Privacy Policy

Last updated: March 9, 2026

1. Introduction

Reportex ("we," "our," or "us") is committed to protecting the privacy and security of your information. This Privacy Policy describes how we collect, use, store, and protect data when you use our HIPAA-compliant clinical report preparation platform.

2. Information We Collect

Account Information

When you register, we collect your name, email address, and organization details. This information is used for account management, authentication, and team collaboration.

Clinical Data

Clinical data you enter — including case details, session records, symptom checklists, diagnoses, psychometric scores, and functional impairments — is stored securely and used solely for report preparation within your organization.

Usage Data

We collect anonymized usage data such as page views, feature usage patterns, and performance metrics to improve the Service. This data does not contain clinical content or PHI.

3. How We Use Information

We use your information exclusively to:

  • Provide and maintain the report preparation service
  • Authenticate users and enforce access controls
  • Match knowledge base references to your clinical data for report drafting
  • Maintain audit logs for compliance and security
  • Improve service reliability and performance

We do not sell, rent, or share your data for marketing purposes. Your clinical data is never used for advertising or shared with unrelated third parties.

4. PHI Handling & HIPAA Compliance

As a HIPAA-compliant platform, we implement stringent protections for Protected Health Information (PHI):

  • No PII in the data layer — Clients are identified by reference codes, not names. Personal identifiers are stored only in designated, encrypted fields.
  • Encryption at rest — Sensitive fields (transcripts, API keys) use AES-256-GCM encryption via Cloak.
  • Encryption in transit — All connections use TLS 1.2 or higher.
  • PHI scanning — Export validation scans for unintended PHI before document creation.
  • Automatic redaction — PHI fields are automatically redacted in audit log entries.

5. Data Storage & Security

Your data is stored securely with the following measures:

  • PostgreSQL database hosted in the United States
  • Field-level AES-256-GCM encryption for sensitive data
  • Regular encrypted backups with point-in-time recovery
  • Infrastructure hosted on Fly.io with US-based data residency
  • Session affinity and secure WebSocket connections for real-time features

6. Third-Party Services

Reportex uses AI language model providers (such as Anthropic's Claude) to assist in report drafting. When clinical data is sent to these providers for report preparation:

  • Data is transmitted over encrypted connections
  • Providers are contractually prohibited from using your data for model training
  • Only the minimum necessary clinical context is included in each request
  • All AI interactions are logged in our audit system

7. Data Retention & Deletion

We follow these data retention practices:

  • Soft-delete architecture — Deleted records are marked with a timestamp rather than permanently removed, allowing recovery if needed.
  • Configurable retention — Organizations can configure data retention periods according to their compliance requirements.
  • Transcript purge — Session recording transcripts are automatically purged 30 days after report approval.
  • Account deletion — Upon account termination, your data will be retained only as required by law, then securely deleted.

8. Access Controls

We enforce strict access controls to protect your data:

  • Role-based access — Permissions are assigned based on user roles (admin, user) within your organization.
  • Organization-scoped multi-tenancy — All data queries are filtered by organization. Data is never accessible across organizational boundaries.
  • Three-layer authorization — Access is verified at the router, page mount, and individual action levels.

9. Audit Logging

All data access and modifications are recorded in an append-only audit log. These logs:

  • Cannot be modified or deleted after creation
  • Automatically redact PHI fields to protect sensitive information
  • Record the acting user, timestamp, action type, and affected resource
  • Are available to organization administrators for compliance review

10. Your Rights

You have the right to:

  • Access — Request a copy of all data associated with your account
  • Correction — Request correction of inaccurate personal information
  • Deletion — Request deletion of your account and associated data
  • Export — Export your reports and clinical data in standard formats
  • Restriction — Request restriction of certain data processing activities

To exercise any of these rights, contact us using the information below.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or for legal, regulatory, or operational reasons. We will notify you of material changes via email or through the Service before they take effect.

12. Contact Information

For privacy-related questions or to exercise your data rights, contact us at:

Reportex
Email: privacy@reportex.com