Privacy Policy & Data Handling
Last Updated: 20 April 2025
Welcome to JJ, your multilingual medical intake assistant. We are committed to protecting your privacy and handling your personal information responsibly and in accordance with applicable laws, including the Health Insurance Portability and Accountability Act (HIPAA) where applicable to the data we handle.
Information We Collect
- Account Information: When you log in via Google OAuth, we receive your name and email address as provided by Google. This is used for identifying you within the application and for communication purposes (e.g., emailing transcripts).
- Chat Interaction Data: We collect the language you select for the chat and the content of your conversation with the JJ assistant. This includes the medical information you provide during the intake process, which may constitute Protected Health Information (PHI).
- Usage Data: To ensure fair use and manage resources, we track the number of chat sessions initiated per user (identified by email) on a monthly basis using Google Cloud Firestore.
How We Use Your Information
- To Provide the Service: Your name, language preference, and conversation content are used to facilitate the medical intake chat with the AI assistant.
- To Generate Transcripts & Summaries: The conversation content is used to generate a raw transcript and a processed SOAP note summary. These are formatted into a PDF and emailed to your registered email address upon completion of the chat.
- To Improve the Service: Conversation data is sent to Anthropic's Claude model to generate the assistant's responses and the SOAP note summary. We may analyze trends in conversation data (aggregated and de-identified where feasible) to improve our system prompts and performance. We do *not* use identifiable PHI to train models beyond providing the service directly to you.
- Resource Management: Usage data (session counts) is used solely to manage access limits and ensure the availability of the service.
Data Storage and Security
- Authentication: Handled via Google OAuth 2.0; we never receive or store your Google password. Session management uses either Flask's signed session cookie (the signature prevents tampering but does not hide the cookie's contents from the browser) or server-side sessions.
- Transcripts & PDFs: Raw text snippets captured during the chat and the final processed PDF transcript (which may contain PHI) are stored in a designated Google Cloud Storage (GCS) bucket within our Google Cloud Platform project. Access to this bucket is restricted to authorized personnel and to the service accounts the application needs to function (e.g., for PDF generation and email attachment). Objects in GCS are encrypted at rest.
- Processed HTML (Admin): HTML fragments of SOAP notes generated for admin review are also stored in GCS with restricted access.
- Medical Term Dictionaries (RAG): Language-specific medical term lists used by the RAG system are stored in Google Cloud Firestore. This data does not contain user PII or PHI.
- Usage Tracking: Monthly interaction counts per user email are stored in Google Cloud Firestore. Access is restricted.
- AI Processing: Conversation data, including any PHI you provide, is sent to Anthropic's API for processing. Anthropic has its own security and privacy policies regarding data handling, which you should review. Data in transit to and from Anthropic is encrypted with HTTPS (TLS).
- HIPAA Compliance Considerations: We use Google Cloud Platform services (GCS, Firestore) that can be configured for HIPAA compliance; note that HIPAA-regulated use of a cloud provider also requires a Business Associate Agreement (BAA) with that provider. While this application is a proof-of-concept, we strive to handle potential PHI collected during the intake process in a manner consistent with HIPAA security and privacy principles, including access controls, encryption, and secure infrastructure.
- Email Delivery: Processed PDF transcripts are sent via SMTP through Google Workspace (Gmail), which uses TLS for transmission. TLS protects the connection to Google's mail servers; delivery onward to your mail provider is encrypted only if that provider also supports TLS, and the PDF attachment itself is not encrypted. The security of email therefore depends on both sender and receiver configurations.
Data Retention
Currently, chat transcripts and processed PDFs stored in Google Cloud Storage are retained for **[Specify Period - e.g., 90 days]** for operational and potential review purposes. Usage tracking data in Firestore is retained for **[Specify Period - e.g., 12 months]**. We are establishing a formal data retention schedule. You can contact us for information regarding your specific data or to request deletion where permissible.
Interaction Limits
Please note that to ensure fair access for all users and manage operational costs, there is currently a limit of 3 chat sessions per user per calendar month. Your remaining session count for the current month is displayed when you start a new chat.
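The following is an added illustration of the per-user monthly cap described above and in the Usage Data item; it is not the JJ application's own code. An in-memory dictionary stands in for the Firestore document the policy describes, and the names MonthlyQuota, reserve_session, demo and the sample email addresses are assumptions made for this example.

```python
"""Per-user, per-calendar-month session cap (illustration, not JJ's code).

The in-memory dict and lock stand in for a Firestore document updated inside
a transaction; MonthlyQuota, reserve_session and demo are names assumed here.
"""
from __future__ import annotations

import threading
from dataclasses import dataclass, field
from datetime import datetime, timezone

MONTHLY_LIMIT = 3  # sessions per user per calendar month, as stated in the policy


def quota_key(email: str, now: datetime) -> str:
    """Counter key: normalized email plus the UTC calendar month.

    The OAuth email is stripped and lower-cased so 'Alice@Example.com' and
    'alice@example.com' share one counter, and the month is taken in UTC so the
    rollover point does not depend on the server's local timezone.
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    month = now.astimezone(timezone.utc).strftime("%Y-%m")
    return f"{email.strip().lower()}:{month}"


@dataclass
class MonthlyQuota:
    """Stand-in for the Firestore collection holding per-month counts."""
    limit: int = MONTHLY_LIMIT
    counts: dict[str, int] = field(default_factory=dict)
    _lock: threading.Lock = field(default_factory=threading.Lock, repr=False)

    def reserve_session(self, email: str, now: datetime) -> tuple[bool, int]:
        """Consume one session if any remain; return (allowed, remaining).

        The check and the increment happen under one lock. That is the
        in-memory equivalent of the Firestore transaction needed so two
        concurrent 'start chat' requests cannot both pass the check when only
        one session is left.
        """
        key = quota_key(email, now)
        with self._lock:
            used = self.counts.get(key, 0)
            if used >= self.limit:
                return False, 0
            self.counts[key] = used + 1
            return True, self.limit - (used + 1)

    def remaining(self, email: str, now: datetime) -> int:
        """Read-only view, the number shown to the user when a chat starts."""
        return max(0, self.limit - self.counts.get(quota_key(email, now), 0))


def demo() -> dict[str, object]:
    """Constructed walkthrough: one user exhausts April, and May resets."""
    quota = MonthlyQuota()
    april = datetime(2025, 4, 20, 12, tzinfo=timezone.utc)
    may = datetime(2025, 5, 1, tzinfo=timezone.utc)
    attempts = ("Alice@Example.com", "alice@example.com",
                " alice@example.com", "alice@example.com")
    results = [quota.reserve_session(e, april) for e in attempts]
    return {
        "april": results,
        "april_left": quota.remaining("alice@example.com", april),
        "may_left": quota.remaining("alice@example.com", may),
        "other_user": quota.reserve_session("bob@example.com", april),
    }


if __name__ == "__main__":
    print(demo())
```

A process-local lock is only correct for a single server process; with several app instances the same check-then-increment must run inside a Firestore transaction (or use an atomic increment with a precondition) so the counter cannot be exceeded by a race.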
Your Rights
Depending on your jurisdiction and the nature of the data, you may have rights regarding your personal information, such as the right to access, correct, or request deletion of your data. Please contact us using the information below to discuss such requests. Note that deletion may be subject to medical record retention requirements if applicable.
Third-Party Services
- Google Cloud Platform (Storage, Firestore, Authentication)
- Anthropic (AI Language Model)
- Google Gemini (AI Language Model)
- Stripe (Payment processing for donations - if used)
- Google Workspace (Email sending)
We recommend reviewing the privacy policies of these third-party services.
Contact Us
If you have any questions about this privacy policy or our data handling practices, please contact Marcus Cooper at coop@farehard.com or call (256) 778-1876.