Privacy Policy

How we collect, use, and protect your information

Last Updated: September 15, 2025

HealingFactor, Inc. ("HealingFactor," "we," "us," or "our") is committed to protecting your privacy and the confidentiality of your health information. This Privacy Policy explains how we collect, use, share, and protect information when you use our HIPAA-compliant medical transcription and note-taking platform (the "Platform").

IMPORTANT: This Privacy Policy applies to our general business practices. For Protected Health Information (PHI) handling, please also review our Business Associate Agreement (BAA), which governs PHI processing under HIPAA.

1. Information We Collect

1.1 Account and Authentication Information

When you create an account, we collect:

  • Email address (used for secure authentication)
  • Name and professional credentials (for account identification and organization setup)
  • Password (encrypted and stored securely)
  • Multi-factor authentication data (when enabled for enhanced security)
  • Organization information (practice name, specialty, organizational structure)

1.2 Platform Usage and Session Data

We automatically collect technical information to provide and improve our Platform:

  • Session activity logs (login/logout times, session duration, inactivity detection)
  • IP addresses (for security monitoring and geographic compliance)
  • Device information (browser type, operating system, device identifiers)
  • Platform usage data (features accessed, pages visited, time spent on different functions)
  • Performance metrics (page load times, error rates, system performance data)

1.3 Audio and Medical Content (PHI)

When you use our transcription services, we process:

  • Audio recordings of patient encounters (temporarily stored during processing)
  • Voice identification profiles ("Voice ID") created from your voice recordings
  • Transcribed text from audio content
  • Generated medical notes (SOAP notes, progress notes, clinical summaries)
  • Patient identifiers associated with medical encounters (when provided)
  • Clinical documentation created using our Platform
  • EHR system data accessed through authorized integrations
  • Learned Output (medical documentation marked for AI training)
  • Speaker attribution data for multi-speaker encounters

HIPAA Notice: All medical content containing PHI is handled according to our Business Associate Agreement and HIPAA Security and Privacy Rules.

1.4 Billing and Payment Information

For subscription management:

  • Payment method details (processed securely by third-party payment processors)
  • Billing address and contact information
  • Subscription plan and usage limits
  • Payment history and transaction records

1.5 Security and Compliance Data

For HIPAA compliance and security monitoring:

  • Access logs (who accessed what PHI and when)
  • Audit trail data (all Platform activities involving PHI)
  • Security incident logs (failed login attempts, suspicious activity)
  • Workforce access justifications (documented reasons for PHI access)
  • Business Associate Agreement acceptance (BAA signing records)

1.6 Communications and Support

When you contact us:

  • Support request details (including any technical issues or questions)
  • Email communications with our support team
  • Feedback and suggestions about Platform functionality
  • Training and onboarding interaction data
  • EHR integration support requests and troubleshooting data
  • Browser extension usage and error reports

2. How We Use Your Information

2.1 Platform Services

We use your information to:

  • Provide medical transcription and note-taking services
  • Generate AI-powered clinical documentation (SOAP notes, summaries)
  • Create and maintain Voice ID profiles for speaker recognition
  • Integrate with and access your EHR systems as authorized
  • Automatically transfer medical documentation to your EHR systems
  • Maintain secure user accounts and authentication
  • Enable organization-level data isolation and access controls
  • Process audio recordings into accurate medical transcriptions
  • Train AI/ML models to improve Platform accuracy (when implemented, with your opt-in consent)

2.2 Security and HIPAA Compliance

We use data for compliance and security purposes:

  • Access control enforcement (role-based permissions, workforce supervision)
  • Audit logging (comprehensive tracking of all PHI access)
  • Security monitoring (detecting unauthorized access attempts)
  • Incident response (investigating and responding to security incidents)
  • Compliance reporting (demonstrating HIPAA adherence)

2.3 Platform Improvement

We use aggregated, de-identified data to:

  • Improve transcription accuracy and AI model performance
  • Enhance Platform functionality and user experience
  • Optimize system performance and reliability
  • Develop new features and capabilities
  • Conduct research and analytics (with all PHI removed)
  • Train AI models using Learned Output (when implemented, with explicit opt-in consent)
  • Customize Platform behavior based on your usage patterns
  • Improve EHR integration compatibility and functionality
  • Enhance voice recognition and speaker attribution accuracy

2.4 Business Operations

We use information for:

  • Account management (subscription billing, renewals, cancellations)
  • Customer support (responding to inquiries and technical issues)
  • Legal compliance (meeting regulatory requirements beyond HIPAA)
  • Business communications (service updates, security notifications)

3. Information Sharing and Disclosure

3.1 General Principle

We do not sell, rent, or trade your personal information. We only share information as described in this policy.

3.2 Service Providers and Subcontractors

We may share information with trusted third parties who help us operate our Platform:

  • Cloud infrastructure providers - Secure hosting and data processing services
  • Audio transcription services - Speech-to-text processing with HIPAA compliance
  • EHR integration services - Electronic health record system connectivity and data synchronization
  • AI/ML training services - Machine learning model training and optimization
  • Payment processors - Subscription billing and payment processing (Stripe)
  • Security vendors - Additional security monitoring and incident response
  • Customer support tools - Help desk and communication platforms

All service providers are required to:

  • Sign Business Associate Agreements (BAAs) when handling PHI
  • Maintain appropriate security safeguards
  • Use information only for specified purposes
  • Comply with applicable privacy and security laws

3.3 Legal Requirements

We may disclose information when required by law:

  • Subpoenas or court orders (we will notify you unless legally prohibited)
  • Regulatory investigations (FDA, HHS, state health departments)
  • Law enforcement requests (with appropriate legal process)
  • Public health requirements (reporting communicable diseases as required)

3.4 Business Transfers

If HealingFactor is acquired or merged:

  • Your information may be transferred to the new entity
  • The new entity must honor this Privacy Policy
  • We will notify you of any ownership changes
  • PHI transfers will comply with HIPAA requirements

3.5 Emergency Situations

We may disclose PHI without authorization in emergencies:

  • Immediate threat to health or safety (patient or public danger)
  • Required public health reporting (disease outbreaks, adverse events)
  • Child or elder abuse reporting (as required by state law)

4. Data Security and Protection

4.1 Technical Safeguards

We implement enterprise-grade security measures:

  • Encryption at rest (AES-256 encryption for all stored data)
  • Encryption in transit (TLS 1.3 for all data transmission)
  • Access controls (multi-factor authentication, role-based permissions)
  • Audit logging (comprehensive activity tracking)
  • Network security (isolated networks, firewalls, secure access controls)

4.2 Physical Safeguards

Our infrastructure is protected by:

  • Certified data centers (SOC 1/2/3 certified, 24/7 physical security)
  • Environmental controls (temperature, humidity, power management)
  • Access restrictions (biometric controls, security personnel)
  • Media disposal (secure destruction of storage devices)

4.3 Administrative Safeguards

We maintain organizational security through:

  • Security officer designation (HIPAA Security Officer oversight)
  • Workforce training (regular HIPAA and security awareness training)
  • Access management (documented procedures for granting/revoking access)
  • Incident response (documented procedures for security breaches)
  • Risk assessments (regular security evaluations and updates)

4.4 Session Management

For user session security:

  • Automatic timeout (15-minute inactivity timeout for HIPAA compliance)
  • Extended sessions (60-minute timeout during active recording sessions)
  • Activity monitoring (tracking user activity for timeout management)
  • Secure logout (proper session termination and token invalidation)

5. Data Retention and Deletion

5.1 Standard Retention Periods

We retain different types of data for varying periods:

  • PHI: Duration of subscription or as specified by your organization
  • Voice ID data: Until manually deleted by you
  • Learned Output: Until manually deleted by you
  • EHR integration data: Same retention settings as your other PHI data
  • Audit logs: 2 years for security monitoring
  • Account information: Duration of subscription plus 1 year for legal compliance
  • Billing records: 3 years for tax and financial compliance
  • Session logs: 90 days for security monitoring
  • Database backups: 15 days for production systems

5.2 Data Deletion Process

When you terminate your account:

  1. Immediate access termination (Platform access disabled)
  2. 30-day export period (you can export your data)
  3. Secure deletion (permanent removal from active systems)
  4. Backup purging (removal from backup systems within 7 days)
  5. Certification (documentation of complete data destruction)

5.3 User-Initiated Deletion

You can request deletion of specific data:

