Privacy Policy

Our commitment to protecting your personal information and healthcare data in compliance with HIPAA, GDPR, PIPEDA, and other applicable privacy regulations.

Last Updated: June 19, 2026 | Version v2026.06

PRIVACY POLICY

Transcribe Health Corporation

Effective Date: December 1, 2024 Last Updated: June 19, 2026

1. INTRODUCTION AND ACCEPTANCE

This Privacy Policy ("Policy") constitutes a legally binding agreement between you and Transcribe Health Corporation, a corporation incorporated under the federal laws of Canada ("Transcribe Health," "Company," "we," "us," or "our"), governing the collection, use, disclosure, and protection of information through our AI-powered medical transcription and clinical documentation platform, including all associated services, software, applications, APIs, and websites (collectively, the "Services").

BY ACCESSING OR USING THE SERVICES, YOU EXPRESSLY ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE LEGALLY BOUND BY THIS POLICY. IF YOU DO NOT AGREE, YOU MUST IMMEDIATELY DISCONTINUE ALL USE OF THE SERVICES.

2. SCOPE, APPLICABILITY AND COVERED ENTITY RELATIONSHIPS

This Privacy Policy is NOT a Notice of Privacy Practices (NPP). When Transcribe Health processes Protected Health Information, it does so as a Business Associate on behalf of a healthcare provider (the Covered Entity). The HIPAA Notice of Privacy Practices that describes how medical information about a patient may be used and disclosed, and how a patient can access that information, is issued by the patient's own healthcare provider, not by Transcribe Health. Patients should obtain the NPP from their healthcare provider. This Policy explains how Transcribe Health, as a service provider to those providers, handles information.

2.1 Scope of Application

This Policy applies to all interactions with our Services by:

  • Licensed healthcare providers and medical professionals
  • Healthcare organizations, clinics, hospitals, and medical facilities
  • Patients whose information is processed through our Services
  • Business associates and third-party integrators
  • Visitors to our websites and applications
  • Employees and contractors of covered entities

2.2 HIPAA Business Associate Status

When we process Protected Health Information ("PHI") on behalf of Covered Entities or other Business Associates, we function as a Business Associate under HIPAA. We maintain executed Business Associate Agreements ("BAAs") with all applicable clients, which supersede this Policy to the extent of any conflict regarding PHI handling.

2.3 Jurisdictional Coverage

This Policy applies globally, with specific provisions for:

  • United States: HIPAA, HITECH Act, state medical privacy laws
  • European Union/EEA: GDPR compliance
  • Canada: PIPEDA and provincial privacy legislation
  • Other jurisdictions: Local data protection laws as applicable

3. DEFINITIONS

For purposes of this Policy:

  • "AI Systems" means our proprietary and licensed artificial intelligence, machine learning, and natural language processing technologies
  • "Aggregate Data" means data that has been combined and analyzed in a way that individual patients cannot be identified
  • "Business Associate" has the meaning defined under HIPAA
  • "Clinical Documentation" means medical notes, transcriptions, summaries, and related healthcare records
  • "Covered Entity" has the meaning defined under HIPAA
  • "De-identified Data" means data that has been processed to remove all 18 HIPAA identifiers
  • "PHI" or "Protected Health Information" has the meaning defined under HIPAA
  • "Personal Information" means any information relating to an identified or identifiable natural person
  • "Voice Data" means audio recordings, voice patterns, and acoustic characteristics

4. INFORMATION WE COLLECT

4.1 Healthcare Provider Information

  • Professional credentials (NPI numbers, DEA numbers, medical licenses, board certifications)
  • Practice information (specialty, affiliations, hospital privileges)
  • Authentication credentials and security tokens
  • Voice recordings for transcription
  • Usage patterns and preferences
  • Billing and payment information

4.2 Patient Health Information

  • Demographic information (name, date of birth, contact details)
  • Medical record numbers and identifiers
  • Clinical encounter audio recordings
  • Medical history, diagnoses, treatments, and medications
  • Laboratory results and imaging reports
  • Insurance and billing information
  • Care plans and clinical notes

4.3 Voice and Audio Data

  • Real-time audio streams from clinical encounters
  • Recorded consultations and medical dictations
  • Voice characteristics for speaker separation
  • Acoustic metadata (quality, duration, timestamps)
  • Environmental audio context (with consent)
  • Browser-extension audio capture: where you install our Chrome extension, clinical-encounter audio is captured in the browser, encrypted in the browser before any data leaves your device, transmitted as ciphertext to our backend, and decrypted only inside our Canadian processing environment. Encryption keys are scoped to your active session and never leave your device. Any locally buffered audio is purged once upload to our backend is confirmed; we do not maintain a persistent on-device store of the audio outside the active session.

4.4 AI Processing Data

  • Transcription outputs and confidence scores
  • Clinical insights and suggested diagnoses codes
  • Natural language processing results
  • Model training feedback and corrections
  • Quality assurance annotations
  • Assistant conversation data: questions you submit through the standalone Assistant chat (which may include patient context entered as free text and constituting PHI), the AI-generated responses returned to you, the public medical literature citations attached to those responses, conversation titles, timestamps, and the ordered message history within a conversation. Assistant conversations are persistent and remain accessible to you across sessions until you delete them or your account is closed.

4.5 Technical and Usage Data

  • Device identifiers and hardware information
  • IP addresses and network information
  • Browser type and operating system
  • Session recordings (with consent)
  • Feature usage and interaction patterns
  • Performance metrics and error logs
  • Integration logs with EHR/EMR systems
  • Chrome extension telemetry and audit metadata: where the extension is installed, we collect non-content metadata associated with each capture or insertion event, including a recording session identifier, the detected EHR system, the extension version, capture and insertion timestamps, inactivity-timeout events, and integrity hashes used to maintain a tamper-evident audit log. Audit-log entries are retained locally on your device for a limited rolling window and mirrored to our server-side audit log on the same retention basis as other PHI-access logs.

4.6 Third-Party Integration Data

  • EHR/EMR system data from supported integrations
  • Practice management system information
  • Laboratory and imaging system interfaces
  • Pharmacy and prescription data
  • Insurance eligibility and claims data

5. AI-SPECIFIC DATA PROCESSING

5.1 AI Model Training and Improvement

We employ the following approaches to AI model training and improvement:

  • Third-Party AI Processing: We use established AI providers (such as Anthropic and Google Cloud Vertex AI) under Business Associate Agreements for transcription processing, clinical note generation, and Assistant chat responses
  • Data Minimization: Only the minimum necessary data is sent to AI providers for processing, and no PHI is retained by AI providers beyond the processing session
  • No Persistent Training on PHI: Your patient data is not used to train general-purpose AI models
  • De-identified Data Only: Any aggregate analysis or model improvement uses fully de-identified data in accordance with HIPAA safe harbor requirements
  • Assistant Conversation Context: To generate coherent multi-turn answers, the Assistant feature transmits the current question together with prior messages from the same conversation (the conversation-history context window) to the third-party AI provider on each request. Conversation history is stored on our infrastructure in Canada and is sent to the AI provider only at the moment of processing — providers under our zero-retention contractual terms do not retain it. Only the messages from the specific conversation you are currently using are included; we do not concatenate or share content across separate conversations, across users, or across organizations.
  • Medical Literature Retrieval: To produce evidence-based citations alongside Assistant answers, we maintain a local index of de-identified medical literature metadata inside our Canadian infrastructure, queried using your raw question (which never leaves our infrastructure), and we supplement that index with calls to public, non-PHI-receiving medical-research APIs. Calls to those public APIs carry only PHI-scrubbed query variants derived from your question (for example, a generic drug name or symptom phrase) — never the raw question, patient context, user identifiers, organization identifiers, conversation identifiers, or any other Personal Information.

5.2 Voice Processing

  • Voice data is processed using advanced acoustic models for accurate transcription
  • Speaker diarization to distinguish between multiple speakers
  • Acoustic data retained only for the minimum necessary period

5.3 Clinical Intelligence Generation

Our AI systems generate:

  • Automated clinical documentation and SOAP notes
  • ICD-10/CPT coding suggestions
  • Clinical decision support insights (not medical advice)
  • Quality measure tracking and reporting
  • Population health analytics (aggregate only)
  • Evidence-based Q&A with literature citations: through the standalone Assistant chat, AI-generated answers to clinical questions, accompanied by citations to public medical literature sources. Citations are surfaced so you can independently verify the source material. As with all AI output we generate, these answers are informational, are not medical advice, and must be reviewed by a qualified healthcare professional before being relied upon in patient care.

5.4 De-identification and Anonymization

  • Automated removal of all 18 HIPAA identifiers
  • Expert determination method for complex cases
  • Synthetic data generation for model training
  • K-anonymity and l-diversity techniques
  • Regular audits of de-identification effectiveness

5.5 Model Transparency and Explainability

  • Audit logs of all AI-generated content
  • Confidence scores and uncertainty quantification
  • Explainable AI features showing decision rationale
  • Human-in-the-loop review options
  • Regular bias testing and fairness audits

5.6 Automated Decision-Making and Artificial Intelligence (ADMT)

This section provides the information required by GDPR Article 13(2)(f), Quebec Law 25 § 12.1, and applicable California automated-decision-making rules. It describes how we use AI and automated processing, the logic involved, and the consequences for you.

Where we use AI. The Services use artificial intelligence and automated processing in four places:

  • Speech-to-text transcription of clinical-encounter audio into text;
  • Clinical-note and document generation, including structured SOAP-style notes from a transcript;
  • Medical-coding suggestions (for example, suggested ICD-10 / CPT codes); and
  • The standalone Assistant, which answers clinical questions and returns AI-generated responses, and may surface citations to source material.

The logic involved (plain-language). Audio is converted to text by automatic speech-recognition models. The resulting text is then processed by large language models, operated by our AI subprocessors under Business Associate Agreements and zero-retention contractual terms (see § 5.1 and § 8.2), to draft notes, suggest codes, or answer Assistant questions. Our AI providers do not retain your data after a request is processed and do not train their models on it.

Significance and consequences for you. These features are clinical-documentation and decision-support aids; they do not make decisions about any individual and do not replace professional judgment. Every AI output (transcript, note, code suggestion, or Assistant answer) is informational and must be reviewed and validated by a qualified healthcare professional before it is relied upon in patient care. Human review is a contractual requirement under our Business Associate Agreement (human-in-the-loop).

No solely-automated decisions with legal or similarly significant effect. We do not make decisions about you that produce legal effects or similarly significantly affect you (such as eligibility, denial of care, or pricing) based solely on automated processing without human involvement, within the meaning of GDPR Article 22. The AI features above are advisory and are always subject to professional human review.

Your right to be informed and to submit observations (Quebec Law 25 § 12.1). Where a decision affecting you is based on automated processing of your personal information, you have the right to be informed of that fact, to be informed of the personal information used and the principal factors that led to the decision, and to submit observations to a member of our personnel who is able to review the decision. To exercise this right, or to request human review of any AI-assisted output that concerns you, contact our privacy contact using the details in § 23.

