← Back to hl7online.com

Privacy Policy

Last updated: April 8, 2026

hl7online.com is operated by VimByte LLC ("we," "us," "our"). This policy explains what data we collect, why, and how we protect it.

The short version

• HL7 messages are parsed in your browser. When you paste an HL7 message, it is processed entirely by JavaScript running on your device. The raw message is never sent to our servers.
• AI questions are sent to our server. When you ask the AI a question, the parsed message data and your question are sent to our Jetson Nano backend for processing. This data is not stored permanently.
• We log AI queries. Your AI questions and basic usage metadata (timestamp, response time) are logged to improve the service. We do not log the HL7 message content sent with queries.
• We collect your email at signup. We use it for account verification, password reset, and occasional service updates. We never sell or share your email.

What we collect

Account information: Email address, display name (optional), and a bcrypt-hashed password. We never store your password in plain text.

Usage data: When you use the AI feature, we log: your user ID, the endpoint called, a timestamp, response time, and the text of your AI question. This helps us understand how people use the tool and improve AI responses.

Session data: IP address and user agent string are stored with your session for security purposes (detecting suspicious login activity).

What we do NOT collect:

• Raw HL7 messages (parsed client-side, never sent to us unless you ask the AI a question)
• Protected Health Information (PHI) beyond what may appear in AI queries — use the "Anonymize PHI" toggle to strip patient data before asking
• Tracking cookies, advertising IDs, or third-party analytics

How we use your data

• Account management: Email verification, password reset, session management
• Service improvement: Understanding which AI questions are most common so we can improve local (non-server) answers
• Rate limiting: Enforcing fair usage limits to keep the service available for everyone
• Security: Detecting and preventing abuse, brute force attempts, and unauthorized access

Data storage and security

Your data is stored in an encrypted SQLite database on our self-hosted hardware, protected by:

• HTTPS via Cloudflare Tunnel (TLS encryption in transit)
• bcrypt password hashing (computationally expensive to crack)
• Hashed session tokens (database compromise does not expose active sessions)
• Restricted file permissions on the database
• Daily encrypted backups

Data retention

Account data is retained as long as your account is active. Usage logs are retained for 90 days, then automatically purged. You can request account deletion at any time by emailing nick.davies@vimbyte.com.

Third-party services

• Cloudflare: Provides DDoS protection and TLS termination. Cloudflare may process your IP address per their privacy policy.
• Resend: Delivers transactional emails (verification, password reset). Your email address is shared with Resend for this purpose only.

Your rights

• Access: Request a copy of the data we hold about you
• Deletion: Request deletion of your account and associated data
• Correction: Update your email or display name at any time

To exercise any of these rights, email nick.davies@vimbyte.com.

Changes to this policy

We may update this policy as the service evolves. Material changes will be communicated via the email address associated with your account.

Contact

Questions about this policy? Email nick.davies@vimbyte.com.