Privacy Policy | NovaScribe

1. What NovaScribe Does

NovaScribe is a medical documentation assistant for healthcare providers. You record patient encounters using our iPhone or Android app, and our AI generates clinical notes automatically.

The basics:

You dictate during or after a patient visit
Your audio is securely transmitted to our servers
AI transcribes and generates a clinical note
You review, edit if needed, and use the note in your workflow
The original audio is deleted

NovaScribe is designed to save you time on documentation while maintaining the accuracy and quality your patients deserve.

2. Your HIPAA Compliance

NovaScribe is designed and operated to comply with HIPAA requirements for protecting health information.

What this means for you:

BAAs available: NovaScribe will execute a Business Associate Agreement (BAA) with your practice upon request. This legally binds us to protect patient information under the same rules you follow. For practices purchasing subscriptions at volume, we can establish a BAA covering all users in your organization.
We implement required safeguards: Administrative, physical, and technical safeguards as required by the HIPAA Security Rule.
Our infrastructure partners have BAAs: We maintain Business Associate Agreements with our cloud providers (AWS, Azure, Google Cloud).
Breaches are reported: If a breach occurs, we will notify you as required by HIPAA and applicable state laws.

To request your BAA: Email hipaa@novascribe.us or contact us through the app.

Important clarification: NovaScribe is a Business Associate, not a Covered Entity. We process Protected Health Information (PHI) on your behalf. Patient rights requests (access, amendment, accounting of disclosures) should be directed to you as the treating provider. We will assist you in responding to such requests.

3. Information We Collect

Information You Provide

Data Type	Examples	Why We Need It
Account information	Email, password, name	To create and secure your account
Professional information	Medical specialty	To customize note formats
Audio recordings	Patient encounter dictations	To generate clinical notes
Payment information	Processed by Stripe	To manage your subscription

Information Generated Through Use

Data Type	Examples	Why We Need It
Clinical notes	AI-generated documentation	The service you're paying for
Medical codes	E/M levels, CPT codes	To assist with billing
Session metadata	Timestamps, duration	To organize your sessions

Information Collected Automatically

Data Type	Examples	Why We Need It
Device information	iPhone model + iOS version, or Android device model + Android version	To ensure compatibility and fix bugs
Push notification tokens	Apple-provided identifier (iOS) or Firebase Cloud Messaging token (Android)	To notify you when notes are ready
Crash reports	Error logs (no PHI)	To fix bugs and improve reliability

Biometric Data (iOS only)

The NovaScribe iOS app supports Face ID and Touch ID for convenient authentication. This biometric data never leaves your device - it's processed entirely by iOS and is not transmitted to or stored on NovaScribe servers. The NovaScribe Android app does not use biometric authentication; sign-in is via username and password.

Mobile App Permissions

When you use the NovaScribe iOS app, we request the following device permissions:

Permission	Why We Need It	What Happens If You Decline
Microphone	To record patient encounter dictations	The app cannot record -- this is required for core functionality
Push Notifications	To notify you when your clinical note is ready	You can check note status manually in the app

When you use the NovaScribe Android app, we request the following runtime permissions:

Permission	Why We Need It	What Happens If You Decline
Microphone (`RECORD_AUDIO`)	To record patient encounter dictations	The app cannot record -- this is required for core functionality
Notifications (`POST_NOTIFICATIONS`, Android 13+)	To notify you when your clinical note is ready, and to show the ongoing recording notification mandated by Android 14+ for microphone access in the background	You can check note status manually in the app; recording itself remains available

The Android app additionally declares the following install-time permissions (no runtime prompt): INTERNET and ACCESS_NETWORK_STATE (API calls to NovaScribe + network availability checks for the upload queue), FOREGROUND_SERVICE and FOREGROUND_SERVICE_MICROPHONE (required by Android 14+ to record while the app is backgrounded), and WAKE_LOCK (prevents the CPU from sleeping during an active recording).

Your audio is recorded locally on your device and transmitted to our servers only when you tap "Generate Note." We do not access your microphone at any other time.

