Skip to main content

Privacy Policy

Last updated: May 25, 2026

Introduction

ReviewBox ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our medical record review platform at reviewbox.com (the "Service").

Information We Collect

Account Information

When you register for an account, we collect your name, email address, and password (stored in hashed form). We may also collect your organization name and role.

Medical Records

When you use the Service to process medical records, the documents you upload and the data extracted from them are stored securely. This data may include Protected Health Information (PHI) and is handled in accordance with HIPAA requirements.

Usage Data

We may collect information about how you access and use the Service, including your IP address, browser type, pages visited, and actions taken. This data is collected only with your consent via analytics cookies.

Contact Submissions

If you submit a demo request or contact form, we collect the information you provide (name, email, company, message).

How We Use Your Information

  • Provide, maintain, and improve the Service
  • Authenticate users and manage accounts
  • Process and analyze medical records as instructed by you
  • Respond to your inquiries and demo requests
  • Send transactional emails (verification, password reset)
  • Monitor usage patterns to improve performance and security
  • Comply with legal obligations

Data Processing & Infrastructure

Primary application infrastructure (hosting, storage, database) runs on Amazon Web Services in the US West (Oregon) region. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).

Service Providers and Subprocessors

We use the service providers below to deliver the Service. Each subprocessor that handles Protected Health Information (PHI) is bound by a Business Associate Agreement (BAA) under HIPAA, or, where a BAA is not legally required (e.g., conduit-only or non-PHI vendors), by comparable data-processing terms.

  • Amazon Web Services, Inc. (AWS) — Cloud infrastructure: container hosting (ECS), application database (RDS PostgreSQL), encrypted object storage of uploaded records and exports (S3), AI inference on medical records (Bedrock), document OCR (Textract), and medical-grade speech-to-text for clinician dictation (Transcribe Medical). Handles PHI. BAA in place.
  • Google LLC (Google Cloud / Vertex AI) — AI inference for medical record analysis, document parsing, and intake transcription. Handles PHI. BAA in place. Customer content is not used to train Google's foundation models.
  • LiveKit, Inc. — Real-time audio/video transport for telehealth visits. LiveKit acts as an encrypted conduit only: visit media is protected by end-to-end encryption with client-held keys, and LiveKit does not have access to plaintext session content. Because LiveKit cannot access PHI in this configuration, no BAA is required for its conduit role.
  • Retell AI, Inc. — Voice telephony for optional AI-assisted patient intake calls (used only when a customer enables this feature). May process limited PHI during the call. BAA in place where the feature is enabled.
  • Resend, Inc. — Transactional email delivery (account verification, password reset, system notifications). Does not receive medical records. No PHI; no BAA required.
  • Cloudflare, Inc. — Bot-protection challenge (Turnstile) on account registration. Processes IP address and challenge metadata only. No PHI; no BAA required.

Where required by law, we make our current list of subprocessors available to customers under contract and provide notice of material changes. We do not authorize subprocessors to use your data for their own purposes, and customer content is never used to train third-party AI models.

Cookies

We use cookies to operate the Service and, with your consent, to understand usage patterns. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.

Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have certain data protection rights under the General Data Protection Regulation (GDPR):

  • Right of Access — Request a copy of the personal data we hold about you
  • Right to Rectification — Request correction of inaccurate personal data
  • Right to Erasure — Request deletion of your personal data
  • Right to Restrict Processing — Request that we limit how we use your data
  • Right to Data Portability — Receive your data in a structured, machine-readable format
  • Right to Object — Object to our processing of your personal data
  • Right to Withdraw Consent — Withdraw previously given consent at any time

To exercise any of these rights, please contact us at Contact Us. We will respond to your request within 30 days.

Your California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you the following rights:

  • Right to Know — Request the categories and specific pieces of personal information we have collected about you
  • Right to Delete — Request deletion of personal information we have collected from you
  • Right to Correct — Request correction of inaccurate personal information
  • Right to Opt-Out of Sale or Sharing — ReviewBox does not sell or share personal information for cross-context behavioral advertising. The "Your Privacy Choices" link in our footer allows you to adjust analytics and marketing cookie preferences at any time.
  • Right to Limit Use of Sensitive Personal Information — Request that we limit use of sensitive personal information to purposes specified under the CPRA
  • Right to Non-Discrimination — You will not receive discriminatory treatment for exercising any of these rights

To submit a request, email Contact Us with the request type. We will verify your identity and respond within 45 days.

Data Retention

We retain your account information for as long as your account is active. Medical records and case data are retained for the duration specified in your organization's agreement with us, or until you request deletion. Contact form submissions are retained for up to 2 years. When data is deleted, it is permanently removed from our systems, including backups, within 90 days.

Data Sharing

We do not sell your personal data. We share data only in the following circumstances:

  • Service providers — The subprocessors listed in "Service Providers and Subprocessors" above, each under appropriate data-processing agreements
  • Legal requirements — When required by law, regulation, or legal process
  • Business transfers — In connection with a merger, acquisition, or sale of assets

Security

We implement industry-standard security measures to protect your information, including encryption in transit and at rest, access controls, audit logging, and regular security reviews. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.

Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:

Contact Us