CASE Logbook docs

Where your data lives

The short version: patient names and MRNs are scrambled on your phone using your backup password, then sent — still scrambled — to the app’s servers. The servers hold them but can’t read them. Only your phone, after you unlock it with your backup password, can read them.

Two places, different jobs

Your case data lives in two places:

  • The app’s servers hold everything: procedure, date, hospital, side, notes, plus the scrambled patient names and MRNs. The servers can read everything except the scrambled bits.
  • Your phone holds a working copy of your patient names in readable form, so your case list loads quickly. This copy only exists while your vault is unlocked.

The servers are the master. Your phone holds a working copy. If you wipe your phone, the next sign-in pulls everything back from the servers.

Why patient names are scrambled on your phone

Two reasons.

One. Even people with full access to the servers cannot read your patient names. The scrambled bytes are unreadable without a key derived from your backup password, which only your phone sees.

Two. Scrambling on your phone is stronger than scrambling at the server. A server-only approach protects the disk but not the running software. Scrambling on your phone means patient names are never readable on any server, ever.

The trade-off: if you forget your backup password and lose access to all your devices, the scrambled bytes on the servers become permanently unreadable. We can’t unscramble them on your behalf. See Your backup password.

How saving a name actually works

When you save a patient name, the following happens, in order:

  1. Your phone scrambles the name and MRN using your backup password’s key.
  2. The scrambled bytes are sent to the servers.
  3. Once the servers confirm the bytes arrived, your phone updates its working copy.

The servers go first. If step 2 fails, your phone doesn’t pretend a name is saved that isn’t.

What the app’s servers can see

For each of your cases, the servers see:

  • Your account
  • Procedure (free text or matched from the procedure list)
  • Date, hospital, side, role
  • Notes you typed (don’t put patient names in notes — the app warns you if you try)
  • Two blobs of scrambled bytes for the patient name and MRN

The servers do NOT see the patient name or MRN in readable form. Ever.

Recovery on a new phone

When you set your backup password during onboarding, your phone creates a key, scrambles it under your password, and uploads the scrambled key to the servers. That’s the only secret material the servers hold — useless without your password.

On a new phone:

  1. Sign in with the magic link sent to your email.
  2. Type your backup password. Your phone unscrambles the key.
  3. Your phone fetches your cases. Names appear as the list loads.

No file to copy, no backup file to download, no cloud-drive setup.

Self-correction

Occasionally the scrambled bytes on the servers were scrambled under a key that no longer exists (usually because you reset your vault at some point). The app handles this automatically: if your phone’s working copy still has the name, the app re-scrambles under your current key and quietly updates the servers. Next time the case loads, everything reads cleanly. You see nothing.

If a name is unrecoverable both on the servers and on your phone, you’ll see a Lost in reset label on that case. Tap it and you can either re-enter the name (which fixes it) or delete the case.
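
The key handling described under Recovery on a new phone and Self-correction can be sketched as follows. This is an added example, not the app's own code: the page does not name its algorithms, so scrypt and AES-256-GCM are assumptions, and every function name here is hypothetical.

```javascript
// Added example. scrypt + AES-256-GCM are assumed; the page does not name its algorithms.
const nodeCrypto = require('node:crypto');

// Encrypt with AES-256-GCM. Output layout: nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// Returns the plaintext Buffer, or null when the key is wrong or the blob was altered.
function unseal(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  try {
    return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
  } catch { return null; }
}

// Onboarding: create a random vault key and wrap it under a password-derived key.
function createVault(password) {
  const salt = nodeCrypto.randomBytes(16);
  const vaultKey = nodeCrypto.randomBytes(32);
  const kek = nodeCrypto.scryptSync(password, salt, 32);
  // Only `wrapped` would be uploaded; `vaultKey` stays on the device.
  return { vaultKey, wrapped: { salt, blob: seal(kek, vaultKey) } };
}

// New phone: re-derive the wrapping key from the typed password and unwrap.
function unlockVault(password, wrapped) {
  return unseal(nodeCrypto.scryptSync(password, wrapped.salt, 32), wrapped.blob);
}

// Loading a case: read the server blob under the current key, repair it, or flag it.
function loadName(vaultKey, serverBlob, workingCopyName) {
  const plain = unseal(vaultKey, serverBlob);
  if (plain) return { status: 'ok', name: plain.toString('utf8') };
  if (workingCopyName != null) {
    // Blob was sealed under an old key: re-seal from the working copy for re-upload.
    const reupload = seal(vaultKey, workingCopyName);
    return { status: 'repaired', name: workingCopyName, reupload };
  }
  return { status: 'lost_in_reset' };
}
```

Because the cipher is authenticated, a wrong password or a stale key is detected as a failed tag check rather than producing garbage text, which is what lets the load path choose between repair and the Lost in reset label.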

Board-ready exports

When a board, an interview panel, or a credentialing body asks for your operative experience, the app can produce two documents from your cases. Both live under Settings → Backup & recovery.

  • Logbook summary — the consolidation report: how many of each procedure you’ve done, split into performed and assisted. The header is honest about what’s being counted: “512 procedures across 460 cases” means some cases involved more than one procedure. Procedures and cases are both shown, never blurred into one number.
  • Credentialing logbook — the per-case evidence: date, MRN, age and sex, procedure, hospital, your role, and whether the case has been verified against hospital records. No patient names appear anywhere in it. The MRN is the identifier — that’s how credentialing dossiers work, and it keeps the document safe to hand over.

Before exporting, you choose the scope: a specialty (yours is preselected), a hospital (all or one), and a date range. Then either download a spreadsheet file (CSV), or open the printable report and use your browser’s print dialog to save it as a PDF. The printable report carries a signature line so a consultant or head of department can attest it on paper.

Both documents are produced entirely on your device. Your phone unscrambles the patient details under your unlocked vault, builds the document, and downloads or prints it locally. The servers play no part in the export and never see the readable result. And the exports never guess: if a case has no recorded age or sex, those cells stay blank.

What is NOT scrambled

  • The clinical content of your case — procedure, date, side, complications, notes — lives on the servers in readable form. (The servers still protect it as ordinary databases do, but not with your backup password.)
  • The list of procedures you choose from.
  • Hospitals you’ve added to your profile.
  • Your account email, display name, and specialty.

The line is drawn around what could identify a specific patient. Everything else is ordinary data.