  • Individual recordings (immediate deletion from active storage)
  • Voice ID profiles (permanent removal of voice identification data)
  • Learned Output (deletion of AI training examples)
  • EHR integration data (removal of EHR-sourced information)
  • Specific notes or documents (permanent removal with audit trail)
  • Account closure (complete data removal following retention policies)

6. Your Privacy Rights

6.1 Access Rights

You have the right to:

  • View your personal information that we have collected
  • Access your PHI (within 30 days of written request)
  • Receive copies of your data in portable formats
  • Review audit logs showing who accessed your PHI

6.2 Correction Rights

You can request to:

  • Correct inaccurate personal information
  • Amend PHI (following HIPAA amendment procedures)
  • Update account details (name, email, organization information)

6.3 Deletion Rights

You may request:

  • Account deletion (complete removal of all personal information)
  • Specific data deletion (removal of particular records or files)
  • PHI destruction (secure deletion of medical information)

6.4 Portability Rights

You can request:

  • Data export (download your information in common formats)
  • Transfer assistance (help moving data to another platform)
  • API access (for automated data export where available)

6.5 Restriction Rights

You may request to:

  • Limit data processing (restrict how we use your information)
  • Opt out of communications (marketing emails, non-essential notifications)
  • Restrict access (limit which workforce members can view your PHI)

7. State-Specific Privacy Rights

7.1 California Residents (CCPA/CPRA)

California residents have rights under the CCPA including:

  • Right to know what personal information we collect and how it's used
  • Right to delete personal information (subject to legal retention requirements)
  • Right to opt out of sale of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising privacy rights

Note: Most data we process is Protected Health Information exempt under HIPAA business associate relationships. For CCPA requests, contact: support@healingfactor.tech

7.2 European Union Residents (GDPR)

EU residents have rights under GDPR:

  • Lawful basis for processing (legitimate business interests, legal compliance)
  • Data portability (receive data in machine-readable format)
  • Right to object to processing for direct marketing
  • Right to lodge complaints with supervisory authorities

7.3 Other State Laws

We comply with privacy laws in all states where we operate, including:

  • Virginia Consumer Data Protection Act (VCDPA)
  • Colorado Privacy Act (CPA)
  • Connecticut Data Privacy Act (CTDPA)
  • Utah Consumer Privacy Act (UCPA)

8. International Data Transfers

8.1 Data Location

Your data is primarily stored and processed in:

  • United States (secure data centers in multiple regions)
  • HIPAA-compliant facilities (SOC certified data centers)
  • Geographically distributed (for redundancy and disaster recovery)

8.2 Cross-Border Transfers

If you access our Platform from outside the United States:

  • Data may be transferred to and processed in the United States
  • Privacy laws may differ from those in your jurisdiction
  • We maintain appropriate safeguards for international transfers
  • GDPR adequacy decisions and Standard Contractual Clauses apply where relevant

9. Cookies and Tracking Technologies

9.1 Essential Cookies

We use necessary cookies for Platform functionality:

  • Authentication cookies (maintaining login sessions)
  • Security cookies (CSRF protection, security monitoring)
  • Preference cookies (user interface settings, language preferences)

9.2 Analytics and Performance

We use analytics tools to improve our Platform:

  • Usage analytics (feature adoption, user flows, performance metrics)
  • Error tracking (identifying and fixing technical issues)
  • Security monitoring (detecting suspicious activity)

9.3 Cookie Management

You can control cookies through:

  • Browser settings (disable or delete cookies)
  • Platform preferences (opt out of non-essential tracking)
  • Third-party opt-outs (analytics provider settings)

Note: Disabling essential cookies may affect Platform functionality.

10. EHR Integration and Voice Processing

10.1 EHR System Integration

When you authorize EHR integration:

  • Data collection: We collect PHI from your EHR systems to improve Platform services
  • Automatic transfers: We transfer generated medical documentation to your EHR systems
  • System scanning: Our browser extension scans and reads your EHR webpage structure
  • Access logging: All EHR interactions are logged for security and compliance
  • Vendor compliance: We work within EHR vendor terms and technical limitations

10.2 Voice ID Processing

With your opt-in consent:

  • Voice recording: We record voice samples to create your Voice ID profile
  • Speaker recognition: Voice ID enables automatic speaker attribution in transcriptions
  • Data linking: Voice ID is linked to your customer account for personalized recognition
  • Retention control: You can delete Voice ID data at any time through Platform settings
  • Training improvement: Voice data may be used to improve voice recognition accuracy

