Gazzali Zayn GAZZALI ZAYN
Case Study · Product + Engineering · Health-tech

MyHPTracker — your health records, private by architecture.

Solo build · Phase 1

A privacy-first personal health-records app (iOS + Android). It turns a messy pile of medical documents — lab reports, prescriptions, scans, handwritten notes — into a single, continuously-updated health profile you can query in plain language. The differentiator isn't a feature; it's the architecture: sensitive health content lives in the user's own storage, never the company's database. The strongest engineering result — a provider-agnostic AI layer that cut inference cost 6.5–17.3×.

AI cost
6.5–17×cheaper, measured
Health data in our DB
0only metadata pointers
AI touchpoints
4one swappable interface
Storage backends
2S3 or your Google Drive
01 · The problem

"My health" lives in a hundred PDFs.

People accumulate records across hospitals, labs, and clinics in incompatible formats — PDFs, phone photos, paper. There's no single view of "my health," and the data is locked inside documents. Existing apps either don't extract the data, or force you to hand your most sensitive information to a third party. MyHPTracker fixes both: it understands the documents and keeps the data yours.

02 · What it is

Snap a document. Get a profile.

Snap-and-understand

Photograph or upload any medical document; the system identifies the type, extracts structured data (lab values, meds, doctors, dates, findings), and writes a plain-English summary.

Living Health Profile

Every new record is automatically merged into one evolving profile.md per user — overview, medications, lab values over time, observations.

"Ask MHT"

A conversational assistant that answers questions about your own health history — with hard medical-safety guardrails: never prescribes, never replaces a doctor, always defers to a physician.

User-owned storage

At onboarding you choose where your data lives: managed cloud (S3) or your own Google Drive. For Drive users, raw documents are never persisted on the backend.

03 · The differentiator

Privacy by architecture, not by policy.

Most apps promise privacy in a policy document. MyHPTracker enforces it structurally:

The application database stores only metadata and pointers — record category, date, file path. All actual health content lives in the user's chosen storage, not the company's database. A breach of our DB leaks categories and dates, never lab values or diagnoses. Privacy isn't a setting you trust us to honour; it's where the bytes physically are.

04 · Document understanding

OCR-free, by design.

Instead of traditional OCR (Textract/Tesseract), documents are routed to a multimodal LLM. A single orchestrator detects the file type and picks the pipeline, then returns a strict, schema-validated JSON shape:

InputPipelineWhy
Images & scanned PDFsVision API → structured JSONHandles handwriting, X-rays, poor scans that defeat OCR.
Native digital PDFsText extraction → LLMFaster, cheaper when the text layer is already clean.

Honest trade-off. LLM-vision beats OCR badly on handwritten prescriptions and messy scans — but it costs more per call than raw OCR. Worth it here because accuracy on the ugly real-world documents is the whole product; a wrong lab value is worse than a slow one. Cost was then attacked separately (next section).

05 · Cost engineering

A provider-agnostic AI layer — and a 6.5–17× cost cut.

All four AI touchpoints (image analysis, text analysis, profile merge, Q&A) sit behind one IAIProvider interface, with interchangeable Claude and Gemini adapters selectable by a single env var. I added per-call token/cost telemetry and a side-by-side cost-comparison harness, then benchmarked both on real documents:

ProviderRelative cost / documentOutput quality
Incumbent model6.5–17.3×comparable
Gemini (migrated to)1× (baseline)comparable

Migrated with zero public-API changes. Because the response contract was preserved end-to-end, switching the primary provider to Gemini required no mobile release — the apps never knew. The interface that made benchmarking easy also made the migration free.

06 · The living profile

Async by default; always current.

Document upload returns immediately — the user never waits on the LLM. A BullMQ/Redis worker then merges the new record's structured data into the user's profile.md via an LLM, so the profile is continuously up to date without blocking the experience. Ask MHT answers questions over that profile, wrapped in medical-safety guardrails so it informs without ever crossing into prescribing or diagnosis.

~/mht / upload pipeline
// upload  detect type → vision | text → schema-validated JSON  (returns now)
// worker  BullMQ/Redis → LLM merge into profile.md  (async, non-blocking)
// ask    "Ask MHT" Q&A over profile  + medical-safety guardrails
// store  raw doc → user storage (S3 | Drive) · DB keeps pointer only
07 · Security & ops

Defense in depth.

Auth

Google OAuth 2.0 → short-lived (15-min) JWT access tokens with rotating refresh tokens. Admin operations gated behind a separate secret.

Dual-storage abstraction

One storage interface, S3 + Google Drive adapters; all app code depends only on the interface. Drive users' raw files transit a short-lived temp file, deleted immediately after analysis.

Database

Postgres row-level security enabled as defense-in-depth — even though the backend uses a service-role key. The cheap safety net stays on.

Observability

Structured request logging; production debugging via deploy logs; reproducible data-admin scripts (reset, inspect) that run through the same service-role client the app uses.

Stack — TypeScript · Fastify · PostgreSQL (Supabase) · BullMQ + Redis · AWS S3 / Google Drive · Anthropic Claude + Google Gemini · Render (CI/CD from main).

08 · Honest framing & next

Where it stands.

This is a solo, Phase-1 build — so the impact story is architecture and cost engineering, not scale. No user-count claims. The quantified win that holds up is real and measured on actual documents: the 6.5–17.3× AI cost reduction.

Chosen trade-offLLM-vision over OCR — accuracy on handwriting/scans bought at a higher per-call cost, then clawed back via the provider migration.
Known limitation → nextMobile token refresh: sessions currently lean on short-lived tokens; smoother silent refresh on mobile is the next fix.

More deep dives.

Two more case studies on how these systems were built.