Privacy Policy

1. Introduction

MedScribe AI ("we," "us," or "our") is a clinical documentation copilot operated by Dr. Hiram Rodríguez. This Privacy Policy describes how we collect, use, and protect information when you use our web application and services at medscribepr.com (the "Service").

MedScribe AI is designed with HIPAA-conscious principles. While we implement administrative, technical, and physical safeguards to protect health information, we do not claim full HIPAA certification at this stage. We are committed to achieving formal compliance as the product matures.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your full name, email address, username, medical specialty, and a hashed version of your password. We never store plaintext passwords.

2.2 Clinical Input Data

When you use the Service to generate clinical notes, you may provide patient encounter information including dictation text, audio recordings, and clinical context. This data may contain Protected Health Information (PHI) as defined by HIPAA.

2.3 Generated Notes

The Service generates structured clinical notes (drafts) based on your input. These drafts, including all versions, are stored in our database and associated with your account.

2.4 Usage and Technical Data

We collect usage records (note counts, token consumption), audit trail events (actions taken on PHI-related resources), IP addresses associated with requests, and standard web server logs. We do not include PHI in any log output.

2.5 Billing Information

Payment processing is handled entirely by Stripe. We store your Stripe customer ID and subscription status but never store credit card numbers, bank account details, or other payment credentials on our servers.

3. How We Use Your Information

We use your information to provide and operate the Service (note generation, storage, export), authenticate your identity and enforce access controls, enforce usage quotas based on your subscription tier, maintain audit trails as required for HIPAA-conscious operations, process billing through Stripe, and improve the Service's quality and reliability.

We do not use your clinical data to train AI models. Your clinical input is sent to OpenAI's API solely for the purpose of generating your requested note, subject to OpenAI's data usage policies for API customers (which exclude training on API inputs).

4. Third-Party Services

We use the following third-party services to operate MedScribe AI:

OpenAI API — Clinical note generation (GPT-4o) and audio transcription (Whisper). Your clinical text is processed by OpenAI under their API data usage policy, which states that API inputs are not used for model training. OpenAI's API is covered under their Business Associate Agreement (BAA) for HIPAA-eligible customers.

Stripe — Payment processing. Stripe is PCI DSS Level 1 compliant and handles all payment data. We never receive or store your full payment credentials.

PostgreSQL + Redis — Data storage hosted on our infrastructure. Clinical data is stored in an encrypted-at-rest PostgreSQL database. Redis is used for session management and token revocation only.

5. Data Security

We implement the following safeguards: passwords are hashed using Argon2 (industry-standard key derivation function), authentication uses JSON Web Tokens (JWT) with expiration and Redis-backed revocation, all connections are encrypted via TLS 1.2+, every action touching PHI generates an audit event, PHI is stripped from all application logs by a dedicated redaction layer, CORS is restricted to authorized origins only, and rate limiting is enforced on authentication and API endpoints.

6. Data Retention

Your clinical notes and account data are retained for as long as your account is active. Deleted notes are soft-deleted (marked as deleted but retained in the database for audit purposes) for 90 days, after which they may be permanently removed. Audit trail events are retained indefinitely as required for compliance. You may request full account deletion by contacting us at the email below.

7. Your Rights

You have the right to access all clinical notes and data associated with your account, export your notes in multiple formats (text, PDF, MEDITECH), request correction of your account information, request deletion of your account and associated data, and receive a copy of your data in a portable format.

To exercise any of these rights, contact us at privacy@medscribepr.com.

8. Children's Privacy

MedScribe AI is intended for licensed healthcare professionals. We do not knowingly collect information from individuals under 18 years of age.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. Continued use of the Service after changes constitutes acceptance of the updated policy.

10. Contact

For privacy-related questions or concerns, contact: privacy@medscribepr.com

MedScribe AI is operated by Dr. Hiram Rodríguez, based in Puerto Rico.