1. Who We Are
MedIQGPT is operated by DialectAI Technologies Private Limited, a company registered in India. We are the data controller for personal data processed through the Service.
This Privacy Policy applies to all users of the MedIQGPT mobile app, web app, and associated APIs and services.
2. Data We Collect
We collect the following categories of personal data:
Account Information
- Name, email address, and (optionally) phone number.
- Authentication data (managed by Supabase Auth; passwords are never stored in plaintext).
- Profile preferences: language, voice settings, notification preferences.
- Role within the platform (individual, family caregiver, care provider, admin).
Medical Documents
- Uploaded files (PDFs, images, scans) - stored encrypted in Cloudflare R2 (AES-256-GCM).
- Extracted structured data from those documents: dates, provider names, diagnoses, medications, lab values, document types.
- User-added metadata: custom tags, notes, document categories.
Usage Metadata
- Document access events (view, download, share) - recorded in the audit log.
- Search queries (used to fulfil the search; not retained for profiling).
- Job status records for OCR/processing pipeline events.
Voice Input (Session-Only)
- Audio is transcribed via Azure Speech-to-Text for the purpose of answering your query. See the Voice Transcription section for details.
Technical Data
- IP address (used for rate limiting and abuse prevention; not retained in user profile).
- Device type, browser/app version (used for debugging).
- Session tokens (see Cookie Policy).
3. How Data Is Processed
Your data is processed for the following purposes, each with a corresponding legal basis (relevant under DPDP Act 2023 and GDPR-aligned principles):
- Providing the Service: Storing, indexing, and retrieving your medical documents; enabling search; managing family-group access - all necessary to fulfil our contract with you.
- OCR & AI extraction: Running your uploaded documents through Optical Character Recognition (OCR) and LLM extraction to produce structured, searchable records - done only after you upload a document and with your consent.
- Conversational queries: Sending relevant context (selected records, metadata) to an LLM API so the AI agent can answer your health record questions - done only in response to your explicit query.
- Security & fraud prevention: Audit logs, session management, and access controls - legitimate interest for protecting your data.
- Service communications: Emails regarding job status, data export, account security - necessary for providing the Service.
4. LLM & AI Processing
Documents and queries may be processed by third-party Large Language Model (LLM) APIs. We make the following commitments regarding AI processing:
- Privacy-compliant APIs only: We use enterprise-grade, privacy-compliant AI APIs - currently Azure OpenAI (Microsoft Azure) and optionally AWS Bedrock. Both providers operate under data processing agreements that prohibit the use of your data for training their models.
- Your data is never used for AI model training. Neither MedIQGPT nor any upstream AI provider will use your medical records or queries to train, fine-tune, or improve any AI model.
- Minimum context sent: Only the specific records or extracts relevant to your current query are sent to the LLM. We do not send your full medical history on every request.
- No third-party data access: LLM API calls are authenticated and encrypted. The AI provider processes the data to generate a response and does not retain it beyond the request.
- Explicit consent: You must explicitly initiate a query or upload for AI processing to occur. No background AI processing happens without your action.
5. Voice Transcription
When you use the voice query feature, your audio is processed by Azure Cognitive Services Speech-to-Text:
- Session-only retention: Voice transcripts are used only to fulfil your immediate request. Once the response is returned to you, the transcript is not stored, logged, or retained in any database.
- Not used for profiling: Voice data is not associated with your profile, not used to build a behaviour profile, and not retained for any secondary purpose.
- Provider commitment: Microsoft Azure’s Speech-to-Text service (under our enterprise agreement) does not use submitted audio for training its speech models.
- Opt-out: You can choose not to use the voice feature and use text input only. There is no functional penalty for doing so.
6. Data Sharing
We share your data only in the following circumstances:
- With people you explicitly authorise: Family members you invite, care providers you grant access to, or physicians you share records with. You control who has access and can revoke it at any time.
- With service infrastructure providers: Cloudflare (R2 storage, CDN), Supabase (database and auth), Azure (AI/OCR APIs, hosting), and MeiliSearch (search index). These providers act as data processors under our instructions and do not have the right to use your data for their own purposes.
- When required by law: If we receive a lawful order from a government authority requiring disclosure, we will comply and notify you to the extent permitted by law.
7. We Never Sell Your Data
MedIQGPT does not sell, rent, license, or otherwise transfer your personal or medical data to any third party for any commercial purpose.
Our business model is based on subscription revenue from users - not from advertising or data monetisation. Your health records are never an asset we would trade.
8. Medical Information & AI Advice
MedIQGPT uses AI to help you find and understand your own medical records. The following principles govern all health-related AI responses:
- Informational only: AI responses are based on the records you have uploaded and general health information. They are informational, not clinical.
