Where patient data goes, what AI sees, and how control works.
MyDosha is a practitioner-controlled intake and reference workspace. This page answers the practical privacy questions clinics, firms, schools, and hospitals ask before using AI with sensitive health data.
Current position: no model training on API traffic; clinic-level AI controls available
1. Where the data goes
Patient and practitioner records are stored in Supabase. Serverless application code runs on Vercel. Transactional email is sent through Resend. Billing is processed by Stripe. AI-backed intake, dossier, chat, dictation parsing, and polish features use Anthropic's Claude API, and only when the clinic has those features enabled.
2. Whether model providers retain it
Under Anthropic's commercial API terms, API inputs and outputs are not used to train Anthropic's models. Anthropic's standard API retention is up to 30 days unless a stricter contractual commitment, a legal requirement, or a feature-specific exception applies. These are the provider's published positions; a clinic with stricter obligations should check the retention terms that apply to its own agreement rather than rely on the default.
3. What is logged
MyDosha keeps an append-only audit log for sensitive events such as exports, deletes, invoice actions, login/security events, and frontend error beacons. Runtime logs are used for debugging and are designed to avoid full patient free-text, secret tokens, and full query-string URLs.
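The three runtime-log goals above (no full patient free-text, no secret tokens, no full query-string URLs) are easiest to audit when every log call passes through one redaction function. The following is an added example, not MyDosha's code: the field names, the 24-character threshold for opaque tokens, and the sample event are constructed assumptions for illustration.

```javascript
// Added example (not MyDosha's code): a redaction pass applied to every runtime
// log event before it reaches the log sink. It enforces the three goals stated
// for runtime logs: no full patient free-text, no secret tokens, no full
// query-string URLs. Field names, the token-length threshold and the sample
// event are constructed assumptions for illustration.

const FREE_TEXT_FIELDS = new Set(["notes", "complaint", "history", "dictation", "message_body"]);
const SECRET_FIELDS = new Set(["token", "access_token", "refresh_token", "authorization", "cookie", "api_key", "otp", "password"]);
const URL_FIELDS = new Set(["url", "referer", "path"]);

// Opaque strings of 24+ URL-safe characters (API keys, session tokens) are
// masked wherever they occur; shorter correlation ids are left alone so that
// incident response can still join log lines to provider events.
const OPAQUE_TOKEN = /\b(?:Bearer\s+)?[A-Za-z0-9_-]{24,}\b/g;

function stripQueryString(url) {
  // Keep scheme, host and path; drop "?..." and "#..." so access tokens or
  // patient identifiers carried in the query or fragment never reach a log.
  const cut = url.search(/[?#]/);
  return cut === -1 ? url : `${url.slice(0, cut)}?[redacted]`;
}

function maskTokens(text) {
  return text.replace(OPAQUE_TOKEN, (m) => (m.startsWith("Bearer") ? "Bearer [token]" : "[token]"));
}

function redactForLog(value, key = "") {
  if (SECRET_FIELDS.has(key)) return "[redacted]"; // secret by field name, whatever the type
  if (value === null || typeof value !== "object") {
    if (typeof value !== "string") return value;
    if (FREE_TEXT_FIELDS.has(key)) return `[free text, ${value.length} chars]`;
    if (URL_FIELDS.has(key)) return maskTokens(stripQueryString(value));
    return maskTokens(value);
  }
  if (Array.isArray(value)) return value.map((v) => redactForLog(v, key));
  const out = {};
  for (const [k, v] of Object.entries(value)) out[k] = redactForLog(v, k.toLowerCase());
  return out;
}

function formatLogLine(level, message, fields = {}) {
  // One JSON object per line. Redaction runs inside the formatter so a new
  // call site cannot forget it.
  return JSON.stringify({ level, message: maskTokens(message), ...redactForLog(fields) });
}

// Constructed sample event: a failed intake parse that carries a URL with a
// token in its query string, a bearer header, patient free text and a short
// request id.
const SAMPLE_EVENT = {
  level: "error",
  message: "intake parse failed",
  fields: {
    url: "https://app.example.invalid/patient/intake?token=tok_3f9a8c7b6d5e4f3a2b1c0d9e8f7a6b5c&pid=42",
    clinic_id: 17,
    patient: { id: 42, notes: "Burning sensation after meals, worse at night." },
    headers: { Authorization: "Bearer tok_3f9a8c7b6d5e4f3a2b1c0d9e8f7a6b5c" },
    raw_header: "Bearer tok_3f9a8c7b6d5e4f3a2b1c0d9e8f7a6b5c",
    detail: "upstream returned 502 for req_9a1b2c3d4e5f",
  },
};

function redactedSample() {
  return redactForLog(SAMPLE_EVENT.fields);
}

console.log(formatLogLine(SAMPLE_EVENT.level, SAMPLE_EVENT.message, SAMPLE_EVENT.fields));
```

Short correlation identifiers survive (the sample request id is 16 characters) while anything token-sized is masked, so tune the threshold to your own identifier formats. Keeping the free-text field list in one place means a new intake field only reaches runtime logs when someone deliberately decides it should.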
4. Whether firms can disable AI
Yes. Clinics can disable AI globally or by feature: AI intake, dossier generation, AI chat and polishing, dictation parsing, and AI import parsing. These controls are enforced server-side.
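"Enforced server-side" means the handler behind every AI feature consults the clinic's settings before any text leaves for the model provider, and denies when in doubt. The following is an added example, not MyDosha's code: the settings shape, the feature names, and the clinic fixtures are constructed assumptions; the page states only that AI can be disabled globally or per feature and that the controls are enforced on the server.

```javascript
// Added example (not MyDosha's code): the server-side gate every AI-backed
// handler passes before any text is sent to the model provider. The settings
// shape, feature names and fixtures are constructed assumptions; the page
// states only that AI can be disabled globally or per feature and that the
// controls are enforced server-side.

const AI_FEATURES = Object.freeze(["intake", "dossier", "chat_polish", "dictation", "import_parsing"]);

// Fail closed: an unknown feature, a missing settings row, a global off switch
// or anything other than an explicit `true` per-feature flag all deny. The
// reason string is what the audit log records for the denied request.
function aiAllowed(clinicSettings, feature) {
  if (!AI_FEATURES.includes(feature)) return { allowed: false, reason: "unknown_feature" };
  if (!clinicSettings || typeof clinicSettings !== "object") return { allowed: false, reason: "no_settings" };
  if (clinicSettings.ai_enabled !== true) return { allowed: false, reason: "ai_disabled_globally" };
  const flag = clinicSettings.ai_features ? clinicSettings.ai_features[feature] : undefined;
  if (flag !== true) return { allowed: false, reason: `feature_disabled:${feature}` };
  return { allowed: true, reason: "enabled" };
}

// Handler skeleton. The clinic id comes from the authenticated session, never
// from the request body, so a client cannot point the check at another
// clinic's settings or supply its own "enabled" flags.
function handleAiRequest(session, feature, loadSettings, callModel) {
  const decision = aiAllowed(loadSettings(session.clinicId), feature);
  if (!decision.allowed) {
    return { status: 403, body: { error: "ai_feature_disabled", reason: decision.reason } };
  }
  return { status: 200, body: callModel(feature) };
}

// Constructed fixtures: clinic 1 has AI on with dossier generation off,
// clinic 2 has the global switch off, clinic 99 has no settings row at all.
const SETTINGS_BY_CLINIC = {
  1: { ai_enabled: true, ai_features: { intake: true, dossier: false, chat_polish: true, dictation: true, import_parsing: true } },
  2: { ai_enabled: false, ai_features: { intake: true, dossier: true, chat_polish: true, dictation: true, import_parsing: true } },
};
const loadSettings = (clinicId) => SETTINGS_BY_CLINIC[clinicId];

// Runs the fixtures through the handler and reports each status plus how many
// times the model provider was actually called.
function demo() {
  let modelCalls = 0;
  const callModel = (feature) => { modelCalls += 1; return { feature, output: "(model output)" }; };
  const run = (clinicId, feature) => handleAiRequest({ clinicId }, feature, loadSettings, callModel).status;
  return {
    intakeClinic1: run(1, "intake"),          // 200
    dossierClinic1: run(1, "dossier"),        // 403, per-feature off
    intakeClinic2: run(2, "intake"),          // 403, global off wins over per-feature on
    unknownClinic1: run(1, "summarise"),      // 403, unknown feature
    intakeClinic99: run(99, "intake"),        // 403, no settings row
    modelCalls,                               // 1
  };
}

console.log(demo());
```

The two design points worth copying are the precedence rule (the global switch wins over any per-feature flag) and the fail-closed defaults: a clinic whose settings row has not been created yet, or a flag stored as the string "true" by a migration mistake, is denied rather than silently allowed.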
5. How deletion and export work
Practitioners can export a full practice ZIP archive from the portal. Patients can export or request deletion of their own file through token-gated patient access, subject to the practitioner's legal retention duties.
Marketing telemetry boundary
Google Ads tags are used for public marketing and signup measurement only. They are not loaded in the doctor portal, patient portal, journal, invoice view, or patient intake page.
Sub-processors
| Provider | Purpose | Data category | Notes |
|---|---|---|---|
| Supabase | Primary database | Patient records, clinical JSON, journals, invoices, clinic settings | DPA and EU SCCs referenced in the Privacy Policy. |
| Anthropic | AI processing | Only the input needed for the enabled AI feature | No model training on API traffic; standard retention up to 30 days. |
| Vercel | Hosting and serverless functions | Transient requests and runtime logs | No separate persistent clinical file store. |
| Resend | Transactional email | Email addresses and email content for OTPs, reminders, access links, care-plan messages | Emails may contain patient-facing care content when a practitioner sends it. |
| Stripe | Subscription billing | Practitioner billing/customer data | MyDosha does not store card numbers. |
| Google Ads | Marketing measurement | Public marketing/signup telemetry | Not loaded on clinical/patient workspace pages. |
Logging inventory
| Log | Used for | Examples | Retention position |
|---|---|---|---|
| Audit log | Security, accountability, data-rights evidence | Export, delete, invoice, auth, frontend error events | Append-only; privacy policy states 24 months. |
| Runtime logs | Debugging and incident response | 5xx errors, redacted email delivery status, rate-limit signals | Platform retention; do not treat as legal archive. |
| Email provider events | Delivery troubleshooting | Resend message IDs, bounces, delivery state | Provider dashboard/log retention. |
| Database backups | Operational recovery | Daily logical backup artifact | 90 days off-platform; not a practitioner legal archive. |
Export and deletion controls
- Practitioner export: portal ZIP archive with patient files, dossier JSON, clinical JSON, journals, photos, invoices, inventory items, and inventory transactions; sensitive export events are audit logged.
- Patient self-export: token-gated patient endpoint can return a full patient file where clinic settings allow it.
- Patient deletion: token-gated deletion request path, subject to clinic retention mode and applicable legal duties.
- Practice deletion: phrase-confirmed practice deletion flow, rate-limited and audit logged.
- Backups: operational backup copies age out separately and are not a replacement for the practitioner's statutory archive.
Current archive format
The practitioner ZIP archive includes machine-readable JSON plus CSV summaries. Login tokens, password hashes, secret hashes, and hosted-invoice access tokens are intentionally excluded from the archive.
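Excluding secrets from an archive is more robust when the export projects each record through an allowlist of exportable fields and then refuses to ship if a credential-bearing key survives anywhere in the output, including inside nested clinical JSON. The following is an added example, not MyDosha's code: the record shapes, field names, key pattern, and sample rows are constructed assumptions; the page states only that login tokens, password hashes, secret hashes, and hosted-invoice access tokens are excluded and that the archive contains JSON plus CSV summaries.

```javascript
// Added example (not MyDosha's code): building the practitioner archive by
// projecting each record through an explicit allowlist of exportable fields,
// then refusing the archive if a secret-bearing key survives anywhere in the
// output. Record shapes, field names, the key pattern and the sample rows are
// constructed assumptions; the page states only that login tokens, password
// hashes, secret hashes and hosted-invoice access tokens are excluded.

const EXPORT_FIELDS = {
  patients: ["id", "name", "dob", "clinical", "journals"],
  invoices: ["id", "patient_id", "amount_cents", "currency", "issued_at", "status"],
};
const CSV_COLUMNS = { patients: ["id", "name", "dob"], invoices: EXPORT_FIELDS.invoices };

// Keys that must never appear in the archive at any depth. Deliberately broad:
// a false positive fails the export loudly, a false negative leaks a credential.
const SECRET_KEY = /token|password|secret|otp|hash/i;

function project(record, fields) {
  const out = {};
  for (const f of fields) if (f in record) out[f] = record[f];
  return out;
}

// Safety net for allowlisted fields that hold nested JSON (clinical blobs,
// journals): walk the projected output and report every matching key path.
function findSecretKeys(value, path = "") {
  const hits = [];
  if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      const p = path ? `${path}.${k}` : k;
      if (SECRET_KEY.test(k)) hits.push(p);
      hits.push(...findSecretKeys(v, p));
    }
  }
  return hits;
}

function csvCell(v) {
  let s = v === null || v === undefined ? "" : String(v);
  // A cell beginning with = + - @ is evaluated as a formula when the CSV is
  // opened in a spreadsheet; prefix it so patient-entered text stays inert.
  // (Negative numbers get the prefix too; that is the conservative side.)
  if (/^[=+\-@\t\r]/.test(s)) s = `'${s}`;
  return /[",\r\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
}

function toCsv(rows, columns) {
  return [columns.join(","), ...rows.map((r) => columns.map((c) => csvCell(r[c])).join(","))].join("\n");
}

function buildArchive(db) {
  const projected = {
    patients: db.patients.map((p) => project(p, EXPORT_FIELDS.patients)),
    invoices: db.invoices.map((i) => project(i, EXPORT_FIELDS.invoices)),
  };
  const leaks = findSecretKeys(projected);
  if (leaks.length) throw new Error(`archive refused, secret-bearing keys: ${leaks.join(", ")}`);
  return {
    "patients.json": JSON.stringify(projected.patients, null, 2),
    "invoices.json": JSON.stringify(projected.invoices, null, 2),
    "patients.csv": toCsv(projected.patients, CSV_COLUMNS.patients),
    "invoices.csv": toCsv(projected.invoices, CSV_COLUMNS.invoices),
  };
}

// Constructed rows, including the credential-bearing columns that must not ship
// and a patient-entered name that is a spreadsheet formula.
const SAMPLE_DB = {
  patients: [{
    id: 42, name: '=HYPERLINK("http://evil.invalid","click")', dob: "1980-01-01",
    clinical: { assessment: "constructed", notes: "Burning after meals" },
    journals: [{ date: "2024-05-01", entry: "Slept well" }],
    login_token_hash: "0badc0de0badc0de", password_hash: "$argon2id$constructed",
  }],
  invoices: [{
    id: 7, patient_id: 42, amount_cents: 12000, currency: "EUR", issued_at: "2024-05-02", status: "paid",
    hosted_invoice_token: "invtok_constructed",
  }],
};

console.log(buildArchive(SAMPLE_DB)["patients.csv"]);
```

The allowlist is the primary control; the denylist walk exists because an allowlisted JSON column can carry anything a past version of the application stored in it, and it is better for an export to fail with a key path than to ship a stored token. The CSV quoting matters because the archive is opened by the practitioner in a spreadsheet, where a patient-supplied cell starting with `=` would otherwise execute.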