Privacy Policy
Last Updated: March 2026
What We Collect
- Account information: name, email address
- Optional: NPI number, specialty, practice name
- Encounter parameters: patient type, billing method, MDM levels, time values, AI-extracted coding elements (diagnoses, data items, risk factors)
- Usage data: calculation counts, feature usage
What We Do NOT Collect or Store
- Clinical notes are never stored. Notes are processed in-memory and discarded after AI analysis. They are never written to our database, never logged, and never cached.
- Patient names, dates of birth, or any identifiable patient data
- Social Security Numbers, medical record numbers, or insurance IDs
- Medical records, images, or documents
- Any Protected Health Information (PHI) as defined by HIPAA
AI Note Analysis — Data Flow
When you use the AI Note Analyzer feature:
- Client-side PHI scan: Before your note leaves your browser, our PHI detector scans for common identifiers (names, DOB, SSN, phone numbers, email, addresses) and warns you to remove them.
- Encrypted transmission: Your de-identified note is sent over HTTPS (TLS 1.2+) to our server.
- AI processing: Our server forwards the note to OpenAI's API for structured extraction of medical coding elements (diagnoses, data items, risk factors). OpenAI processes the data under their API data usage policy and does not use API inputs for model training.
- Immediate disposal: After the AI response is received, the clinical note is discarded from server memory. It is never written to disk, database, or log files.
- Only coding parameters saved: If you choose to save the encounter, only anonymous coding parameters (MDM levels, time, extracted element summaries) are stored — never the original note text.
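As an added illustration of the client-side PHI scan step described above (not CodeItRight.ai's own detector; the pattern set, function names and the fictional sample note are assumptions), a browser-side check that flags common identifiers so the UI can warn the user before a note is transmitted:

```javascript
// Added illustration of the client-side PHI pre-flight check. Not the
// application's own code; pattern set and field names are assumptions.
// Regexes catch common structured identifiers; they are a safety net for the
// user, not a guarantee that a note is de-identified.

const PHI_PATTERNS = [
  { type: 'ssn',   re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { type: 'phone', re: /(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b/g },
  { type: 'email', re: /\b[\w.+-]+@[\w-]+\.[\w.-]+\b/g },
  // Labelled date of birth, e.g. "DOB: 04/12/1975".
  { type: 'dob',   re: /\b(?:DOB|date of birth)\s*[:\-]?\s*\d{1,2}[\/\-]\d{1,2}[\/\-]\d{2,4}\b/gi },
  // Labelled patient-name fields; free-text names need NLP and are out of scope here.
  { type: 'name',  re: /\b(?:[Pp]atient(?:\s+[Nn]ame)?|[Nn]ame)\s*:\s*[A-Z][a-z]+(?:\s+[A-Z][a-z]+)+/g },
];

// Mask a match so the warning itself does not re-display the identifier;
// the first two characters are kept so the user can locate the field.
function maskMatch(s) {
  return s.slice(0, 2) + '*'.repeat(Math.max(0, s.length - 2));
}

// Scan a note and return one finding per match, ordered by position.
function scanForPhi(note) {
  const findings = [];
  for (const { type, re } of PHI_PATTERNS) {
    re.lastIndex = 0; // global regexes keep state between calls
    let m;
    while ((m = re.exec(note)) !== null) {
      findings.push({ type, index: m.index, masked: maskMatch(m[0]) });
    }
  }
  return findings.sort((a, b) => a.index - b.index);
}

// Gate for the submit handler: refuse to send while anything is flagged.
function isSafeToTransmit(note) {
  return scanForPhi(note).length === 0;
}

// Constructed sample notes (fictional data) for demonstration.
const SAMPLE_NOTE = [
  'Patient Name: Jane Doe, DOB: 04/12/1975, SSN 123-45-6789.',
  'Contact (555) 123-4567 or jane.doe@example.com.',
  'Chief complaint: chest pain x2 days. MDM: moderate.',
].join('\n');
const DEIDENTIFIED_NOTE = 'Chief complaint: chest pain x2 days. MDM: moderate.';
```

In the browser the submit handler would call isSafeToTransmit on the textarea contents and show the masked findings instead of posting the note.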
Third-Party Services
- OpenAI: Clinical notes are processed by OpenAI's GPT-4o model via their API. OpenAI's API data usage policy states that API inputs are not used to train their models. We will execute a Business Associate Agreement (BAA) with OpenAI for HIPAA compliance prior to processing PHI.
- Supabase: Account data and anonymous encounter parameters are stored in Supabase (hosted on AWS) with row-level security and encryption at rest.
- Stripe: Payment processing only. Stripe receives payment information but no encounter or clinical data.
- Vercel: Application hosting. Clinical note data passes through Vercel's serverless functions during processing but is never persisted.
HIPAA Compliance
CodeItRight.ai is designed with a zero-PHI-storage architecture. Clinical notes are processed in-memory and never saved. We will execute Business Associate Agreements (BAAs) with our infrastructure providers (OpenAI, Supabase, hosting) as required by HIPAA prior to processing PHI. Encounter parameters stored in our database are anonymous and cannot be linked to any specific patient.
Data Storage & Security
- All data encrypted in transit (TLS 1.2+) and at rest
- Row-level security: each user can only access their own data
- No request body logging on AI analysis endpoints
- API routes enforce authentication and rate limiting
Data Deletion
You can delete individual encounters at any time from your History page. To delete your entire account and all associated data, contact us at support@codeitright.ai.
Changes to This Policy
We will notify registered users via email of any material changes to this privacy policy. The "Last Updated" date at the top reflects the most recent revision.