Privacy Policy

The strongest privacy policy is one that has nothing to protect.

LeptonX never receives, stores, processes, or transmits patient medical data. This is not a policy commitment — it is an architectural fact. This page explains what that means in practice.

Last updated: June 3, 2026

1. The Foundational Difference

Most privacy policies begin with a description of how a company collects, stores, processes, and protects your personal data. This one begins differently.

LeptonX does not collect, receive, store, process, manage, transmit, or ever need to destroy any patient medical data. Not in the cloud. Not on our servers. Not temporarily. Not in anonymized form. Not ever.

All medical record ingestion, indexing, retrieval, and AI inference occurs exclusively on hardware owned by and located in the physical premises of the patient. LeptonX provides the software and the intelligence architecture. The patient provides — and retains sole custody of — the data.

The most important conversations about your health happen between you and your physician. Maya helps you arrive at them prepared.

Privacy is the means. The conversations are the end. LeptonX is built so the means never compromises the end.

Zero Data Custody — By Architecture

You cannot be breached for data you never held. LeptonX has structurally eliminated the category of liability that defines the medical AI industry. Every obligation created for medical data custodians — HIPAA, GDPR, CCPA, state health data privacy laws — is an obligation LeptonX structurally cannot have.

2. What LeptonX Does Not Collect

For absolute clarity, LeptonX never collects, accesses, or processes any of the following:

All of the above resides exclusively on your own device and is never transmitted to LeptonX or any third party.

3. What LeptonX May Collect

LeptonX collects a limited set of non-medical information necessary to operate its business and website. This data never includes any health information.

3.1 Website Visitors (leptonx.org)

When you visit our website, our hosting infrastructure may collect:

Cookies and tracking. The LeptonX website uses only the minimal cookies strictly necessary for the site to function. We do not use advertising cookies, tracking pixels, cross-site trackers, session-recording tools, or third-party behavioral-analytics services that sell or share visitor data. We do not build advertising profiles, and we do not sell, rent, or share visitor information with any third party for marketing purposes.

Retention of website data. Web server logs are retained only as long as needed for security and operational diagnostics (typically no more than 90 days) and are not used to identify or profile individual visitors. Contact-form submissions are retained only as long as needed to respond to your inquiry (see Section 8).

3.2 Optional Cloud Settings Sync

For patients who opt in, LeptonX offers an optional cloud-based settings synchronization service. This service stores only the following:

What the Cloud Stores                        | What the Cloud Never Sees
-------------------------------------------- | --------------------------------------------
Voice speed and persona preferences          | Medical records of any kind
Custom pronunciation lexicon entries         | Lab results, diagnoses, or treatment history
RAG retrieval parameters you've tuned        | Wearable health data
Wearable device mappings and format rules    | Your name, date of birth, or any identifier
Notification and UI layout preferences       | Your queries or conversation history
A random UUID — never your name or identity  | Anything clinically meaningful

The only thing LeptonX stores in the cloud is the shape of your preferences — never the substance of your health. A complete breach of our cloud settings infrastructure would reveal nothing about any patient's medical history.

This service is entirely optional. You can decline cloud settings sync with no loss of product functionality. All on-device processing — record retrieval, voice interaction, pattern search — operates fully on your device regardless of this setting.

3.3 Software Update Telemetry

When you initiate a software update (updates are always patient-initiated, never automatic), your device may transmit:

No health data, no patient identity, and no query history is ever included in update telemetry. Update checks occur only when you initiate them — LeptonX never pushes updates to your device without your explicit action.

3.4 Anonymized Product Telemetry (Opt-In — Not Currently Transmitted)

LeptonX has designed an optional, anonymized, non-medical product-telemetry capability intended to help improve the platform. This capability is off by default, and LeptonX does not currently transmit or collect any such telemetry. No product-usage telemetry will be transmitted from any device until (a) the patient explicitly opts in, and (b) LeptonX has completed a formal external privacy and legal review of the telemetry boundary.

If and when this capability is enabled in a future release, it is designed so that any data would be limited to aggregate, non-identifying signals such as:

By design, any such telemetry would be stripped of identifying information on the device before transmission, with differential-privacy techniques (ε ≤ 1) applied locally before any data leaves the device, IP addresses discarded at ingestion, and random telemetry tokens that are never mapped to patient identity. These are design properties of the planned capability; they describe how the feature would behave if enabled, not a service that is presently running.

