Privacy Policy

Last updated June 2026

Cellar exists to give you a private, portable home for your health records. This explains what we hold, how we use it, and the control you keep.

What we hold

The documents you add and the details extracted from them — all encrypted. Minimal account information (email, region, language, preferences). Non-sensitive metadata in plaintext for ordering, such as dates and categories. An append-only log of AI processing calls that records only metadata (model, token counts, timing) — never the content.

How we use it

Only to provide the product: to read, translate, organize, chart, and share your records at your request, and to operate your account and billing. We never sell your data, never use it for advertising, and never use it to train AI models.

AI processing

When AI processing is on, a document is decrypted transiently in your region and sent to our processing partner (Anthropic) under a zero-retention, no-training agreement. You can turn AI off at any time in Settings; we’ll still store your documents, but won’t extract from them.

Subprocessors

We use a small set of vetted infrastructure providers. They are listed, with their purpose and region, on our subprocessors page.

Your rights

Access and export your full record in one tap. Delete your account permanently at any time — deletion destroys your encryption key, making your data irrecoverable. Where local law grants further rights (access, correction, portability, objection), we honor them; contact us to exercise any of them.

Region & availability

We process and store your data in the region matched to where you are, and we open regions deliberately to meet local requirements. Some regions aren’t available yet.

Contact

Questions or requests: privacy@pmco.health.