Privacy Policy

Introduction

ReviewBox ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our medical record review platform at reviewbox.com (the "Service").

Information We Collect

How We Use Your Information

• Provide, maintain, and improve the Service
• Authenticate users and manage accounts
• Process and analyze medical records as instructed by you
• Respond to your inquiries and demo requests
• Send transactional emails (verification, password reset)
• Monitor usage patterns to improve performance and security
• Comply with legal obligations

Data Processing & Infrastructure

All data is processed and stored on Amazon Web Services (AWS) infrastructure in the US West (Oregon) region. We use the following AWS services:

• Amazon S3 — Encrypted storage of uploaded medical records and exports
• Amazon RDS (PostgreSQL) — Encrypted database for application data
• Amazon ECS — Container hosting for the application
• Amazon Bedrock — AI processing of medical records (no model training on your data)
• Amazon Textract — OCR processing of uploaded documents

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). AWS maintains its own HIPAA BAA with us, and we operate under a Business Associate Agreement with our customers who handle PHI.

Cookies

We use cookies to operate the Service and, with your consent, to understand usage patterns. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.

Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have certain data protection rights under the General Data Protection Regulation (GDPR):

• Right of Access — Request a copy of the personal data we hold about you
• Right to Rectification — Request correction of inaccurate personal data
• Right to Erasure — Request deletion of your personal data
• Right to Restrict Processing — Request that we limit how we use your data
• Right to Data Portability — Receive your data in a structured, machine-readable format
• Right to Object — Object to our processing of your personal data
• Right to Withdraw Consent — Withdraw previously given consent at any time

To exercise any of these rights, please contact us at privacy@reviewbox.com. We will respond to your request within 30 days.

Data Retention

We retain your account information for as long as your account is active. Medical records and case data are retained for the duration specified in your organization's agreement with us, or until you request deletion. Contact form submissions are retained for up to 2 years. When data is deleted, it is permanently removed from our systems, including backups, within 90 days.

Data Sharing

We do not sell your personal data. We share data only in the following circumstances:

• Service providers — AWS for hosting and AI processing, under appropriate data processing agreements
• Legal requirements — When required by law, regulation, or legal process
• Business transfers — In connection with a merger, acquisition, or sale of assets

Security

We implement industry-standard security measures to protect your information, including encryption in transit and at rest, access controls, audit logging, and regular security reviews. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.

Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:

privacy@reviewbox.com