4. HIPAA and Regulatory Position

LeptonX's architecture is specifically designed so that LeptonX does not meet the definition of a Covered Entity or Business Associate under HIPAA, because LeptonX never creates, receives, maintains, or transmits Protected Health Information on behalf of a covered entity or individual.

A note on what this means — and what it does not. When we describe our architecture as being structurally outside HIPAA's custody triggers, we mean exactly that: because LeptonX never holds your medical data, the obligations HIPAA places on data custodians do not attach to LeptonX. This is a statement about our architecture, not a government certification. "Structurally outside HIPAA's custody model" is not the same as "HIPAA-certified" or a regulator's endorsement, and we do not claim any such certification. The protection comes from the design, not from a compliance badge.

That said, LeptonX voluntarily aligns its security practices with recognized frameworks including:

LeptonX does this not because it is required — but because voluntary alignment with the highest standards reflects the company's commitment to trust and transparency.

5. Data Residency and Sovereignty

All your medical data resides exclusively on hardware owned by and physically located on your own premises. LeptonX does not operate data centers, cloud storage, or remote processing infrastructure for patient data.

Your device is the data center. It sits in your home, under your roof, on your terms. You control:

LeptonX cannot remotely access, read, modify, delete, or interact with the data on your device. The system is designed with no backdoor, no remote management capability, and no silent data transmission.

6. Sensitive Categories of Data

Certain categories of health information carry heightened sensitivity and, in some jurisdictions, heightened legal protection — including genetic information (protected under the Genetic Information Nondiscrimination Act, "GINA"), mental and behavioral health records, reproductive and sexual health information, substance-use treatment records, and the records of minors.

LeptonX handles all of these categories identically to all other medical data: entirely on your own device, never transmitted to LeptonX or any third party. Because no medical data of any category ever reaches LeptonX, no special-category or sensitive data is collected, processed, sold, shared, or used for any secondary purpose by LeptonX. The structural protection described throughout this policy applies in full to every category of sensitive health information without exception.

7. Third-Party Services and Dependencies

7.1 Epic MyChart / FHIR Integration

When you authorize your LeptonX device to connect to Epic MyChart, the authorization occurs directly between your device and the Epic FHIR API. LeptonX provides the software that enables this connection. LeptonX never sees, proxies, or intermediates the FHIR data transfer. Your OAuth2 access token, refresh token, and retrieved medical records remain exclusively on your device.

7.2 Operating System and Device Platform

Your LeptonX device runs on underlying operating-system and hardware platforms. To the extent your device or any companion application interacts with platform vendors (for example, an operating-system vendor or a mobile-platform provider such as Apple or Google), those vendors' own privacy policies govern any data they collect through their platforms. LeptonX does not transmit your medical data to these vendors. We encourage you to review the privacy practices of the platform your device and any companion app run on.

7.3 Software Distribution and Update Servers

Companion applications, where offered, may be distributed through third-party application marketplaces (such as the Apple App Store or Google Play), which collect their own download and account data under their respective privacy policies. Patient-initiated software updates are retrieved from LeptonX-controlled update infrastructure and transmit only the minimal, non-medical update telemetry described in Section 3.3.

7.4 Fonts and CDN

The LeptonX website (leptonx.org) loads fonts from Google Fonts. This is a standard web practice. Google's privacy policy governs their handling of any data associated with font delivery. No medical or patient data is involved.

7.5 No Advertising or Data Brokering

LeptonX does not display advertisements. LeptonX does not sell, license, or share any user data — medical or otherwise — with advertisers, data brokers, insurance companies, employers, pharmaceutical companies, or any other third party. This is a permanent, structural commitment, not a policy that can be changed at the discretion of management.

8. Data Retention and Deletion

8.1 Patient Medical Data

LeptonX does not retain your medical data because it never possesses it. If you wish to delete your local records, you can do so at any time by deleting the data from your own device. No request to LeptonX is necessary because LeptonX has no copy to delete.

8.2 Website and Contact Data

Information submitted through our website contact forms is retained only for the purpose of responding to your inquiry, and no longer than reasonably necessary for that purpose. You may request deletion of your contact information at any time by emailing privacy@leptonx.org.

8.3 Cloud Settings Sync Data

If you have enabled optional cloud settings sync, you may request deletion of your synced preferences at any time. Upon request, your settings profile (identified only by a random UUID) will be permanently deleted within 30 days.

