How MyCaseJournal protects your sensitive medical and legal documentation
Last Updated: January 2026
HIPAA
HIPAA Aligned
Health Insurance Portability & Accountability Act
Local-first storage — PHI never transmitted to our servers
End-to-end encryption — 256-bit AES for optional sync
Access controls — Biometric & PIN authentication
Audit trails — Timestamped access logs
Data minimization — We collect only what's necessary
GDPR
GDPR Compliant
General Data Protection Regulation (EU)
Right to access — Export all your data anytime
Right to erasure — Delete everything with one tap
Data portability — PDF/JSON export formats
Consent management — Granular opt-in controls
Privacy by design — Built into our architecture
Our Privacy-First Architecture
🔐 Local-First by Default
Your medical records, journal entries, photos, and case documentation are stored on your device
only. We cannot access your sensitive data because it never leaves your phone or tablet.
MyCaseJournal was designed from the ground up with privacy as the foundation, not an afterthought. Our
local-first architecture means:
No cloud storage required — The app works completely offline
Zero-knowledge sync — If you enable cross-device sync, data is encrypted before it
leaves your device
You own your data — Export, delete, or transfer at any time
No data mining — We never analyze your content for advertising or third-party purposes
Technical Security Measures
Security Layer
Implementation
Status
Encryption at Rest
AES-256 encryption on device storage
✓ Active
Encryption in Transit
TLS 1.3 for all network communications
✓ Active
Authentication
Biometric (Face ID/Touch ID) + PIN fallback
✓ Active
Session Management
Auto-lock after inactivity, secure token rotation
✓ Active
API Security
Rate limiting, request signing, origin validation
✓ Active
Vulnerability Scanning
Automated dependency audits, penetration testing
Quarterly
Data Processing Practices
What We DO Collect
Account information — Email, name (for authentication and communications)
Usage analytics — Anonymized app usage patterns to improve the product
Crash reports — Anonymized error logs to fix bugs
What We DO NOT Collect
Medical records, diagnoses, or health information
Journal entries or personal narratives
Photos, videos, or voice recordings
Financial information or expense receipts
Case documents or legal communications
⚖️ Important Legal Notice
While MyCaseJournal implements HIPAA-aligned security practices, we are not a HIPAA-covered entity or
business associate. Our local-first architecture means we never process or store your Protected Health
Information (PHI) on our servers, which provides privacy benefits beyond traditional HIPAA compliance.
Your Rights
Under GDPR and similar privacy regulations, you have the right to:
Access
Request a copy of your data
Rectify
Correct inaccurate data
Erase
Delete all your data
Portability
Export in standard formats
Restrict
Limit data processing
Object
Opt-out of processing
Incident Response
In the unlikely event of a security incident:
We will notify affected users within 72 hours as required by GDPR
We will provide clear information about what occurred and remediation steps
We maintain comprehensive incident response procedures and conduct regular drills
Contact Our Security Team
For security concerns, vulnerability reports, or compliance inquiries: