Last updated: March 2026
MedExtract is committed to protecting the privacy and security of your data. This policy explains how we collect, use, and protect information when you use our API and website.
MedExtract (legal entity to be confirmed) is the data controller for the personal data processed through this website and API. For data protection inquiries, contact our Data Protection Officer at the address listed below.
We process personal data under the following GDPR legal bases: consent (Article 6(1)(a)), performance of a contract (Article 6(1)(b)), and legitimate interests (Article 6(1)(f)). Health data (special category under Article 9) is processed exclusively in memory and is not stored.
Our API processes lab report documents (PDFs and images) entirely in memory. We do not store, log, or retain any document content or extracted health data. Documents are processed and results are returned in real time. No personal health data is persisted to disk at any point.
When you sign up for an API key, we collect your name, email address, organization name, and billing information. This data is stored securely and used to manage your account.
We collect anonymized usage metrics including API call counts, response times, and error rates. This data does not include document content or extracted results.
This website does not currently use analytics tracking software.
We process IP addresses for rate limiting, abuse prevention, and security purposes. IP addresses are not stored beyond the duration of the request unless required for security incident investigation. This processing is based on our legitimate interest in maintaining service security (Article 6(1)(f) GDPR).
All API traffic is encrypted via TLS 1.3. API keys are hashed at rest. Our infrastructure includes rate limiting, security headers (CSP, HSTS, X-Frame-Options), and Kubernetes network policies for pod isolation.
You have the right to access, rectify, erase, and port your personal data at any time. You also have the right to restrict or object to processing. To exercise these rights, contact our Data Protection Officer.
Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. To withdraw consent, use the cookie preferences panel at the bottom of any page, or contact our DPO.
For any data protection related questions, contact our DPO at dpo@medextract.ai. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD).
We will respond to data subject requests within one month of receipt, in accordance with Article 12(3) of the GDPR.