Privacy Policy

Last updated: SOAP-E, LLC

1. Overview and Scope

SOAP-E, LLC ("SOAP-E," "Company," "we," "us," or "our") provides an AI-assisted clinical documentation platform designed for use by licensed healthcare professionals and their organizations (the "Service").

This Privacy Policy describes how we collect, use, disclose, and safeguard information when acting solely as a Business Associate under HIPAA, and when processing limited personal information related to user accounts.

Scope

This Policy applies to:

  • Users of the SOAP-E platform
  • Personal information related to user accounts
  • Protected Health Information ("PHI") processed on behalf of Covered Entities

In the event of any conflict between this Privacy Policy and a signed Business Associate Agreement ("BAA"), the BAA controls with respect to PHI.

2. Regulatory Alignment

SOAP-E's privacy and security practices are designed to align with applicable laws and regulations, including:

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • The HIPAA Privacy, Security, and Breach Notification Rules
  • Applicable state privacy and data protection laws

State Privacy Laws

Protected Health Information processed under HIPAA is exempt from most state privacy laws, including the California Consumer Privacy Act (CCPA).

State privacy law requirements, where applicable, apply only to:

  • Non-PHI account information (e.g., name, email, professional credentials)
  • Technical and operational data that does not constitute PHI

When state privacy laws apply to non-PHI data, individuals may have rights to access, correct, or delete such information, subject to legal exceptions and Covered Entity approval where account data is linked to clinical services.

Compliance with healthcare privacy laws depends on lawful and appropriate use of the Service by Users and Covered Entities.

3. Information We Process

3.1 Account and Authentication Information

We process limited personal information necessary to create and secure user accounts, including:

  • Name and professional contact information
  • Professional affiliation and role
  • OAuth-based authentication identifiers from providers such as Google or Microsoft
  • Account preferences and security settings
  • EHR integration credentials — encrypted OAuth access tokens and refresh tokens obtained when a User or account administrator connects an Electronic Health Record system through the Service

OAuth access tokens used for user authentication are encrypted, short-lived, and used solely for authentication. SOAP-E does not access user email content, contacts, or files from authentication OAuth providers.

EHR OAuth credentials are encrypted at rest using dedicated encryption keys, stored separately from PHI, and used solely to authenticate with the connected EHR system for the purposes described in this Policy. EHR credentials are never exposed to users through the Service interface.

3.2 Protected Health Information (PHI)

SOAP-E processes PHI solely on behalf of Covered Entities for the purpose of providing clinical documentation services.

PHI processed by the Service may include:

  • Audio recordings of clinical encounters
  • Transcripts generated from audio recordings via AI-powered speech-to-text services
  • Clinical notes, observations, assessments, and AI-generated documentation
  • Patient demographic information used in documentation (e.g., date of birth)
  • Consent records documenting patient authorization for recording and processing
  • Patient demographic data retrieved from connected EHR systems during patient search and linking (e.g., name, date of birth, medical record number, gender) — used solely to match patients between the Service and the EHR and to facilitate document submission

3.3 Service and Operational Data

We process limited operational and technical data to maintain service reliability and security, including:

  • Device and browser metadata
  • IP address and coarse geographic information
  • System performance metrics
  • Security and access audit records

Operational logs are designed to exclude PHI.

4. How We Use Information

4.1 Core Service Functions

We use information solely to:

  • Provide AI-assisted clinical documentation services
  • Transmit clinical documentation to connected EHR systems at the direction of authorized Users
  • Retrieve patient demographic information from connected EHR systems to facilitate patient matching and document submission
  • Authenticate users and enforce access controls
  • Secure the Service and prevent misuse
  • Provide customer support
  • Meet legal and contractual obligations

4.2 Service Reliability and Improvement

SOAP-E may analyze aggregated, de-identified operational metadata to:

  • Monitor performance and availability
  • Detect errors and security threats
  • Improve reliability and usability

Such analysis does not involve the use of PHI or Customer Content to train or fine-tune general-purpose AI or foundation models.

5. Information Sharing and Disclosure

5.1 General Principle

SOAP-E does not sell or rent personal information or PHI.

5.2 Subprocessors and Infrastructure Providers

SOAP-E uses the following infrastructure and service providers under executed Business Associate Agreements:

  • Amazon Web Services, Inc. (AWS) — Cloud hosting, infrastructure, and database services

AWS does not use PHI processed through its services to train foundation models or general-purpose AI models.

Any subcontractor that may process PHI is contractually bound to:

  • Comply with HIPAA Security Rule requirements
  • Use PHI only as permitted by our BAA obligations
  • Implement appropriate technical and organizational safeguards
  • Not use PHI for their own purposes or to train AI models

5.3 User-Directed Transmissions to Electronic Health Record Systems

The Service allows authorized Users to transmit clinical documentation (e.g., SOAP notes) to Electronic Health Record ("EHR") systems connected by the User or their account administrator. When a User initiates an EHR submission:

  • PHI is transmitted directly from SOAP-E to the designated EHR system at the User's explicit direction
  • The transmission is authenticated using encrypted OAuth credentials specific to the connected EHR
  • SOAP-E acts as a conduit, transmitting PHI back to the Covered Entity's own EHR infrastructure — this is a return of PHI to the Covered Entity, not a disclosure to a third party
  • EHR systems are not subprocessors or subcontractors of SOAP-E and are not covered under SOAP-E's Business Associate Agreement

To facilitate EHR submissions, the Service may also retrieve limited patient demographic information from the connected EHR system (e.g., name, date of birth, medical record number) for the sole purpose of matching a patient in the Service to the corresponding patient record in the EHR.

