"My health" lives in a hundred PDFs.
People accumulate records across hospitals, labs, and clinics in incompatible formats — PDFs, phone photos, paper. There's no single view of "my health," and the data is locked inside documents. Existing apps either don't extract the data, or force you to hand your most sensitive information to a third party. MyHPTracker fixes both: it understands the documents and keeps the data yours.
Snap a document. Get a profile.
Photograph or upload any medical document; the system identifies the type, extracts structured data (lab values, meds, doctors, dates, findings), and writes a plain-English summary.
Every new record is automatically merged into one evolving profile.md per user — overview, medications, lab values over time, observations.
A conversational assistant that answers questions about your own health history — with hard medical-safety guardrails: never prescribes, never replaces a doctor, always defers to a physician.
At onboarding you choose where your data lives: managed cloud (S3) or your own Google Drive. For Drive users, raw documents are never persisted on the backend.
Privacy by architecture, not by policy.
Most apps promise privacy in a policy document. MyHPTracker enforces it structurally:
The application database stores only metadata and pointers — record category, date, file path. All actual health content lives in the user's chosen storage, not the company's database. A breach of our DB leaks categories and dates, never lab values or diagnoses. Privacy isn't a setting you trust us to honour; it's where the bytes physically are.
OCR-free, by design.
Instead of traditional OCR (Textract/Tesseract), documents are routed to a multimodal LLM. A single orchestrator detects the file type and picks the pipeline, then returns a strict, schema-validated JSON shape:
| Input | Pipeline | Why |
|---|---|---|
| Images & scanned PDFs | Vision API → structured JSON | Handles handwriting, X-rays, poor scans that defeat OCR. |
| Native digital PDFs | Text extraction → LLM | Faster, cheaper when the text layer is already clean. |
Honest trade-off. LLM-vision beats OCR badly on handwritten prescriptions and messy scans — but it costs more per call than raw OCR. Worth it here because accuracy on the ugly real-world documents is the whole product; a wrong lab value is worse than a slow one. Cost was then attacked separately (next section).
A provider-agnostic AI layer — and a 6.5–17× cost cut.
All four AI touchpoints (image analysis, text analysis, profile merge, Q&A) sit behind one IAIProvider interface, with interchangeable Claude and Gemini adapters selectable by a single env var. I added per-call token/cost telemetry and a side-by-side cost-comparison harness, then benchmarked both on real documents:
| Provider | Relative cost / document | Output quality |
|---|---|---|
| Incumbent model | 6.5–17.3× | comparable |
| Gemini (migrated to) | 1× (baseline) | comparable |
Migrated with zero public-API changes. Because the response contract was preserved end-to-end, switching the primary provider to Gemini required no mobile release — the apps never knew. The interface that made benchmarking easy also made the migration free.
Async by default; always current.
Document upload returns immediately — the user never waits on the LLM. A BullMQ/Redis worker then merges the new record's structured data into the user's profile.md via an LLM, so the profile is continuously up to date without blocking the experience. Ask MHT answers questions over that profile, wrapped in medical-safety guardrails so it informs without ever crossing into prescribing or diagnosis.
Defense in depth.
Google OAuth 2.0 → short-lived (15-min) JWT access tokens with rotating refresh tokens. Admin operations gated behind a separate secret.
One storage interface, S3 + Google Drive adapters; all app code depends only on the interface. Drive users' raw files transit a short-lived temp file, deleted immediately after analysis.
Postgres row-level security enabled as defense-in-depth — even though the backend uses a service-role key. The cheap safety net stays on.
Structured request logging; production debugging via deploy logs; reproducible data-admin scripts (reset, inspect) that run through the same service-role client the app uses.
Stack — TypeScript · Fastify · PostgreSQL (Supabase) · BullMQ + Redis · AWS S3 / Google Drive · Anthropic Claude + Google Gemini · Render (CI/CD from main).
Where it stands.
This is a solo, Phase-1 build — so the impact story is architecture and cost engineering, not scale. No user-count claims. The quantified win that holds up is real and measured on actual documents: the 6.5–17.3× AI cost reduction.