4. How Your Data Flows

Here's exactly what happens when you record a patient encounter:

1

You record on your iPhone or Android device → Audio encrypted on your device

2

You tap "Generate Note" → Encrypted audio transmitted (TLS 1.2/1.3)

3

Speech-to-text processing → Secure AI service converts audio to text

4

Note generation → AI creates clinical documentation

5

Note delivered to you → Stored in your secure account

6

Audio deleted → Permanently removed within 6 hours

Your clinical notes remain until YOU choose to delete them.

Data location: Your data is processed and stored on servers in the United States (Amazon Web Services, US-East-2 region).

5. AI Processing Services

We use secure, established AI cloud services to transcribe and generate your clinical notes. Here's how your data is processed:

How It Works

Processing Step	What Happens	Data Involved	Data Residency
Speech-to-text	Your audio is converted to a text transcript	Audio recordings (temporarily)	United States
Note generation	AI creates clinical documentation from the transcript	Text transcript	United States
Clinical analysis	AI assists with E/M classification and billing codes	Text transcript	Primarily United States; some supplemental analysis may be processed internationally

How We Protect Your Data with AI Services

All AI service providers we use operate under agreements that:

Prohibit training on your data - Your dictations are not used to improve their AI models
Require deletion after processing - Data is not retained beyond what's needed to complete your request
Include Business Associate Agreements (BAAs) or equivalent contractual protections appropriate for healthcare data

                Our commitment: We regularly review AI provider agreements and data handling practices. If a provider's terms change in ways that affect your privacy, we will notify you and update this policy.
            

Regarding international processing: All primary transcription and note generation occurs within the United States. Some supplemental clinical analysis may be processed outside the United States. Only text transcripts (not audio or direct patient identifiers) are sent for this analysis, and no data is retained by the provider beyond the processing session. If you wish to opt out of international processing, contact privacy@novascribe.us.

6. How We Protect Your Information

Encryption

In transit: All data transmitted between your device and our servers uses TLS 1.2 or TLS 1.3 encryption - the same protection used by banks.
At rest: Audio files on your device are protected by iOS hardware encryption (on iPhone) or Android file-based encryption (on Android). On Android we additionally disable Auto Backup (android:allowBackup="false") and exclude all recording and queue data from device-to-device transfer and ADB extraction (via dataExtractionRules) so unfinished recordings cannot leave the device through Google's backup channels. Data on our servers is encrypted using industry-standard methods.

Authentication Security

Your password is hashed using bcrypt before storage - we cannot see your actual password
Authentication tokens are stored in your device's Keychain (hardware-backed security)
Sessions expire and require re-authentication for security

Access Controls

Your clinical notes are accessible only through your authenticated account
NovaScribe staff do not access your recordings or notes in ordinary operations
Administrative access for system maintenance is logged and audited
Access may occur only: (a) with your explicit consent for support requests, (b) as required by law, or (c) to protect safety or security

Infrastructure

Hosted on Amazon Web Services with enterprise security
Business Associate Agreements in place with all cloud providers
Regular security assessments
Audit logging for compliance

7. Data Retention

Data Type	How Long We Keep It	How It's Deleted
Audio recordings	Deleted within 6 hours of processing	Automatic, permanent deletion
Clinical notes	Until you delete them or close your account	You control this
Account information	While active + 30 days after closure	Upon account deletion request
Billing records	7 years (legal/tax requirements)	Automatic after retention period
Audit logs	90 days	Automatic rotation
In-app Help Chatbot conversations	12 months (see below)	Automatic deletion after 12 months

Help Chatbot conversations

When you ask a question in the in-app Help Chatbot (the “Interactive Help” assistant), the question you typed and the assistant’s answer are saved so the NovaScribe team can review them for quality improvement — finding gaps in our help content, fixing answers that were confusing, and identifying topics that should be added.

Storage: in NovaScribe’s HIPAA-covered AWS infrastructure (Amazon S3 in us-east-2), encrypted at rest with a dedicated encryption key, and accessible only to authenticated NovaScribe administrators.
Retention: 12 months, then automatic deletion.
Patient information: the Help Chatbot is not for patient information. The chat interface reminds you of this on every conversation. The assistant is instructed never to repeat patient details back. We strongly recommend keeping patient names, dates of birth, MRNs, and similar identifiers out of Help Chatbot questions.
Disabling: the chatbot can be turned off entirely by your organization’s administrator. When off, no conversations are stored.

Account Deletion

To delete your account and all associated data:

In the app: Settings → Privacy → Delete My Account
By email: Contact privacy@novascribe.us

Upon deletion request:

Your clinical notes are permanently deleted
Your account information is removed
Deletion is completed within 30 days
Some data may persist in encrypted backups temporarily before being purged

Note: We cannot delete data that we're legally required to retain (such as billing records for tax purposes).

8. What We Don't Do

We believe in being clear about what we don't do with your data:

We don't sell your data - Not to data brokers, advertisers, or anyone else
We don't show you ads - NovaScribe is ad-free
We don't share with insurance companies - Unless you explicitly direct us to
We don't train our own AI models on your data - Your dictations are processed, not learned from
We don't keep audio recordings long-term - Deleted within 6 hours
We don't access your notes without reason - Only for support you request, legal requirements, or security
We don't track you across apps or websites - We do not participate in cross-app tracking or use advertising identifiers
We don't use health data for advertising - Website analytics track only non-PHI account events (signup, subscription)

9. Your Rights and Choices

You have control over your data:

Access Your Data

Request a copy of the personal information we hold about you.
→ Email privacy@novascribe.us

Correct Your Data

Update inaccurate account information anytime in the app, or contact us for assistance.
→ Settings → Account in the app

Delete Your Data

Remove individual notes anytime, or delete your entire account.
→ Settings → Privacy → Delete My Account

Export Your Data

Download your clinical notes in standard formats.
→ Contact privacy@novascribe.us

Opt Out of Communications

Unsubscribe from marketing emails (you'll still receive essential service communications).
→ Link in any marketing email

Manage Push Notifications

Control what notifications you receive.
→ Settings → Notifications in the app

                Response time: We respond to privacy requests within 30 days (or sooner if required by law).
            

10. California Privacy Rights

If you're a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Your California Rights

Right to Know: Request what personal information we've collected, used, and shared
Right to Delete: Request deletion of your personal information
Right to Correct: Request correction of inaccurate information
Right to Opt-Out of Sale/Sharing: We do not sell your personal information or share it for cross-context behavioral advertising
Right to Non-Discrimination: We won't treat you differently for exercising your rights

Categories of Information We Collect

In the past 12 months, we have collected:

Identifiers (name, email, device identifiers)
Professional information (medical specialty)
Commercial information (subscription history)
Audio/visual information (dictation recordings)
Health information (clinical documentation)
Internet activity (usage logs)

How to Exercise Your Rights

Email: privacy@novascribe.us
In-app: Settings → Privacy

We will verify your identity before processing requests. You may designate an authorized agent to make requests on your behalf.

                HIPAA Exception: Health information processed under a Business Associate Agreement is exempt from CCPA under the HIPAA exemption.
            

11. Children's Privacy

NovaScribe is designed for licensed healthcare professionals. The service is not intended for use by individuals under 18 years of age.

We do not knowingly collect personal information from children under 13 (or other applicable age threshold). If we learn that we have collected personal information from a child, we will delete it promptly.

If you believe a child has provided us with personal information, please contact us at privacy@novascribe.us.

12. Important Disclaimers

NovaScribe is a Documentation Tool, Not Medical Advice

NovaScribe generates clinical documentation to assist healthcare providers. NovaScribe is NOT:

A substitute for professional medical judgment
A source of medical advice for patients
An FDA-regulated medical device
A replacement for reviewing documentation

AI-Generated Content Requires Your Review

The clinical notes, billing codes, and other content generated by NovaScribe are suggestions only. As a healthcare provider, you are responsible for:

Reviewing all AI-generated content for accuracy
Making clinical decisions independent of AI suggestions
Ensuring documentation reflects the actual encounter
Verifying billing codes are appropriate and supported
Maintaining compliance with professional and legal standards

                Limitation of Liability: Our full Terms of Service contain important limitations on liability. While we work hard to provide accurate, reliable service, we cannot guarantee AI-generated content will be error-free. You remain responsible for the clinical care you provide and the documentation you sign.
            

13. Mobile Apps (iOS and Android)

Apple App Store Privacy Information

In accordance with Apple's App Privacy requirements, the following data may be linked to your identity for the iOS app:

Contact information (email address)
Health and fitness data (clinical notes generated from your dictations)
Identifiers (user ID, device ID for push notifications)
Usage data (app interactions, crash data)

Google Play Data Safety Information

In accordance with Google Play's Data Safety requirements, the NovaScribe Android app collects, processes, or stores the following categories of data; all are linked to your identity (your NovaScribe account):

Data type	Collected	Shared	Purpose
Email address	Yes	No	Account creation, sign-in, password reset, email verification
User IDs	Yes	No	Identify your NovaScribe account on the server
Audio recordings	Yes	With our HIPAA-compliant speech-to-text subprocessors only	Generate transcripts; deleted within 6 hours of processing
Health information (clinical notes)	Yes	With our HIPAA-compliant AI subprocessors only	Generate and store your clinical notes
Device or other IDs (FCM push token)	Yes	No	Send "your note is ready" push notifications
App interactions	Yes	No	Diagnose bugs, identify reliability issues
Crash logs	Yes	No	Diagnose crashes (no PHI included)

All transit is encrypted with TLS 1.2+ and certificate pinning to novascribe.us. Audio storage is local-only until you tap "Generate Note." None of the data above is sold or used for advertising.

Data Not Collected (both platforms)

We do not collect data for third-party advertising
We do not track you across apps and websites owned by other companies
We do not use the Apple advertising identifier (IDFA) on iOS or the Google Advertising ID (AAID) on Android
We do not request App Tracking Transparency permission on iOS because we do not engage in tracking
The Android app does not declare the AD_ID permission

Subscription Information

NovaScribe subscriptions are managed through our website (novascribe.us) via Stripe. The iOS app supports both web-managed subscriptions and Apple In-App Purchases (StoreKit 2); the Android app opens the Stripe checkout and customer portal pages in a Chrome Custom Tab so management, billing, and cancellation happen on novascribe.us/settings. The Android app does not currently use Google Play Billing for in-app purchases of NovaScribe subscriptions.

14. Website Analytics

We use Google Ads conversion tracking on our website (novascribe.us) to measure the effectiveness of our advertising. This tracking:

Fires only on specific account events (signup completion, subscription activation)
Does not collect or transmit any health information or PHI
Uses cookies subject to Google's privacy policy
Can be blocked by disabling cookies in your browser

Google Ads conversion tracking is used on the website only, not within the iOS or Android apps. The mobile apps do not embed third-party analytics SDKs. The only third-party SDK integrated into the Android app is Firebase Cloud Messaging (FCM), which is used solely to receive push notifications when your clinical note is ready -- no analytics events are sent to Firebase.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

We will post the updated policy with a new "Last Updated" date
We will notify you by email and/or in-app notification at least 30 days before material changes take effect
We will maintain a changelog of significant updates

Your continued use of NovaScribe after changes take effect constitutes acceptance of the updated policy.

Previous versions: Contact privacy@novascribe.us to request previous versions of this policy.

16. Contact Us

We're here to answer your privacy questions.

General Privacy

privacy@novascribe.us

HIPAA & BAA Requests

hipaa@novascribe.us

Security Concerns

security@novascribe.us

General Support

support@novascribe.us

Mailing Address

Proctor Medical Consulting, LLC
5636 Lake Trace Drive
Hoover, AL 35244

Response Time: We aim to respond to all inquiries within a few business days.

The Short Version