10.3 AI Model Training

When AI model training features are implemented, and with your explicit opt-in consent:

  • Implementation notification: You will be notified when AI training features become available
  • Opt-in requirement: Explicit consent will be required before any AI training features are activated
  • Personalized training: Your data may be used to train AI models specific to your practice
  • Learned Output: Documentation you mark as examples is used for Platform customization
  • Accuracy improvement: Training helps improve transcription and note generation quality
  • Full control: You maintain complete control over participation and can opt out at any time
  • Data protection: All training data maintains the same security and privacy protections

11. Third-Party Services

11.1 Cloud Infrastructure

We use cloud infrastructure services for:

  • Computing and hosting (secure server infrastructure)
  • Data storage (encrypted database and file storage)
  • Security services (encryption, access controls, audit logging)
  • Compliance features (HIPAA-eligible services under executed BAA)
  • EHR integration hosting (secure connectivity and data processing)
  • AI/ML processing (machine learning model training and inference)

11.2 Authentication Services

We use secure authentication services for:

  • User account management (registration, login, password reset)
  • Multi-factor authentication (enhanced security options)
  • Secure session management (token-based authentication)
  • EHR system authentication (secure access to integrated systems)

11.3 Payment Processing

We use third-party payment processors:

  • Stripe (credit card processing with PCI DSS compliance)
  • Secure tokenization (payment details not stored on our servers)
  • Fraud prevention (transaction monitoring and verification)

11.4 Analytics and Monitoring

We may use analytics services:

  • Application performance monitoring (error tracking, performance optimization)
  • Security information and event management (SIEM) (security monitoring)
  • Business intelligence (usage analytics, platform optimization)
  • EHR integration monitoring (connectivity and performance tracking)
  • Voice processing analytics (speech recognition accuracy and performance)

12. Children's Privacy

12.1 Age Restrictions

Our Platform is designed for healthcare professionals and is not intended for:

  • Children under 18 (no accounts for minors)
  • Personal health records (not a patient-facing application)
  • Consumer health tracking (professional medical use only)

12.2 Parental Consent

If we discover we have collected information from a child under 18:

  • Immediate notification to parents/guardians
  • Prompt deletion of the child's information
  • Account termination if created by a minor

13. Changes to This Privacy Policy

13.1 Updates and Notifications

We may update this Privacy Policy to:

  • Reflect changes in our practices (new features, services)
  • Comply with new laws (updated privacy regulations)
  • Improve transparency (clearer explanations of our practices)

13.2 Notice of Changes

We will notify you of material changes by:

  • Email notification (to your registered email address)
  • Platform notification (in-app alerts when you log in)
  • Website posting (updated policy with effective date)

13.3 Continued Use

Your continued use of the Platform after changes take effect constitutes acceptance of the updated Privacy Policy.

14. Contact Information

14.1 Privacy Questions

For privacy-related inquiries, contact our Privacy Officer:

  • Email: support@healingfactor.tech

14.2 HIPAA Matters

For HIPAA-related questions or to exercise PHI rights:

  • Email: legal@healingfactor.tech
  • Secure Communications: legal@healingfactor.tech

14.3 Security Incidents

To report security concerns or potential breaches:

  • Email: legal@healingfactor.tech
  • Emergency Contact: legal@healingfactor.tech

14.4 Data Subject Requests

To exercise your privacy rights:

  • Privacy Request Portal: support@healingfactor.tech
  • Email: support@healingfactor.tech
  • Response Time: 30 days for most requests

15. Regulatory Information

15.1 HIPAA Compliance

This Privacy Policy is supplemented by our Business Associate Agreement for PHI handling. For healthcare-related privacy matters, HIPAA requirements take precedence.

15.2 Governing Law

This Privacy Policy is governed by:

  • Federal laws (HIPAA, HITECH Act)
  • State privacy laws (where applicable)
  • Delaware law (for general privacy matters)

15.3 Dispute Resolution

Privacy disputes are subject to the dispute resolution procedures outlined in our Terms of Service.

By using HealingFactor, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein.

Copyright © 2024 HealingFactor, Inc. All rights reserved.