Privacy Policy
Last updated: April 9, 2026
iDoctor by Medivis ("iDoctor," "we," "us") is a personal health knowledge graph and AI assistant. This Privacy Policy explains how we collect, use, store, and protect your information when you use our services through iMessage and the web portal at idoctor.medivis.com.
1. Information We Collect
Information You Provide
- Account information: Phone number, name, date of birth, sex, email address.
- Health records: Medications, lab results, conditions, observations, appointments, providers, vaccinations, and other health data you enter or upload.
- Documents: PDFs, images, and other files you upload for processing.
- Messages: Conversations with iDoctor via iMessage and the web chat.
- Preferences: Notification settings, timezone, check-in style, morning brief timing.
- Emergency contact: Name, phone, and relationship of your designated emergency contact.
Information We Collect Automatically
- Session data: IP address, user agent, session timestamps for security and fraud prevention.
- Usage data: Feature usage patterns, page views, and interaction metrics (no health data in analytics).
- Audit logs: Records of data access and modifications for compliance and security review.
Information From Connected Services
- Gmail (optional): If you connect your Gmail account, we search for health-related emails from lab portals, pharmacies, and providers. We only access emails matching specific health-related filters. Email content is processed and discarded; only extracted health data is retained.
2. How We Use Your Information
- Provide personalized health assistance through AI-powered conversation.
- Extract, organize, and display your health records in the portal.
- Generate proactive health reminders and morning briefs.
- Detect medical emergencies and direct you to appropriate resources.
- Process and bill your subscription.
- Improve service quality and reliability.
- Comply with legal obligations.
We never sell your personal or health information. We never use your health data for advertising.
3. AI Processing
iDoctor uses AI (Anthropic Claude) to understand your messages, interpret health records, and generate personalized responses. Your messages and health context are sent to Anthropic's API for processing. Anthropic does not retain your data for model training under our agreement.
iDoctor is not a medical device and does not provide diagnoses, treatment recommendations, or emergency medical care. AI responses are educational and informational. Always consult your healthcare provider for medical decisions.
4. Data Storage and Security
- All data is stored in Azure-hosted PostgreSQL with encryption at rest.
- Documents are stored in Azure Blob Storage with encryption.
- All connections use TLS 1.2 or higher.
- Authentication uses phone-based OTP with bcrypt-hashed codes.
- Session tokens are SHA-256 hashed before storage.
- Gmail refresh tokens are AES-256-GCM encrypted.
- Audit logs are maintained for compliance and security review.
- No protected health information (PHI) appears in application logs.
5. Data Sharing
We share data only with the following categories of service providers, under contractual protections:
- Anthropic: AI processing (messages and health context for generating responses).
- Sendblue: iMessage delivery (message content for sending/receiving).
- Microsoft Azure: Cloud infrastructure (database, storage, compute).
- Stripe: Payment processing (no health data shared with Stripe).
- Google: Gmail OAuth and email access (only if you connect Gmail).
We do not share your data with any other third parties except as required by law.
6. Your Rights and Controls
- Access: View all your health data in the portal at any time.
- Export: Download a complete copy of your data as JSON from Settings.
- Correction: Edit any health record in the portal.
- Deletion: Delete your account and all associated data from Settings. Soft deletion occurs immediately; permanent deletion follows after 30 days.
- Gmail disconnect: Revoke Gmail access at any time from Settings. Tokens are immediately deleted and revoked with Google.
- Session management: View and revoke active sessions from Settings.
7. Data Retention
- Active accounts: Data retained for the life of the account.
- Deleted accounts: Soft-deleted immediately, permanently purged after 30 days.
- Audit logs: Info-level logs retained 90 days. Warning/critical logs retained for compliance (up to 7 years).
- Expired sessions and OTP codes: Automatically purged daily.
8. Children
iDoctor is not intended for use by individuals under 18. We do not knowingly collect information from minors.
9. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via iMessage or the portal. Continued use after changes constitutes acceptance.
10. Contact
For privacy questions or data requests, contact us at privacy@medivis.com.