Privacy Policy

Last updated: March 28, 2026

Contents

  1. Overview
  2. Information We Collect
  3. Protected Health Information (PHI)
  4. How We Use Your Data
  5. AI Model Training & Improvement
  6. Data Sharing & Third-Party Processors
  7. Subprocessor Changes
  8. Data Security
  9. Data Retention & Deletion
  10. Breach Notification
  11. Cookies & Session Management
  12. HIPAA Compliance
  13. Your Rights Under HIPAA
  14. Data Location & Transfer
  15. State Privacy Laws
  16. Children's Privacy
  17. Changes to This Policy
  18. Contact

1. Overview

This Privacy Policy describes how Scribe360 collects, uses, stores, and protects information — including Protected Health Information (PHI) — when you use our AI medical scribe platform. We are committed to HIPAA compliance and the responsible handling of patient data.

This policy should be read alongside our Terms of Service (which includes the Business Associate Agreement) and our HIPAA Compliance page.

2. Information We Collect

Account Information

  • Name, email address, and password (hashed, never stored in plaintext)
  • Practice name, NPI number, specialty, role, and owner status
  • Practice address and phone (optional, entered by practice owner)
  • Acknowledgment records (version and timestamp)

Clinical Data (PHI)

  • Patient names, dates of birth, gender, and guardian information
  • Audio recordings of patient encounters (temporary — deleted after physician approval)
  • Encounter transcripts with speaker diarization
  • AI-generated SOAP notes, ICD-10/CPT code suggestions, E/M levels, medications, follow-up items, and after-visit summaries
  • Physician edits to AI-generated content (tracked per section with timestamps)
  • Per-section feedback ratings (thumbs up/down with optional comments)

Usage Data

  • Login timestamps, session duration, IP addresses
  • Encounter creation, approval, and transfer activity
  • Feature usage patterns (anonymized)

We do not collect: social media profiles, advertising identifiers, location data, device fingerprints, or any data from third-party tracking services.

3. Protected Health Information (PHI)

Scribe360 processes PHI as part of clinical documentation. We handle PHI in accordance with HIPAA requirements:

  • Minimum necessary — we collect only the PHI needed for documentation
  • Access controls — PHI is accessible only to authorized users within the patient's practice
  • Practice isolation — all encounters are scoped to a single practice; no cross-practice data access
  • Audit trail — every access to PHI is logged immutably
  • No PHI in logs — application logs are scrubbed of patient data via PhiLogTarget
  • No PHI in errors — error responses never expose patient data

4. How We Use Your Data

  • Provide the medical scribe service (transcription, SOAP generation, code suggestions, after-visit summaries)
  • Manage your account and practice membership
  • Send transactional emails (verification, invitations, password reset, security alerts)
  • Send marketing communications to free tier users (product updates, feature announcements, upgrade offers) — you may opt out at any time via the unsubscribe link in each email
  • Maintain security and prevent unauthorized access
  • Generate aggregate, de-identified usage statistics to improve the service
  • Comply with legal obligations

We do not use PHI for marketing, advertising, or any purpose unrelated to clinical documentation. We do not sell your data to third parties.

Legal disclosures. We may disclose your data if required by law, subpoena, court order, or government investigation. In such cases, we will notify you before disclosure unless legally prohibited from doing so, and will make reasonable efforts to narrow the scope of any compelled disclosure.

5. AI Model Training & Improvement

Scribe360 uses third-party AI models (Google Gemini and Anthropic Claude) for SOAP note generation. Regarding AI training:

  • Third-party model training: Our agreements with AI providers (Google, Anthropic) prohibit them from using PHI submitted through our service to train their general models. PHI is processed under BAAs and used only to generate your output.
  • Our own improvement: We may use de-identified data (with all 18 HIPAA identifiers removed per the Safe Harbor method) to improve our prompt templates, specialty keyword lists, and documentation accuracy. This data cannot be traced back to any individual patient.
  • Feedback data: Per-section feedback ratings you provide (thumbs up/down) are used to evaluate and improve AI output quality. Feedback is linked to encounter data only in de-identified form.

We do not fine-tune or train custom AI models on your identifiable PHI.

6. Data Sharing & Third-Party Processors

We share data with third-party service providers only as necessary to operate the service. All processors handling PHI are bound by Business Associate Agreements:

Provider         Purpose                               Data Shared                             BAA
Deepgram, Inc.   Audio transcription (ASR)             Encounter audio                         Yes
Google LLC       AI SOAP generation (Gemini)           Encounter transcript, patient context   Yes
Anthropic, PBC   AI SOAP generation fallback (Claude)  Encounter transcript, patient context   Yes

We do not sell, rent, or share your data with third parties for their marketing purposes. Transactional emails (verification, invitations, password reset) are sent via our own mail server and contain no PHI.

7. Subprocessor Changes

We will notify you by email at least 30 days before engaging a new subprocessor that handles PHI. You may object within 15 days of notification. If you object and we cannot reasonably accommodate your concern, you may terminate your account with a full data export.

