Privacy Policy

    Last updated: May 24, 2026

    At ScribeEase Health (“we,” “our,” or “us”) provides AI-assisted clinical documentation and virtual assistant services to healthcare providers. We are committed to protecting personal and health information in accordance with applicable privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA), applicable provincial health privacy laws such as Personal Health Information Protection Act (PHIPA), and, where applicable, the Health Insurance Portability and Accountability Act (HIPAA).

    This Privacy Policy explains how we handle information in connection with our services.

    How we Protect Data

    ScribeEase Health is designed to minimize exposure of patient data while supporting real- time clinical workflows.

    • • De-identification is performed prior to AI-assisted processing.
    • • AI and transcription systems operate in a stateless manner.
    • • No long-term storage of identifiable patient data.
    • • Temporary, de-identified data is retained for quality assurance and permanently deleted within 72 hours.
    • • Access is controlled, session-based, and role-restricted

    Our systems are built with safeguards aligned to healthcare privacy requirements.

    1. Our Services

    ScribeEase Health provides Virtual Physician Assistant (VPA) and Virtual Medical Office Assistant (VMOA) services, along with AI-assisted documentation tools, to support healthcare providers with clinical and administrative workflows, including documentation, prescriptions, referrals, and scheduling.

    Our services may involve interaction with personal and personal health information within systems controlled by the healthcare provider.

    2. System Design and Data Handling

    ScribeEase Health is designed to minimize the collection, exposure, and retention of personal health information.

    • • De-identification is performed prior to AI-assisted processing as part of a controlled workflow.
    • • Personal health information primarily remains within the healthcare provider’s Electronic Health Record (EHR) or authorized systems.
    • • De-identified transcripts and documentation outputs may be temporarily stored in a secure internal database strictly for quality assurance purposes.
    • • This data does not contain direct patient identifiers and is automatically and permanently deleted within 72 hours. No soft deletion is used.

    3. Information We Handle

    3.1 Personal Health Information (PHI)

    • • Accessed only as necessary to deliver contracted services.
    • • Handled within provider-controlled systems wherever possible.
    • • De-identified prior to AI-assisted processing.
    • • Not retained in identifiable form within ScribeEase Health systems.

    3.2 Business and Contact Information

    We may collect business-related information through our website or onboarding processes, including:

    • • Name, clinic/organization, role, specialty (optional).
    • • Work email and phone number.
    • • Service preferences and scheduling information.

      • This information is used solely for communication, onboarding, and service delivery.

    4. Purpose of Use

    Information is used only for:

    • • Delivering contracted services.
    • • Supporting clinical documentation workflows.
    • • Communication and onboarding.
    • • Meeting legal and regulatory obligations.

    We do not use information for unrelated purposes.

    5. Compliance with Canadian Privacy Principles

    We align our practices with the principles set out under the Personal Information Protection and Electronic Documents Act (PIPEDA), including:

    • • Accountability.
    • • Identifying purposes.
    • • Limiting collection.
    • • Limiting use, disclosure, and retention.
    • • Safeguards.
    • • Openness and transparency.
    • • Individual access rights where applicable.

    6. Data Security and Safeguards

    We implement appropriate administrative, technical, and organizational safeguards, including:

    • • Encryption in transit and at rest.
    • • Role-based and least-privilege access controls.
    • • Multi-factor authentication.
    • • Session-based access per patient encounter.
    • • Workforce confidentiality agreements and training.
    • • Audit logging and monitoring.
    • • Defined incident response and breach notification procedures.
    • • Automatic data deletion policies, including hard deletion of temporary data.

    7. Information Sharing and Disclosure

    We do not sell, rent, or trade personal information.

    Information may be disclosed only:

    • • To deliver contracted services.
    • • With authorization from the healthcare provider.
    • • As required by law or legal process.
    • • To prevent serious and imminent risk to health or safety.
    • • As otherwise permitted under applicable healthcare privacy laws.

    8. Third-Party Service Providers

    We use carefully selected third-party service providers to support service delivery, including speech recognition services, AI processing services, and secure infrastructure providers.

    These providers:

    • • Operate under strict contractual confidentiality and security obligations.
    • • Are configured for stateless processing.
    • • Do not retain, store, or use data for independent purposes.

    9. Data Retention

    • • Personal health information is not retained in identifiable form within ScribeEase Health systems.
    • • De-identified operational data used for quality assurance is retained for a limited period (up to 72 hours) and then permanently deleted.
    • • Business information is retained only as long as necessary for communication and service delivery.

    10. International Access

    Our workforce may operate from multiple jurisdictions.

    • • Access is strictly controlled and role-based.
    • • All personnel are bound by confidentiality obligations.
    • • Data handling practices remain aligned with applicable privacy laws regardless of access location.

    11. Your Rights

    Subject to applicable laws such as PIPEDA and PHIPA, individuals may:

    • • Request access to their personal information
    • • Request corrections where appropriate
    • • Withdraw consent where applicable.
    • • File a complaint with a relevant regulatory authority

    Requests may be submitted to: info@scribeeasehealth.com

    12. Data Protection Agreements

    ScribeEase Health can support Data Processing Agreements (DPAs) and, where applicable, Business Associate Agreements (BAAs). These agreements may be made available upon request to define roles, responsibilities, and safeguards related to data handling.

    13. Cookies and Website Tracking

    • We may use cookies or similar technologies for website functionality and analytics.
    • Users may manage cookie preferences through their browser settings.
    • We do not provide personal information to third parties for independent marketing purposes.

    14. Changes to This Policy

    We may update this Privacy Policy to reflect changes in services, operations, or legal requirements. Updates will be posted with a revised “Last Updated” date.

    15. Contact

    • ScribeEase Health Private Limited
    • Registered entity in India
    • Email: info@scribeeasehealth.com