
Privacy Policy

Effective date: June 23, 2026  ·  Last updated: June 23, 2026

The short version: ChartKey helps you organize your health history. You own your information. We do not sell it, do not use it for advertising, and do not share it except to operate the service. You can delete your account and your data at any time.

1. Who we are

ChartKey is a personal health record organizer operated by Aaron Whipkey ("we," "us," "our"). You sign up directly as a consumer; we are not a healthcare provider, health plan, or healthcare clearinghouse. We are subject to the FTC Act, the FTC Health Breach Notification Rule, and applicable state privacy laws — including Washington's My Health My Data Act (MHMD), California's Confidentiality of Medical Information Act (CMIA), and other consumer health-data statutes.

This policy covers yourchartkey.com, app.yourchartkey.com, and any related services (the "Service"). It covers two stages: the waitlist (live now) and the ChartKey application (in development / limited access).

2. What we collect

On the waitlist

  • Email address, first name, and role (patient or caregiver)
  • Basic technical data (IP address, timestamp) for security and abuse prevention

We do not collect any health information on the waitlist.

In the application

  • Account details — email, name, and date of birth, provided when you sign up
  • Patient profiles — names, dates of birth, and relationships you enter for people in your care
  • Health information you enter — symptoms, conditions, medications, and allergies you document through the app
  • Health records from your provider — if you choose to connect your electronic health records via SMART on FHIR, we retrieve the data you authorize (such as encounters, diagnoses, medications, allergies, and clinical notes)
  • Usage and technical data — log data, device type, browser, and IP address, used for security and to operate the service

3. How we use your information

Purpose | What it involves
Provide the Service | Store and display your health information; run the AI features that help organize what you document
Communicate with you | Send account emails (confirmations, password resets, early-access notices)
Keep the Service secure | Detect fraud, abuse, and unauthorized access; maintain audit logs
Improve the Service | Aggregate, de-identified usage patterns; never individual health records

We do not sell your personal information. We do not use your health information for advertising or share it with data brokers. We do not use your health information to train AI models without your explicit consent.

4. Consumer health data — your rights and our commitments

Your health information belongs to you

ChartKey collects consumer health data as defined under Washington's My Health My Data Act and similar state laws. We treat this category of information with heightened protection regardless of which state you live in.

We will never sell your health data. We will never share it for advertising. We will not share it with any third party beyond what is necessary to operate the service you requested — and only with your consent.

Consent

We ask for your opt-in consent when you create an account. Connecting your health records from a provider is always optional and always requires a separate, explicit authorization step — you initiate it, you control which provider, and you can revoke it at any time. We do not collect health data silently or as a condition of basic account access.

How your health information is stored

All health information is stored encrypted at rest and in transit on AWS infrastructure in the United States, within a private network not accessible from the public internet. Credentials and sensitive configuration are stored in AWS Secrets Manager and never appear in application code or logs.

AI features

ChartKey uses AI (via Amazon Bedrock) to help organize and summarize health information you provide. The AI features operate within AWS — your health data does not leave AWS infrastructure to reach a third-party AI provider. AI features are constrained to documentation and organization only; they do not diagnose, advise, or make clinical determinations. See our Terms of Service for more on this constraint.

5. How we share your information

We do not sell or rent your information. We share it only in these limited circumstances:

  • Service providers — cloud infrastructure (AWS), email delivery, and other vendors who process data on our behalf under contract, with access limited to what they need to do their job
  • Legal requirements — if required by law, court order, or to protect the safety of users or the public
  • Business transfer — if ChartKey is acquired or merges with another company, your information may transfer as part of that transaction; we will notify you and you will have the opportunity to delete your account before the transfer completes
  • With your consent — for any other purpose, only with your explicit opt-in

We do not share your health information with employers, insurers, marketers, or data brokers — ever.

6. Your rights

You have the following rights over your information, regardless of where you live. To exercise any of them, email us at hello@yourchartkey.com. We will respond within 30 days.

  • Access — request a copy of the personal and health information we hold about you
  • Correction — ask us to correct inaccurate account information (note: health information you entered is always editable directly in the app)
  • Deletion — request deletion of your account and all associated information; we will delete or de-identify it and confirm when done. Note that information shared with your healthcare providers before deletion cannot be recalled by us.
  • Export / portability — request a machine-readable export of your health information
  • Withdraw consent — disconnect a linked health record source or withdraw consent for any specific data use at any time
  • Opt out of non-essential communications — every email we send includes an unsubscribe link

Waitlist

Every waitlist confirmation email includes a one-click link that removes you from the list and deletes your waitlist data. You can also email us at any time to be removed.

7. Security

We use reasonable technical and organizational safeguards to protect your information:

  • Encryption in transit (TLS) and at rest (AES-256) for all health data and credentials
  • Private network isolation — databases are not accessible from the public internet
  • Least-privilege access — internal systems access only what they need
  • Audit logging of access to sensitive data
  • No PHI in application logs, source code, or AI prompts beyond what is strictly necessary

No system is perfectly secure. In the event of a qualifying breach of your unsecured health information, we will notify you and the FTC (and any required state regulators) without unreasonable delay and no later than 60 days after discovery, as required by the FTC Health Breach Notification Rule.

8. Children

The waitlist and direct account sign-up are for adults (18 and older). We apply an age gate at sign-up and do not knowingly allow children under 13 to create accounts directly.

Parents and guardians may create and manage health profiles for children in the application. If you believe a child's information has been collected without appropriate parental authorization, contact us at hello@yourchartkey.com and we will promptly delete it.

9. Changes and contact

We may update this policy as the Service evolves. When we make material changes, we will notify you by email or in-app notice and update the date at the top of this page. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

Questions, requests, or concerns about this policy or your information: