Zero-PHI Architecture and Data Handling Statement – iGlowly Assistant

Last updated: 30 March 2026

1. Purpose of This Document

This document describes the technical and organizational architecture of the iGlowly Assistant and explains how the system is designed to prevent the storage of Protected Health Information (PHI) and personal data.

The iGlowly Assistant is designed according to a data minimization, privacy-by-design, and Zero-PHI architecture principle.

This document is intended for clinics, IT departments, compliance officers, and security reviewers.

2. Definition of Protected Health Information (PHI)

For the purposes of this document, Protected Health Information (PHI) refers to individually identifiable health information, including but not limited to:

• Names
• Email addresses
• Phone numbers
• Postal addresses
• Dates of birth
• Medical records
• Photographs
• Any health information linked to an identifiable person

The iGlowly Assistant is designed so that such information is not stored in the system.

3. Zero-PHI Architecture Overview

The iGlowly Assistant is architected according to a data minimization and ephemeral processing model so that:

• Chat messages are processed ephemerally in memory (RAM);
• Chat messages are not stored in databases;
• Chat messages are not written to logs;
• Chat messages are not included in backups;
• Chat messages are not visible to clinics;
• Chat messages are not accessible to iGlowly staff;
• Chat messages are sanitized before any AI processing;
• Only structured, non-identifying topic analytics are stored.

This architecture is designed to prevent the system from storing or maintaining PHI.

4. Message Processing (Ephemeral Processing)

When a visitor interacts with the Assistant:

1. The message is received and processed in server memory (RAM);
2. The message is analyzed to determine the topic and intent;
3. Personal identifiers are removed through automated sanitization;
4. The sanitized message may be sent to an AI system to generate a response;
5. The response is returned to the user;
6. The original message is discarded and not stored.

Messages exist only temporarily during processing and are not persisted.
Once a response is generated and returned, the message is discarded from memory and is not retained by the system.

5. No Storage of Chat Messages

The iGlowly Assistant does not store:

• Full chat messages
• Assistant responses
• Conversation transcripts
• Conversation history
• Medical information
• Personal identifiers

Chat content is not stored in:

• Databases
• Application logs
• Analytics systems
• Backups
• Monitoring systems

6. No Persistent Personal Identifiers or Tracking Mechanisms

The system is designed not to collect or store personal identifiers.

The iGlowly Assistant does not store:

• Names
• Email addresses
• Phone numbers
• Addresses
• Dates of birth
• Patient IDs
• User accounts
• Cookies
• localStorage identifiers
• Browser fingerprints
• IP addresses

The system uses only a temporary session token stored in browser sessionStorage, which:

• Exists only for the duration of the browser tab;
• Is automatically deleted when the tab is closed;
• Expires after 15 minutes of inactivity;
• Is not linked to a person’s identity;
• Is not used for tracking across websites.

7. Personal Data Sanitisation Layer

If a user enters personal information into the chat, the system applies automated detection and redaction before any AI processing.

Sanitisation operates in two layers:

Layer 1 – Pattern Detection
Pattern-based detection using regular expressions to identify structured personal data such as:

• Email addresses
• Phone numbers
• Identification numbers
• URLs containing personal data

Layer 2 – AI Entity Detection
AI-based entity recognition using Microsoft Azure AI (hosted in the European Union – West Europe region) to detect:

• Names
• Addresses
• Locations
• Other personal identifiers

When personal data is detected, it is replaced with anonymised tokens such as:

• “[name removed]”
• “[email removed]”
• “[phone removed]”

Only the sanitized message is used for AI response generation.

8. AI Processing

Some responses are generated using AI.

AI processing follows this flow:

User message → Sanitisation → AI processing → Response → Message discarded

Important safeguards:

• AI receives sanitized text only;
• Raw messages are not stored;
• iGlowly does not use chat data to train AI models;
• AI providers process requests via API and do not receive user identity;
• iGlowly does not create user profiles based on conversations.
• AI processing is performed via API and is stateless on the iGlowly side; conversation content is not stored after response generation.

9. Stored Data (Anonymous Analytics Only)

The only data stored by the iGlowly Assistant consists of non-identifying structured analytics, such as:

• Treatment topic requested (e.g., Botox, dermal fillers)
• Concern topic requested (e.g., wrinkles, acne)
• Question type (e.g., pricing, recovery, booking intent)
• Language used
• Date and time of interaction
• Clinic identifier
• Anonymous session identifier (random, temporary)

No free-text messages are stored.
No personal identifiers are stored.
The system does not store message embeddings, vectorized text, or any form of semantic representation of conversations.

This data is used only to provide anonymous demand analytics to clinics and to improve the Assistant.

10. No Cookies, No Tracking, No Profiling

The iGlowly Assistant:

• Does not use tracking cookies;
• Does not use advertising cookies;
• Does not use localStorage;
• Does not use persistent browser identifiers;
• Does not perform cross-site tracking;
• Does not build user profiles;
• Does not track users across websites.

