Privacy Policy
Last Updated: April 9, 2026
1. Introduction
MedLegal Vault is operated by FlowFront AI (“we,” “us,” or “our”). Our platform facilitates medical records requests between attorneys and healthcare providers. This Privacy Policy describes how we collect, use, store, and protect personal information when you use MedLegal Vault.
By accessing or using MedLegal Vault, you agree to the practices described in this policy. If you do not agree, please do not use the platform.
2. Information We Collect
We collect the following categories of information:
- Account Information: Full name, email address, password (stored as a cryptographic hash, never in plain text), phone number, role (attorney or clinic staff), organization name, and state bar number (for attorneys).
- Records Request Data: Patient names, dates of birth, record types requested, case reference numbers, and request descriptions.
- Medical Records and Documents: Medical records, diagnostic reports, billing records, and other documents uploaded by clinics for fulfillment purposes. These are stored in encrypted cloud storage.
- Payment Information: Payment transactions are processed through Stripe, Inc. We do not store full credit card numbers, CVVs, or other sensitive payment credentials on our servers. Stripe’s Privacy Policy governs its handling of payment data.
- Usage Data: IP addresses, browser type and version, device information, pages visited, access timestamps, and referring URLs.
- Communications: Emails sent through the platform, support inquiries, and transactional messages.
3. How We Use Information
We use collected information for the following purposes:
- To provide, operate, and maintain the MedLegal Vault platform.
- To process medical records requests and facilitate fulfillment between attorneys and clinics.
- To generate AI-powered case summaries from medical records for attorney review.
- To process payments, issue invoices, and manage billing.
- To send transactional emails including request updates, payment confirmations, clinic invitations, and authorization reminders.
- To maintain HIPAA compliance, including audit trails and access logging.
- To improve the platform, diagnose technical issues, and enhance security.
We never sell personal information to third parties. We never use medical records data for advertising, marketing, or any purpose unrelated to the records request workflow.
4. How We Protect Information
We implement multiple layers of security to protect your data:
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS).
- Encryption at Rest: Medical records and sensitive data are encrypted with AES-256 in our cloud storage (Amazon Web Services S3).
- Access Controls: Role-based access controls ensure that only authorized users can access specific data. All data access events are logged.
- Password Security: Passwords are hashed using bcrypt with industry-standard salt rounds. We never store passwords in plain text.
- Audit Logging: All access to Protected Health Information (PHI) is logged with timestamps, user identifiers, and action details.
- Infrastructure Security: Our infrastructure is hosted on AWS with SOC 2-aligned security practices, regular monitoring, and incident response procedures.
5. HIPAA Compliance
We recognize that medical records contain Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA). We implement the following safeguards:
- Administrative, physical, and technical safeguards as required by the HIPAA Security Rule.
- Comprehensive audit logs of all PHI access and disclosures, retained for a minimum of six (6) years.
- Business Associate Agreements (BAAs) executed with covered entities upon request, prior to the first records request.
- PHI access limited to authorized personnel on a need-to-know basis.
- Prompt notification of security incidents or breaches as required by the HIPAA Breach Notification Rule.
- Workforce training and access management procedures.
6. AI-Generated Summaries
MedLegal Vault uses artificial intelligence to generate structured case summaries from medical records. These summaries are intended as review tools to help attorneys quickly assess records across seven legal categories.
- AI summaries do not constitute medical advice, legal advice, or expert opinion.
- Summary data is processed securely within our infrastructure and is not shared with third-party AI providers for training purposes.
- Users should independently verify all AI-generated content against the source medical records.
- We do not guarantee the accuracy, completeness, or reliability of AI-generated summaries.
7. Data Sharing and Disclosure
We share information only as necessary to operate the platform:
- Between Attorneys and Clinics: As part of the records request workflow, relevant request information is shared between the requesting attorney and the fulfilling clinic.
- Stripe: Payment information is shared with Stripe for transaction processing, subject to Stripe’s Privacy Policy.
- Amazon Web Services: We use AWS for cloud hosting, file storage, and email delivery (SES), subject to AWS’s Privacy Policy.
- Legal Requirements: We may disclose information if required by law, court order, subpoena, or other legal process, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
We do not sell, rent, or trade personal information to any third party for commercial purposes.
8. Data Retention
- Account Data: Retained while your account is active. Upon account deletion request, we will remove your personal information within 30 days, subject to legal retention requirements.
- Medical Records: Retained as long as necessary for the request lifecycle and as required by applicable state and federal record retention laws.
- Audit Logs: Retained for a minimum of six (6) years per HIPAA requirements.
- Payment Records: Retained as required by applicable tax, financial, and accounting regulations.
9. Your Rights
You have the following rights regarding your personal information:
- Access: You may request a copy of the personal information we hold about you.
- Correction: You may update your account information at any time through your account settings.
- Deletion: You may request deletion of your account and associated personal information, subject to legal retention requirements.
- Data Portability: You may request an export of your data in a machine-readable format.
To exercise any of these rights, contact us at the email address listed below.
10. Cookies and Tracking
- We use essential cookies for authentication and session management. These are necessary for the platform to function.
- We do not use advertising cookies, marketing trackers, or third-party tracking pixels.
- We may use aggregate analytics to understand platform usage patterns. This data is anonymized and cannot identify individual users.
11. Children’s Privacy
MedLegal Vault is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that a minor has provided personal information, we will take steps to delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Material changes will be communicated via email to registered users or through a prominent notice on the platform. Your continued use of MedLegal Vault after any changes constitutes acceptance of the updated policy.
13. Contact Information
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:
- Email: giulio@flowfrontai.com
- Company: FlowFront AI
- Location: Tampa, FL