Effective 2026-06-12 · v2026-06-12.1

AI / LLM Data-Flow Disclosure

Version: 2026-06-12.1 Effective: 2026-06-12

This document explains a feature that is unlike most personal health-record products and that you must understand and explicitly consent to before using.

1. The feature

Thylib supports the Model Context Protocol (MCP), an open protocol that allows compatible AI assistants — including Anthropic Claude, OpenAI ChatGPT, and Google Gemini — to run structured queries on your behalf against your Thylib data and receive structured responses back.

When you ask one of those assistants a question like "What did my last lipid panel show?" or "When was Mom's last tetanus shot?", the assistant calls a Thylib MCP "tool" on your behalf. Thylib runs the query and returns the matching records.

2. What leaves Thylib

Tool responses returned to the AI assistant include the FHIR resources matching your query — conditions, lab results and vitals (Observation), medications, allergies, immunizations, procedures, diagnostic reports, clinical documents and notes, and encounter/visit records. These may include patient name, date of birth, diagnoses, lab values, medication names and doses, and free-text clinical narratives written by your care team (visit notes, report conclusions).

These responses are delivered to the AI provider hosting the assistant you have chosen to connect. Once data has left the Thylib servers, the privacy and retention practices of that AI provider apply.

What does not leave Thylib:

  • Your patient-portal credentials and OAuth tokens.
  • Your audit log.
  • Records of other family members, unless your specific query requested them and your family role permits you to view them.

3. Currently disclosed AI providers

Connecting through MCP routes your data to whichever provider hosts the assistant you have configured. As of this document's effective date, MCP clients are commonly available from:

  • Anthropic (Claude apps, claude.ai)
  • OpenAI (ChatGPT apps)
  • Google (Gemini)
  • Open-source clients that may route to any of the above or to other model providers you configure

Each of those providers operates its own privacy and data-retention regime that is outside Thylib's control. We encourage you to read their policies before enabling MCP — including whether your conversations may be used for model training under your settings with that provider.

4. Why this matters

Most health-record apps expose your data only through their own application. Thylib is unusual in that it lets a third-party AI assistant read your records on your behalf. This is convenient — you get a conversational interface over your own chart — but it means your health data passes through a company that Thylib cannot directly control.

If you are uncomfortable with this, do not enable MCP. You can use all of Thylib's web features (your dashboard, your record timeline) without ever connecting an AI assistant; in that configuration, your data does not leave the Thylib servers except for the explicit data-export feature you trigger yourself.

5. Opt-out

You may opt out of MCP at any time by revoking the MCP credential issued to you on the connections page. Revocation takes effect immediately for new requests. Data already returned to an AI provider in past sessions is governed by that provider's retention.

6. Changes to this disclosure

Any change to this disclosure — including adding a new AI provider to the list above, changing what data leaves the system per tool, or changing this document's wording — is always treated as a material change and will require your re-acceptance on next sign-in or next MCP tool call.

7. Acknowledgement

By accepting this disclosure, you acknowledge that you understand:

  1. Tool responses you trigger via MCP send your structured health records, potentially including clinical notes, to a third-party AI provider.
  2. That provider's own privacy and retention policies apply once data leaves Thylib.
  3. You can use Thylib without enabling MCP if you prefer.