The Assistant uses only session-based memory required for technical operation.

11. Data Hosting and Processing Locations

The iGlowly Assistant infrastructure uses the following hosting and processing locations:

Application and Database Infrastructure

• Supabase (hosted on AWS infrastructure)
• Database location: European Union (Germany)
• Purpose: anonymous analytics storage, application database, server-side logic, and edge functions
• Chat messages are not stored in the database
• Supabase infrastructure includes database hosting, server-side logic (Edge Functions), and analytics storage. Chat messages are processed in memory and are not persisted in Supabase systems.

Personal Data Sanitisation

• Microsoft Azure Cognitive Services
• Region: West Europe (European Union)
• Purpose: detection and redaction of personal identifiers before AI processing

AI Processing

• OpenAI API
• Processing location: United States
• Only sanitised, non-identifying text is sent for AI response generation
• Raw messages are not stored by iGlowly

Frontend Script Delivery

• Vercel (Global CDN)
• Purpose: delivery of the iGlowly Assistant widget script (widget.js)
• Vercel serves static frontend files only and does not store chat messages or analytics data

All data transmissions are encrypted using HTTPS/TLS.

12. Access to Data

Access to data within the iGlowly Assistant system is restricted as follows:

Chat Messages

• Not stored by iGlowly
• Not accessible to clinics
• Not accessible to iGlowly staff
• Processed ephemerally in memory only
• AI providers receive only sanitised text when AI processing is required

Personal Data

• The system is designed not to collect or store personal data
• Personal identifiers are automatically redacted before AI processing
• No personal data is stored in databases, logs, or analytics systems

Anonymous Analytics

• Clinics can access aggregated analytics related to their own clinic only (e.g., topics requested, demand trends)
• iGlowly staff may access analytics for system maintenance, security, and service improvement
• Analytics contain only structured, non-identifying data and no chat transcripts

Clinics do not have access to conversations, transcripts, or visitor identities.

13. Security Measures

The iGlowly Assistant is designed according to security and data minimization principles. The following technical and organizational measures are implemented:

Encryption

• All data in transit is encrypted using HTTPS/TLS.
• Stored analytics data is encrypted at rest by the hosting provider.

Access Control

• Role-based access control is enforced.
• Each clinic can access only its own analytics data.
• Administrative access is restricted to authorized iGlowly personnel only.

Data Isolation

• Clinic data is logically isolated per clinic identifier.
• Clinics cannot access data belonging to other clinics.

No Message Logging

• Chat messages are not written to application logs.
• Chat messages are not stored in monitoring systems.
• Chat messages are not included in backups.

Retention Limitation

• Chat messages are not retained.
• Anonymous analytics are retained for statistical analysis and service improvement only.
• Technical security logs are retained for a limited period for abuse prevention and then deleted.
• Backups contain only anonymous analytics data and system configuration data, and do not contain chat messages.

Session Security

• Session tokens are stored only in sessionStorage (tab-scoped).
• Sessions expire automatically after 15 minutes of inactivity.
• No persistent identifiers are stored in the browser.

Abuse and Security Protection

• Rate limiting is implemented at session and system level.
• Automated protection against spam, automated abuse, and injection attempts is implemented.
• The system is designed to prevent attempts to extract hidden system prompts or internal system information. 

‍

14. Intended Use and Prohibited Use

The iGlowly Assistant is intended to provide general informational and educational content about treatments and clinic services.

The Assistant is not intended to be used to submit personal data, medical records, or protected health information.

Clinics and users are instructed not to use the Assistant as a patient communication channel, medical intake form, or medical record system.

Any personal data entered by users is automatically redacted where possible and is not stored by the system.

15. HIPAA Position

The iGlowly Assistant is designed so that it does not create, receive, store, or maintain Protected Health Information (PHI) in persistent form, and is architected to avoid the storage of individually identifiable health information.

Conversation content is processed ephemerally in memory, sanitized before any AI processing, and not stored. The system does not store patient identifiers, medical records, or conversation transcripts.

Because of this architecture, and when the service is used as intended, the iGlowly Assistant is generally not considered to create, receive, maintain, or transmit Protected Health Information (PHI) in a persistent manner and therefore may not require a Business Associate Agreement (BAA). Clinics and covered entities should confirm this assessment with their own legal or compliance advisors.

iGlowly can provide additional documentation regarding its Zero-PHI architecture, data handling practices, and security measures upon request.

The iGlowly Assistant is an informational and educational software tool and is not intended to be used as a system for transmitting patient information, medical records, or protected health information.

16. Summary

The iGlowly Assistant is designed according to the following principles:

• No storage of chat messages
• No storage of personal identifiers
• No storage of health records
• No cookies or tracking
• No user profiles
• No conversation history
• Messages processed ephemerally
• Messages sanitized before AI processing
• Only anonymous topic analytics stored

This architecture is designed to minimize privacy risk and prevent the storage of Protected Health Information.