Medrecords AI · Legal Center

The paperwork, written like we mean it.

Six documents govern everything we do with your data and your money. Each opens with a plain-English summary, and the commitments that matter — never training on your records, deletion with certificates, breach clocks in hours — are contractual, not marketing.

All documents effective July 7, 2026 AI Health Studio LLC · Sheridan, Wyoming
DOCUMENT 01 v2.0 · Jul 7, 2026
Terms of Service

The master agreement: who may use the platform, per-page billing with spend caps, Test-a-File evaluation terms, your duty to verify AI output, and the not-a-medical-device line.

cancel anytime verify-before-filing duty aggregate liability cap
DOCUMENT 02 v2.0 · Jul 7, 2026
Privacy Notice

Visitor, customer, and applicant data: what we collect, the full sharing list, a named retention table, US state and GDPR rights — and what individuals do when their records went through our platform.

never sold no ad pixels GPC honored
DOCUMENT 03 v1.0 · Jul 7, 2026
Data Processing Addendum

Processor terms for the records you upload: instructions-only processing, the contractual never-train clause, customer-controlled retention with deletion certificates, subprocessor objection rights, SCCs — plus per-plan data paths in Annex 3.

never-train §4.4 72h incident notice deletion certificates
DOCUMENT 04 Jul 7, 2026
HIPAA & BAA

Where covered entities, business associates, and non-covered legal and casualty teams each stand — and the clause-by-clause map of what our Business Associate Agreement commits us to.

BAA at signup covers Test a File workers' comp explained
DOCUMENT 05 Updated Jul 7, 2026
Subprocessor List

Four vendors can touch Customer Content — AWS, Anthropic, OpenAI, OpenRouter — every one under a BAA with zero-retention, no-training terms. Business-ops vendors listed separately. Subscribe for 30-day advance change notices.

US-only processing 30-day notice changelog
DOCUMENT 06 v1.1 · Jul 8, 2026
Cookie Policy

Every cookie and localStorage key, named with provider, purpose, and lifetime. Analytics and marketing run by default, public site only, never the platform, and marketing is always off on Solutions pages; nothing sensitive in browser storage.

named cookies opt-out anytime no PHI in storage
How the documents fit together
1 · BAA — controls for PHI 2 · DPA — controls for personal data 3 · Order Form — enterprise plans 4 · Terms of Service — everything else

Self-Service and Test-a-File customers get the whole stack automatically: accepting the Terms incorporates the DPA, and the BAA is presented click-through before any upload. Enterprise customers execute countersigned versions with their Order Form. The Privacy Notice and Cookie Policy cover the website and your account regardless of plan.

For procurement & security review

Countersigned BAA / DPA

Need executed copies on your paper or ours? We accept reasonable redlines.

[email protected]
Security package

Controls documentation, SOC 2 evidence summary, pen-test summary — under NDA.

Request via Trust Center →
Subprocessor notices

30-day advance notice of any change to who can process Customer Content.

Subscribe on the list →
Questions about any of this?

Legal: [email protected] · Privacy: [email protected] · Security: [email protected]

AI Health Studio LLC d/b/a Medrecords AI
30 North Gould Street, Sheridan, WY 82801