SonoCue Privacy Policy
Effective date: May 7, 2026
Last updated: May 7, 2026
This Privacy Policy describes how Pixel & Pulse Travelers ("we", "our", "SonoCue") collects, uses, and protects information when you use the SonoCue mobile application and related services ("Service").
SonoCue is a clinical reference tool intended exclusively for trained diagnostic medical sonographers (RDMS or equivalent credential holders) and ultrasound students. It is not designed for use by patients, and it is not designed to receive, process, or store Protected Health Information (PHI) as defined under HIPAA.
1. Quick summary
- What we collect: your email, name, hashed password, optional self-reported license number, and the text you type into AI Analyze.
- What we don't collect: PHI, location, contacts, photos, advertising IDs, biometrics.
- Who we share it with: the AI provider that powers AI Analyze (Anthropic or Groq), and our hosting provider (Railway).
- How long we keep it: until you delete your account. Deletion is one tap in Settings.
- Your rights: access, deletion, correction, portability, opt-out — see Section 8.
2. Information we collect
2.1 Information you provide directly
- Account information: email address, display name, password (stored only as a bcrypt hash — we never see your plaintext password).
- Optional license number: a self-reported ARDMS or equivalent credential number. This is optional and you can leave it blank. We do not verify it against any registry.
- Apple Sign In data: if you sign in with Apple, we receive your stable Apple user identifier and your email address (which may be Apple's private relay address). We never see your Apple password.
- AI Analyze input text: the clinical finding description you type. This text is sanitized for PHI patterns (SSN, MRN, phone, email, dates, DOB, patient names) on your device before transmission, and again on our server before being passed to the AI provider.
- Bookmarks: the IDs of clinical findings you save. Stored on your device only.
- AI response reports: if you flag an AI response as inaccurate, unsafe, offensive, or other, we record the report reason and any free-text details you provide.
2.2 Information we collect automatically
- AI usage metadata: the timestamp, AI provider, response time, and length of the input text — used to enforce the 5-uses-per-day limit and to monitor AI safety. We do not store the input text or the AI response after rate-limiting.
- Authentication events: sign-in success/failure timestamps and the IP address of the request, retained for security and abuse detection.
- App version, OS, and device type are visible in HTTP headers when your app makes API calls. We use this for compatibility but do not store it as user-linked records.
2.3 Information we do NOT collect
- Location data
- Contacts
- Photos, camera, or microphone data
- Advertising identifiers (IDFA / Android ID)
- Biometric data
- Web tracking or cross-app analytics identifiers
- Protected Health Information (PHI). The Service is designed to actively prevent PHI entry; you contractually agree in our Terms of Service not to enter PHI.
3. How we use your information
We use your information solely to:
- Provide the Service: authentication, sync, AI Analyze functionality
- Enforce rate limits and prevent abuse (5/day AI cap, login throttling)
- Investigate flagged AI responses and improve safety guardrails
- Communicate critical service notices (account deletion confirmation, security alerts)
We do not:
- Use your data to train any AI model
- Sell, rent, or trade your data to third parties
- Use your data for advertising purposes
- Profile you for behavioral advertising
4. AI Analyze — how it works
When you submit text to AI Analyze, the following happens:
- Your device runs PHI-pattern sanitization on the text before any network call.
- The sanitized text is sent over HTTPS to our backend server.
- Our backend re-runs the sanitization (defense in depth), checks for safety-blocked patterns (diagnosis requests, dosing requests, non-sonography modalities), and refuses the request if any are detected.
- If the request passes safety checks, the sanitized text is forwarded to one of two AI providers:
  - Groq (default), running an open-source large language model (Llama 3.3 70B). Groq's terms of service permit use without retaining input data when configured.
  - Anthropic (optional alternate), running Claude. We do not enable Anthropic's training data retention.
- The AI provider's response is returned to your device, with no human review unless you flag it via "Report this response."
- We log only the metadata (timestamp, response time, input length) — never the input text itself or the response itself.
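The pipeline above, as an added illustration that is not SonoCue's own code: a regex-based PHI sanitizer run once on the device and again on the server, followed by the server's safety block, the 5-per-day cap, and a metadata-only log entry. The pattern set, the placeholder tokens such as `[SSN]`, and the function names (`sanitize_phi`, `device_prepare`, `server_handle`) are assumptions chosen to show the shape of the design, not the app's real rules.

```python
import re
from datetime import datetime, timezone

# Illustrative PHI-like patterns (assumption, not SonoCue's rule set). Ordered so
# the specific DOB rule runs before the generic DATE rule; otherwise
# "DOB: 04/12/1970" would be left as "DOB: [DATE]".
PHI_PATTERNS = [
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("MRN",   re.compile(r"\bMRN\s*[:#]?\s*\d{5,10}\b", re.IGNORECASE)),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("DOB",   re.compile(r"\b(?:DOB|date of birth)\s*:?\s*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE)),
    ("DATE",  re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
    # Capitalised words following "patient"/"pt"; only the captured name is redacted.
    ("NAME",  re.compile(r"\b(?i:patient|pt)\.?\s+(?i:name\s*:?\s*)?([A-Z][a-z]+(?:\s+[A-Z][a-z]+)?)")),
]

# Request classes the backend refuses outright (Section 4). Illustrative regexes.
SAFETY_BLOCK = [
    ("DIAGNOSIS_REQUEST", re.compile(r"\b(?:what is (?:the|my) diagnosis|diagnose)\b", re.IGNORECASE)),
    ("DOSING_REQUEST",    re.compile(r"\b\d+\s*(?:mg|mcg|ml)\b|\bdos(?:e|ing|age)\b", re.IGNORECASE)),
    ("NON_SONOGRAPHY",    re.compile(r"\b(?:CT|MRI|PET|(?i:x-?ray))\b")),
]

DAILY_CAP = 5  # the 5-uses-per-day limit from Section 2.2


def sanitize_phi(text: str) -> tuple[str, list[str]]:
    """Redact PHI-like substrings. Returns (redacted_text, labels_that_fired).

    Pattern matching is best-effort: it catches the listed shapes and nothing
    else, which is why the policy does not promise that every PHI pattern is
    detected.
    """
    fired = []
    for label, pattern in PHI_PATTERNS:
        def _redact(m, label=label):
            if label == "NAME":
                # Keep the "Patient " prefix, replace only the captured name.
                return m.group(0)[: m.start(1) - m.start()] + "[NAME]"
            return f"[{label}]"
        text, count = pattern.subn(_redact, text)
        if count:
            fired.append(label)
    return text, fired


def device_prepare(raw_input: str) -> str:
    """First pass, run on the device before any network call."""
    cleaned, _ = sanitize_phi(raw_input)
    return cleaned


def server_handle(request_text: str, usage_today: int, provider: str = "groq") -> dict:
    """Second pass on the backend: rate cap, re-sanitize, safety block, metadata-only log.

    The re-run is the defense-in-depth step: a modified or outdated client may
    have skipped the device pass, so the server never trusts that it happened.
    """
    if usage_today >= DAILY_CAP:
        return {"status": "rate_limited", "log": None}

    cleaned, second_pass_hits = sanitize_phi(request_text)

    blocked = [label for label, pattern in SAFETY_BLOCK if pattern.search(cleaned)]
    if blocked:
        return {"status": "refused", "reasons": blocked, "log": None}

    # Only metadata is recorded: no input text, no model response.
    log_entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "provider": provider,
        "input_len": len(cleaned),
        "response_ms": None,  # filled in after the provider call returns
    }
    return {
        "status": "forwarded",
        "text": cleaned,              # what is sent to the provider
        "second_pass_hits": second_pass_hits,  # non-empty means the client pass was bypassed
        "log": log_entry,
    }


if __name__ == "__main__":
    # Constructed sample input; every identifier in it is fictitious.
    sample = "Patient John Smith, MRN 1234567, DOB: 04/12/1970, phone (555) 123-4567"
    print(server_handle(device_prepare(sample), usage_today=0))
```

The value of the second pass is visible in `second_pass_hits`: when it is non-empty, the device pass was skipped or out of date, which is a signal worth alerting on rather than silently tolerating. The log entry deliberately has no field for the text, so a log leak cannot expose what was typed.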
Sub-processors involved in AI Analyze:
- Anthropic, PBC — https://www.anthropic.com/legal/privacy
- Groq, Inc. — https://groq.com/privacy-policy/
- Railway Corp (hosting) — https://railway.com/legal/privacy
5. Where data is stored
- Account data and AI usage logs are stored in a PostgreSQL database hosted on Railway in the United States (us-west region).
- Transit encryption: all communication between your device and our server uses HTTPS / TLS 1.3.
- At-rest encryption: Railway and its infrastructure providers encrypt stored data using industry-standard encryption.
- Bookmarks are stored only on your device, in encrypted local storage. They are not synced to our servers.
6. Data retention
| Data category | Retention period |
|---|---|
| Account data (email, name, password hash) | Until you delete your account |
| AI usage metadata | Until you delete your account |
| Auth events (IP, timestamp) | Up to 12 months for security review, then anonymized |
| AI response reports | Up to 12 months for safety review, then anonymized |
| Bookmarks | Stored on your device only — not retained on our servers |
When you delete your account through the in-app Settings, all account-linked records are permanently deleted from our database within 30 days. Data already de-linked from your account (e.g., anonymized auth events) cannot be recovered or re-associated.
If you signed in with Apple, account deletion also revokes the linked Apple authentication token via Apple's auth/revoke endpoint, as required by Apple's App Store guidelines.
7. Children's privacy
SonoCue is intended for credentialed sonography professionals and ultrasound students aged 18 and over. We do not knowingly collect data from children under 18. If you believe we have collected data from a child, contact us at the email below and we will delete it.
8. Your rights
Regardless of where you live, you have the following rights regarding your data:
8.1 Access
You can view all your account data within the app under Settings → Account.
8.2 Deletion
You can delete your account at any time via Settings → Delete Account. The deletion is permanent and immediate. You can also email us at the address below to request deletion.
8.3 Correction
You can update your name and email by contacting us. (In-app editing of name/email is planned for a future release.)
8.4 Portability
You can request a JSON export of all your account-linked data by emailing us. We will respond within 30 days.
8.5 Region-specific rights
California residents (CCPA/CPRA): you have the right to know what categories of personal information we collect, to whom it is disclosed, the right to delete, the right to correct, and the right to opt-out of "sale" or "sharing" of personal information. SonoCue does not sell or share personal information for cross-context behavioral advertising. Contact us to exercise any rights. We will not discriminate against you for exercising any CCPA right.
Washington State residents (My Health My Data Act): even though SonoCue is designed not to collect health data tied to identifiable individuals, you have the right to know what consumer health data we may collect, to delete it, and to withdraw consent at any time. Contact us for any of these requests.
EU/UK residents (GDPR / UK GDPR): you have the right to access, rectification, erasure, portability, restriction of processing, objection, and the right to lodge a complaint with your supervisory authority. Our lawful basis for processing is performance of the contract you accepted in our Terms of Service.
9. Security
We protect your data through:
- HTTPS/TLS 1.3 encryption in transit
- bcrypt password hashing (we cannot retrieve your password — only verify it)
- JWT session tokens with 30-day expiry
- Server-side rate limiting and PHI sanitization
- Industry-standard cloud infrastructure (Railway, Postgres)
No system is 100% secure. If we discover a breach affecting your data, we will notify you in accordance with applicable law.
10. Changes to this policy
We may update this policy as the Service evolves. Material changes will be communicated through an in-app notice or by email to the address on your account. The "Last updated" date at the top of this document reflects the most recent revision.
11. Contact us
For privacy questions, deletion requests, or to exercise any right above:
Email: sonocue@pixelandpulsetravelers.com
Mailing address: Pixel & Pulse Travelers, [Owner address — Otis to fill in]
We respond to privacy requests within 30 days.
12. HIPAA disclaimer
SonoCue is not a HIPAA-covered service. We are not a "Business Associate" of any health care provider, and the Service is not designed to receive or store Protected Health Information (PHI). You agree, in our Terms of Service, not to enter PHI into the Service. If you do enter PHI despite this prohibition, our PHI-sanitization layer is designed to redact it, but we provide no guarantee that all PHI patterns will be detected. The Service is not appropriate for patient-specific clinical decision-making.
If you are an institution seeking a HIPAA-compliant tier with a Business Associate Agreement, contact us about the SonoCue Enterprise option (in development).
This document is a plain-English description of our practices. It is not a contract — see the Terms of Service for the contractual relationship between you and us.