ScribeHealth.AI Privacy Policy
Last Updated: March 18, 2025
1. Introduction
This Privacy Policy describes ScribeHealth.AI's ("ScribeHealth," "we," "us," or "our") policies and procedures on the collection, use, and disclosure of information when you use our Chrome extension and related services (collectively, the "Services"). This Privacy Policy tells you about your privacy rights and how the law protects you.
We take the privacy and security of your information seriously, particularly given the sensitive nature of medical data. Our Services are designed to help healthcare providers record, transcribe, and chart medical consultations efficiently while maintaining the highest standards of data protection and privacy.
WE DO NOT SELL YOUR DATA. We respect your privacy and the confidentiality of medical information. Your data is used only as described in this Privacy Policy to provide and improve our Services.
By using the Services, you agree to the collection and use of information in accordance with this Privacy Policy.
2. Description of Users and Acceptance of Terms
This Privacy Policy applies to:
- Visitors: Individuals who visit our website and view only publicly available content.
- Customers: Healthcare organizations or providers who have signed up to access and use our Services.
- Authorized Users: Employees and contractors of Customers who are authorized to access and use our Services.
By visiting our website, Visitors are agreeing to the terms of this Privacy Policy and our Website Terms of Use.
By accessing and/or using our Services, each Customer and Authorized User is agreeing to the terms of this Privacy Policy and our Terms of Service.
3. Chrome Extension Permissions
Our Chrome extension requires several permissions to function properly:
- activeTab: To interact with your EHR system
- desktopCapture: To record audio from medical consultations (with patient consent)
- tabCapture: To capture audio from virtual consultations
- storage: To temporarily store recordings and transcriptions
- scripting: To interact with EHR systems
- sidePanel: To provide a control interface
- offscreen: To process recordings in the background
- host permissions: To integrate with specific EHR platforms
- remote code: To update medical terminology and transcription algorithms
- tabs: To monitor navigation between EHR sections
These permissions are necessary for the core functionality of ScribeHealth.AI and are used solely for the purposes described in this Privacy Policy.
4. Information We Collect
4.1 Personal Data
When you register for and use our Services, we may collect the following types of personal information:
- Name
- Email address
- Professional credentials
- Phone number
- Healthcare organization affiliation
- Account login information
4.2 Your Data
Our Services involve the recording, transcription, and analysis of medical consultations. This includes:
- Audio recordings of medical consultations (with patient consent)
- Transcriptions of these recordings
- Structured medical notes derived from the transcriptions
- Other data you input into the Services
4.3 Usage Data
We automatically collect certain information when you use our Services, including:
- IP address
- Browser type and version
- Pages of our Services that you visit
- Time and date of your visit
- Time spent on pages
- Device information
- Unique device identifiers
- Diagnostic data
4.4 Tracking Technologies
We use cookies and similar tracking technologies to track activity on our Services and store certain information. These technologies include:
- Session Cookies: Temporary cookies that are deleted when you close your browser
- Persistent Cookies: Cookies that remain on your device until deleted
- Web Beacons: Small electronic files used to track user behavior on pages or emails
The cookies we use include:
- Necessary Cookies: Essential for providing basic functionalities
- Functional Cookies: Enable personalized features
- Analytics Cookies: Help us understand how you interact with our Services
4.5 Information Collected by Third-Party Analytics Services
We use third-party analytics services (such as Google Analytics) to evaluate your use of our Services, compile reports on activity, and analyze performance metrics. These third parties use cookies and other technologies to help analyze and provide us with data. By accessing our Services, you consent to the processing of data about you by these analytics providers in the manner and for the purposes set out in this Privacy Policy.
4.6 B2B Identification Services
We may use business-to-business (B2B) services such as R2B2, Vector, or similar tools to de-anonymize website visitors for business development purposes. These services may identify the organizations associated with IP addresses that visit our website. This information is used solely for understanding our business audience and improving our services. No personal health information is ever shared with these services.
If you wish to opt out of this type of identification, please email team@scribehealth.ai with the subject line "Opt out of B2B identification."
