
Privacy Policy

Updated: March 9, 2026
Version: 2.1
Length: ~5,100 words

Legal Document

This document constitutes part of your legal agreement with Scribeable. Please read it carefully.

Privacy Policy

Scribeable Medical Documentation Platform

Last Updated: March 9, 2026

Effective Date: March 9, 2026


INTRODUCTION

Scribeable, Inc. ("Scribeable," "we," "us," or "our") is committed to protecting the privacy and security of your information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our medical documentation platform, including our mobile applications, web portal, browser extension, and related services (collectively, the "Platform").

This Policy applies to:

  • Healthcare providers and clinicians who use our Platform
  • Practice staff and authorized users
  • Website visitors
  • Anyone who interacts with our services

Important Healthcare Privacy Notice: We are a "Business Associate" under the Health Insurance Portability and Accountability Act (HIPAA). When you use our Platform to process Protected Health Information (PHI), our collection and use of that information is governed by both this Privacy Policy and our Business Associate Agreement (BAA), which healthcare providers must execute before using the Platform for PHI.

By using our Platform, you agree to the collection and use of information in accordance with this Privacy Policy.


1. INFORMATION WE COLLECT

1.1 Information You Provide to Us

(a) Account Information: When you register for an account, we collect:

  • Full name
  • Email address
  • Professional credentials (medical license, NPI number)
  • Practice or facility name and address
  • Professional specialties
  • Phone number (optional)
  • Billing information (processed securely through Apple or payment processors)

(b) Profile Information:

  • Professional preferences and settings
  • AI model preferences
  • Transcription service preferences
  • Specialty-specific templates and configurations
  • Signature and attestation settings

(c) Protected Health Information (PHI):

  • Patient demographics (name, DOB, MRN, gender, etc.)
  • Clinical notes and consultation documentation
  • Voice recordings of clinical encounters
  • Medical histories and examination findings
  • Diagnoses, assessments, and treatment plans
  • Vital signs, lab results, and other clinical data
  • Any other health information you input into the Platform

(d) EHR Integration Data:

  • EHR system credentials (encrypted and stored securely)
  • Patient lists and appointment schedules
  • Clinical data synchronized from your EHR
  • Field mappings and configuration settings

(e) Support Communications:

  • Messages you send to our support team
  • Attachments and screenshots (which may contain PHI)
  • Feedback and feature requests
  • Error reports and bug submissions

(f) Payment Information:

  • For direct billing: Payment card information (processed by Apple or secure payment processors; we do not store full card numbers)
  • Billing address
  • Transaction history
  • Subscription plan and usage information

1.2 Information We Collect Automatically

(a) Device and Usage Information:

  • Device type, model, and operating system version
  • IP address and general location (city/state level)
  • Browser type and version
  • App version and build number
  • Screen resolution and device identifiers
  • Crash reports and performance data

(b) Platform Usage Data:

  • Features used and frequency of use
  • Time spent in the Platform
  • Navigation patterns and user flows
  • AI model usage and API calls
  • Transcription usage (duration, not content)
  • Number of patients, consultations, and summaries
  • Error logs and debugging information

(c) Browser Extension Data:

  • EHR system type and version detected
  • Field mappings and configurations
  • Patient context matching data
  • Insertion success/failure statistics
  • Browser and extension version information

(d) Authentication and Security Data:

  • Login timestamps and locations
  • Authentication method used
  • Session duration and activity
  • Security events (failed login attempts, suspicious activity)
  • Access control logs

1.3 Information from Third Parties

(a) AI Service Providers:

  • Processing confirmations from Anthropic (Claude API)
  • Transcription metadata from Deepgram
  • Usage statistics and error reports

(b) EHR Systems:

  • Patient demographic data
  • Appointment schedules and patient lists
  • Clinical data (when you authorize synchronization)
  • System capabilities and version information

(c) Payment Processors:

  • Transaction confirmations
  • Subscription status
  • Payment success/failure notifications

(d) Analytics Services:

  • Aggregated usage statistics
  • Performance metrics
  • Error tracking data

(e) Biometric Data: We collect voice recordings during clinical encounters as part of the transcription process. Voice recordings may constitute biometric identifiers under certain state laws, including the Illinois Biometric Information Privacy Act (BIPA). We obtain your informed consent before collecting voice recordings. Voice recordings are retained only for the duration of the transcription process and are deleted after transcription is complete, unless you explicitly choose to save them. We do not sell, lease, or trade biometric data. We implement reasonable security measures to protect biometric data consistent with our treatment of PHI.

1.4 Cookies and Tracking Technologies

We use the following technologies:

(a) Essential Cookies:

  • Authentication and session management
  • Security and fraud prevention
  • Platform functionality

(b) Functional Cookies:

  • User preferences and settings
  • Language and region preferences
  • Accessibility settings

(c) Analytics Cookies:

  • We use analytics services with privacy-preserving configurations
  • Usage patterns and feature adoption
  • Performance monitoring

(d) Marketing Cookies (Marketing Website Only):

  • Google Tag Manager, Google Ads, Meta Pixel, LinkedIn Insight Tag, and Microsoft UET
  • Loaded only after explicit cookie consent
  • Never present on authenticated clinical pages
  • Used solely for measuring marketing campaign effectiveness

(e) Local Storage:

  • Browser extension field mappings
  • Offline data caching
  • Preferences and configurations

Cookie Management: You can control cookies through your browser settings. Note that disabling essential cookies may limit Platform functionality.

1.5 Sensitive Personal Information (CPRA)

Under the California Privacy Rights Act (CPRA), we may collect the following categories of sensitive personal information:

  • Health Data: Clinical notes, diagnoses, treatment plans, and other PHI processed through the Platform
  • Biometric Data: Voice recordings used for transcription (see Section 1.3(e))
  • Precise Geolocation: Device location data when you enable location services (used for session security and audit logging)
  • Financial Data: Payment card and billing information (processed by third-party payment processors)
  • Account Log-In Credentials: Email and password or authentication tokens used to access the Platform
  • Professional Information: Medical license numbers, NPI numbers, and professional credentials

We use sensitive personal information only as necessary to provide and improve our Platform services, for security and fraud prevention, and as otherwise permitted under applicable law. You have the right to limit our use of sensitive personal information to purposes authorized by the CPRA. To exercise this right, contact [email protected].


2. HOW WE USE YOUR INFORMATION

2.1 Primary Uses

We use collected information to:

(a) Provide and Operate the Platform:

  • Authenticate users and manage accounts
  • Generate AI-powered clinical summaries
  • Transcribe voice recordings
  • Synchronize data with EHR systems
  • Store and retrieve clinical documentation
  • Process patient information and consultations
  • Provide clinical decision support
  • Enable secure web export of summaries

(b) AI Processing:

  • Send clinical text to Claude API for summary generation
  • Send audio to Deepgram for medical transcription
  • Generate structured data from unstructured notes
  • Provide diagnostic suggestions and ICD-10 codes
  • Generate treatment plans and recommendations
  • Analyze clinical completeness and safety

(c) EHR Integration:

  • Match patient context between Scribeable and your EHR
  • Detect and map EHR fields for documentation insertion
  • Synchronize patient lists and schedules
  • Pull clinical data from your EHR
  • Push clinical notes to your EHR
  • Maintain bidirectional data consistency

2.2 Service Improvement

We use information to:

  • Analyze usage patterns to improve features
  • Identify and fix bugs and technical issues
  • Optimize AI model performance
  • Improve transcription accuracy
  • Enhance EHR compatibility
  • Develop new features and functionality
  • Conduct internal research and development

2.3 Security and Compliance

We use information to:

  • Prevent fraud and unauthorized access
  • Detect and respond to security incidents
  • Monitor for abuse and policy violations
  • Conduct security audits and assessments
  • Maintain HIPAA audit trails
  • Comply with legal and regulatory requirements
  • Respond to law enforcement requests

2.4 Communications

We use information to:

  • Send service announcements and updates
  • Provide customer support responses
  • Send usage alerts and notifications
  • Notify you of security issues
  • Provide subscription and billing information
  • Send product updates and new features (with consent)

2.5 AI Model Training Prohibition

Your clinical data, including transcriptions and notes, is never used to train AI models. Our AI processing partners (Anthropic, Deepgram) are bound by Business Associate Agreements (BAAs) that contractually prohibit the use of your data for model training or improvement. Clinical data sent to AI services is processed solely to generate your requested output (e.g., clinical notes, transcriptions) and is not retained by those services beyond the duration of the processing request.

2.6 Analytics and Business Operations

We use aggregated, de-identified information to:

  • Generate usage statistics and reports
  • Analyze market trends and opportunities
  • Evaluate product performance
  • Support business planning and development
  • Create anonymized datasets for research

Important: We do NOT use your PHI to:

  • Train AI models
  • Share with third parties for their marketing
  • Sell to data brokers or advertisers
  • Create publicly available datasets
  • Use for any purpose other than providing you our services

3. HOW WE SHARE YOUR INFORMATION

3.1 Service Providers (Subprocessors)

We share information with trusted service providers who assist in operating the Platform:

(a) AI and Machine Learning:

  • Anthropic PBC - Claude API for clinical documentation (BAA in place)

(b) Transcription Services:

  • Deepgram, Inc. - Medical voice transcription (BAA in place)

(c) Cloud Infrastructure:

  • Google LLC - Firebase Authentication, Firestore, Cloud Storage (BAA in place)

(d) Payment Processing:

  • Apple Inc. - In-App Purchase processing (for iOS subscriptions)
  • Stripe, Inc. - Payment processing (for web subscriptions; no PHI processed)

(e) Analytics and Monitoring:

  • Google Analytics - Anonymized usage analytics
  • Sentry - Error tracking and monitoring

(f) Marketing and Advertising (Marketing Website Only):

  • Google Tag Manager - Tag management and analytics orchestration (marketing site only; no PHI)
  • Google Ads - Advertising conversion tracking (marketing site only; no PHI)
  • Meta Pixel - Marketing analytics and conversion tracking (marketing site only; no PHI)
  • LinkedIn Insight Tag - B2B marketing analytics (marketing site only; no PHI)
  • Microsoft UET - Advertising conversion tracking (marketing site only; no PHI)

These marketing tools are never loaded on authenticated clinical pages. They are restricted to the unauthenticated public marketing website (scribeable.ai) and require explicit cookie consent before activation. No PHI, clinical data, or authenticated user data is transmitted to any marketing service.

(g) Communication Services:

  • SendGrid - Transactional email delivery
  • Twilio - SMS notifications (if enabled)

All service providers:

  • Are contractually obligated to protect your data
  • Have executed Business Associate Agreements (where required for PHI)
  • Are prohibited from using your data for their own purposes
  • Must comply with HIPAA, GDPR, and other applicable laws

A complete, current list of Subprocessors is available in our Subprocessor List document.

3.2 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

3.3 Legal Requirements

We may disclose information when required to:

  • Comply with applicable laws, regulations, or legal processes
  • Respond to valid subpoenas, court orders, or government requests
  • Enforce our Terms of Use and other agreements
  • Protect our rights, property, or safety
  • Protect the rights, property, or safety of our users or others
  • Prevent fraud, security breaches, or illegal activity
  • Respond to emergencies involving danger of death or serious physical injury

3.4 With Your Consent

We may share information with third parties when you explicitly authorize us to do so, such as:

  • Exporting summaries to your institutional computer
  • Integrating with third-party services you select
  • Sharing specific data with colleagues or consultants
  • Participating in research studies (with de-identified data)

3.5 Aggregated or De-Identified Information

We may share aggregated, de-identified, or anonymized information that cannot reasonably be used to identify you or your patients. Such information is not subject to this Privacy Policy.

3.6 We Do Not Sell Personal Information

We do not sell, rent, or trade your personal information or PHI to third parties for monetary consideration or any other benefit.


4. DATA SECURITY AND PROTECTION

4.1 Security Measures

We implement comprehensive security safeguards including:

(a) Encryption:

  • In Transit: TLS 1.3 for all data transmission
  • At Rest: AES-256 encryption for stored data
  • End-to-End: Client-side encryption for web export feature
  • Database: Encrypted database connections and storage

(b) Access Controls:

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA)
  • Unique user identifiers
  • Least privilege access principles
  • Automatic session timeout (15 minutes of inactivity)
  • Strong password requirements

(c) Network Security:

  • Web Application Firewall (WAF)
  • DDoS protection
  • Intrusion Detection Systems (IDS)
  • Intrusion Prevention Systems (IPS)
  • Regular vulnerability scanning
  • Annual penetration testing

(d) Audit and Monitoring:

  • Comprehensive audit logging
  • Real-time security monitoring
  • Automated threat detection
  • SIEM integration
  • 24/7 security operations

(e) Data Integrity:

  • Checksums and validation
  • Version control
  • Regular backups (encrypted)
  • Disaster recovery procedures
  • Business continuity planning

(f) Physical Security:

  • Data centers with physical access controls
  • 24/7 surveillance and monitoring
  • Environmental controls
  • Redundant power and connectivity

(g) Workforce Security:

  • Background checks for employees with PHI access
  • Regular security training
  • Confidentiality agreements
  • Termination procedures
  • Incident response training

4.2 HIPAA Compliance

Our security program is designed to meet HIPAA Security Rule requirements including:

  • Administrative Safeguards (45 C.F.R. § 164.308)
  • Physical Safeguards (45 C.F.R. § 164.310)
  • Technical Safeguards (45 C.F.R. § 164.312)
  • Organizational Requirements (45 C.F.R. § 164.314)
  • Policies and Procedures (45 C.F.R. § 164.316)

4.3 Breach Notification

In the event of a breach of unsecured PHI:

  • We will investigate and contain the breach
  • We will notify affected covered entities without unreasonable delay
  • We will provide information required for breach notification
  • We will cooperate fully with breach response activities
  • We will take steps to prevent future breaches

4.4 Data Minimization

We implement data minimization principles:

  • Collect only necessary information
  • Limit PHI to minimum necessary for services
  • Encourage de-identification where appropriate
  • Regular review and purging of unnecessary data
  • Shortest feasible retention periods

4.5 Security Limitations

While we implement strong security measures, you acknowledge that:

  • No system is 100% secure
  • Internet transmission carries inherent risks
  • You are responsible for your account security
  • You must use strong passwords and protect your devices
  • You should report suspicious activity immediately

5. DATA RETENTION AND DELETION

5.1 Retention Periods

We retain information for the following periods:

(a) Active Account Data:

  • PHI/Clinical Data: Retained for a minimum of 7 years per HIPAA §164.530(j), beginning from the date of creation or last effective date
  • Account Information: Retained while your account is active
  • Usage Logs: 6 years (HIPAA audit requirement)
  • Security Logs: 6 years minimum

(b) After Account Termination:

  • PHI: Minimum 7 years after account closure per HIPAA §164.530(j)
  • Non-PHI Personal Data: Deleted within 30 days of a verified deletion request
  • Billing Records: 7 years (IRS requirement)
  • Audit Logs: 6 years minimum (HIPAA requirement)
  • De-identified Data: May be retained indefinitely

(c) Specific Data Types:

  • Voice Recordings: Deleted after transcription unless you save them
  • Web Export Tokens: Deleted after use or 1 hour expiration
  • Backup Data: Purged within 90 days of the applicable deletion event
  • Cache Data: Automatically deleted after 24 hours

5.2 Account Deletion

When you delete your account:

  • We will delete or de-identify your personal information
  • PHI will be retained for the minimum required retention period
  • Audit logs will be retained as required by law
  • Backups will be purged according to backup retention schedules
  • De-identified data may be retained for analytics

5.3 Individual Data Deletion

You may request deletion of specific data subject to:

  • Legal and regulatory retention requirements
  • Ongoing legal obligations or disputes
  • Fraud prevention and security needs
  • Technical limitations

We will respond to deletion requests within 30 days and complete deletion within 90 days when legally permitted.

5.4 Data Portability

Upon request, we will provide:

  • Your account information in machine-readable format
  • Your clinical documentation and data
  • Data needed to transfer to another service
  • Export in common formats (PDF, JSON, CSV)

6. YOUR RIGHTS AND CHOICES

6.1 Access Rights

You have the right to:

  • Access your personal information
  • Receive a copy of your data
  • Review your account information
  • Request an accounting of disclosures

How to exercise: Email [email protected] or use in-app export features.

6.2 Correction Rights

You have the right to:

  • Correct inaccurate personal information
  • Update your account details
  • Amend PHI (subject to medical record requirements)
  • Request corrections to your data

How to exercise: Update through app settings or email [email protected].

6.3 Deletion Rights

You have the right to:

  • Request deletion of your personal information
  • Delete your account
  • Request deletion of specific data

Limitations: We may retain data required by law or for legitimate business purposes.

How to exercise: Account Settings > Delete Account, or email [email protected].

6.4 Restriction Rights

You have the right to:

  • Restrict processing of your data
  • Object to certain uses
  • Limit sharing with specific service providers
  • Opt out of optional features

How to exercise: Account Settings or email [email protected].

6.5 Portability Rights

You have the right to:

  • Receive your data in structured, machine-readable format
  • Transmit your data to another service
  • Export clinical documentation and records

How to exercise: Use in-app export features or email [email protected].

6.6 Objection Rights

You have the right to object to:

  • Processing based on legitimate interests
  • Direct marketing communications
  • Automated decision-making
  • Profiling

How to exercise: Email [email protected] or use opt-out links in communications.

6.7 Communication Preferences

You can control:

  • Marketing emails (opt-out available)
  • Product updates and newsletters
  • Educational content
  • Non-essential notifications

Note: You cannot opt out of essential service communications (security alerts, billing notices, Terms updates).

6.8 Cookie Preferences

You can manage cookies through:

  • Browser settings (block/delete cookies)
  • Extension settings (disable telemetry)
  • Opt-out tools for analytics services
  • Platform cookie preference center

6.9 HIPAA Rights

As a Business Associate, we support the following rights that covered entities must honor under HIPAA:

  • Right of Access: You may request access to PHI we maintain on behalf of your covered entity
  • Right to Amend: You may request amendments to PHI
  • Right to an Accounting of Disclosures: You may request an accounting of disclosures of your PHI
  • Right to Request Restrictions: You may request restrictions on certain uses and disclosures
  • Right to Confidential Communications: You may request alternative means of receiving communications
  • Right to a Copy of the Notice: You may request a paper copy of the applicable Notice of Privacy Practices

If you believe your HIPAA privacy rights have been violated, you may file a complaint with:

You will not be retaliated against for filing a complaint.


7. INTERNATIONAL DATA TRANSFERS

7.1 Data Location

Your data is primarily stored and processed in the United States. By using our Platform, you consent to the transfer of your information to the United States.

7.2 Transfers from the EEA/UK

For users in the European Economic Area (EEA) or United Kingdom:

  • We rely on Standard Contractual Clauses (SCCs) approved by the European Commission
  • We implement supplementary measures to protect data
  • We conduct transfer impact assessments
  • We maintain compliance with GDPR requirements

7.3 Transfers from Other Jurisdictions

We comply with applicable cross-border transfer requirements, including:

  • Canadian PIPEDA requirements
  • Australian Privacy Principles
  • Other national privacy laws

7.4 Third-Country Processing

Some of our service providers may process data outside the United States. We ensure appropriate safeguards through:

  • SCCs or equivalent transfer mechanisms
  • Data Processing Addenda
  • Privacy Shield successor frameworks (when available)
  • Adequacy decisions (where applicable)

7.5 Substance Abuse Records (42 CFR Part 2)

If the Platform is used in connection with a federally assisted substance use disorder treatment program, records of the identity, diagnosis, prognosis, or treatment of any patient maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research that is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States are protected by 42 CFR Part 2. Such records may only be disclosed with the written consent of the patient or as otherwise permitted by 42 CFR Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. Violations of 42 CFR Part 2 are subject to criminal penalties.


8. CHILDREN'S PRIVACY

8.1 Age Restrictions

The Platform is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 13 (or 16 in the EEA).

8.2 Patient Data

While the Platform may be used to document care for pediatric patients, such information:

  • Is entered by licensed healthcare providers
  • Is part of the provider's medical documentation
  • Is not "collected from children" within the meaning of COPPA
  • Is subject to HIPAA, not COPPA

8.3 Inadvertent Collection

If we learn we have collected information from a child under 13 without parental consent, we will delete it promptly.

8.4 Parental Rights

Parents or legal guardians who believe their child's information has been collected may contact [email protected] to request access or deletion.

8.5 Data Protection Impact Assessments (DPIAs)

Scribeable conducts Data Protection Impact Assessments as required under GDPR Article 35 and as a best practice for high-risk data processing activities. DPIAs are performed when we introduce new processing activities involving PHI, biometric data, or large-scale profiling, or when processing is likely to result in a high risk to individuals' rights and freedoms. DPIA results inform our data protection measures and are reviewed and updated regularly. Summaries of relevant DPIA findings are available upon request to [email protected].


9. REGIONAL PRIVACY RIGHTS

9.1 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

(a) Right to Know:

  • Categories of personal information collected
  • Sources of personal information
  • Business purposes for collection
  • Categories of third parties with whom we share
  • Specific pieces of personal information we hold

(b) Right to Delete:

  • Request deletion of your personal information
  • Subject to exceptions for legal obligations

(c) Right to Opt-Out:

  • We do not sell personal information
  • We do not share for cross-context behavioral advertising

(d) Right to Non-Discrimination:

  • We will not discriminate against you for exercising your rights

(e) Right to Limit Use of Sensitive Personal Information:

  • Sensitive information is used only for providing services
  • You can request limitations on uses beyond service provision

(f) Authorized Agents:

  • You may designate an authorized agent to make requests on your behalf

How to exercise California rights: Email [email protected]. We will establish a toll-free number for California residents. In the interim, you may submit requests via email or our online portal at https://scribeable.ai/privacy-request.

Verification: We will verify your identity before responding to requests.

9.2 European Privacy Rights (GDPR)

If you are in the EEA or UK, you have rights under the General Data Protection Regulation:

(a) Legal Bases for Processing: We process your information based on:

  • Contract Performance: To provide services under our Terms
  • Legitimate Interests: Security, fraud prevention, improvement
  • Legal Obligation: Compliance with laws and regulations
  • Consent: For optional features and communications (withdrawn at any time)

(b) Data Controller: For Platform services, Scribeable is the data controller. For PHI processing, we are typically a data processor on behalf of the covered entity.

(c) EU Representative and Scope: We do not currently offer services specifically targeted to EU/EEA residents. If you are in the EU/EEA and use our services, contact [email protected] for data protection inquiries. An EU representative will be designated if required based on processing volume and scope of activities.

(d) Data Protection Officer: Email: [email protected]

(e) Supervisory Authority: You have the right to lodge a complaint with your local data protection authority.

(f) Additional Rights:

  • Right to object to processing
  • Right to restrict processing
  • Right to data portability
  • Right to withdraw consent
  • Right not to be subject to automated decision-making

9.3 Other U.S. State Privacy Laws

We comply with privacy laws in states including:

  • Virginia (VCDPA)
  • Colorado (CPA)
  • Connecticut (CTDPA)
  • Utah (UCPA)

Residents of these states have rights similar to California residents. Contact [email protected] to exercise your rights.

9.4 Health Privacy Laws

In addition to HIPAA, we comply with state health privacy laws, including:

  • State medical records laws
  • State breach notification laws
  • State consent requirements
  • Professional licensing board requirements

10. CHANGES TO THIS PRIVACY POLICY

10.1 Updates

We may update this Privacy Policy to reflect:

  • Changes in our practices
  • Legal or regulatory requirements
  • New features or services
  • Security improvements
  • User feedback

10.2 Notification

We will notify you of material changes by:

  • Posting the updated policy on our website with a new "Last Updated" date
  • Sending email notification to your registered email address
  • Displaying an in-app notification
  • Providing at least 30 days' notice before material changes take effect

10.3 Continued Use

Your continued use of the Platform after the effective date of changes constitutes acceptance of the updated Privacy Policy.

10.4 Objection to Changes

If you do not agree to changes, you may:

  • Stop using the Platform
  • Terminate your account
  • Request deletion of your data (subject to retention requirements)

11. CONTACT US

11.1 Privacy Questions

For questions about this Privacy Policy or our privacy practices:

Email: [email protected]

Mail:
Scribeable, Inc.
Attention: Privacy Officer
600 Boulevard South SW, Suite 104J
Huntsville, AL 35802

11.2 Rights Requests

To exercise your privacy rights:

Email: [email protected]

Subject Line: "Privacy Rights Request - [Your Name]"

Include in your request:

  • Your full name and account email
  • The specific right you wish to exercise
  • Sufficient information to verify your identity
  • Preferred method of response

Response Time: We will respond within 30 days (or as required by applicable law).

11.3 HIPAA/BAA Questions

For HIPAA-related questions or BAA requests:

Email: [email protected]

Include: Your organization name, contact information, and a description of your needs

11.4 Security Incidents

To report security issues or suspected breaches:

Email: [email protected]

Available: 24/7 email-based monitoring. Our security team monitors [email protected] around the clock. All reports are triaged and acknowledged within 1 hour.

11.5 Data Protection Officer

For GDPR-related inquiries:

Email: [email protected]


12. ADDITIONAL INFORMATION

12.1 Third-Party Links

The Platform may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

12.2 Do Not Track

Our Platform does not respond to Do Not Track (DNT) signals because there is no accepted DNT standard.

12.3 Accessibility

We are committed to making this Privacy Policy accessible. If you need this policy in an alternative format, please contact [email protected].

12.4 Language

This Privacy Policy is provided in English. Translations may be available, but the English version controls in case of conflict.


SUMMARY OF KEY POINTS

What information do we collect? Account information, PHI, usage data, device information

How do we use it? To provide Platform services, generate AI summaries, transcribe audio, integrate with EHRs, and improve our services

Do we share it? Only with service providers under BAAs, as required by law, or with your consent. We never sell your data.

How do we protect it? TLS 1.3, AES-256 encryption, access controls, audit logging, HIPAA-compliant security measures

How long do we keep it? 7 years for PHI (HIPAA requirement), 6 years for audit logs, shorter for other data

What are your rights? Access, correction, deletion, portability, restriction, and objection rights

How do you contact us? [email protected] for all privacy questions


Last Updated: February 5, 2026
Version: 2.1

© 2026 Scribeable, Inc. All rights reserved.
