Privacy Policy

Last updated: January 2026

Digital Envision LLC ("MedCase AI", "we", "us", "our") operates the MedCase AI platform at medcase.ai. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our platform.

We are committed to protecting the privacy of our users and the data subjects whose medical records are processed through our platform. This policy applies to all users of MedCase AI, including account holders, team members, and visitors to our website.

1. Who We Are

Company: Digital Envision LLC
Trading as: MedCase AI
Address: Newcastle Upon Tyne, United Kingdom
Contact: hello@medcase.ai
Data Protection Contact: privacy@medcase.ai

2. Data We Collect

2.1 Account Data

When you register for MedCase AI, we collect:

  • Full name
  • Email address
  • Password (stored only as a bcrypt hash — we never store or have access to your plaintext password)
  • Organisation name (if you create or join an organisation)

2.2 Billing Data

When you subscribe to a paid plan, we collect:

  • Payment method details (processed and stored by Stripe — we do not store card numbers, CVVs, or full payment details on our servers)
  • Billing address
  • Invoice history

Stripe acts as our payment processor and is PCI DSS Level 1 certified.

2.3 Medical Record Data (Processed on Behalf of Our Customers)

When you upload medical records for analysis, the platform processes:

  • Medical record PDFs — uploaded by the user for compliance analysis
  • Extracted text — text extracted from the uploaded PDF via direct extraction or OCR
  • Sanitised text — text with all personally identifiable information (PII) removed
  • Analysis outputs — compliance findings, medical timeline, AI chat messages and responses

Important: MedCase AI processes medical record data on behalf of our customers (the data controllers). We act as a data processor in relation to medical record data. See our Data Processing Agreement for full details.

2.4 Usage Data

We automatically collect:

  • Case creation and processing activity (number of cases, processing status)
  • Feature usage (AI chat messages sent, analyses run)
  • Error and performance data (via Sentry — for debugging and platform stability)

2.5 Website Data

When you visit our website, we may collect:

  • Browser type and version
  • Pages visited
  • Referring website
  • IP address (for rate limiting and security purposes)

3. How We Use Your Data

Purpose | Legal Basis (GDPR) | Data Used
Provide the MedCase AI platform | Performance of contract (Art. 6(1)(b)) | Account data, medical record data
Process payments and manage subscriptions | Performance of contract (Art. 6(1)(b)) | Billing data
Send transactional emails | Performance of contract (Art. 6(1)(b)) | Email address, name
Maintain platform security | Legitimate interest (Art. 6(1)(f)) | IP addresses, rate limiting data
Monitor and improve platform stability | Legitimate interest (Art. 6(1)(f)) | Error and performance data
Respond to support enquiries | Performance of contract (Art. 6(1)(b)) | Account data, correspondence
Comply with legal obligations | Legal obligation (Art. 6(1)(c)) | As required by law

3.1 Medical Record Processing

Medical records are processed for the specific purpose of clinical negligence compliance analysis, as instructed by the customer (data controller). The lawful basis for processing medical record data is:

  • Article 6(1)(f) — Legitimate interest: processing medical records for the purpose of legal claims assessment
  • Article 9(2)(f) — Legal claims: processing special category health data in connection with the establishment, exercise, or defence of legal claims

4. PII Sanitisation

Before any medical record text is sent to external AI services for analysis, all personally identifiable information is removed through a triple-layer sanitisation system:

  1. Microsoft Presidio — Enterprise-grade PII detection engine identifying names, NHS numbers, dates of birth, addresses, phone numbers, email addresses, and other identifiers
  2. spaCy Named Entity Recognition — Independent linguistic analysis catching named entities that the first layer may have missed
  3. Custom regex patterns — 30+ pattern-matching rules specifically tuned for UK medical records, catching NHS numbers, postcodes, GMC numbers, hospital numbers, and other structured identifiers

After sanitisation, no raw patient names, dates of birth, NHS numbers, addresses, or other identifiable information is sent to external AI services. Only anonymised clinical narratives with type-labelled placeholders (e.g., [PERSON], [NHS_NUMBER], [DATE]) are transmitted.
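As an added illustration of the third (custom regex) layer described above, not MedCase AI's own patterns: this Go snippet finds NHS-number-shaped tokens, keeps only those whose published Modulus 11 check digit verifies, and replaces them with the [NHS_NUMBER] placeholder the policy describes. The regex, the check-digit gating and the sample text are all constructed for the example.

```go
package main

import (
	"regexp"
	"strings"
)

// Added illustration of the "custom regex" layer in section 4 (not MedCase AI's own
// patterns): find NHS-number-shaped tokens, keep only those whose Modulus 11 check
// digit verifies (reducing false positives on other 10-digit numbers), and replace
// them with the type-labelled placeholder the policy describes.

// NHS numbers are 10 digits, commonly written as 3-3-4 groups with spaces or hyphens.
var nhsCandidate = regexp.MustCompile(`\b\d{3}[ -]?\d{3}[ -]?\d{4}\b`)

// ValidNHSNumber applies the published Modulus 11 check: weight digits 1-9 by 10..2,
// sum, take 11 - (sum mod 11); a result of 11 means 0, and 10 means invalid.
func ValidNHSNumber(digits string) bool {
	if len(digits) != 10 {
		return false
	}
	sum := 0
	for i := 0; i < 9; i++ {
		d := int(digits[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		sum += d * (10 - i)
	}
	check := 11 - sum%11
	if check == 11 {
		check = 0
	}
	return check != 10 && check == int(digits[9]-'0')
}

// SanitiseNHSNumbers replaces every validated NHS number in text with [NHS_NUMBER].
func SanitiseNHSNumbers(text string) string {
	return nhsCandidate.ReplaceAllStringFunc(text, func(m string) string {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if ValidNHSNumber(digits) {
			return "[NHS_NUMBER]"
		}
		return m // a 10-digit token that fails the check is left for the other two layers
	})
}
```

A deployment that prefers over-redaction can drop the check-digit gate and replace every candidate; the gate is shown because it is what distinguishes an NHS number from other 10-digit identifiers.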

5. Data Storage and Security

5.1 Encryption at Rest

All sensitive data stored in our database is encrypted using AES-256-GCM (Galois/Counter Mode):

  • 256-bit encryption keys
  • Unique 12-byte random nonce per record
  • 128-bit authentication tag for tamper detection
  • Base64 encoding for storage
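The parameters listed above, worked through in Go as an added example (not MedCase AI's own code): AES-256-GCM with a 32-byte key, a fresh 12-byte random nonce prefixed to each record, GCM's 16-byte (128-bit) tag appended by the library, and base64 text for storage. The Seal/Open names and the key handling are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)
// Added illustration of the 5.1 scheme (not MedCase AI's own code): AES-256-GCM,
// a fresh 12-byte random nonce per record, the 16-byte (128-bit) GCM tag, base64 storage.
const nonceSize = 12 // 96-bit GCM nonce
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // tag size defaults to 16 bytes
}

// Seal returns base64(nonce || ciphertext || tag) for one field value.
func Seal(key, plaintext []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil { // random per record, never reused under a key
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, nil)), nil
}
// Open reverses Seal; any change to nonce, ciphertext or tag fails the tag check, so a
// tampered record yields an error rather than silently altered plaintext.
func Open(key []byte, stored string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(raw) < nonceSize+gcm.Overhead() {
		return nil, fmt.Errorf("record too short: %d bytes", len(raw))
	}
	return gcm.Open(nil, raw[:nonceSize], raw[nonceSize:], nil)
}
```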

5.2 Encryption in Transit

All data transmitted between your browser and our servers is encrypted via TLS (HTTPS). We enforce HTTPS via HSTS headers and never accept unencrypted HTTP connections.

5.3 Password Security

User passwords are hashed using bcrypt with automatic salt generation. We never store plaintext passwords. Password verification uses constant-time comparison to prevent timing attacks.

5.4 Infrastructure Security

  • Hosting: Hetzner (data centres in Germany and Finland, ISO 27001 certified)
  • Database: PostgreSQL with encrypted connections
  • Rate limiting: Enforced on authentication, case uploads, and chat endpoints
  • CSRF protection: Signed tokens on all state-changing requests
  • Security headers: Comprehensive headers including Content Security Policy, X-Frame-Options, Strict-Transport-Security, and cache prevention
  • Two-factor authentication: Required for admin accounts (6-digit email code, 10-minute expiry)

5.5 Uploaded Files

  • Users can choose whether the original PDF file is retained after text extraction
  • If file retention is disabled, the uploaded PDF is deleted after text extraction completes
  • If file retention is enabled, the file is stored securely and deleted according to the case's retention schedule

6. Data Sharing and Sub-Processors

We share personal data with the following third-party sub-processors, solely for the purposes of providing the MedCase AI platform:

Sub-Processor | Purpose | Data Shared | Location
Hetzner | Infrastructure hosting | All platform data (encrypted at rest) | Germany / Finland (EU)
OpenRouter / Anthropic | AI analysis (Claude Sonnet 4) | Sanitised (PII-free) medical record text only | United States
OpenAI | Vector embeddings | Sanitised (PII-free) text chunks only | United States
Stripe | Payment processing | Billing data, payment method details | United States
Resend | Transactional email delivery | Email addresses, names, email content | United States
Sentry | Error monitoring | Error data, stack traces, anonymised usage context | United States

Important: OpenRouter/Anthropic and OpenAI only receive PII-sanitised text. No patient-identifiable information is transmitted to AI service providers.

7. Data Retention

Data Type | Retention Period
Account data | Retained while your account is active. Deleted upon account deletion request.
Medical record data | Default: 7 years from case creation (configurable per case). Users can request earlier deletion.
Billing data | Retained for 7 years after the end of the financial year in which the transaction occurred (UK legal requirement).
Usage data | Retained for 2 years for analytics and billing reconciliation.
Error/performance data | Retained for 90 days (Sentry default).
Website visitor data | Retained for 30 days.

8. Your Rights

Under the UK GDPR, you have the following rights:

Right | Description
Access | Request a copy of the personal data we hold about you
Rectification | Request correction of inaccurate personal data
Erasure | Request deletion of your personal data ("right to be forgotten")
Restriction | Request restriction of processing in certain circumstances
Data portability | Receive your data in a structured, machine-readable format
Object | Object to processing based on legitimate interests
Withdraw consent | Where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at privacy@medcase.ai. We will respond within 30 days.

8.1 Data Subject Rights for Medical Records

If you are a data subject whose medical records have been processed through MedCase AI, please contact the organisation (our customer) that uploaded your records. They are the data controller and are responsible for responding to your rights requests. We will assist the data controller in fulfilling these requests in accordance with our Data Processing Agreement.

9. Case Data Deletion

When a case is deleted (either by user request or at the end of the retention period), the following is permanently and irreversibly removed:

  • All extracted medical record text
  • All text chunks and vector embeddings
  • All compliance analysis results
  • All findings
  • All AI chat messages and responses
  • The uploaded PDF file (if stored)
  • All associated usage records

Deletion is logged with a timestamp and reason for audit purposes.

10. Cookies

MedCase AI uses only essential cookies required for the platform to function:

Cookie | Purpose | Duration
Authentication token | Maintains your logged-in session | 24 hours
CSRF token | Prevents cross-site request forgery attacks | Session

We do not use analytics cookies, advertising cookies, or third-party tracking cookies.

11. Children

MedCase AI is a professional platform designed for legal and medical professionals. It is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from anyone under 18.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email. The "Last updated" date at the top of this policy indicates when it was last revised.

13. Contact

For privacy-related enquiries or to exercise your data protection rights:

  • Email: privacy@medcase.ai
  • General enquiries: hello@medcase.ai
  • Address: Digital Envision LLC, Newcastle Upon Tyne, United Kingdom

If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.