Imprint is built by Imprint Health, Inc. and is currently in pre-launch / beta. The product is open-source — every line of code that handles your data is at github.com/roshan-b1/imprint. You can audit it yourself.
Your record is reachable via a share token that's part of a URL like imprint.health/r/<token>. Anyone with that URL can see Tier 1 (your name, blood type, allergies, current medications, emergency contact, DNR/donor flag) — the information needed if you can't speak for yourself in an emergency.
Everything else (full surgery history, X-rays, op reports, implants, conditions) is Tier 2 and is gated behind a 4-digit PIN that you set. Anyone wanting to see Tier 2 has to enter the PIN you give them. You can rotate your PIN and your share token at any time, which invalidates the old links instantly.
Doctors can also add to your record: visit notes, new medications, X-rays, op-report photos, etc. Their additions are tagged "provider-attested," signed with their name and facility, and audit-logged. You see every addition in your Activity tab.
[a-zA-Z0-9_-]{1,64} at the route level.
What we don't do yet (and you should know): the consumer beta does not encrypt files at rest with per-user keys — files sit on the host's disk. We will add AES-256-GCM at rest with KMS-backed keys before any B2B HIPAA-bound deployment. The code path is there; the integration with a managed KMS is the missing piece.
HIPAA. The consumer product is patient-controlled. You enter your own data; you choose who to share it with by handing over a link or QR. This is the same legal model as Apple Health Medical ID, MedicAlert, or any patient-held health record. No HIPAA Business Associate Agreement is required between Imprint and individual users in this model, because patients voluntarily disclose their own information.
For B2B deployments — where a clinic or device manufacturer issues Imprints to their patients — Imprint becomes a Business Associate of the covered entity and signs a BAA. Standard HIPAA technical controls apply: encryption at rest, encryption in transit, access logging, breach notification.
FDA. Imprint is a record-keeping tool, not a medical device. We do not diagnose, treat, prescribe, or recommend. We carry patient-entered and provider-attested data, like a notebook. No FDA classification applies.
What we are not. Imprint is not a substitute for your hospital's electronic health record. We don't have the certified pharmacy interaction database of an EHR; we don't run clinical decision support; we don't replace your doctor's chart. Treat Imprint as a portable copy of your own files — useful, but always verifiable against the source.
Your record lives until you delete it. There is no retention timer. If you delete your account, your patient JSON file, your audit log, your uploaded files, and your hashed PIN are all removed from active storage within 24 hours. Encrypted backups roll off within 30 days.
Deletion does not remove what doctors may have copied to their own charts at the time of sharing. If you shared your X-ray with a doctor, that doctor still has whatever they downloaded. Imprint can only control what's on Imprint's servers.
Information in Imprint is provided as-is. We make no warranty that the data is accurate, complete, or current — those qualities depend on what you and your providers entered, and when. Doctors should treat Imprint records the same way they treat any patient-reported history: useful context, independently verified before action.
To the maximum extent allowed by law, Imprint Health, Inc. is not liable for clinical outcomes arising from reliance on Imprint records. The full Terms of Service version of this disclaimer (loss limitation, governing law, dispute resolution) will be added before we leave beta.
We'll update this page when the product changes meaningfully. Material changes (new data collected, change in retention policy, change in third-party dependencies) will trigger an in-product notification before they take effect.
Questions, requests, or concerns: hello@imprint.health.
For security disclosures, please email the same address with [security] in the subject line.