9. Your Privacy Rights

Because LeptonX holds no medical data and only a minimal amount of non-medical data (Section 3), the data subject to these rights is limited. To the extent LeptonX holds any personal information about you, you have the right to:

How to exercise your rights. Email privacy@leptonx.org with your request. We will verify the request and respond within the timeframe required by applicable law (generally within 30–45 days). There is no charge to exercise these rights. Note that, for medical data on your own device, you exercise the equivalent rights directly — the data is yours to access, export, or delete at any time without involving LeptonX.

10. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act. LeptonX honors these rights for the limited non-medical personal information it may hold (Section 3).

Do Not Sell or Share My Personal Information. LeptonX does not sell your personal information and does not share it for cross-context behavioral advertising. We have not sold or shared personal information in the preceding twelve months, and we have no mechanism or business model to do so. Because we do not sell or share personal information, no opt-out is necessary — but you may always contact us to confirm.

California residents also have the right to know what personal information is collected and how it is used (described in Section 3), the right to delete personal information (Section 8), the right to correct inaccurate information, and the right not to be discriminated against for exercising these rights (Section 9). To exercise any California right, contact privacy@leptonx.org.

11. Your Responsibilities

LeptonX's sovereign, on-device design gives you complete control of your medical data. With that control comes a corresponding responsibility: because your data lives on hardware you own and control, its physical and digital security is in your hands. To protect your data, we recommend that you:

This is the natural trade-off of true data ownership: the same architecture that ensures no company can breach your data also means that safeguarding the device is your role. LeptonX builds the protections into the system; you maintain the environment they run in.

12. Security Practices

For the limited non-medical data LeptonX does handle (website operations, contact forms, optional settings sync), we implement:

For device-side security, LeptonX devices implement:

13. Children's Privacy

LeptonX does not knowingly collect personal information from children under 13 through its website. Our products are intended for adult patients or for use by authorized adult caregivers. Where a LeptonX device is used to organize the records of a minor, that activity occurs entirely on the caregiver's own device under the caregiver's control; no such data reaches LeptonX. If we learn that we have inadvertently collected personal information from a child under 13 through our website, we will delete it promptly.

14. International Users

LeptonX's architecture is inherently aligned with international data-residency expectations because patient medical data never leaves the patient's physical premises. There is no cross-border transfer of medical information to comply with because no transfer occurs.

For the limited non-medical data associated with our website and optional services (Section 3), data may be processed in the United States. By using our website, you consent to this processing. If you are in the European Economic Area or the United Kingdom, you have rights under the GDPR / UK GDPR to access, correct, delete, restrict, and port your personal data, and to object to certain processing — contact privacy@leptonx.org to exercise these rights. The lawful bases on which we process the limited non-medical data are your consent and our legitimate interest in operating and securing our website and services.

15. Changes to This Policy

We may update this privacy policy to reflect changes in our practices or applicable law. Material changes will be posted on this page with an updated effective date and recorded in the version history below. Our fundamental architectural commitment — that LeptonX never possesses patient medical data — is not a policy position that can be changed. It is a structural property of the system's design.

16. Contact Us

LeptonX Health Intelligence LLC

Privacy Inquiries: privacy@leptonx.org

General Inquiries: contact@leptonx.org

Website: www.leptonx.org

If you have questions about this privacy policy, our data practices, or the architectural design of our privacy protections, we welcome your inquiry. We believe transparency is a competitive advantage, and we are happy to explain any aspect of our approach in detail.

17. Version History

Version | Effective Date | Summary of Changes
------- | -------------- | ------------------
2.0     | June 3, 2026   | Expanded non-PHI data detail (cookies, logs, retention); added consolidated Privacy Rights, California CCPA/CPRA & Do-Not-Sell-or-Share, Sensitive Categories, Your Responsibilities, and Version History sections; expanded third-party/OS/app-store disclosure; clarified that "structurally outside HIPAA" is not a certification; clarified that anonymized product telemetry is not currently transmitted (off by default, pending external privacy/legal review).
1.0     | May 19, 2026   | Initial published privacy policy — zero-data-custody architecture.

A Final Note

Most privacy policies are written to describe how a company handles the tension between using your data and protecting it. LeptonX does not have that tension. We built a system where the question "what happens to my data?" has the simplest possible answer: it stays exactly where it is. On your device. In your home. Under your control. Always.