Privacy Policy

How PDI Med handles your data

PHI stays with you. What we collect, why we collect it, and what we will never do with it — stated plainly.

  • No PHI to PDI servers
  • Physician-controlled keys
  • Non-punitive
  • No third-party sale

Overview

The short version

PDI Med is designed so that the most sensitive data — your patients' PHI — never reaches our servers. What we do collect is the minimum necessary to operate a secure, useful clinical reasoning platform for physicians. This policy explains what that means in practice.

Effective date: May 2026. This policy applies to physicians, clinical users, and visitors to pdi-med.com. It is governed by and consistent with the PDI Med Bylaws and Terms of Service.

What We Collect

Data we collect and why

  • Account information. Name, email address, and professional credentials (license number, specialty) used to verify physician identity and manage platform access. This data is stored on PDI Med's authentication infrastructure and is not shared with third parties except as required to verify credentials.
  • De-identified clinical artifacts. Committed encounter records, evidence spans, and clinical assertion data derived from your clinical encounters after multi-layer de-identification. These contain no PHI and are stored on PDI Med infrastructure to support your clinical reasoning tools and, if you opt in, collective intelligence.
  • Platform usage signals. Functional data about how the platform is used — feature interactions, session events, error logs — used solely to maintain system health and security. We do not log clinical content or patient identifiers.
  • Contact and support communications. Messages you send to PDI Med through contact forms or support channels, retained to resolve your inquiry. PHI must not be included in support communications; if it is, PDI Med treats it as a security incident.

What We Don't Collect

Data we are designed not to receive

  • Protected Health Information (PHI). Raw clinical notes, patient identifiers, and PHI-bearing source documents are processed locally and through the de-identification pipeline before reaching PDI Med servers. We do not knowingly receive, store, or process PHI.
  • Vault contents. Your Vault is encrypted under keys that PDI Med does not possess. We cannot access, read, or reconstruct the clinical records stored in your Vault.
  • Outcome data linked to identifiable patients or physicians. PDI Med does not map clinical outcomes to individual physicians or patients. There are no outcome databases, performance scores, or physician-linked clinical result records on PDI Med infrastructure.
  • Employer or payor surveillance data. PDI Med does not provide employers, insurers, health systems, or government agencies with physician-level performance data, practice pattern reports, or any individualized clinical analytics.

Your Vault

The Vault is yours — not ours

The PDI Med Vault is a physician-controlled cryptographic construct. It stores the physician's clinical records encrypted under keys that PDI Med does not hold in decryptable form. PDI Med's intended operating posture is zero-knowledge with respect to Vault contents.

  • PDI Med cannot read your Vault. If you lose your credentials, recovery occurs via identity verification and vault remapping — not by PDI Med accessing prior contents.
  • Vault contents are the physician's property. PDI Med does not claim ownership of clinical records stored in the Vault.
  • On account termination, your Vault may be sealed at your request. De-identified data already contributed to collective intelligence is not selectively removed.

De-Identification

How de-identification works

PDI Med uses a multi-layer de-identification pipeline to process clinical text before any structured data reaches PDI Med infrastructure. The pipeline includes client-side scrubbing, allow-list filtering, and server-side validation. Physician verification occurs before transmission.

  • De-identification reduces PHI exposure risk; it is not an absolute guarantee of zero PHI leakage. No pipeline of this kind is mathematically perfect. PDI Med layers additional controls — minimum cohort sizes, suppression of rare combinations, and structural incentives — to reduce residual risk.
  • The outputs of the pipeline are evidence spans: structured, de-identified records of clinical reasoning. Evidence spans document what was known, uncertain, and ordered — not the raw source notes.
  • If PHI is detected on PDI Med infrastructure due to user error or pipeline failure, PDI Med treats it as a security incident subject to containment procedures.

Board Prep

Board certification preparation data

Physicians who use PDI Med to prepare for board certification examinations generate Board Examiner Session Data — de-identified reasoning artifacts, case structures, and differential traces created during preparation activities.

  • Board Examiner Session Data is used exclusively for physician learning within PDI Med.
  • It is never shared with specialty boards, certifying authorities, employers, payors, or any external party.
  • PDI Med does not score, evaluate, or assess board preparation sessions for credentialing purposes.
  • Board preparation activity is not monitored, benchmarked, or used to generate performance metrics of any kind.

Collective Intelligence

If you opt in to collective intelligence

Participation in PDI Med's collective intelligence network (GZIN) is opt-in and per-encounter. If you choose to contribute committed encounter data to the aggregate network:

  • Only de-identified data is contributed. No PHI, no physician identifiers, no patient identifiers are transmitted to the aggregate layer.
  • Collective outputs are descriptive and population-level — distributions, uncertainty ranges, common follow-up paths. They are never physician-level, patient-level, or prescriptive.
  • Minimum cohort thresholds are enforced. Rare combinations are suppressed. No individual physician can be reconstructed from aggregate outputs.
  • Once integrated into aggregate systems, individual data points cannot be selectively removed without corrupting the validity of the collective record. This is disclosed as a condition of participation.
  • You may withdraw from future contributions at any time without losing access to your Vault or clinical reasoning tools.

Third-Party Sharing

What we share and with whom

  • We do not sell physician or patient data. PDI Med does not sell, license, or trade physician-derived data, patient-derived data, or de-identified clinical artifacts to third parties in any form that undermines physician trust or patient trust, or that creates surveillance incentives.
  • Infrastructure providers. PDI Med uses cloud infrastructure and service providers (hosting, authentication, email) to operate the platform. These providers may process limited account data on our behalf under contractual data processing terms. They do not have access to clinical vault contents or de-identified clinical artifacts.
  • Legal requirements. PDI Med may disclose account information if required by a valid legal order. We will not voluntarily expand scope beyond what is legally required. We will notify affected users to the extent legally permitted.
  • Security incidents. If PHI is inadvertently received, relevant facts may be disclosed to legal counsel, regulators, or affected parties as required by HIPAA breach notification rules.

PDI Med will not provide employers, payors, health systems, or government agencies with physician-level clinical data, practice pattern reports, or performance analytics of any kind.

Your Rights

Access, correction, and deletion

  • Access. You may request a summary of account information PDI Med holds about you. Vault contents are encrypted under your keys — only you can access them.
  • Correction. You may request correction of inaccurate account information. Clinical artifacts are physician-generated and are not corrected by PDI Med.
  • Deletion. You may request account deletion and vault sealing at any time. De-identified data already integrated into collective intelligence systems is subject to the aggregate non-retractability policy in the Bylaws and Terms.
  • Portability. PDI Med will provide reasonable assistance in exporting vault-accessible data in a structured format upon verified request.
  • GDPR and state privacy laws. To the extent applicable law grants additional rights, PDI Med will honor them. Contact dan@pdi-med.com with privacy rights requests.

Contact

Privacy questions and requests

For privacy-related questions, requests, or concerns, contact PDI Med at dan@pdi-med.com. We aim to respond within 10 business days.

This policy may be updated as the platform evolves. Material changes will be posted here with an updated effective date. Changes will not regress on privacy architecture, physician autonomy, or the non-punitive design commitment.