Skip to content
HANKAI
DevelopersWhat's new

Trust

Trust & data practices

How this documentation site handles analytics, feedback, free text, AI assistance, and content review. Each statement describes what the platform technically does and is verifiable against the site's source code.

What this page covers

This page describes the documentation site you are reading. It is not the HANK AutoCoder product and does not process patient or clinical data here. Every statement below describes what this site technically does and is grounded in its source code. It is not a legal notice and makes no certification or contractual claim.

First-party analytics only

The only telemetry this site collects is a first-party page-view count. The page-view beacon posts to our own origin (/api/analytics/view) and sends only the in-app path — the query string is never read or transmitted, and an optional topic id. There is no third-party analytics script, no external tracker or beacon to any other host, and the beacon sets no cookie.

Verifiable in components/analytics-beacon.tsx and services/analytics.ts.

No personal identifiers stored with analytics or feedback

A stored page-view row carries only a URL path (normalized — query string and fragment stripped, length-capped), an optional topic reference, and a timestamp. There is no IP address column, no user-agent, no referrer, and no user identity. The “Was this helpful?” widget stores only a topic id, a yes/no answer, and an optional scrubbed comment. In both paths a per-request session value is used solely as an in-memory rate-limit key and is never written to the database — the column is always stored as null.

Verifiable in services/analytics.ts and services/feedback.ts (the session hash is written NULL).

Free text is scrubbed before it is stored

Any free text a reader can submit — a feedback comment, a search query that returned no results, or a reported documentation issue — runs through a shared scrubber before storage. It strips identifier-shaped substrings (such as Social Security, medical-record, and date-of-birth shapes, as well as email, phone, and card/account number shapes, plus secret/API-key shapes) and normalizes the text first so common evasions (invisible characters, extra separators) cannot smuggle a value past the scan. If nothing survives scrubbing, the value is stored as null rather than as cleartext.

Verifiable in lib/publish/scrub.ts (scrubFreeText), used by services/feedback.ts, services/search.ts, and services/issues.ts.

Content changes are audited and reviewed

Every content mutation on the publishing API writes an audit-log row recording the action and the actor resolved from the validated token — never from the request body. A publish-policy gate sits in front of going live: any automated/bot write is forced into a pending state and can never auto-publish, and content flagged sensitive or matching an identifier pattern is force-pended for human review regardless of who submitted it. Bot-authored content reaches the public only after a human approves it.

Verifiable in app/api/v1/_audit.ts, services/audit.ts, and lib/publish/policy-gate.ts.

Public and internal content are kept separate

Public read paths hard-code a public-and-published filter and expose no parameter that could widen visibility, so internal or draft content is never served to an anonymous reader. The same boundary applies to the machine-readable surfaces: internal content never enters the public llms.txt index, the sitemap, or the public discovery API that backs the read-only documentation tools. Internal content is reachable only on a separate, identity-gated path.

Verifiable in services/topics.ts, services/llm.ts, and app/api/structure/route.ts.

AI assistance is transparent and grounded

Documentation pages that were written with AI assistance carry a visible AI-assistedbadge. The “Ask AI” assistant answers only from the published documentation, cites its sources, and declines to make a clinical or medical-coding determination for a specific patient or claim — directing you to the product or qualified staff instead. When the documentation does not cover a question, it says so rather than guessing. Before any question is sent to the third-party model, it is run through the same scrubber described above so identifier shapes do not leave our origin.

Verifiable in components/guide/meta-line.tsx, services/ask.ts, and lib/ask-llm.ts.

Report a security issue

Found a security problem with this documentation site? Report it here — no account needed. It goes straight to the site maintainers' review queue as a one-way intake: we don't collect your contact details, so include everything we'd need to reproduce and assess the issue (we can't follow up to ask). Don't paste live secrets, credentials, or any personal or patient data — describe them instead; secret- and identifier-shaped text is scrubbed before storage. This same channel is published in machine-readable form at /.well-known/security.txt (RFC 9116).

Verifiable in app/.well-known/security.txt/route.ts, app/api/issues/route.ts, and services/issues.ts.