5. How We Use Your Information
We use the collected information for the following purposes:
- To provide and maintain our Services
- To enable the recording, transcription, and charting of medical consultations
- To manage your account and provide customer support
- To improve our transcription accuracy and AI models
- To analyze usage patterns and improve our Services
- To communicate with you regarding updates or support
- To comply with legal obligations
- To detect and prevent fraudulent or unauthorized access
- To protect the security and integrity of our Services
5.1 AI Model Training
We may use de-identified and aggregated data derived from transcriptions to improve the accuracy and effectiveness of our AI transcription and medical terminology models. This process is conducted in a secure, HIPAA-compliant environment, and no personally identifiable information or Protected Health Information (PHI) is used in model training without explicit consent.
5.2 What We Don't Do With Your Data
We do not sell your data. Unlike many digital services, ScribeHealth.AI does not sell, rent, or trade your personal information or any data collected through our Services to third parties for their marketing or advertising purposes. Your medical consultation recordings, transcriptions, and other sensitive information are used solely for providing and improving our Services.
6. Sharing Your Information
We may share your information in the following circumstances:
- With Service Providers: Third-party vendors who provide services on our behalf, such as hosting, analytics, and customer support.
- For Legal Purposes: To comply with legal obligations, protect our rights, or respond to legal process.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, where your information may be transferred as a business asset.
- With Your Consent: In other cases where we obtain your explicit consent.
All third parties with whom we share information are contractually bound to maintain the confidentiality and security of your data, particularly in compliance with HIPAA where applicable.
6.1 Key Service Providers
While we may change our service providers from time to time, key types of service providers that may have access to certain data include:
- Cloud hosting providers
- Authentication and security service providers
- Customer support platforms
- Analytics services
- Payment processors
We enter into appropriate data processing agreements with all service providers who handle personal data.
7. Data Security
We implement and maintain reasonable security measures to protect your personal information from unauthorized access, destruction, use, modification, or disclosure. These measures include:
- Encryption of data in transit and at rest
- Secure user authentication
- Regular security assessments
- Access controls and audit logs
- HIPAA-compliant data handling practices
However, no method of electronic storage or transmission is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.
8. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, including:
- To provide the Services you have requested
- To comply with legal and regulatory requirements
- To resolve disputes
- To enforce our agreements
When your data is no longer required for these purposes, we will securely delete or anonymize it.
8.1 Medical Data Retention
For medical consultation recordings and transcriptions:
- Raw audio recordings are retained for [X days/months] after transcription is complete and verified
- Transcriptions are retained according to applicable medical records retention requirements and/or your organization's data retention policies
- You may request deletion of specific recordings or transcriptions at any time, subject to applicable legal and regulatory requirements
9. Your Privacy Rights
Depending on your location, you may have certain rights regarding your personal information:
- Access: The right to know what personal information we have collected about you
- Correction: The right to request correction of inaccurate information
- Deletion: The right to request deletion of your personal information
- Data Portability: The right to receive a copy of your data in a structured format
- Objection: The right to object to the processing of your personal information
- Withdraw Consent: The right to withdraw consent at any time
To exercise these rights, please contact us using the information provided in the "Contact Us" section.
10. California Privacy Rights
If you are a California resident, you have specific rights under California law:
10.1 California Consumer Privacy Act (CCPA) Rights
The CCPA provides California residents with the following rights:
- Right to Know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell about you.
- Right to Delete: You have the right to request the deletion of your personal information that we collect or maintain.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
- Right to Opt-Out of Sale: We do not sell personal information, so there is no need to opt out.
To submit a request under the CCPA, please contact us at privacy@scribehealth.ai or through the methods listed in the "Contact Us" section.
10.2 California Shine the Light Law
California Civil Code Section 1798.83 permits users who are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to privacy@scribehealth.ai.
10.3 California Online Privacy Protection Act (CalOPPA)
We comply with CalOPPA by providing this Privacy Policy that covers how we collect, use, disclose, and store your information. We also respond to "Do Not Track" signals as described in Section 15.
