How MyLGHealth Handles Your Data - Compliance - MyLGHealth

MyLGHealth is an AI-powered educational tool that helps patients understand their medical documents. We are not a hospital, clinic, insurance provider, or licensed healthcare service. We do not diagnose, treat, or provide medical advice. What we do is take complicated medical reports and explain them in plain language.

We handle sensitive health documents — even temporarily — we take data protection seriously. This page explains exactly what happens to your data when you use MyLGHealth, and how our practices align with major data protection laws around the world.

 

What Actually Happens When You Upload a Document

When you upload a lab report or prescription to MyLGHealth, the following happens in this exact order:

  1. Your file is sent to our server over an encrypted HTTPS connection.
  2. The document is converted to an image format in server memory for processing.
  3. The image is sent to our AI model, which reads the document and generates a plain-language summary.
  4. The summary is returned to your browser and displayed on screen.
  5. Your original file is deleted from server memory immediately after processing. It is not written to any disk, database, or permanent storage at any point during this process.

No account is required. No email address is collected. No login is needed. We do not know who you are when you use the analyzer.

If you choose to share your report with the MyLGHealth community — which is entirely optional and requires your explicit action — a separate process begins. You are asked to provide your name, and you must check a consent box confirming you understand your name and AI summary will be publicly visible. Only then is the summary stored and your document or image is shared.

You receive a unique delete link that lets you permanently remove your shared report at any time, each link is unique and private to original user, without needing to contact us or provide any reason.

United States — HIPAA Alignment

The Health Insurance Portability and Accountability Act (HIPAA) regulates how covered entities, that is, hospitals, clinics, insurance companies, health care clearinghouses, and its business partners, manage Protected Health Information (PHI).

MyLGHealth is not a HIPAA covered entity. We do not provide healthcare, we do not charge insurance companies and do not keep patient medical records. We are a learning technology resource. HIPAA’s regulatory requirements do not legally apply to us.

That notwithstanding, the information that you post on MyLGHealth is health-related and in our view, it is entitled to the same protection whether it is by legal mandate or not. The following ways our practices comply with the main security principles of HIPAA:

  • Data minimization. The minimum necessary standard in HIPAA stipulates that the minimum PHI should be utilized to achieve a certain purpose. MyLGHealth simply does an analysis of your document to create a summary. We do not harvest your data to do analytics, ads, profiling, or any other secondary use. After generating the summary, the original document is no longer present on our systems.
  • No ongoing storage of PHI. Covered entities under HIPAA should consider the location of PHI and its access under the law. MyLGHealth has done away with this issue because your document is not kept anywhere. There is no database of patient files. No archive. Nothing to breach as there is nothing to retain.
  • Encryption in transit. The HIPAA stipulates that PHI sent electronically must be encrypted. Any information into and out of MyLGHealth is encrypted with TLS (HTTPS). Your document is sent out of your browser to our server over an encrypted channel.
  • Access controls. Our server infrastructure is configured to use token-based authentication to access the API, to limit access by rate, and to validate the files to reject anything that is not a legitimate medical document format (PDF, JPG, PNG only).
  • No user identification. HIPAA is extremely concerned with the association of health data and personal identity. To use the analyzer, you are not required to create an account, enter your name, or give an email address, or identify yourself in any way to use MyLGHealth. Without knowing whose document it is, we process your document.

In case you are a healthcare provider thinking of referring patients to MyLGHealth, it is important to note that we are not a Business Associate as the term is used under HIPAA and we do not sign Business Associate Agreements (BAAs), although we do follow HIPAA principles in our practices.

European Union — GDPR Alignment

The General Data Protection Regulation (GDPR) is the European Union’s data protection framework. It applies to any organization that processes personal data of individuals located in the EU, regardless of where the organization itself is based.