6. LEGAL BASIS AND LAWFUL PROCESSING

6.1 HIPAA Permitted Uses

We process PHI under HIPAA's permitted uses for:

  • Treatment activities as directed by healthcare providers
  • Healthcare operations including quality improvement
  • Payment activities including claims processing
  • As required by law or court order
  • Public health activities as permitted
  • Health oversight activities
  • Research with appropriate authorization

6.2 GDPR Legal Bases

For EU/EEA residents, we process data based on:

  • Performance of contract (service delivery)
  • Legal obligations (regulatory compliance)
  • Vital interests (emergency medical situations)
  • Legitimate interests (security, fraud prevention)
  • Explicit consent (marketing, optional features)
  • Special category data processed under Article 9(2)(h) for healthcare

6.3 Consent and Authorization

  • Informed consent obtained for voice recording
  • HIPAA authorizations for uses beyond treatment, payment, and operations
  • Granular consent for optional features
  • Parental consent for minors where required
  • Opt-in consent for marketing communications

7. USE OF INFORMATION

7.1 Primary Service Delivery

  • Real-time medical transcription and documentation
  • Clinical note generation and structuring
  • Medical coding assistance and validation
  • Integration with healthcare IT systems
  • Provider workflow optimization
  • Quality assurance and accuracy improvement
  • Standalone Assistant chat: answering clinical questions you submit through the persistent Assistant chat surface, retrieving relevant excerpts from public medical literature sources, returning AI-generated responses with literature citations, persisting the resulting conversations so you can list, resume, and review them later, and providing the conversation-history context required to generate coherent multi-turn answers within a conversation

7.2 AI and Machine Learning

  • Training and improving transcription models
  • Enhancing medical terminology recognition
  • Developing clinical intelligence features
  • Reducing bias and improving fairness
  • Creating specialty-specific models
  • Generating aggregate insights (fully de-identified)

7.3 Security and Compliance

  • Identity verification and authentication
  • Fraud detection and prevention
  • Security incident investigation
  • HIPAA compliance auditing
  • Regulatory reporting obligations
  • Risk assessment and mitigation

7.4 Business Operations

  • Billing and payment processing
  • Customer support and service
  • Product development and improvement
  • Analytics and performance monitoring
  • Legal compliance and dispute resolution
  • Corporate transactions (with appropriate safeguards)

8. DISCLOSURE AND SHARING

8.1 Healthcare Ecosystem Sharing

We share information within the healthcare ecosystem solely as permitted by HIPAA and applicable law:

  • Referring and consulting physicians
  • Healthcare facilities and hospitals
  • Laboratories and imaging centers
  • Pharmacies (for medication-related information)
  • Health information exchanges (HIEs)
  • Accountable care organizations (ACOs)

8.2 Service Provider Disclosures

We engage carefully vetted service providers under strict contractual obligations:

  • Cloud infrastructure providers (Google Cloud Platform)
  • AI/ML processing services (Anthropic, Google Cloud Vertex AI - with BAAs where applicable)
  • Content delivery and security services (Cloudflare)
  • Payment processors (Stripe - PCI-DSS Level 1 compliant)
  • Demo scheduling: Cal.com (open-source, self-hosted on Transcribe Health infrastructure in Canada). When you book a product demo via our /demo page, your name, email address, optional booking responses, and selected meeting time are stored on this self-hosted instance.
  • Calendar synchronization: Google Workspace and Google Calendar API (United States). Demo meeting events are synced to a Transcribe Health staff member's Google Calendar so they can host the meeting; Google receives the attendee name, email, and meeting time.
  • Authentication and Sign-In Services: Google Identity Services / Google Sign-In (United States). When you visit our sign-in or sign-up pages, we may display a Google "One Tap" prompt if you are signed into a Google account in your browser. Loading this prompt involves loading code from accounts.google.com; Google receives your IP address, user-agent, and the fact that you visited our authentication page. We load Google Identity Services only on /signin and /signup — not on any other page of our site. The same applies if you click the "Sign in with Google" button. You can disable Google One Tap in your Google account settings or by signing out of your Google account in this browser.
  • Transactional email delivery: Purelymail (United States). Booking confirmations, password reset emails, and similar service messages are routed through this SMTP relay.
  • Customer support and live chat: Chatwoot (open-source, self-hosted on Transcribe Health infrastructure in Canada).
  • Security and monitoring services
  • Professional service firms (under confidentiality)

8.2.1 Subprocessors

For the canonical, continuously-maintained list of our subprocessors under GDPR Art. 28(2) and the equivalent obligations under PIPEDA Principle 4.8 and HIPAA Business Associate arrangements, please refer to our public Trust Center:

trust.transcribe.health/trust/ze9crmjAAAEAFgAAAZzRSS9ZuLmCU8ZM

The Trust Center is the source of truth; the list in § 8.2 is a non-exhaustive summary that may lag the Trust Center between policy revisions. Material changes (adding a new subprocessor that processes ePHI or personal data of EU/Canada/California residents) trigger an advance notice through the agreement-update process described in § 24.

AI-inference subprocessors and cross-border processing. Our AI inference, transcription, clinical-note generation, and Assistant features transmit content to two AI subprocessors at the moment of processing: Google Cloud Vertex AI and Anthropic. Both process Protected Health Information under a Business Associate Agreement and under zero-retention terms (they retain nothing after a request completes and do not train on your data). To the extent this AI-inference flow involves processing of Quebec residents' personal information outside Quebec, it is among the cross-border flows covered by the Privacy Impact Assessment we maintain under Quebec Law 25 (see § 8.2.2). This naming of the AI-inference flow is consistent with our Trust Center and with Schedule C of our Data Processing Agreement.

8.2.2 Cross-Border Data Transfers

Our primary infrastructure resides in Canada. Some of the service providers listed above process limited personal information in the United States — specifically Google Workspace (calendar synchronization), Google Identity Services (authentication / Sign in with Google / One Tap), and Purelymail (transactional email delivery). For these transfers, we rely on the providers' published Data Processing Addenda and Standard Contractual Clauses where applicable. For Quebec residents, we maintain a Privacy Impact Assessment under Quebec Law 25 (§ 3.3 and § 17) covering these flows. You may request a summary by contacting our Security Officer.

8.3 Legal and Regulatory Disclosures

We may disclose information when required by:

  • Court orders, subpoenas, or legal process
  • Government investigations or audits
  • Public health authorities
  • Health oversight agencies
  • Law enforcement (with appropriate legal basis)
  • National security or intelligence agencies

8.4 Business Transfers

In connection with any merger, acquisition, or sale of assets:

  • Due diligence under strict confidentiality
  • Successor entities bound by this Policy
  • Notice provided of any material changes
  • Opportunity to request data deletion where permitted
  • Continued protection under applicable BAAs

9. DATA SECURITY AND SAFEGUARDS

9.1 Technical Security Measures

We implement industry-leading security including:

  • Encryption: AES-256 at rest, TLS 1.3+ in transit
  • Client-side encryption (Chrome extension): where our Chrome extension captures clinical-encounter audio, audio is encrypted in the browser before transmission, so ciphertext rather than plaintext crosses the network. Encryption keys are session-scoped and never leave your device.
  • Tamper-evident audit log: extension-side audit log entries are integrity-protected so that local tampering with the audit trail is detectable on upload reconciliation.
  • Multi-Factor Authentication: Required for all PHI access
  • Network Security: Next-generation firewalls, IDS/IPS, DDoS protection
  • Endpoint Protection: EDR, anti-malware, device management
  • Vulnerability Management: Continuous scanning and patching
  • Secure Development: SAST, DAST, dependency scanning

9.2 Administrative Safeguards

  • Security officer designation and responsibilities
  • Security awareness training (self-directed for the current single-person team and scheduled in the compliance calendar; formal tracked training as the workforce grows)
  • Access management and least privilege principles
  • Sanction policies for violations
  • Regular risk assessments and audits
  • Business continuity and disaster recovery plans
  • Incident response procedures

9.3 Physical Security

  • Data center security with industry-standard protections
  • Environmental controls and monitoring
  • Media disposal and sanitization procedures
  • Facility access controls and surveillance
  • Workstation security policies
  • Mobile device management

9.4 Compliance Program

Our compliance program includes:

  • HIPAA Security Rule and Privacy Rule compliance (active)
  • SOC 2 Trust Services Criteria (pursuing alignment; Type II attestation in progress)
  • PIPEDA and provincial health privacy legislation compliance (active)
  • NIST Cybersecurity Framework alignment (active)
  • ISO 27001/27701 certification (roadmap)
  • HITRUST CSF certification (roadmap)

10. DATA RETENTION AND DELETION

10.1 Retention Periods

The Services are not a system of record. We retain Personal Information only as long as needed to deliver the Services and meet our legal obligations. The table below states the retention period and the justification for each category. Healthcare providers remain responsible for retaining patient records in their own certified medical-record system per applicable law.

| Data category | Retention period | Basis / justification | |---|---|---| | Audio recordings (clinical-encounter audio) | Automatically and permanently deleted 90 days after transcription completes. Your organization may optionally enable earlier auto-deletion in 1-30 day windows (disabled by default). | Default mandatory window enforced platform-wide; optional earlier window supports data-minimization (GDPR Art. 5(1)(e), PIPEDA Principle 4.5, Quebec Law 25). | | Transcriptions and session records (contain PHI) | Retained 7 years, then automatically deleted (subject to a 6-year HIPAA minimum). | HIPAA documentation floor; provider record-keeping support. | | AI-generated clinical notes / documents (contain PHI) | Same as the transcript they derive from (7 years, optional earlier deletion as above). | Treated as part of the clinical record produced from the encounter. | | Assistant conversations (questions, AI responses, citations, history) | Persist until you delete them or 30 days after account closure. | Service delivery (you can resume conversations); minimized to the active relationship. | | Chrome-extension audit / telemetry metadata (session ID, EHR detected, version, timestamps, integrity hashes) | Server-side: 6 years on the same basis as other PHI-access logs. On-device: limited rolling window, purged automatically. | HIPAA audit-control requirement, 45 CFR 164.312(b). | | Account data (provider profile, credentials, preferences) | Duration of the account; deleted within 30 days of account closure, except where law requires retention. | Service delivery and contract. | | Billing data (via Stripe) | Retained as required by tax / financial-record law (typically 7 years). | Legal obligation; Stripe processes billing only. | | Cal.com demo-booking data (name, email, responses, meeting time) | Retained for 24 months after the demo, then deleted; deleted earlier on request. | Self-hosted in Canada; pre-sales contact, storage-limitation default. | | Marketing data | Until consent withdrawal, plus any period required by law. | Consent (opt-in). | | CASL suppression list (unsubscribed recipients) | Indefinite. | Required to honour unsubscribe requests under Canada's Anti-Spam Law (CASL § 6). | | Audit logs (security / HIPAA) | Minimum 6 years. | HIPAA Security Rule documentation retention, 45 CFR 164.312(b) and 164.530(j). | | De-identified / aggregate data | May be retained indefinitely. | No longer Personal Information once de-identified to the HIPAA standard. |

Account closure and PHI. Closing an account does not shorten any PHI-retention period. The mandatory 90-day audio, 7-year transcript/clinical-note, and 6-year audit-log periods run to completion regardless of account status. On termination, final disposition of Protected Health Information (return or destruction) follows the return-or-destroy provision of the applicable Business Associate Agreement, not the account-closure timelines above.

HIPAA does not itself prescribe a minimum retention period for PHI in patient records; the record-retention obligations applicable to your practice are set by state, provincial, and professional regulations. The residual-backup treatment in § 10.2 applies to all categories above and does not extend any of these periods; residual encrypted backups age out on a bounded cycle.

10.2 Deletion and Disposal

  • Cryptographic erasure for encrypted data
  • Physical destruction of storage media
  • Secure overwriting procedures
  • Certificate of destruction provided
  • Audit trail of deletion activities
  • Third-party verification where applicable

When data is deleted from our active systems under Section 10.1 or in response to a deletion request, residual copies may persist in our encrypted backups until those backup sets expire on their normal schedule (object-storage backups within 30 days; database backups within 14 days). Individual records cannot be excised from an encrypted backup snapshot; backups are encrypted, access-controlled, and disposed of using the methods above when they age out. This residual-backup window is the standard treatment for backup media under HIPAA and PIPEDA and does not extend the retention periods described in Section 10.1.

11. INTERNATIONAL DATA TRANSFERS

11.1 Data Residency

Our production environment runs on a single Canadian-resident infrastructure stamp:

  • All Personal Health Information at rest — Postgres records, MinIO object storage, Redis caches, audit logs — lives on Canadian infrastructure under PIPEDA / Quebec Law 25
  • Audio transcription (speech-to-text) runs on self-hosted infrastructure within the Canadian stamp; raw audio never leaves Canada
  • AI inference jurisdiction is decoupled from at-rest residency and depends on your organization's country (see Section 11.2)

US and EU stamps are on our roadmap. They will be deployed when customer demand contractually requires US-only or EU-only residency. Until those stamps exist, US customers may operate on the Canadian stamp under a cross-border Data Processing Agreement (DPA) executed at onboarding. EU residency is not currently available; please contact us if you require it.

11.1.1 AI Inference Routing

AI inference is routed per organization's country of operation, independent of where the at-rest data lives. The route is logged on every clinical AI request:

  • Canadian organizations — AI inference runs on the Canadian stamp's self-hosted models; no cross-border processing
  • United States organizations — clinical AI inference runs on Google Vertex AI in a US region under the executed Google Cloud Business Associate Agreement; this is a documented cross-border processing leg covered by the customer's DPA
  • Other jurisdictions — clinical AI defaults to the Canadian stamp's self-hosted models; expanded coverage is added per region as it becomes available

11.1.2 Removed legacy claims

Earlier versions of this policy advertised "US-only data storage" and "EU data residency" as options. These options are not currently available; the descriptions above replace them. We will update this policy when the corresponding stamps go live.

11.2 Transfer Mechanisms

When international transfers occur:

  • Standard Contractual Clauses (EU Commission approved)
  • Adequacy decisions where applicable
  • Binding Corporate Rules for intra-group transfers
  • Explicit consent for specific transfers
  • Derogations for vital interests or legal claims

11.3 Transfer Safeguards

  • End-to-end encryption for all transfers
  • Transfer impact assessments
  • Supplementary measures per Schrems II
  • Government access transparency reporting
  • Enhanced contractual guarantees

12. YOUR PRIVACY RIGHTS

12.1 HIPAA Rights

The rights below derive from HIPAA. Note: the formal vehicle for these rights is your healthcare provider's Notice of Privacy Practices, not this Policy (see the callout in § 2). Where Transcribe Health holds your PHI as a Business Associate, we support your provider in honouring these rights:

  • Access your PHI and receive copies
  • Request amendments to incorrect PHI
  • Accounting of disclosures
  • Request restrictions on uses and disclosures
  • Confidential communications
  • File complaints with OCR

12.2 GDPR Rights (EU/EEA Residents)

  • Access (Article 15)
  • Rectification (Article 16)
  • Erasure/"Right to be Forgotten" (Article 17)
  • Restriction of processing (Article 18)
  • Data portability (Article 20)
  • Object to processing (Article 21)
  • Automated decision-making rights (Article 22) — see § 5.6 for our ADMT disclosure

12.3 CCPA/CPRA Rights (California Residents)

Transcribe Health does not sell or share personal information, and does not use sensitive personal information for any purpose other than providing the Services and purposes the CPRA exempts from the right to limit. We nonetheless honour the following rights and provide the controls described below.

  • Know what information we collect
  • Delete personal information
  • Correct inaccurate information
  • Opt out of the sale or sharing of personal information
  • Limit the use of sensitive personal information
  • Non-discrimination for exercising your rights

Opt-out control. Although we do not sell or share personal information, we provide an opt-out control regardless. If you have a Transcribe Health account, you can set your opt-out preference at any time from your account's Privacy & Data Rights settings, using the "Do Not Sell or Share My Personal Information" control. When you opt out, we display a confirmation of your opt-out status and the date it took effect; you may opt back in after the 12-month period required by California law.

Limit the use of sensitive personal information. Because we use sensitive personal information solely to provide the Services and for purposes the CPRA exempts from the right to limit, no separate limitation is required for those uses. We do not use sensitive personal information to infer characteristics about you.

Global Privacy Control (GPC). We honour the Global Privacy Control browser signal. If your browser or extension sends a GPC signal (the Sec-GPC header), we treat it as a valid request to opt out of any sale/sharing of personal information and reflect your opted-out status accordingly; the status is shown to you so you can confirm it has been applied.

To make any CCPA/CPRA request you may also contact us at privacy@transcribe.health (see § 12.5 and § 23).

12.4 PIPEDA Rights (Canadian Residents)

  • Access personal information
  • Challenge accuracy and completeness
  • Withdraw consent
  • Register complaints with Privacy Commissioner
  • Know about breaches affecting you
  • For Quebec residents: the right to be informed of, and to submit observations on, automated decisions based on your personal information (Law 25 § 12.1) — see § 5.6

12.5 Exercising Your Rights

  • Submit requests to: hello@transcribe.health
  • Identity verification required
  • Response within 30 days (45 for complex requests)
  • No fee for reasonable requests
  • Appeal process available
  • Designated agent submissions accepted with authorization

13. CHILDREN'S PRIVACY

13.1 Age Restrictions

  • The Services are a professional tool for healthcare providers and are not directed to children. We do not knowingly collect personal information directly from children for our own purposes.
  • United States (COPPA): we do not knowingly collect personal information from children under 13 for our own commercial purposes.
  • EU/EEA/UK (GDPR Art. 8): where a child's consent is the basis for an online service, the digital-consent age ranges from 13 to 16 depending on the Member State; below that age, consent must be given or authorised by the holder of parental responsibility.
  • Quebec (Law 25): for a minor under 14, any collection of personal information requires the consent of the person having parental authority, except where collection is clearly for the minor's benefit.
  • California (CCPA/CPRA): because we do not sell or share personal information, this restriction does not arise in practice; were it to, we would not sell or share the personal information of consumers we know to be under 16 without affirmative authorization (from the minor if 13-15, or from a parent/guardian if under 13).
  • Patient PHI relating to minors is processed only on behalf of, and under the authority of, the healthcare provider, whose own Notice of Privacy Practices and applicable health-records law govern parental access and adolescent-confidentiality rules.

13.2 Parental Rights

  • Access to minor's information (subject to state law)
  • Consent management for minor patients
  • Restrictions on sensitive health topics per jurisdiction
  • Transition procedures at age of majority

14. COOKIES AND TRACKING TECHNOLOGIES

14.1 Cookies and Similar Technologies We Use

We use a minimal set of cookies. We do not use advertising cookies, and we do not load third-party analytics or marketing trackers on our marketing site. The table below lists the cookies set in connection with the Services.

| Cookie | Provider | Purpose | Duration | Party | |---|---|---|---|---| | access_token | Transcribe Health (auth-service) | Strictly necessary, holds your authenticated session (HttpOnly, Secure). | Session / short-lived | First-party | | refresh_token | Transcribe Health (auth-service) | Strictly necessary, renews your session without re-login (HttpOnly, Secure). | Up to session-renewal window | First-party | | NEXT_LOCALE | Transcribe Health | Functionality, remembers your language/region (e.g. en-US, en-CA, fr-CA). | Persistent (until changed) | First-party | | __cf_bm, cf_clearance | Cloudflare | Strictly necessary, bot-management and security for our CDN/WAF. | Up to ~30 min / as set by Cloudflare | Third-party (infrastructure) |

Strictly-necessary cookies do not require consent. Where any non-essential cookie is introduced in the future, we will obtain consent first where required (ePrivacy/GDPR, Quebec Law 25, CPRA).

14.2 Your Choices

  • Cookie consent management platform
  • Browser-based controls
  • Global Privacy Control (GPC) signals honored
  • Do Not Track (DNT) signal response
  • Opt-out of analytics via hello@transcribe.health

15. AI TRANSPARENCY AND ETHICS

15.1 AI Principles

We commit to:

  • Transparency: Clear disclosure of AI use
  • Fairness: Regular bias testing and mitigation
  • Accountability: Human oversight of AI decisions
  • Privacy by Design: Privacy considered at every stage
  • Beneficence: AI used to improve healthcare outcomes
  • Non-maleficence: Do no harm principle

15.2 Clinical Decision Support Disclaimer

IMPORTANT: Our AI-generated clinical insights are provided for informational purposes only and do not constitute medical advice. Healthcare providers retain full responsibility for clinical decisions. AI outputs must be reviewed and validated by qualified medical professionals before use in patient care.

15.3 Research and Development

  • Research conducted on de-identified data only
  • IRB approval for research involving PHI
  • Publication only of aggregate results
  • Opt-in participation for specific research
  • Right to withdraw from research uses

16. DATA BREACH NOTIFICATION

16.1 Breach Response Procedures

In the event of a breach:

  • Immediate investigation and containment
  • Risk assessment and harm evaluation
  • Notification within HIPAA required timeframes (60 days for individual notification under 45 C.F.R. §164.404)
  • GDPR notification within 72 hours where applicable to a supervisory authority
  • Individual notice via email and certified mail
  • Regulatory reporting to HHS, state attorneys general
  • Credit monitoring offered where appropriate

Where Transcribe Health acts as a Business Associate, breach notification to the Covered Entity is governed by the applicable Business Associate Agreement, which requires notice within five (5) business days of discovery. This BA-to-Covered-Entity obligation is separate from, and does not displace, the regulator- and individual-facing notification timelines described above.

16.2 Breach Prevention

  • Continuous security monitoring
  • Periodic security assessment (an internal white-box assessment was completed; an independent third-party penetration test is planned), scheduled in the compliance calendar
  • Employee security training
  • Vendor risk assessments
  • Incident response drills
  • Cyber-liability insurance (being procured; no coverage amount stated until a policy is bound)

17. LIMITATION OF LIABILITY AND INDEMNIFICATION

17.1 LIMITATION OF LIABILITY

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, AND EXCEPT FOR RIGHTS AND REMEDIES THAT CANNOT BE LIMITED OR WAIVED UNDER APPLICABLE LAW (INCLUDING NON-WAIVABLE RIGHTS UNDER GDPR/UK GDPR, CCPA/CPRA, PIPEDA, QUEBEC LAW 25, BC PIPA, ALBERTA PIPA, AND HIPAA), IN NO EVENT SHALL TRANSCRIBE HEALTH, ITS OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, AFFILIATES, OR LICENSORS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF PROFITS, REVENUE, GOODWILL, USE, DATA, OR OTHER INTANGIBLE LOSSES, ARISING OUT OF OR RELATING TO THIS POLICY OR THE SERVICES, REGARDLESS OF THE THEORY OF LIABILITY AND WHETHER OR NOT TRANSCRIBE HEALTH HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Aggregate cap. To the maximum extent permitted by applicable law, our total aggregate liability arising out of or relating to this Policy or the Services shall not exceed the total fees paid by your organization to Transcribe Health in the trailing twelve (12) months preceding the event giving rise to the claim.

Protected Health Information. This aggregate cap does not apply to, and does not govern, liability for Protected Health Information. The handling of Protected Health Information, and the parties' respective liability for it, is governed exclusively by the applicable Business Associate Agreement (which, per BAA v2026.06, applies the general contractual liability cap with no PHI-specific supercap). Nothing in this Policy limits or excludes any liability that cannot be limited or excluded under applicable law, or any statutory privacy right that the law makes non-waivable.

17.2 Indemnification

You agree to defend, indemnify, and hold harmless Transcribe Health and its affiliates from and against any claims, damages, losses, and expenses (including reasonable attorneys' fees) arising out of or relating to:

  • Your violation of this Policy
  • Your violation of applicable laws or regulations
  • Your use of the Services in a manner not authorized by this Policy
  • Any content or data you provide through the Services
  • Your violation of any third-party rights

17.3 Healthcare-Specific Exclusions

We expressly disclaim liability for:

  • Clinical decisions made using our Services
  • Medical malpractice or professional liability claims
  • Accuracy of AI-generated clinical insights
  • Integration failures with third-party systems
  • Compliance with your specific regulatory obligations

18. DISCLAIMERS AND WARRANTIES

18.1 Service Disclaimer

THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED. WE SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.

18.2 Medical Disclaimer

WE DO NOT PROVIDE MEDICAL ADVICE. THE SERVICES ARE TOOLS TO ASSIST HEALTHCARE PROVIDERS AND DO NOT REPLACE PROFESSIONAL MEDICAL JUDGMENT. WE ARE NOT RESPONSIBLE FOR ANY MEDICAL DECISIONS, DIAGNOSES, OR TREATMENTS BASED ON THE USE OF OUR SERVICES.

18.3 Accuracy Disclaimer

WHILE WE STRIVE FOR HIGH ACCURACY, WE DO NOT GUARANTEE 100% ACCURACY IN TRANSCRIPTION OR AI-GENERATED CONTENT. ALL OUTPUT MUST BE REVIEWED AND VALIDATED BY QUALIFIED HEALTHCARE PROFESSIONALS.

19. QUALITY IMPROVEMENT AND HEALTHCARE OPERATIONS

19.1 Quality Improvement Programs

We may use de-identified data for:

  • Improving transcription accuracy
  • Enhancing clinical documentation quality
  • Developing specialty-specific models
  • Benchmarking and performance metrics
  • Population health management
  • Healthcare cost analysis

19.2 Healthcare Operations Support

Our Services support your healthcare operations including:

  • Quality assessment and improvement
  • Patient safety activities
  • Protocol development
  • Case management and care coordination
  • Practice management activities
  • Accreditation and licensing

20. DISPUTE RESOLUTION AND GOVERNING LAW

20.1 Dispute Resolution

Except where prohibited by applicable law, and excluding any claim or right that applicable law makes non-waivable or non-arbitrable (including statutory privacy claims and any right to lodge a complaint with a supervisory or data-protection authority), disputes arising out of or relating to this Policy or the Services may be resolved through binding arbitration administered by the ADR Institute of Canada (for Canadian residents) or the American Arbitration Association (for U.S. residents), seated in Ontario, Canada.

Nothing in this Section prevents you from lodging a complaint with a data-protection or privacy regulator (including the OPC, the Commission d'accès à l'information du Québec, the BC or Alberta OIPC, the CNIL or another EU supervisory authority, the UK ICO, the California Privacy Protection Agency or Attorney General, or HHS/OCR), or from exercising any non-waivable statutory right, regardless of this arbitration provision.

20.2 Class Action Waiver

To the extent permitted by applicable law, you agree to bring claims against us only in your individual capacity. This waiver does not apply to any claim or representative action that applicable law makes non-waivable (including representative actions available under certain consumer-protection statutes).

20.3 Governing Law

This Policy shall be governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, without regard to its conflict of law principles. For international users, local mandatory consumer protection laws may apply.

20.4 Venue

Exclusive venue for any dispute not subject to arbitration shall be the courts located in Ontario, Canada.

20.5 Time Limitation

You must bring any claim within one (1) year after the cause of action arises, or such claim is forever barred.

