Privacy Notice
How AI Health Studio LLC d/b/a Medrecords AI collects, uses, and protects personal information — for website visitors, platform users, and job applicants. Medical records our customers process through the platform are governed separately by the DPA and BAA.
- We collect what a B2B software company needs: contact details you give us, account data, billing data, and standard site analytics. Nothing exotic.
- We never sell personal information. We run analytics and marketing cookies on this public website by default to understand and reach visitors — never on the platform, always under your control via Cookie settings, and marketing is always off on our Solutions and Test-a-File pages regardless of your settings.
- The medical records our customers upload are their data, processed under the DPA and BAA. We never train AI models on them — not even "de-identified."
- If your medical records were reviewed through our platform, the organization handling your matter controls them — Section 12 explains your rights and how we help you reach them.
- Privacy questions and rights requests: [email protected]. We respond within 30 days, usually much faster.
01Scope — two kinds of data, two sets of rules
This Privacy Notice is issued by AI Health Studio LLC, a Wyoming limited liability company doing business as Medrecords AI ("Medrecords AI," "we," "us," or "our"). It applies where we decide how and why personal information is processed (where we act as a "controller" or "business"): the medrecords.ai website, our marketing, sales, and events, accounts on the Medrecords AI platform at app.medrecords.ai, support and billing, and job applications.
Where a customer uploads Customer Content, the customer is the controller (or covered entity/business associate under HIPAA) and we are its processor and, where applicable, business associate. That processing is governed by our Data Processing Addendum and Business Associate Agreement, not this Notice — except that Sections 6 and 12 below explain how individuals can exercise rights in that data.
02Information we collect
2.1 Information you provide.
- Account & registration: name, work email, organization, role, password (hashed — we never store plaintext), MFA enrollment, and profile settings. If you sign in with Google or Microsoft, we receive your name, email, and profile picture from that provider.
- Forms on the Site: demo requests (name, work email, organization, role, monthly page volume, optional message), contact and support messages, security-package requests (work email), ROI-calculator email capture, and webinar or newsletter signups.
- Test a File: your name, organization, line of work, and work email when you request a sample. The file itself is Customer Content handled under our BAA and the evaluation terms in the Terms, Section 6 — it is never used for marketing and never used to train models.
- Billing: billing contact, address, and transaction history. Card and bank details go directly to our payment processor (Stripe); we never see or store full card numbers.
- Communications & surveys: whatever you choose to include when you write to us or answer a survey.
2.2 Information collected automatically. Device and log data (IP address, browser type, operating system, timestamps, referring pages), usage data (pages viewed, links clicked, features used in the platform's non-content telemetry), approximate location inferred from IP address (city/region — never precise geolocation), and cookies as described in the Cookie Policy. Platform telemetry is engineered to exclude Customer Content: page counts and token metering, not record text.
2.3 Information from third parties. Sign-on providers (Google, Microsoft), your colleagues (e.g., an administrator creating your user seat), and business-contact information from public professional sources or event organizers, used only for B2B outreach you can opt out of at any time.
03What we don't do
- We do not sell personal information, and we have not sold it in the preceding 12 months.
- We do not run marketing or advertising cookies on the authenticated platform, ever, and we do not run them on our Solutions or Test-a-File pages, for any visitor, regardless of settings chosen elsewhere — Global Privacy Control and your cookie settings always override the default everywhere else.
- We do not use Customer Content to train AI models — ours or anyone's, in any form, including de-identified.
- We do not ask for medical records anywhere on the Site — the only upload path is the platform and Test a File, both behind the BAA.
- We do not knowingly collect data from anyone under 18.
04How we use information
We do not use personal information for automated decisions that produce legal or similarly significant effects about you, and we do not use it to train AI models.
05How we share information
- Service providers acting on our instructions under contract: cloud hosting (Amazon Web Services), payment processing (Stripe), business email and collaboration (Google Workspace), and site analytics (Google Analytics), controllable any time via Cookie settings. Providers that touch Customer Content are separately listed — with roles and safeguards — on the Subprocessor List.
- Professional advisors — lawyers, accountants, auditors, and insurers, under confidentiality.
- Legal and safety: to comply with law or valid legal process, or to protect the rights, safety, or property of Medrecords AI, our customers, or others. For demands touching Customer Content, the notification commitments in the DPA (Section 6.3) apply.
- Corporate transactions: in a merger, acquisition, financing, or sale of assets, information may transfer to the successor — which must assume our BAA, DPA, and never-train commitments in full.
- With your consent or at your direction.
That's the complete list. No data brokers, no ad networks, no "partners" receiving your details for their own marketing.
06Records we process for customers
Customer Content routinely contains deeply sensitive information about people who are not our customers: patients, claimants, examinees, insureds, and litigants, and their providers. For that data we are a processor / service provider / business associate: we process it only to deliver the Services on the customer's documented instructions, protect it with the safeguards in the DPA and BAA, disclose it to no one except the subprocessors those documents authorize, and delete it on the schedule the customer controls.
We cannot independently answer requests to access, correct, or delete information inside a customer's case files — those files may be evidence in active litigation or claims, and altering them is not ours to decide. Section 12 explains what we do instead.