  • MyLGHealth is used by people all over the world, the EU included. When a user (located in the EU) uploads a medical document, it has personal data in it – and in most instances, it is special category data (health data) as provided in Article 9 of the GDPR. Our practices comply with GDPR in the following way:
  • Legal basis of processing (Article 6). By submitting a document to be analysed, the lawful basis is your actual act – you are deciding to send the document to be analysed to have a summary. It is you who starts the processing. In the case of community sharing, the legal foundation is your express permission, which was provided by the consent checkbox prior to submission.
  • Special category data (Article 9). Health information demands further safeguards as per GDPR. MyLGHealth uses health data to create an educational summary, only as requested by you. This processing is founded on your express permission that is presented through your voluntary upload. The data is not used for any other purpose.
  • Right to erasure (Article 17). The GDPR allows people the right to the deletion of their personal data. In the case of analyzed documents, this right is fulfilled automatically – your file is erased from memory as soon as it is processed, even before you could even ask it to be erased. In the case of shared community reports, you will be provided with a delete link upon sharing it, which will enable you to exercise your right to erasure immediately, without any communication, request or response to us.
  • Minimization of data (Article 5(1)(c)). GDPR dictates that personal information must be sufficient, pertinent and only as much as is required. MyLGHealth does not store any personal information other than the information you give willingly. To analyse: only the document. To share: your name, an optional message and the AI summary. No email. No logging of IP addresses in excess of rate limiting. No behavioral tracking.
  • Limit on storage (Article 5(1)(e)). GDPR stipulates against storing personal data longer than it should be. In the case of documents to be analyzed, the storage time is measured in seconds – time between the upload and the generation of the summary. In shared reports, you determine the time completely with your delete link.
  • Data protection by design (Article 25). GDPR stipulates that the system architecture must have data protection built into it, rather than it being an add-on. MyLGHealth was initially created in such a way that it did not require any personal data to be stored. The architecture reads and writes documents in memory and discs. It is not any policy that is overlaid over a system that might have stored your original document – the system is not designed to store a copy of your original document.
  • International transfers. MyLGHealth relies on Cloudflare to deliver content and to store common community reports. Cloudflare has data processing contracts and Standard Contractual Clause when it comes to international data transfers as stipulated in GDPR Chapter V.

MyLGHealth does not currently appoint an EU representative under Article 27, as our processing of EU personal data is not on a large scale and is not systematic monitoring. In case we have a sufficient number of EU users that this is applicable, then we will designate a representative and revise this page.

Australia — Privacy Act and My Health Records Act Alignment

Australia’s Privacy Act 1988, along with the Australian Privacy Principles (APPs), governs how personal information is handled by organizations. The My Health Records Act 2012 specifically addresses health records in the digital context.

MyLGHealth is not an Australian healthcare provider, and we do not participate in Australia’s My Health Record system. We do not access, contribute to, or integrate with any Australian government health infrastructure. Our alignment with Australian privacy law is as follows:

  • APP 3 — Collection of personal information. The APPs require that organizations collect only the personal information reasonably necessary for their functions. MyLGHealth collects the minimum data required: your uploaded document for analysis (deleted after processing), and for community sharing, only your name and optional message. No Medicare numbers, no tax file numbers, no addresses, no dates of birth are collected or required.
  • APP 5 — Notification of collection. Australian law requires that individuals be told what information is being collected and why. This page, along with our Terms of Service and Medical Disclaimer, serves that function. You know exactly what happens to your data before you upload it.
  • APP 6 — Use and disclosure. Personal information should only be used for the purpose it was collected. Your document is used to generate a summary and nothing else. It is not disclosed to third parties, not used for marketing, not sold, and not retained for future use. The AI model does not learn from or retain your individual document.
  • APP 8 — Cross-border disclosure. The APPs require that before disclosing personal information overseas, reasonable steps are taken to ensure the overseas recipient handles it consistently with the APPs. MyLGHealth’s server infrastructure processes data through secured, encrypted channels. Shared community reports are stored on Cloudflare R2, which operates under Cloudflare’s data processing agreements that include provisions consistent with international privacy standards.
  • APP 11 — Security of personal information. Organizations must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorized access. MyLGHealth protects your data through encryption in transit (HTTPS/TLS), immediate deletion of uploaded files after processing, token-based API authentication, file type validation, rate limiting, and server-side security checks that reject potentially malicious uploads.
  • APP 13 — Correction of personal information. If you have shared a report and the information is incorrect, you can delete the entire report using your delete link and re-share a corrected version if you wish. There is no stored data from analysis-only usage that would require correction, because no data is retained.

Canada — PIPEDA Alignment

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. Several Canadian provinces have substantially similar legislation (Alberta’s PIPA, Quebec’s Law 25, British Columbia’s PIPA).

MyLGHealth is not a Canadian organization, but Canadian residents may use our service. Here is how our practices align with PIPEDA’s ten fair information principles:

  • Accountability. MyLGHealth takes responsibility for the personal information under its control. This page documents our practices transparently. Our development team at Team MyLgHealth (https://my-lghealth.com) is responsible for ensuring compliance with these documented practices.
  • Identifying purposes. PIPEDA requires that the purposes for collecting personal information be identified before or at the time of collection. MyLGHealth’s purpose is clear and singular: to generate an AI-powered educational summary of your uploaded medical document. No secondary purposes exist.
  • Consent. PIPEDA requires meaningful consent for the collection, use, and disclosure of personal information. When you upload a document for analysis, your consent is implied by your voluntary action — you chose to use the tool. When you share a report publicly, your consent is explicit — you fill in your name, check a consent box, and click share. You can withdraw consent for shared reports at any time by using your delete link.
  • Limiting collection. Personal information should be limited to what is necessary for the identified purposes. MyLGHealth does not collect email addresses, phone numbers, physical addresses, government identification numbers, or any information beyond what is needed to generate your summary and, if you choose, publish your shared report.
  • Limiting use, disclosure, and retention. Personal information should not be used or disclosed for purposes other than those for which it was collected, and should be retained only as long as necessary. Your uploaded document is retained for seconds — the duration of processing — and then permanently deleted. Shared reports are retained until you choose to delete them.
  • Accuracy. PIPEDA requires that personal information be as accurate, complete, and up-to-date as necessary. The AI-generated summary is based on what is visible in your document. MyLGHealth does not modify, edit, or add to the information contained in your original document. If the summary of a shared report contains inaccuracies, you can delete it and re-analyze.
  • Safeguards. Personal information must be protected by security safeguards appropriate to the sensitivity of the information. Health information is highly sensitive. MyLGHealth safeguards include encryption in transit, no persistent storage of analyzed documents, file validation and malicious upload rejection, rate limiting, and token-based API authentication.

South Africa — POPIA Alignment

South Africa’s Protection of Personal Information Act (POPIA) regulates the processing of personal information and established the Information Regulator as the enforcement authority. POPIA applies to any responsible party that processes personal information of South African data subjects.

MyLGHealth may be used by individuals in South Africa. Here is how our practices align with POPIA’s conditions for lawful processing:

  • Condition 1 — Accountability. The responsible party must ensure compliance with POPIA’s conditions. MyLGHealth documents its data practices transparently on this page and takes responsibility for how data is handled within our systems.
  • Condition 2 — Processing limitation. Personal information must be processed lawfully, in a manner that does not infringe the privacy of the data subject, and must be adequate, relevant, and not excessive. MyLGHealth processes only the document you upload, only for the purpose of generating a summary, and retains nothing after processing is complete. For community sharing, only your name and optional message are stored alongside the AI summary.
  • Condition 3 — Purpose specification. Personal information must be collected for a specific, explicitly defined, and lawful purpose. MyLGHealth’s purpose is explicitly defined: educational summarization of medical documents. Records of shared reports are retained only until the user deletes them.
  • Condition 6 — Access to information. Data subjects have the right to access their personal information. For analysis-only usage, there is no personal information to access because nothing is stored. For shared reports, your report is publicly accessible at its URL, and you maintain full access and deletion control through your delete link.
  • Condition 7 — Security safeguards. A responsible party must secure the integrity and confidentiality of personal information through appropriate technical and organizational measures. MyLGHealth implements encryption (HTTPS/TLS), immediate file deletion after processing, server-side file validation, rate limiting, and token-based authentication. Our architecture was designed to minimize the data available for potential compromise — the most effective security measure is not having the data in the first place.
  • Special personal information (Section 26). POPIA classifies health data as special personal information requiring additional protections. MyLGHealth processes health data based on the data subject’s explicit consent (voluntary upload and, for sharing, the consent checkbox). The processing is limited to the stated purpose and the data is not retained beyond what is necessary.

Summary of Data Practices Across All Regions

Practice How MyLGHealth handles it
Document storage after analysis Deleted from memory immediately. Never written to disk.
User accounts or login Not required. Not collected.
Email or phone collection Not required. Not collected.
Original document for shared reports Only uploaded if user explicitly chooses to attach it during sharing.
Shared report deletion Instant, via unique delete link provided at time of sharing. No request process.
Data used for advertising Never. No advertising exists on MyLGHealth.
Data sold to third parties Never.
AI model training on your data Your individual document is not used to train or fine-tune the AI model.
Encryption All data transmitted over HTTPS/TLS.
Cookies and tracking No tracking cookies. No behavioral analytics. No fingerprinting.
Server location Cloudflare global infrastructure with encrypted storage for shared reports.

Contact

If you have questions about how MyLGHealth handles your data, or if you need to exercise any rights described on this page, contact us at:

This page was last updated in April 2026.

my-lghealth

MyLGHealth is a free AI-powered health document reader. Upload your lab report or prescription and get an instant plain language summary, privately and securely.

Navigate

About

Community Reports

Contact Us

Consult a Doctor

Legal

Terms of Service

Privacy Policy

Medical Disclamer

How Our Website Works

2026 @ my-lghealth

MyLGHealth
Powered by  GDPR Cookie Compliance
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.