21. REGULATORY COMPLIANCE

21.1 United States Compliance

  • HIPAA Privacy, Security, and Breach Notification Rules
  • HITECH Act requirements
  • 42 CFR Part 2 (substance abuse records)
  • State medical records laws
  • CCPA/CPRA (California)
  • Biometric privacy laws (Illinois BIPA, Texas, Washington)
  • State breach notification laws

21.2 Canadian Compliance

  • PIPEDA (federal)
  • Ontario: Personal Health Information Protection Act, 2004 (PHIPA)
  • Quebec: the Act respecting the protection of personal information in the private sector, as amended by the Act to modernize legislative provisions as regards the protection of personal information (Law 25)
  • Alberta: Health Information Act (HIA)
  • British Columbia: Personal Information Protection Act (PIPA BC)
  • Saskatchewan: Health Information Protection Act (HIPA)
  • Manitoba, New Brunswick, Newfoundland and Labrador: Personal Health Information Acts (PHIA)
  • Nova Scotia, PEI, Territories: PIPEDA as applicable federal legislation

21.3 International Compliance

  • GDPR (European Union) - applicable when serving EU-based users
  • UK Data Protection Act - applicable when serving UK-based users
  • Other applicable national laws as required by jurisdiction

21.4 Industry Standards

  • HL7 FHIR specifications
  • ONC certification requirements
  • NIST Cybersecurity Framework
  • ISO 27001/27799 standards
  • Cloud Security Alliance guidelines

22. PRIVACY PROGRAM GOVERNANCE

22.1 Privacy by Design

We implement privacy by design principles:

  • Proactive not reactive
  • Privacy as default setting
  • Full functionality with privacy
  • End-to-end security
  • Visibility and transparency
  • Respect for user privacy
  • Privacy embedded into design

22.2 Privacy Impact Assessments

We conduct assessments for:

  • New features and services
  • AI model deployments
  • Third-party integrations
  • International data transfers
  • High-risk processing activities

22.3 Transparency Reporting

We publish annual transparency reports including:

  • Government data requests
  • Law enforcement requests
  • Breach statistics (anonymized)
  • Privacy rights requests
  • Third-party audit results

23. CONTACT INFORMATION

Person Responsible for the Protection of Personal Information (Quebec Law 25 § 3.1)

The person responsible for the protection of personal information at Transcribe Health is Fatih AKTAS, Founder and Security Officer, reachable at privacy@transcribe.health.

Security Officer

For privacy-related inquiries, data subject rights requests, or concerns about our privacy practices:

Security Officer Transcribe Health Corporation Email: privacy@transcribe.health (preferred for data-subject rights, DPIA / PIA requests, and sub-processor enquiries) Email: hello@transcribe.health (general contact) Response Time: Within 48 business hours

Additional Contacts

For comprehensive contact information including security incidents, legal inquiries, compliance matters, and audit support, please visit our Compliance page.

Regulatory Authorities

Office of the Privacy Commissioner of Canada 30 Victoria Street, Gatineau, Quebec K1A 1H3 Toll-free: 1-800-282-1376 Website: www.priv.gc.ca

U.S. Department of Health and Human Services Office for Civil Rights 200 Independence Avenue, S.W., Washington, D.C. 20201 Toll-free: 1-877-696-6775 Website: www.hhs.gov/ocr

European Data Protection Authorities For EU/EEA residents: Contact your local supervisory authority Directory: https://edpb.europa.eu/about-edpb/board/members_en

Information Commissioner's Office (ICO) — United Kingdom For UK residents: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom Helpline: +44 (0)303 123 1113 Website: ico.org.uk

24. CHANGES TO THIS POLICY

24.1 Right to Modify

We may modify this Policy from time to time. For any material change, the change takes effect only after the advance-notice period described in § 24.2. Non-material changes (such as typographical corrections or clarifications that do not reduce your rights or change how we handle your information) may take effect upon posting, with the "Last Updated" date revised accordingly.

24.2 Notice of Material Changes

For material changes, we will:

  • Email notice to registered users
  • In-app notifications
  • Banner notice on website
  • 30-day advance notice for material adverse changes

24.3 Continued Use

For material changes, your continued use of the Services after the 30-day notice period (and any required re-acceptance) constitutes acceptance of the modified Policy. If you disagree with a material change, you must discontinue use before it takes effect.

24.4 Version History

Previous versions available upon written request to hello@transcribe.health. We maintain a complete version history for compliance purposes.

25. SEVERABILITY AND WAIVER

25.1 Severability

If any provision of this Policy is found to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary, and the remaining provisions shall remain in full force and effect.

25.2 Waiver

No waiver of any term of this Policy shall be deemed a further or continuing waiver of such term or any other term, and our failure to assert any right or provision shall not constitute a waiver of such right or provision.

26. FORCE MAJEURE

We shall not be liable for any failure or delay in performance under this Policy which results from any cause beyond our reasonable control, including but not limited to acts of God, natural disasters, war, terrorism, riots, embargoes, acts of civil or military authorities, fire, floods, accidents, pandemics, strikes, or shortages of transportation facilities, fuel, energy, labor, or materials.

27. ASSIGNMENT

You may not assign or transfer any rights or obligations under this Policy without our prior written consent. We may assign our rights and obligations without restriction.

28. ENTIRE AGREEMENT

This Policy, together with our Terms of Service and any applicable BAA, constitutes the entire agreement between you and Transcribe Health regarding privacy and data protection, and supersedes all prior and contemporaneous understandings, agreements, representations, and warranties.

29. SURVIVAL

Sections relating to limitation of liability, indemnification, disclaimers, dispute resolution, and any other provisions that by their nature should survive, shall survive any termination or expiration of this Policy.

30. ACKNOWLEDGMENT AND ACCEPTANCE

BY USING THE SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS PRIVACY POLICY, UNDERSTAND IT, AND AGREE TO BE BOUND BY ALL OF ITS TERMS AND CONDITIONS. IF YOU ARE ACCEPTING ON BEHALF OF AN ORGANIZATION, YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ORGANIZATION.


© 2024-2026 Transcribe Health Corporation. All rights reserved.


EFFECTIVE DATE: December 1, 2024 LAST UPDATED: June 19, 2026 VERSION: v2026.06 DOCUMENT ID: POL-PRIV-2024-001