Privacy Policy

Last Updated: November 8, 2025

e-MedScribe ("we," "us," or "our") is committed to protecting your privacy and the privacy of the data you process. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Chrome Extension and associated services (collectively, the "Service").

Your use of the Service is also governed by our Terms of Service and a legally binding Business Associate Agreement (BAA).

1. HIPAA and Protected Health Information (PHI)

Our Service is designed for healthcare professionals and involves the processing of Protected Health Information ("PHI") as defined by the Health Insurance Portability and Accountability Act ("HIPAA").

Business Associate Agreement (BAA) Required

Your use of the Service is strictly contingent upon you or your organization executing a BAA with us. This BAA is a separate, legally binding contract that governs how we handle and protect PHI. Do not use this service to process PHI until a BAA is in place.

Business Associate: We act as a "Business Associate" to you or your organization, which is the "Covered Entity" (or another Business Associate).
Our Responsibilities: We are obligated under HIPAA and our BAA to implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI.

2. Information We Collect

A. Information You Provide

Account Information: When you register and authenticate, we collect personal information, such as your name and email address, provided via our authentication provider (Microsoft Azure Entra).
Payment Information: When you purchase credits, our third-party payment processor (Stripe) will collect your payment information. We do not store your full payment card details; we only receive confirmation of payment.

B. Information We Process on Your Behalf (PHI)

To provide its core function, the Service requires access to read data from your active Electronic Health Record (EHR) webpage (i.e., PointClickCare).

This access is user-initiated. The extension does not access or read any data until you explicitly click a button to begin the note generation process. At that moment, the extension uses your active EHR session to securely access the necessary clinical data. This includes both reading information directly from the active webpage and making background requests to other EHR endpoints (i.e., PointClickCare APIs) using your session to gather a complete clinical picture. This data may include:

Patient identifiers (Name, MRN, etc.)
Allergies
Medications
Diagnoses
Vitals
Lab Results
Orders
Therapy Documents and Clinical Notes
Dietary Information
Code Status

This data is securely transmitted to our backend for the sole purpose of generating your clinical note. We do not store this raw, accessed data. Only the final generated note is stored as part of your account, as described in our retention policy.

3. How We Use Your Information

We use the information we collect and process for the following purposes:

To Provide the Service: To process the PHI you provide (by initiating the data access) and generate the AI-based clinical notes you request.
To Manage Your Account: To authenticate you, manage your credit balance, and maintain your note history.
To Process Payments: To bill you for credit packages through our payment processor.
To Communicate with You: To respond to support requests, send service-related announcements, and manage note reporting.
To Comply with Legal Obligations: To fulfill our legal and regulatory requirements, including our obligations under HIPAA and our BAA.

4. Data Sharing and Disclosure

We do not sell, rent, or trade your Personal Information or PHI.

We may share information with the following third-party service providers (our "sub-associates") who help us operate our Service and are bound by their own BAAs with us:

Microsoft Azure: For secure cloud hosting, database storage, and AI processing (GPT models). All PHI is processed within Azure's HIPAA-compliant environment.
Stripe, Inc.: For secure payment processing.

We may also disclose information if required by law, such as in response to a subpoena or court order, or as permitted by our BAA to report a HIPAA violation.

5. Data Security, Storage, and Retention

Security

We use administrative, technical, and physical security measures to protect PHI and personal data. This includes HTTPS encryption for all data in transit, encryption for data at rest, and leveraging the secure, HIPAA-compliant infrastructure of Microsoft Azure.

Storage

Generated Notes & User Data: Your account information, your generated notes (`generated_note` and `updated_note`), and your note history are stored securely in our encrypted database.
Uploaded Documents: Documents you upload for analysis are stored in our secure, encrypted Azure Blob Storage.

Retention

We retain your generated notes and associated processed data for 60 days from the date of creation. This allows you to access your note history and provides a window for reporting any issues with a note. After this 60-day period, this data may be securely and permanently deleted from our systems. Your user account information will be retained as long as your account is active.

6. User Rights and Controls

You may review, update, or correct your account information (name, email) through your authentication provider. You can access your generated note history through the Service. For requests regarding the deletion of your account or specific data, please contact us, subject to the terms of our BAA.

7. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last Updated" date. We encourage you to review this policy periodically.

8. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us at:

support@emedscribe.com