Privacy Policy

Last updated: 2026-06-19

1. Introduction

MedGraphAI (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our AI-powered scientific figure generation platform and related services (collectively, the “Service”).

By accessing or using MedGraphAI, you agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the Service.

2. Information We Collect

2.1 Account Information

When you register an account, we collect your email address and a hashed password. We do not store your password in plain text — it is irreversibly hashed using industry-standard bcrypt.

2.2 Content You Upload

When you use the Service, you may upload manuscripts, figures, images, or other documents (“User Content”). We process User Content solely for the purpose of providing the Service (i.e., analyzing research documents and generating publication-ready figures). We do not use your User Content for training AI models unless you explicitly opt in.

2.3 Usage Data

We automatically collect certain technical information when you access the Service, including:

  • IP address and browser type
  • Pages visited and time spent
  • Feature usage and generation counts
  • Device and operating system information

This data is used for service improvement, security monitoring, and quota enforcement.

2.4 Email Verification Codes

During registration and password reset, we send a one-time verification code to your email address. These codes expire after 10 minutes and are not stored beyond their validity period.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Provision: To process your requests, generate figures, and deliver the core functionality.
  • Account Management: To authenticate you, manage your membership tier, track quota usage, and send service-related communications (e.g., verification codes, password reset links).
  • Security: To detect and prevent fraud, abuse, and unauthorized access.
  • Improvement: To analyze usage patterns and improve the Service’s performance and user experience.
  • Legal Compliance: To comply with applicable laws, regulations, and lawful requests.

4. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties. We may share your information only in the following limited circumstances:

  • Service Providers: We may engage trusted third-party vendors (e.g., email delivery services, cloud infrastructure providers such as MongoDB and Redis) to assist in operating the Service. These providers are contractually bound to process your data only on our behalf and in accordance with this policy.
  • AI/LLM Providers: User Content may be transmitted to third-party large language model providers (e.g., OpenAI, Anthropic) solely for generating figures and analyzing documents. These providers process data per their own privacy policies and do not use your content for model training unless their policies state otherwise. We encourage you to review the privacy policies of the AI providers we use.
  • Legal Obligations: We may disclose information if required by law, court order, or governmental regulation, or if we believe in good faith that such disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website.

5. Data Retention

We retain your account information for as long as your account is active. User Content (uploaded manuscripts, generated figures) is retained for the duration necessary to provide the Service, or until you request deletion.

Verification codes and password reset codes automatically expire after 10 minutes. Usage logs and technical data are retained for a reasonable period for analytics and security purposes, after which they are anonymized or deleted.

If you wish to delete your account and associated data, please contact us at the email address provided below.

6. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

  • Passwords are hashed using bcrypt with a per-password salt.
  • All data in transit is encrypted via TLS/HTTPS.
  • JWT tokens are signed with HMAC-SHA256 and include expiration.
  • Database access is restricted by authentication and IP allowlisting.

However, no method of electronic storage or transmission is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your account and associated data.
  • Portability: Request transfer of your data to another service.
  • Objection: Object to certain processing activities.

To exercise any of these rights, please contact us at the email address below. We will respond within the timeframe required by applicable law.

8. Cookies

MedGraphAI uses essential cookies and localStorage to maintain your authenticated session (JWT token storage) and remember your preferences. We do not use tracking cookies or third-party advertising cookies. You may disable cookies in your browser settings, but this may prevent you from logging in or using certain features of the Service.

9. Third-Party Services

Our Service integrates with third-party services, including but not limited to:

  • Email Service: For sending verification codes and password reset emails.
  • AI/LLM Providers: For document analysis and figure generation.
  • Cloud Infrastructure: MongoDB and Redis for data storage and caching.

These third-party services have their own privacy policies governing the use of your information. We encourage you to review them. We are not responsible for the privacy practices of third-party services.

10. Children’s Privacy

MedGraphAI is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information promptly.

11. International Data Transfers

Your information may be transferred to and processed on servers located outside your country of residence. By using the Service, you consent to such transfers. We take steps to ensure that your data receives an adequate level of protection regardless of where it is processed.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page and notify registered users via email for material changes. Continued use of the Service after such changes constitutes your acceptance of the updated policy.

13. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

Email: support@topbeeai.com