Hamdosh
Privacy policy

Your records are yours.

How we collect, use, store, and protect your family's medical information — and the lines we will never cross.


Effective 2026-06-01

Hamdosh is built on a single conviction: your medical records are yours. This policy explains exactly what we collect, what we do with it, and — just as importantly — what we never do with it.

What we collect

We collect only what you give us, and what we need to make the service work:

  • Account data: your email address and a hashed password (Argon2id; we never see the plaintext).
  • Family member profiles: names, dates of birth, relationships, and any allergies, conditions, or medications you choose to add.
  • Uploaded documents: prescriptions, lab reports, pharmacy receipts, after-visit summaries, and other health-related files you upload.
  • Extracted data: the structured fields (medicines, doses, dates, diagnoses, outcomes) extracted from your uploads.
  • Operational logs: application errors and authentication events. These contain no PHI. Unexpected errors are forwarded to our error-monitoring provider (Sentry) with personal data and URL query strings stripped before sending.
  • Analytics (with your consent): on our marketing site, if you accept the cookie banner, Google Analytics records page views and the campaign/source that brought you, so we can measure our marketing. In the app, we record privacy-scrubbed page paths (query strings removed, record ids replaced with :id) to understand which features help. Neither ever receives your health data.
  • Newsletter (optional, off by default): our newsletter is hosted on Substack. The signup form is not loaded until you explicitly click “Load subscribe form” — until then your browser never contacts Substack and no third-party cookies are set. If you choose to subscribe, your email address is processed by Substack under its own privacy policy; we never send Substack any health data.
  • Access audit: a per-request log of which of your own records you (or someone you’ve granted access to) viewed, edited, or exported.

We do not collect:

  • Browsing history outside our site or app.
  • Device-level location.
  • Contacts, photos, or files from your device beyond what you explicitly upload.
  • Analytics without your consent. The marketing site loads no analytics until you accept the cookie banner — decline and nothing third-party loads. Our newsletter signup is likewise click-to-load: nothing is sent to Substack until you choose to open the form. We run no advertising networks and never sell your data.

How we use it

We use your information for one purpose: to provide the Hamdosh service to you.

Specifically, that means:

  • Running the OCR pipeline on our servers over documents you upload.
  • Grouping related documents into encounters.
  • Surfacing your own treatment history when you search it.
  • Maintaining the shared reference data that keeps extraction and matching accurate for everyone — our medicine catalog, common doses, and directories of providers and pharmacies — and the aggregate usage statistics built from it. This is derived from the structured fields in uploaded documents, never sold or shared.
  • Sending you account-essential emails (password resets, security alerts, your own outcome-capture reminders if you’ve enabled them).

We do not:

  • Sell your data. Not to brokers, not to advertisers, not to insurers, not to anyone.
  • Train external AI models on your records without explicit, per-purpose consent.
  • Share your data with employers, insurers, or marketers.
  • Use your data to “personalize ads” — there are no ads.

Storage and encryption

  • All PHI columns and all uploaded files are encrypted at rest with AES-256-GCM.
  • Per-file keys are wrapped by a master key held in environment-protected storage.
  • All transit between your browser and our API uses TLS 1.3.
  • Files live in S3-compatible object storage behind signed URLs with short TTLs.
  • Encrypted backups run on a schedule; we test restores.

See Security for the full technical posture.

Your rights

You can, at any time:

  • Access every record we hold about you, in-app.
  • Export your full record as a ZIP of PDFs and JSON. No friction, no support ticket required.
  • Correct any field — most are inline-editable.
  • Delete your data at any granularity: a single uploaded image, one encounter, several at once, or all of your records — from the record itself or from Settings. See Deleting your data for exactly what each removes.
  • Delete your account entirely. We wipe everything we hold for you — including the data extracted from your documents and encrypted backups — within 30 days.
  • Audit who has accessed what. The access log is one click away.
  • Revoke any consent grant you’ve issued to another household member. Effective immediately.

If you’re in a jurisdiction with a specific privacy law (GDPR, CCPA, LGPD, etc.), you have additional rights under that law — and we will honor them. Contact us at the address below.

Deleting your data

We let you delete your data in pieces or all at once, and we’re precise about what each kind of deletion does — because “delete” should mean what you expect.

  • Deleting an image. The uploaded file is permanently erased from storage. Because we keep no hidden duplicate, you can upload the same image again later as if it were new.
  • Deleting an encounter, or all of your records. The encounter and everything that ties it to you — the uploaded images and the personal details extracted from them (your name, free-text notes, anything identifying) — are permanently erased. What remains is a de-identified summary of the medical facts (clinic, hospital, doctor, medications, symptoms, diagnoses, dates, prices) that contains no name, no account, and no identifier of any kind — nothing in it can be traced back to you. We keep that anonymous summary to keep the service accurate and improving for everyone (for example, our medicine catalog and provider directories); it is never sold, shared with third parties, used to train external AI models, or used to advertise to you.
  • Deleting your account. We erase your account and every record still linked to it — documents, extracted data, and encrypted backups — within 30 days. (Any de-identified summaries created earlier, from encounters you’d already deleted, carry no link to you and remain as anonymous data.)

We will not surface a deleted record back to you, and deleting records never affects your ability to re-upload the same documents later.

Third parties

Hamdosh runs OCR (Tesseract 5) on our own servers, not on your device. Your uploads are encrypted (AES-256-GCM) before they are written to storage, and we never sell your data or use it to train external AI models without your explicit consent.

Sub-processors

We run the hosted service on the infrastructure sub-processors below. Each stores or processes your data solely to operate Hamdosh on our behalf — none receive it for their own purposes, sell it, or use it to train models.

  • Cloudflare R2. Purpose: object storage for uploaded documents. What it holds: encrypted file blobs only (AES-256-GCM; Cloudflare holds no decryption key and cannot read them). BAA status: not yet executed. Added: 2026-06-01.
  • Neon. Purpose: managed PostgreSQL database. What it holds: your structured records; PHI fields are encrypted at the application layer before they reach the database. BAA status: not yet executed. Added: 2026-06-01.
  • Fly.io. Purpose: application hosting and compute (API + web). What it holds: runs the Hamdosh API, which decrypts PHI transiently in memory to perform OCR, extraction, and search; plaintext is never persisted to disk. BAA status: not yet executed. Added: 2026-06-01.

This sub-processor list was last updated on 2026-06-01. We will update it — with a new date — before we add, remove, or change any sub-processor.

Hamdosh is HIPAA-aligned but not yet certified, and we have not yet executed Business Associate Agreements (BAAs) with these providers. In the meantime we protect your data with application-layer encryption — AES-256-GCM at rest and TLS in transit — and putting BAAs in place is part of our path to certification.

Children’s data

Hamdosh is designed to be used by adults managing their family’s health, including their children’s. If you are adding a child’s record, you must be the child’s parent or legal guardian. Records of children under 13 are not visible to anyone other than the account holder and any consent-granted co-guardians.

We do not knowingly collect data directly from children under 13. We do not market the product to children.

Changes to this policy

We will update this policy if our practices change. Material changes will be announced in-app and by email at least 30 days before they take effect, with the prior version archived at a permanent URL.

Contact

Privacy questions, requests for access/export/deletion, or anything else covered above:

privacy@hamdosh.com

For security disclosures, see Security and email security@hamdosh.com.