- Mandatory disclaimer: Every AI-generated health response includes a “consult a qualified healthcare professional” disclaimer. This is not optional - it is shown every time.
- Serious cases redirected: If a query indicates an emergency, urgent, or serious medical concern, the AI is designed to actively redirect you to emergency services or qualified healthcare professionals - not to attempt an answer.
- Doctor finder: MedIQGPT may use web search and AI to help you find local doctors, clinics, or specialists by area and budget. This is a discovery service; we do not endorse or verify specific providers.
9. Your Rights
Under applicable law (including the Digital Personal Data Protection Act, 2023 (“DPDP Act”) for Indian users and GDPR-aligned principles for others), you have the following rights regarding your personal data:
- Right to Access: Request information about and a copy of the personal data we hold about you.
- Right to Correction and Updating: Request correction of inaccurate, incomplete, or outdated personal data.
- Right to Erasure: Request deletion of your account and all associated personal data that is no longer necessary for the purposes for which it was collected. See the Refund & Cancellation Policy for the process.
- Right to Export: Download all your uploaded documents and extracted metadata at any time from Settings → Data & Privacy → Export My Data.
- Right to Withdraw Consent: Withdraw consent for processing of your personal data at any time. Withdrawal may limit the functionality of the Service.
- Right to Grievance Redressal: Indian users may contact our Data Protection Officer (see Contact & DPO below) to raise a privacy grievance under the DPDP Act. We aim to respond within 30 days.
To exercise any of these rights, contact us at [email protected].
10. HIPAA - United States
Where the Services are used by healthcare providers, healthcare organisations, insurers, or other entities subject to the Health Insurance Portability and Accountability Act (“HIPAA”), the Company complies with applicable HIPAA requirements.
- Business Associate: Where applicable, the Company acts as a Business Associate under HIPAA when processing Protected Health Information (“PHI”) on behalf of a Covered Entity. A Business Associate Agreement (“BAA”) governs the processing and protection of PHI in such arrangements.
- PHI Safeguards: We implement encryption of PHI in transit and at rest, role-based access controls, multi-factor authentication, audit logging of access to PHI, and incident detection and response procedures.
- Minimum Necessary Standard: Access to PHI is limited to the minimum necessary information required to perform the intended function or service.
- Breach Notification: In the event of a breach involving PHI, the Company will notify the Covered Entity without unreasonable delay and cooperate in meeting HIPAA breach notification requirements.
11. Cross-Border Data Transfers
The Services may involve the transfer and processing of personal data across multiple jurisdictions. You acknowledge that your information may be processed in countries outside your country of residence, including in India and in countries where our infrastructure and AI processing providers operate.
Where such transfers occur, the Company ensures that appropriate safeguards are in place to protect your personal data in accordance with applicable law, including contractual safeguards with service providers and security controls aligned with international standards.
12. Multi-User Profiles & Profile Delegation
MedIQGPT allows you to create multiple profiles within a single account for family members, dependents, or other individuals you are authorised to act on behalf of.
- Primary account holder responsibility: The primary account holder is responsible for managing profile access, assigning permissions, and ensuring that data shared within delegated profiles is authorised by the relevant individuals.
- Separate records: Each profile maintains its own records, health data, and documents within the account.
- Data processing: Personal and health data belonging to delegated profiles is processed under the same privacy principles described in this Policy. The primary account holder should ensure that any individual whose data is uploaded has given appropriate consent or that the primary holder has legal authority to act on their behalf (e.g., as a parent or legal guardian).
13. Data Retention
- Active accounts: We retain your data for as long as your account is active or as needed to provide the Service.
- After cancellation: Following account cancellation, your data is retained for 10 days to allow you to download an export. After the 10-day period (or earlier upon your confirmation), all data is permanently deleted.
- Audit logs: Audit log entries may be retained for up to 12 months for security and compliance purposes, even after account deletion, in anonymised form only.
- Voice transcripts: Not retained beyond the session (see Voice Transcription section).
14. Children’s Privacy
MedIQGPT is not intended for use by children under the age of 13. Users managing the medical records of minors must be at least 18 years old and have legal authority to do so (e.g., as a parent or legal guardian). We do not knowingly collect personal data from children under 13.
15. Policy Changes
We may update this Privacy Policy as the Service evolves. When we make material changes - for example, adding a new data category or changing how we use your data - we will notify you by email and/or in-app notice at least 14 days before the change takes effect.
Continued use of the Service after the effective date of a revised policy constitutes acceptance of the new terms.
16. Contact & Data Protection Officer
For privacy-related questions, data requests, or grievances, contact us at:
- Privacy email: [email protected]
- Company: DialectAI Technologies Private Limited
Indian users have the right to raise a grievance with our Data Protection Officer at the email address above. We aim to respond to all privacy requests within 30 days.