Privacy Policy

Last Updated: December 2024

1. Introduction

Bloomence AI Scribe ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered therapy documentation platform (the "Service").

2. Information We Collect

2.1 Information You Provide Directly

• Account Information: Email address, password, name, professional license information, practice details
• Session Data: Audio recordings, transcripts, clinical notes, session metadata (client names, dates, session types)
• Profile Information: Professional credentials, practice settings, preferences
• Communication Data: Messages, feedback, support requests

2.2 Information Collected Automatically

• Usage Data: How you interact with our Service, features used, time spent
• Device Information: Browser type, operating system, IP address, device identifiers
• Technical Data: Log files, error reports, performance metrics
• Cookies and Tracking: Session cookies, authentication tokens, analytics data

2.3 Third-Party Data

• Authentication Data: Information from Supabase for user authentication
• AI Processing Data: Data sent to Deepgram for transcription and OpenAI for note generation
• Analytics Data: Usage statistics and performance metrics

3. How We Use Your Information

3.1 Primary Uses

• Service Delivery: Provide transcription, note generation, and documentation features
• Account Management: Create and maintain your account, authenticate users
• AI Processing: Convert audio to text and generate clinical notes
• Data Storage: Securely store your sessions and notes

3.2 Secondary Uses

• Service Improvement: Analyze usage patterns to enhance features and performance
• Support: Provide customer support and technical assistance
• Security: Monitor for fraud, abuse, and security threats
• Legal Compliance: Meet regulatory requirements and legal obligations

4. Information Sharing and Disclosure

4.1 Third-Party Service Providers

We share information with trusted third-party providers who assist in delivering our Service:

• Supabase: Database and authentication services
• Deepgram: Audio transcription services
• OpenAI: AI-powered note generation
• Vercel: Web hosting and content delivery

4.2 Legal Requirements

We may disclose your information if required by law or to:

• Comply with legal processes or government requests
• Protect our rights, property, or safety
• Prevent fraud or security threats
• Enforce our Terms of Service

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the business transaction.

5. Data Security

5.1 Security Measures

• Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Role-based access with multi-factor authentication
• Network Security: Firewalls, intrusion detection, and monitoring
• Regular Audits: Security assessments and vulnerability testing

5.2 Data Breach Response

In the event of a data breach, we will:

• Notify affected users within 72 hours
• Report to relevant authorities as required by law
• Implement immediate containment measures
• Provide credit monitoring if necessary

6. Data Retention

6.1 Retention Periods

• Account Data: Retained while account is active plus 30 days after deletion
• Session Data: Retained for 7 years (legal requirement for healthcare records)
• Audio Recordings: Retained for 7 years or until manually deleted
• Logs and Analytics: Retained for 1 year for security and performance monitoring

6.2 Data Deletion

You may request deletion of your data at any time. We will:

• Delete data within 30 days of request
• Provide confirmation of deletion
• Retain data required for legal compliance

7. Your Rights and Choices

7.1 Access and Control

• Access: View and download your data
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your data
• Portability: Export your data in a standard format

7.2 Communication Preferences

• Opt out of marketing communications
• Manage notification settings
• Control data sharing preferences

8. International Data Transfers

Your data may be processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place for international transfers, including:

• Standard Contractual Clauses (SCCs)
• Adequacy decisions by relevant authorities
• Certification schemes and codes of conduct

9. Children's Privacy

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the updated policy on our website
• Sending email notifications to registered users
• Displaying prominent notices in our Service

11. Contact Information

12. Regional Privacy Rights

12.1 California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know what personal information we collect, the right to delete personal information, and the right to opt-out of the sale of personal information.

12.2 European Union Residents (GDPR)

If you are in the European Union, you have additional rights under the General Data Protection Regulation, including the right to access, rectification, erasure, portability, and objection to processing of your personal data.

12.3 Canadian Residents (PIPEDA)

If you are in Canada, you have rights under the Personal Information Protection and Electronic Documents Act, including the right to access your personal information and the right to challenge the accuracy and completeness of your information.

This Privacy Policy is effective as of the date listed above and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on this page.