07Retention
Longer retention applies only where law, litigation hold, or a customer's written instruction requires it. Deletion includes backups, on the cycle described in the DPA.
08Security
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access is role-scoped and case-scoped, protected by MFA, and logged — every PHI access event is auditable. Controls are documented SOC 2 audit-ready, and our full security posture, including how to request the security package under NDA, is published at the Trust Center. No transmission or storage method is perfectly secure; if we learn of a breach affecting your data, we will notify you as the DPA, the BAA, and applicable law require.
09Your rights & choices
- Access, correction, deletion, portability: email [email protected] from the address on file (or provide equivalent verification). We respond within 30 days and will explain any legal basis for declining (e.g., records we must keep for tax or audit purposes).
- Marketing: every marketing email has an unsubscribe link; opting out never affects service or security notices.
- Cookies: manage preferences via the cookie banner, the Cookie Policy, or your browser. We honor Global Privacy Control (GPC) signals.
- Account data: administrators can update account details in-product; closing an account triggers the retention schedule above.
We will never discriminate against you for exercising a privacy right. Authorized agents may submit requests with proof of authority.
10US state privacy rights
Residents of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have rights to know/access, correct, delete, and obtain a portable copy of personal information, and to opt out of sale, sharing/targeted advertising, and certain profiling. We do not sell or share personal information and do not profile in a way that produces legal or similarly significant effects, so there is nothing to opt out of — but the request channel exists regardless: [email protected].
California (CCPA/CPRA) disclosures. In the preceding 12 months we collected these categories: identifiers (name, email, IP); customer-records information (billing contact); commercial information (transactions); internet activity (site/feature usage); approximate geolocation (from IP); professional information (organization, role); and sensitive personal information limited to account log-in credentials (used only to authenticate you — never to infer characteristics). Sources, purposes, and recipients are as described in Sections 2, 4, and 5. We do not use or disclose sensitive personal information beyond what CCPA §7027(m) permits. California's Shine-the-Light and Delete Act rights are likewise honored via the same contact.
Appeals (VA, CO, CT, and similar): if we decline a request, reply to our decision email within 30 days and a different reviewer will decide your appeal within 45 days; if it is denied, we will give you a way to contact your state attorney general.
11EEA, UK & international visitors
The Services are hosted in the United States and designed for US medical-legal work. If you use them from outside the US, your information is transferred to and processed in the US. For personal data subject to the GDPR or UK GDPR, our legal bases are those in Section 4; transfers rest on Standard Contractual Clauses (and the UK Addendum) or another lawful mechanism, and the DPA's transfer terms apply to Customer Content.
EEA/UK individuals may also object to or restrict processing, withdraw consent at any time, and lodge a complaint with their supervisory authority (or the UK ICO). Contact us first if you like — most issues resolve in one email.
12If your medical records were processed through our platform
You may have found this page because a law firm, insurer, third-party administrator, or medical evaluator handling your matter used Medrecords AI to review your records. We are that organization's technology vendor. We do not decide what happens to your records, and we cannot release, correct, or delete them on our own — they are part of your legal or claims file, controlled by the organization handling it.
- To exercise rights in your records (access, amendment, an accounting of disclosures), contact the organization handling your matter, or your healthcare provider or health plan for HIPAA rights in the source records.
- If you contact us instead at [email protected], we will acknowledge you, forward your request to the responsible customer within five (5) business days where we can identify them, and support their response as the DPA and BAA require. We will not respond on the merits ourselves unless the customer instructs us to or the law requires.
- HIPAA complaints: you may complain to the U.S. Department of Health and Human Services, Office for Civil Rights (hhs.gov/ocr). No one will retaliate against you for filing a complaint.
13Job applicants
If you apply to work with us, we collect what you submit (résumé, contact details, work history, links) plus interview notes and references you authorize, and use it only to evaluate your application, communicate with you, and meet legal obligations. We keep applicant data for two (2) years after the decision (or longer with your consent to be considered for future roles), then delete it. Applicants have the same rights and contact channel as Section 9. We never ask applicants for medical information, and we do not make automated hiring decisions.
14Cookies & similar technologies
We use a deliberately small set: essential cookies for sign-in and security, a preference cookie for your choices, analytics, and marketing cookies on this public website — the latter two run by default and can be turned off any time, and marketing is always off on our Solutions and Test-a-File pages regardless. Every cookie and localStorage key we set is named, with provider, purpose, and lifetime, in the Cookie Policy. None of this runs on the authenticated platform; GPC and browser opt-outs are honored.
15Children
The Site and Services are professional tools not directed to anyone under 18, and we do not knowingly collect personal information from minors as users or visitors. (Records processed about minors — for example, in a pediatric injury case — are Customer Content protected under the DPA and BAA at the customer's direction.) If you believe a minor has provided us personal information, contact [email protected] and we will delete it.
16Changes & contact
We may update this Notice as our practices or the law change. Material changes get at least 30 days' notice by email or in-product message before taking effect; the current version always lives at this page with its effective date. This Version 2.1 supersedes the Privacy Policy dated January 1, 2025.
30 North Gould Street
Sheridan, Wyoming 82801, USA