Last updated: February 2026
MedExtract is committed to protecting the privacy and security of your data. This policy explains how we collect, use, and protect information when you use our API and website.
We process personal data under the following GDPR legal bases: consent (Article 6(1)(a)), performance of a contract (Article 6(1)(b)), and legitimate interests (Article 6(1)(f)). Health data (special category under Article 9) is processed exclusively in memory and is not stored.
Our API processes lab report documents (PDFs and images) entirely in memory. We do not store, log, or retain any document content or extracted health data. Documents are processed and results are returned in real time. No personal health data is persisted to disk at any point.
When you sign up for an API key, we collect your name, email address, organization name, and billing information. This data is stored securely and used to manage your account.
We collect anonymized usage metrics including API call counts, response times, and error rates. This data does not include document content or extracted results.
We use privacy-friendly analytics to understand website traffic. No personal identifiers are tracked. We do not use third-party tracking cookies.
All API traffic is encrypted via TLS 1.3. API keys are hashed at rest. Our infrastructure includes rate limiting, security headers (CSP, HSTS, X-Frame-Options), and Kubernetes network policies for pod isolation.
You have the right to access, rectify, erase, and port your personal data at any time. You also have the right to restrict or object to processing. To exercise these rights, contact our Data Protection Officer.
For any questions related to data protection, contact our DPO at hello@medextract.ai. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD).