Zero-PII Storage
At a glance
- Principle
- Collect the minimum; separate identity from health data
- Analytics & logs
- De-identified, no PII
- Identifiers
- Tokenised / pseudonymised
- Model training
- No identifiable patient data used
What “Zero-PII” means here
Some personal data is necessary to deliver care reminders and records, that data is processed under the consent and lawful bases described in our GDPR and HIPAA statements. “Zero-PII” describes the layers where identifying data is deliberately excluded: product analytics, operational logs, telemetry, and any model-improvement workflow operate on pseudonymised or aggregated data only.
How we minimise exposure
- Identity data is stored separately from health data and linked by tokens, not by name.
- Logs, metrics and crash reports are scrubbed of personal identifiers.
- Analytics use pseudonymous IDs and aggregates; no raw PII leaves the secure data plane.
- Retention is purpose-limited, with deletion on account closure and consent withdrawal.
AI & model use
Identifiable patient data is never used to train third-party foundation models. Where AI features process content to deliver the service, that happens inside our access-controlled environment, governed by consent and our processor terms.
Documentation available on request
- Data-minimisation & pseudonymisation overview
- Logging / telemetry redaction summary
- Data-retention schedule summary
Provided to qualified reviewers under a mutual NDA via contactus@desha.ai.
