Privacy Policy | NovaScribe

1. What NovaScribe Does

NovaScribe is a medical documentation assistant for healthcare providers. You record patient encounters using our iPhone app, and our AI generates clinical notes automatically.

The basics:

You dictate during or after a patient visit
Your audio is securely transmitted to our servers
AI transcribes and generates a clinical note
You review, edit if needed, and use the note in your workflow
The original audio is deleted

NovaScribe is designed to save you time on documentation while maintaining the accuracy and quality your patients deserve.

2. Your HIPAA Compliance

NovaScribe is designed and operated to comply with HIPAA requirements for protecting health information.

What this means for you:

We sign a BAA: NovaScribe will execute a Business Associate Agreement with your practice upon request. This legally binds us to protect patient information under the same rules you follow.
We implement required safeguards: Administrative, physical, and technical safeguards as required by the HIPAA Security Rule.
Our infrastructure partners have BAAs: We maintain Business Associate Agreements with our cloud providers (AWS, Azure, Google Cloud).
Breaches are reported: If a breach occurs, we will notify you as required by HIPAA and applicable state laws.

To request your BAA: Email hipaa@novascribe.us or contact us through the app.

Important clarification: NovaScribe is a Business Associate, not a Covered Entity. We process Protected Health Information (PHI) on your behalf. Patient rights requests (access, amendment, accounting of disclosures) should be directed to you as the treating provider. We will assist you in responding to such requests.

3. Information We Collect

Information You Provide

Data Type	Examples	Why We Need It
Account information	Email, password, name	To create and secure your account
Professional information	Medical specialty	To customize note formats
Audio recordings	Patient encounter dictations	To generate clinical notes
Payment information	Processed by Stripe	To manage your subscription

Information Generated Through Use

Data Type	Examples	Why We Need It
Clinical notes	AI-generated documentation	The service you're paying for
Medical codes	E/M levels, CPT codes	To assist with billing
Session metadata	Timestamps, duration	To organize your sessions

Information Collected Automatically

Data Type	Examples	Why We Need It
Device information	iPhone model, iOS version	To ensure compatibility and fix bugs
Push notification tokens	Apple-provided identifier	To notify you when notes are ready
Crash reports	Error logs (no PHI)	To fix bugs and improve reliability

Biometric Data

NovaScribe supports Face ID and Touch ID for convenient authentication. This biometric data never leaves your device - it's processed entirely by iOS and is not transmitted to or stored on NovaScribe servers.

4. How Your Data Flows

Here's exactly what happens when you record a patient encounter:

1

You record on your iPhone → Audio encrypted on your device

2

You tap "Generate Note" → Encrypted audio transmitted (TLS 1.2/1.3)

3

Speech-to-text processing → AI converts audio to text

4

Note generation → AI creates clinical documentation

5

Note delivered to you → Stored in your secure account

6

Audio deleted → Permanently removed within 24 hours

Your clinical notes remain until YOU choose to delete them.

Data location: Your data is processed and stored on servers in the United States (Amazon Web Services, US-East-2 region).

5. AI Processing Partners

We use established AI providers to transcribe and generate your clinical notes. Here's who processes your data and why:

Primary Partners

Provider	What They Do	Data They Receive
OpenAI	Speech-to-text transcription	Audio recordings (temporarily)
Anthropic	Clinical note generation	Text transcript

Additional Partners (for quality and reliability)

Provider	Purpose
Azure OpenAI	Backup transcription and analysis
Google AI	Backup processing
Deepseek	Clinical analysis

How We Protect Your Data with AI Partners

All AI providers operate under agreements that:

Prohibit training on your data - Your dictations are not used to improve their AI models
Require deletion after processing - Data is not retained beyond what's needed to complete your request
Meet security standards appropriate for healthcare data

                Our commitment: We regularly review AI provider agreements and data handling practices. If a provider's terms change in ways that affect your privacy, we will notify you and update this policy.
            

6. How We Protect Your Information

Encryption

In transit: All data transmitted between your device and our servers uses TLS 1.2 or TLS 1.3 encryption - the same protection used by banks.
At rest: Audio files on your device are protected by iOS hardware encryption. Data on our servers is encrypted using industry-standard methods.

Authentication Security

Your password is hashed using bcrypt before storage - we cannot see your actual password
Authentication tokens are stored in your device's Keychain (hardware-backed security)
Sessions expire and require re-authentication for security

Access Controls

Your clinical notes are accessible only through your authenticated account
NovaScribe staff do not access your recordings or notes in ordinary operations
Administrative access for system maintenance is logged and audited
Access may occur only: (a) with your explicit consent for support requests, (b) as required by law, or (c) to protect safety or security

Infrastructure

Hosted on Amazon Web Services with enterprise security
Business Associate Agreements in place with all cloud providers
Regular security assessments
Audit logging for compliance

7. Data Retention

Data Type	How Long We Keep It	How It's Deleted
Audio recordings	Deleted within 24 hours of processing	Automatic, permanent deletion
Clinical notes	Until you delete them or close your account	You control this
Account information	While active + 30 days after closure	Upon account deletion request
Billing records	7 years (legal/tax requirements)	Automatic after retention period
Audit logs	90 days	Automatic rotation

Account Deletion

To delete your account and all associated data:

In the app: Settings → Privacy → Delete My Account
By email: Contact privacy@novascribe.us

Upon deletion request:

Your clinical notes are permanently deleted
Your account information is removed
Deletion is completed within 30 days
Some data may persist in encrypted backups temporarily before being purged

Note: We cannot delete data that we're legally required to retain (such as billing records for tax purposes).

8. What We Don't Do

We believe in being clear about what we don't do with your data:

We don't sell your data - Not to data brokers, advertisers, or anyone else
We don't show you ads - NovaScribe is ad-free
We don't share with insurance companies - Unless you explicitly direct us to
We don't train our own AI models on your data - Your dictations are processed, not learned from
We don't keep audio recordings long-term - Deleted within 24 hours
We don't access your notes without reason - Only for support you request, legal requirements, or security

9. Your Rights and Choices

You have control over your data:

Access Your Data

Request a copy of the personal information we hold about you.
→ Email privacy@novascribe.us

Correct Your Data

Update inaccurate account information anytime in the app, or contact us for assistance.
→ Settings → Account in the app

Delete Your Data

Remove individual notes anytime, or delete your entire account.
→ Settings → Privacy → Delete My Account

Export Your Data

Download your clinical notes in standard formats.
→ Contact privacy@novascribe.us

Opt Out of Communications

Unsubscribe from marketing emails (you'll still receive essential service communications).
→ Link in any marketing email

Manage Push Notifications

Control what notifications you receive.
→ Settings → Notifications in the app

                Response time: We respond to privacy requests within 30 days (or sooner if required by law).
            

10. California Privacy Rights

If you're a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Your California Rights

Right to Know: Request what personal information we've collected, used, and shared
Right to Delete: Request deletion of your personal information
Right to Correct: Request correction of inaccurate information
Right to Opt-Out of Sale/Sharing: We do not sell your personal information or share it for cross-context behavioral advertising
Right to Non-Discrimination: We won't treat you differently for exercising your rights

Categories of Information We Collect

In the past 12 months, we have collected:

Identifiers (name, email, device identifiers)
Professional information (medical specialty)
Commercial information (subscription history)
Audio/visual information (dictation recordings)
Health information (clinical documentation)
Internet activity (usage logs)

How to Exercise Your Rights

Email: privacy@novascribe.us
In-app: Settings → Privacy

We will verify your identity before processing requests. You may designate an authorized agent to make requests on your behalf.

                HIPAA Exception: Health information processed under a Business Associate Agreement is exempt from CCPA under the HIPAA exemption.
            

11. Children's Privacy

NovaScribe is designed for licensed healthcare professionals. The service is not intended for use by individuals under 18 years of age.

We do not knowingly collect personal information from children under 13 (or other applicable age threshold). If we learn that we have collected personal information from a child, we will delete it promptly.

If you believe a child has provided us with personal information, please contact us at privacy@novascribe.us.

12. Important Disclaimers

NovaScribe is a Documentation Tool, Not Medical Advice

NovaScribe generates clinical documentation to assist healthcare providers. NovaScribe is NOT:

A substitute for professional medical judgment
A source of medical advice for patients
An FDA-regulated medical device
A replacement for reviewing documentation

AI-Generated Content Requires Your Review

The clinical notes, billing codes, and other content generated by NovaScribe are suggestions only. As a healthcare provider, you are responsible for:

Reviewing all AI-generated content for accuracy
Making clinical decisions independent of AI suggestions
Ensuring documentation reflects the actual encounter
Verifying billing codes are appropriate and supported
Maintaining compliance with professional and legal standards

                Limitation of Liability: Our full Terms of Service contain important limitations on liability. While we work hard to provide accurate, reliable service, we cannot guarantee AI-generated content will be error-free. You remain responsible for the clinical care you provide and the documentation you sign.
            

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

We will post the updated policy with a new "Last Updated" date
We will notify you by email and/or in-app notification at least 30 days before material changes take effect
We will maintain a changelog of significant updates

Your continued use of NovaScribe after changes take effect constitutes acceptance of the updated policy.

Previous versions: Contact privacy@novascribe.us to request previous versions of this policy.

14. Contact Us

We're here to answer your privacy questions.

General Privacy

privacy@novascribe.us

HIPAA & BAA Requests

hipaa@novascribe.us

Security Concerns

security@novascribe.us

General Support

support@novascribe.us

Mailing Address

Proctor Medical Consulting, LLC
5636 Lake Trace Drive
Hoover, AL 35244

Response Time: We aim to respond to all inquiries within a few business days.

The Short Version