MedFast.AI

Privacy & Data Protection

Last updated: 2026-05-28 (v2) · Drafted to align with India's Digital Personal Data Protection Act 2023 (DPDP Act) and the IT Act 2000 (sensitive personal data rules).

In one sentence

We don't store any of your medical content — not your document, not the extracted text, not the AI's analysis. The only things on our server are what's needed to run your account and prevent abuse. Everything else (family vault, reports, notes, photos, vaccinations, passport) lives in your browser on your device.

1. Who we are (Data Fiduciary)

MedFast.AI is operated by Harkirat Singh Lamba, India. We are the Data Fiduciary for the personal data described in this policy. Contact: hslamba95@gmail.com.

2. Grievance Officer

Under the DPDP Act, you have the right to raise grievances about how your personal data is handled. Our Grievance Officer is:

Harkirat Singh Lamba

Grievance Officer, MedFast.AI

hslamba95@gmail.com

We aim to acknowledge grievances within 48 hours and resolve them within 30 days. If you are unsatisfied, you may approach the Data Protection Board of India.

3. What personal data we collect

From our database, only:

We never store: your medical documents, extracted text, AI explanations, your family-vault members, your notes, your photos, your passport data, your medications list, your trends, or your vaccinations. These all live in your browser on your device.

4. How analysis works (and what leaves your device)

For typed PDFs (most lab reports and discharge summaries): the text is extracted in your browser using PDF.js. Only the extracted text is sent to our server, then forwarded to the AI provider for analysis. Your PDF file itself never leaves your device.

For photos and scanned images (including handwritten doctor's notes): we compress the image in your browser and send it to the AI for visual reading. This is the only way to handle handwriting reliably. The image is used for the single analysis request and is not retained — neither by us nor by the AI provider, per their data-handling policy.

The AI's response is sent back to your browser and shown to you. Nothing — not the text, not the image, not the AI response — is written to disk on our side.

5. Purpose of processing

We process personal data only for these explicit purposes:

6. Cross-border data transfers

The AI provider (Google Gemini or Anthropic Claude via OpenRouter, depending on routing) and our hosting (Vercel) are based outside India. The extracted text / image is transmitted to these providers for the duration of one analysis request and is not retained by them, per their published data-handling policies.

The DPDP Act permits cross-border transfers unless the Central Government restricts a specific destination. As of the policy date, no such restriction applies to the destinations we use.

7. Data retention

Account data: kept while your account is active. Deleted within 7 days of account deletion, except for legally mandated records (e.g. tax or compliance logs).

Per-analysis usage rows: retained for 12 months then auto-deleted. Aggregated, anonymised counts may be kept indefinitely for product analytics.

Salted IP hashes: retained for 30 days for rate-limit enforcement.

Audit logs of admin actions: retained for 2 years for compliance review.

8. Your rights under the DPDP Act

You have the right to:

9. Children & minors

You must be 18 or older to create an account. We ask for age confirmation at signup.

Family members under 18: as the account holder, you may add your minor children to the Family Vault. The medical data for those children (reports, notes, vaccinations, passport, etc.) is stored only in your browser on your device — we never receive it on our server. You are responsible, as the parent or lawful guardian, for the lawful processing of your minor's data on your device.

Under the DPDP Act, we will not track minors, target them with advertisements, or take any action specifically directed at minors' data on our server (we don't have any to begin with).

10. Security measures

11. Personal data breach notification

If we discover a personal data breach that affects you, we will notify both you and the Data Protection Board of India within 72 hours of becoming aware of it, as required under the DPDP Act.

12. What we'll never do

13. Third-party processors

We rely on the following sub-processors. Each has its own privacy policy and security posture:

14. Changes to this policy

We will update this policy when we change how we handle data. If the change is material, we will require you to re-acknowledge it via the in-app safety notice. The version date at the top of this page indicates the current version.

15. Contact us

For any privacy question or to exercise any right under this policy, email hslamba95@gmail.com. Acknowledgement within 48 hours; resolution within 30 days where possible.

Back to home