Privacy Policy
Effective date: June 23, 2026
1. Introduction
ScrybeX ("we," "our," or "us") is committed to protecting the privacy and security of your information. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use the ScrybeX platform, website, and related services (collectively, the "Service").
2. Information We Collect
Account Information
When you register for ScrybeX, we collect your name, email address, professional discipline, and organization name. This information is entered by you at signup.
Clinical Data (Protected Health Information)
ScrybeX processes clinical documentation that may contain Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA). This data is entered or recorded by the licensed clinician and includes:
- Patient diagnosis (medical and treatment diagnosis)
- Functional goals
- Session notes and dictation
All PHI is encrypted at rest and in transit.
Audio Recordings
When you use dictation, ScrybeX records audio that you create. This audio is transcribed to text on ScrybeX's own servers and is not sent to any third-party service.
Billing Information
To process subscriptions, we collect your name and email address. Payment card data is entered into and handled directly by Stripe, our payment processor, and is not stored on ScrybeX's servers.
Audit and Usage Data
We collect access and activity logs — including login events, note generation, and document exports — to maintain the audit trail required under HIPAA and to secure the Service.
3. How We Use Your Information
- To generate clinical documentation using artificial intelligence based on your input
- To provide, store, maintain, and improve the Service
- To manage patients and organizations within your account
- To process payments and manage your subscription
- To maintain HIPAA-required audit trails
- To communicate with you about your account and the Service
- To detect, prevent, and respond to security incidents
We do not sell your personal information or PHI, and we do not use it for advertising.
4. HIPAA Compliance
ScrybeX is built on AWS infrastructure under a signed Business Associate Agreement (BAA). We implement administrative, physical, and technical safeguards to protect PHI including:
- Field-level encryption on all PHI database columns using AWS KMS customer-managed keys
- TLS 1.2+ encryption for all data in transit
- S3 server-side encryption (SSE-KMS) for all stored files
- Append-only audit logging for all PHI access events
- Role-based access controls limiting data access to authorized users
- Automatic session timeout after 30 minutes of inactivity
5. Third Parties We Share Data With
We do not sell your personal information or PHI. We share data only with the service providers listed below, each of which is bound by contractual obligations (including a HIPAA Business Associate Agreement where PHI is involved) to provide protections equivalent to those described in this policy.
- Amazon Web Services — Amazon Bedrock (running Anthropic's Claude AI models): receives the patient diagnosis, functional goals, and dictation text in order to generate draft clinical documentation. It does not receive patient names, dates of birth, or medical record numbers. This data is not used to train AI models and is not retained by the provider. Covered by the AWS Business Associate Agreement. See Section 6 (AI Processing) for details.
- Amazon Web Services (hosting and storage): stores your data, encrypted at rest, on AWS infrastructure under the AWS Business Associate Agreement.
- Stripe (payment processing): receives your name and email address for billing. Payment card data is handled directly by Stripe.
- Google Workspace (email delivery): receives a recipient's name and email address to send transactional messages such as invitations and reminders.
Our public marketing website (www.scrybeapp.com) uses Google Analytics 4, the Meta (Facebook) Pixel, and Microsoft Clarity to understand site traffic and measure the effectiveness of our advertising. These tools set cookies and collect standard web-analytics data — such as pages viewed, referring site, approximate location, and device and browser type — which may be shared with Google, Meta, and Microsoft respectively. Microsoft Clarity additionally records anonymized interaction data (such as mouse movement, clicks, and scrolling) to produce heatmaps and session replays, with text you enter masked by default. All of these tools run only on our public marketing pages and never receive PHI or any clinical information. The ScrybeX application itself (app.scrybeapp.com), where your clinical data lives, uses no analytics, advertising, crash-reporting, or third-party tracking services.
We may also disclose information when required by law, subpoena, or legal process, or in connection with a merger, acquisition, or sale of assets.
6. AI Processing
When you generate a note, the clinical information you provide — the patient's diagnosis, functional goals, and your session dictation — is transmitted securely to Amazon Bedrock (AWS), running Anthropic's Claude models, to produce draft documentation. Patient names, dates of birth, and medical record numbers are never transmitted to this service. This data is encrypted in transit, processed under a HIPAA Business Associate Agreement, and is not used to train AI models and not retained by the provider. Audio you record is transcribed on ScrybeX's own servers and is not sent to any third-party service.
7. Data Retention
Clinical documentation and audit logs are retained for a minimum of six (6) years in accordance with Medicare documentation retention requirements. You may request deletion of your account data by contacting us, subject to legal retention obligations.
8. Your Rights
You have the right to:
- Access your personal information and clinical data
- Request correction of inaccurate information
- Request deletion of your account (subject to retention requirements)
- Receive a copy of your data in a portable format
- Opt out of non-essential communications
9. Security
We implement industry-standard security measures to protect your information. No method of electronic transmission or storage is 100% secure, but we strive to use commercially acceptable means to protect your data. All PHI is encrypted at rest and in transit, and we never log PHI to application logs.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the effective date. Your continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
ScrybeX
Email: privacy@scrybeapp.com
Support: scrybeapp.com/support