11. European Union Privacy Rights (GDPR)
If you are a resident of the European Economic Area (EEA), you have certain data protection rights under the General Data Protection Regulation (GDPR):
11.1 Legal Basis for Processing
We process your personal data on the following legal bases:
- Consent: Where you have given us explicit consent to process your personal data.
- Contract: Where processing is necessary for the performance of a contract with you.
- Legal Obligation: Where processing is necessary for compliance with a legal obligation.
- Legitimate Interests: Where processing is necessary for our legitimate interests and does not override your fundamental rights and freedoms.
11.2 Data Subject Rights
As an EEA resident, you have:
- Right to Access: The right to request copies of your personal data.
- Right to Rectification: The right to request correction of inaccurate information.
- Right to Erasure: The right to request deletion of your personal data in certain circumstances.
- Right to Restrict Processing: The right to request restriction of processing in certain circumstances.
- Right to Data Portability: The right to receive your personal data in a structured format.
- Right to Object: The right to object to processing based on legitimate interests or direct marketing.
- Rights Related to Automated Decision-making: The right not to be subject to a decision based solely on automated processing.
11.3 Data Transfers Outside the EEA
When we transfer your personal data outside the EEA, we ensure a similar degree of protection by implementing appropriate safeguards, including:
- Standard Contractual Clauses approved by the European Commission
- Binding Corporate Rules for transfers within our group of companies
- Consent mechanisms when applicable
11.4 Supervisory Authority
If you believe our processing of your personal data infringes data protection laws, you have the right to lodge a complaint with a supervisory authority in your country of residence, place of work, or place of the alleged infringement.
12. Children's Privacy
Our Services are not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without verification of parental consent, we take steps to remove that information from our servers.
13. International Data Transfers
Your information may be transferred to and processed in countries other than the country in which you reside. These countries may have data protection laws that differ from those in your country.
By using our Services, you consent to the transfer of your information to the United States where our servers are located. We ensure appropriate safeguards are in place to protect your information when transferred internationally.
14. Cookie Management
Most web browsers allow some control of most cookies through browser settings. You can manage cookies in the following ways:
- Browser Settings: You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies.
- Opt-Out Links: For third-party cookies, you can follow the opt-out links provided in Section 4.5.
- Analytics Opt-Out: For Google Analytics specifically, you can use the Google Analytics Opt-Out Browser Add-on available at: https://tools.google.com/dlpage/gaoptout.
Note that if you disable or refuse cookies, some parts of our Services may become inaccessible or not function properly.
15. Do Not Track Signals
Some browsers feature a "Do Not Track" (DNT) setting that signals to websites that you do not want to have your online activity tracked. Because there is not yet a common understanding of how to interpret DNT signals, we do not currently respond to DNT signals. However, we continue to monitor developments in this area and may revisit our policy as standards evolve.
16. Links to Other Websites
Our Services may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the privacy policy of every site you visit.
We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. These links are provided solely for your convenience and do not imply endorsement of the linked websites.
17. HIPAA Compliance
ScribeHealth.AI is designed to be HIPAA-compliant. We implement physical, technical, and administrative safeguards as required by HIPAA to protect the confidentiality, integrity, and availability of protected health information (PHI).
Our HIPAA compliance program includes:
- Regular risk assessments
- Employee training
- Business Associate Agreements with relevant service providers
- Encryption of PHI
- Access controls and audit logs
17.1 Business Associate Agreements
We enter into Business Associate Agreements (BAAs) with healthcare providers who use our Services. These agreements establish the permitted and required uses and disclosures of PHI, provide that we will not use or disclose PHI other than as permitted or required by the BAA or as required by law, and require appropriate safeguards to prevent unauthorized use or disclosure of PHI.
18. Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date.
We will also notify you via email and/or a prominent notice on our Services before the changes become effective. You are advised to review this Privacy Policy periodically for any changes.
19. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
Email: privacy@scribehealth.ai
Data Protection Officer
To communicate with our Data Protection Officer, please email team@scribehealth.ai.
By using ScribeHealth.AI, you acknowledge that you have read and understand this Privacy Policy and agree to its terms.