Privacy Policy dated January 1, 2025.

Privacy contact
[email protected]
Attn: Privacy Officer
Responses within 30 days
Mail
AI Health Studio LLC d/b/a Medrecords AI
30 North Gould Street
Sheridan, Wyoming 82801, USA