Privacy Policy

Last updated: February 20, 2026

The short version: We don't store your documents, we don't store patient data, and we don't train AI on your content. DocDraft is a stateless tool — what you generate stays with you.

1. Information We Collect

Account information: Email address, name (if provided via Google sign-in), and authentication credentials. This is required to provide the Service.

Subscription information: Payment processing is handled entirely by Stripe. We do not store credit card numbers or billing details on our servers.

Usage metrics: We track document generation counts per account for plan limit enforcement. We do not store the content of generated documents.

2. Information We Do NOT Collect

Patient information — names, DOBs, MRNs, and other identifying details are processed client-side (in your browser) and never transmitted to our servers
Generated documents — document content is not stored, logged, or retained after generation
Clinical details — de-identified input sent to AI for generation is not stored or used for training

3. How We Use Information

To provide and maintain the Service
To manage your account and subscription
To enforce usage limits based on your plan
To communicate important service updates

4. AI Processing

Clinical input is sent to third-party AI providers (Anthropic/Claude) for document generation. This input is de-identified — patient names, DOBs, and identifiers are added client-side after generation, never sent to AI. AI providers do not train on API inputs per their data policies.

5. Data Security

All data is encrypted in transit (TLS/SSL). Account data is stored in Google Cloud Firestore, which provides encryption at rest. We follow security best practices appropriate for the data we handle.

6. Data Retention

Account information is retained while your account is active. Generated documents are never retained. You may request account deletion at any time by contacting us.

7. Third-Party Services

Firebase/Google Cloud — authentication and account storage
Stripe — payment processing
Anthropic (Claude) — AI document generation
Google Analytics — anonymous usage analytics

8. HIPAA & Protected Health Information

DocDraft processes clinical input through HIPAA-compliant infrastructure. All AI processing is routed through Amazon Web Services (AWS) Bedrock, which is covered under a Business Associate Agreement (BAA) with AWS. No PHI is stored, logged, cached, or persisted by DocDraft at any point.

For full details regarding our obligations as a Business Associate under HIPAA, please refer to Section 5 of our Terms of Service, which contains our Business Associate Agreement.

9. Your Rights

You may request access to, correction of, or deletion of your account data at any time. Contact us at support@docdraft.org.

10. Changes

We may update this policy. Material changes will be communicated via email or in-app notice.

11. Contact

Questions about privacy? Email support@docdraft.org.