8. Data Security

  • Encryption in transit: TLS for all data transmission
  • Encryption at rest: Full-disk encryption (encrypted VDI on dedicated servers)
  • Authentication: Bcrypt password hashing (cost factor 13), session timeouts
  • Access control: Role-based permissions via custom AccessManager, practice-scoped data isolation
  • Audit logging: Immutable audit trail for all PHI access, retained a minimum of 3 years
  • Session security: HttpOnly, Secure (production), SameSite=Lax cookies
  • CSRF protection: Token-based CSRF validation on all state-changing requests
  • Rate limiting: Brute-force protection on authentication and API endpoints
  • Anti-enumeration: Generic error messages on login, password reset, and email verification (HIPAA anti-enumeration)

9. Data Retention & Deletion

  • Audio recordings: Deleted promptly after the physician approves the encounter. Not retained for replay.
  • Encounter data: Retained while your account is active. Available for export. Soft-deleted encounters have a 30-day grace period before permanent deletion.
  • Transcripts & SOAP notes: Retained as part of encounter data for the life of the account.
  • Audit logs: Retained for a minimum of 3 years (configurable per compliance requirements). Immutable — cannot be edited or deleted.
  • Account data: Retained while the account is active. Disabled accounts are preserved for audit trail integrity.
  • After account closure: 30-day data export window, then permanent deletion from active systems. Backup copies purged within 7 days of active deletion.

10. Breach Notification

In the event of a Breach of Unsecured PHI (as defined in 45 CFR 164.402):

  • We will notify the affected Covered Entity (practice) within 10 business days of discovering the breach
  • Notification will include: identification of affected individuals (to the extent known), types of PHI involved, description of what occurred, steps taken to investigate and mitigate, and contact information
  • We will cooperate with your breach notification obligations to affected individuals and HHS under 45 CFR 164.404-408
  • For security incidents that do not rise to the level of a Breach, we will notify you within a reasonable timeframe and provide details of the incident and remediation

11. Cookies & Session Management

Scribe360 uses essential cookies only:

  • Session cookie — maintains your login session (HttpOnly, Secure in production, SameSite=Lax)
  • CSRF token — prevents cross-site request forgery attacks

We do not use tracking cookies, analytics cookies, advertising cookies, or third-party cookies of any kind. We do not use Google Analytics, Facebook Pixel, session replay tools, or any third-party analytics or advertising services.

12. HIPAA Compliance

Scribe360 is designed and operated as a HIPAA-compliant service. Key safeguards include:

  • Administrative safeguards — access policies, role-based permissions, physician acknowledgment, team management with owner hierarchy
  • Physical safeguards — encrypted storage on dedicated servers, access-controlled infrastructure
  • Technical safeguards — encryption, audit logging, session management, PHI-stripping log targets, anti-enumeration, rate limiting
  • Business Associate Agreements with all third-party providers handling PHI (see Section 6)
  • Minimum necessary standard — data access limited to what is needed for the specific function

For detailed information, see our HIPAA Compliance page and the Business Associate Agreement in our Terms of Service.

13. Your Rights Under HIPAA

As a user and Covered Entity, you and your patients have rights regarding PHI. We support the following HIPAA individual rights:

  • Right of access — you may request copies of PHI we maintain on behalf of your practice (45 CFR 164.524). We will respond within 15 business days.
  • Right to amendment — you may request amendments to PHI if you believe it is inaccurate or incomplete (45 CFR 164.526).
  • Right to accounting of disclosures — you may request an accounting of disclosures of PHI we have made on behalf of your practice (45 CFR 164.528).
  • Right to restriction — you may request restrictions on certain uses and disclosures of PHI (45 CFR 164.522). We will accommodate agreed-upon restrictions.
  • Right to confidential communications — you may request that we communicate with you through alternative means or at alternative locations.
  • Right to data export — you may export your encounter data at any time via the service, or request a full export in CSV/JSON format.
  • Right to account deletion — you may request deletion of your account and data, subject to legal retention requirements for audit logs.

To exercise any of these rights, contact us or email support@scribe360.app.

14. Data Location & Transfer

All Scribe360 data is stored and processed in the United States. We do not transfer PHI outside of the United States.

Third-party processors (Deepgram, Google, Anthropic) process data in the United States under BAAs that require US-based processing of PHI.

If you access the service from outside the United States, you acknowledge that your data will be transferred to and processed in the United States, which may have different data protection laws than your jurisdiction.

15. State Privacy Laws

In addition to HIPAA, certain state privacy laws may apply to your use of Scribe360:

California (CCPA/CPRA). PHI collected and processed in compliance with HIPAA is exempt from the California Consumer Privacy Act. Non-PHI account and usage data for California residents is subject to CCPA. California residents have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell personal information. To exercise CCPA rights, contact us.

Texas (TDPSA). The Texas Data Privacy and Security Act provides similar rights for Texas residents regarding non-PHI personal data. HIPAA-covered data is exempt.

If additional state privacy laws apply to you, contact us and we will work with you to address your requirements.

16. Children's Privacy

Scribe360 does not knowingly collect personal information directly from children under 13. The service processes pediatric patient data as part of clinical documentation, which is handled under HIPAA regulations and the patient-physician relationship. Access to pediatric patient data requires appropriate guardian consent, obtained by the treating physician.

17. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email and in-app notification at least 30 days before taking effect. Your continued use of the service after the effective date constitutes acceptance. Previous versions of this policy are available upon request.

18. Contact

For privacy-related questions, HIPAA rights requests, or to report a security concern:

  • Contact form
  • Email: support@scribe360.app

© Scribe360 2026