5.4 Legal and Regulatory Disclosures

We may disclose information when required to do so by law, regulation, or valid legal process, including disclosures to health oversight authorities.

5.5 Business Transfers

In the event of a merger, acquisition, or asset sale, information will remain subject to equivalent privacy protections and applicable legal restrictions.

6. Security Safeguards

SOAP-E implements administrative, physical, and technical safeguards designed to protect information, including:

  • Encryption in transit and at rest
  • Role-based access controls and multi-factor authentication
  • Secure secrets management
  • Continuous monitoring and incident response procedures

SOAP-E personnel do not have routine access to decrypted PHI, except as required for:

  • Security incident investigation and response
  • Customer support with explicit authorization
  • Legal or regulatory compliance obligations

All such access is subject to strict access controls, audit logging, and oversight.

7. HIPAA Rights and Responsibilities

SOAP-E acts solely as a Business Associate under HIPAA.

Your Rights

To the extent SOAP-E maintains PHI in a Designated Record Set on behalf of a Covered Entity, SOAP-E will support Covered Entity obligations related to:

  • Access requests
  • Amendments
  • Accounting of disclosures

Requests regarding patient rights should generally be directed to the Covered Entity.

8. Data Retention and Deletion

Retention Policy Hierarchy

Data retention is governed by the following hierarchy of controlling documents:

  • For PHI: The executed Business Associate Agreement controls all retention, deletion, and return obligations
  • For non-PHI personal information: This Privacy Policy governs retention periods
  • For all data: Applicable federal and state legal requirements, including medical record retention laws, may mandate minimum retention periods

General Retention Principles

SOAP-E retains information only as necessary to provide the Service, meet contractual obligations, and comply with applicable law.

Retention periods may vary based on:

  • Covered Entity configuration and contractual requirements
  • Applicable state medical record retention laws
  • Legal hold, litigation, or regulatory investigation requirements
  • Backup and disaster recovery schedules

SOAP-E does not independently determine medical record retention obligations — such determinations remain the responsibility of the Covered Entity.

Audio Recording Retention

Audio recordings of clinical encounters are promptly deleted after processing. Transcripts and AI-generated documentation derived from audio recordings are retained as PHI and governed by the BAA retention policy.

Consent records documenting patient authorization for recording and processing are retained for audit and compliance purposes for the duration of the service relationship and as required by applicable law.

Deletion Upon Termination

Upon termination of services, PHI will be handled in accordance with BAA requirements:

  • Returned to Covered Entity in a usable format, if feasible
  • Destroyed in accordance with NIST 800-88 or equivalent standards, if feasible
  • Retained under continued protections if return or destruction is infeasible, with limited use and disclosure as required by law

9. User Choices and Account Controls

Users may:

  • Update account information
  • Configure security settings
  • Manage communication preferences
  • Request account deactivation

Requests involving PHI may be subject to Covered Entity approval and legal requirements.

9.1 Data Deletion Requests

Users may submit requests to delete specific patient data through the Service, including audio recordings, transcripts, generated notes, or all data associated with a patient. Deletion requests are reviewed and processed in accordance with the BAA and applicable law.

Deletion may be delayed or limited by applicable federal or state medical record retention requirements, legal hold or litigation requirements, or regulatory investigation obligations. Users will be notified of the status and completion of deletion requests through the Service.

9.2 Consent Management

The Service provides tools for documenting patient consent to audio recording and AI processing. Users may review consent records for their patients through the Service. Consent records are maintained as part of the compliance audit trail and are not subject to routine deletion.

10. Cookies and Tracking

10.1 Cookies We Use

The Service uses only cookies that are strictly necessary for its operation. No cookies are used for analytics, advertising, or tracking purposes. The following cookies may be set:

  • Authentication cookie — A secure, HTTP-only session cookie that keeps you signed in. It is automatically removed when you sign out.
  • Authentication OAuth state cookie — A secure, HTTP-only cookie used during the sign-in process to prevent cross-site request forgery. It is single-use and short-lived.
  • EHR OAuth state cookie — A secure, HTTP-only cookie used during the EHR connection process to prevent cross-site request forgery when authenticating with an external EHR system. It is single-use, expires after ten minutes, and is automatically deleted after the connection flow completes regardless of outcome.

Because these cookies are strictly necessary to provide the Service you have requested, they do not require separate consent under applicable privacy laws, including the EU ePrivacy Directive.

10.2 What We Do Not Use

SOAP-E does not use third-party cookies, cross-site tracking, behavioral advertising, browser fingerprinting, or local storage for any purpose. No data is sent to third-party analytics or advertising services.

11. International Processing

The Service is hosted in the United States. Authorized remote access may occur from approved jurisdictions under strict access controls and audit logging.

12. Incident Response and Breach Notification

SOAP-E maintains an incident response program designed to identify, contain, and remediate security incidents.

Breach Notification

In the event of a Breach of Unsecured PHI, SOAP-E will notify affected Covered Entities without unreasonable delay and in accordance with HIPAA Breach Notification Rule requirements.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the Service or by other appropriate means.

14. Contact Information

Privacy Officer

Questions or concerns may be directed to:

By using the Service, you acknowledge that you have read and understood this Privacy Policy.

Questions about this Privacy Policy? Contact our Privacy Officer at support@soap-e.com