Last Updated: November 17, 2025
Effective Date: November 17, 2025
HearScribe is built on a zero patient data storage architecture. We never store, transmit, or have access to patient-identifiable information, clinical notes, audio recordings, or transcriptions. This Privacy Policy explains what limited data we do collect and how we protect it.
1. Introduction
The Hearing Lab Store Ltd ("we," "us," "our") operates HearScribe, an AI-powered clinical documentation platform for hearing healthcare professionals. This Privacy Policy explains how we collect, use, protect, and share information in compliance with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.
By using HearScribe, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our service.
2. Data Controller Information
Data Controller: The Hearing Lab Store Ltd
Company Number: 13464826
VAT Number: GB384197168
Contact: contact@hearscribe.com
For data protection inquiries, contact us at contact@hearscribe.com with "Data Protection" in the subject line.
3. Zero Patient Data Storage Architecture
HearScribe employs a unique zero patient data storage architecture. ALL patient-identifiable information, clinical notes, audio recordings, and transcriptions remain EXCLUSIVELY in your browser's local memory and are NEVER transmitted to or stored on our servers.
3.1 What This Means for Patient Privacy
When you use HearScribe:
- Patient names and identifiers: Never leave your device
- Audio recordings: Processed locally in your browser only
- Transcriptions: Generated in your browser, never sent to servers
- Clinical notes: Created and stored locally on your device
- Clinical images: Temporarily processed by AI, never stored
3.2 Data Controller Roles
Under this architecture:
- YOU are the data controller for all patient-identifiable information
- WE are the data controller only for your account and organization information
- No data processing agreements are required for patient data (we never process it)
4. Global Healthcare Privacy Compliance
Because HearScribe never stores patient data, we automatically comply with healthcare privacy regulations worldwide. Our zero patient data architecture eliminates compliance complexity across jurisdictions.
4.1 Regulations We Comply With
HearScribe's zero patient data storage architecture ensures automatic compliance with:
- United Kingdom: UK GDPR & Data Protection Act 2018 - Full compliance with European data protection standards
- United States: HIPAA (Health Insurance Portability and Accountability Act) - No Protected Health Information (PHI) stored means no HIPAA compliance burden
- Australia: Privacy Act 1988 & Australian Privacy Principles (APPs) - Automatic compliance through data minimization
- Canada: PIPEDA (Personal Information Protection and Electronic Documents Act) - No personal health information stored
- European Union: EU GDPR - Compatible with UK GDPR standards
4.2 Why This Matters for International Practices
If you practice across multiple jurisdictions or treat patients from different countries:
- No complex data residency requirements
- No need for separate compliance assessments per jurisdiction
- No cross-border data transfer concerns for patient information
- Simplified Business Associate Agreements (HIPAA) - not required for patient data
- Reduced legal and compliance overhead
4.3 Competitive Advantage
Most healthcare SaaS platforms struggle with multi-jurisdiction compliance. HearScribe eliminates this complexity entirely by never storing the regulated data in the first place. You maintain complete control and ownership of patient records while we handle only your non-clinical account information.
5. Information We Collect
5.1 Account Information (We DO Collect)
When you create a HearScribe account, we collect:
- Personal Information: Name, email address
- Organization Information: Clinic name, professional credentials, contact details
- Account Settings: AI preferences, customization options
- Subscription Data: Plan type, billing status, payment method (via Stripe)
5.2 Usage Metadata (We DO Collect)
We collect limited metadata about platform usage:
- Consultation Counts: Number of consultations recorded (NOT content)
- Timestamps: When consultations were created
- Login Activity: Last login date, account access patterns
- Feature Usage: Which features are used (NOT what they contain)
5.3 Patient Data (We DO NOT Collect)
We explicitly DO NOT collect, store, transmit, or have access to: patient names, patient identifiers, clinical notes, audio recordings, transcriptions, health information, diagnosis data, treatment plans, or any patient-identifiable information.
5.4 Technical Data
Standard web hosting and security data:
- IP Addresses: For security and fraud prevention
- Browser Information: Browser type, version for compatibility
- Device Information: Device type for responsive design
- Cookies: Essential cookies only (see Cookie Policy)
6. How We Use Your Information
6.1 Account Information Usage
We use your account information to:
- Provide and maintain your HearScribe account
- Process subscription payments and billing
- Send service-related communications
- Provide customer support
- Improve and personalize your experience
- Comply with legal obligations
6.2 AI Processing
When you generate clinical notes:
- Your transcription text is temporarily sent to the Google Gemini API
- Clinical images (if pasted) are temporarily sent to the Google Gemini Vision API
- AI-generated notes are returned to your browser only
- NO data is retained by us or Google after generation
- Processing is temporary - data exists only during the API call
6.3 Communications
We may contact you via email for:
- Service Updates: Important changes to HearScribe
- Security Notices: Account security alerts
- Billing: Payment receipts and subscription updates
- Support: Responses to your inquiries
You can opt out of non-essential communications through your account settings.
7. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
| Data Type | Legal Basis | Purpose |
|---|---|---|
| Account Information | Contract Performance | Provide HearScribe service |
| Payment Data | Contract Performance | Process subscription payments |
| Usage Metadata | Legitimate Interest | Improve service, prevent abuse |
| Marketing Communications | Consent | Send promotional emails (opt-in) |
| Security Logs | Legitimate Interest | Fraud prevention, security |
8. Third-Party Services
HearScribe integrates with the following third-party services:
8.1 Supabase (Database & Authentication)
- Data Stored: Account information, organization settings, subscription metadata
- Location: EU/UK data centers
- Purpose: User authentication and account management
- Privacy Policy: supabase.com/privacy
8.2 Stripe (Payment Processing)
- Data Stored: Payment method, billing address, transaction history
- Location: Global (GDPR compliant)
- Purpose: Subscription billing and payment processing
- Privacy Policy: stripe.com/privacy
8.3 Google Gemini API (AI Generation)
- Data Sent: Transcription text and clinical images (temporarily)
- Data Retention: None - processed in real-time, not stored
- Purpose: AI-powered clinical note generation
- Privacy Policy: policies.google.com/privacy
8.4 Netlify (Hosting)
- Data Stored: Server logs, IP addresses
- Location: Global CDN (GDPR compliant)
- Purpose: Website hosting and performance
- Privacy Policy: netlify.com/privacy
9. Data Retention
9.1 Active Accounts
- Account Information: Retained while your account is active
- Consultation Metadata: Retained for subscription management
- Billing Records: Retained for 7 years (UK tax law requirement)
9.2 Cancelled Accounts
- First 90 days: Account data retained for reactivation
- After 90 days: Account data permanently deleted
- Billing records: Retained for 7 years (legal requirement)
9.3 Patient Data
Since patient data never reaches our servers, we cannot and do not retain it. YOU are responsible for backing up and retaining your clinical records according to your professional and legal obligations.
10. Your Data Protection Rights (GDPR)
Under UK GDPR, you have the following rights regarding your personal data:
10.1 Right of Access
You can request a copy of all personal data we hold about you. Contact contact@hearscribe.com to request your data.
10.2 Right to Rectification
You can update your account information at any time through your account settings or by contacting us.
10.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your account and all associated data. Note: Billing records must be retained for 7 years per UK tax law.
10.4 Right to Data Portability
You can request your account data in a machine-readable format. Contact us to initiate a data export.
10.5 Right to Object
You can object to processing based on legitimate interests. We will cease processing unless we have compelling legitimate grounds.
10.6 Right to Restrict Processing
You can request restriction of processing in certain circumstances. Contact us to discuss your specific situation.
10.7 Right to Withdraw Consent
Where processing is based on consent, you can withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
10.8 Right to Lodge a Complaint
You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
ICO: ico.org.uk
Phone: 0303 123 1113
11. Data Security
11.1 Technical Security Measures
- Encryption in Transit: All data transmitted via HTTPS/TLS
- Encryption at Rest: Database encryption for stored account data
- Access Controls: Role-based access with multi-factor authentication
- Regular Updates: Security patches and vulnerability monitoring
- Supabase RLS: Row-level security policies on all database tables
11.2 Organizational Security Measures
- Limited employee access to systems containing personal data
- Regular security training for staff
- Incident response procedures
- Regular security audits and assessments
11.3 Zero Patient Data Storage
Our most significant security measure is architectural: by never storing patient data, we eliminate the risk of patient data breaches entirely. Patient information cannot be compromised because it never exists on our servers.
12. Data Breach Notification
In the unlikely event of a data breach affecting your account information:
- We will notify you within 72 hours of discovering the breach
- We will notify the ICO as required by UK GDPR
- We will provide details of the breach, data affected, and remedial actions
- We will take immediate steps to contain and remediate the breach
Note: Patient data breaches cannot occur in HearScribe because we never store patient data.
13. International Data Transfers
Your account data is stored within the UK/EU through Supabase. Some third-party services (Stripe, Google Gemini) may process data internationally. These services are:
- Certified under appropriate data transfer mechanisms
- Subject to GDPR-equivalent data protection standards
- Bound by Standard Contractual Clauses where applicable
14. Children's Privacy
HearScribe is designed for professional healthcare use only. We do not knowingly collect information from individuals under 18 years of age. If you believe we have inadvertently collected such information, contact us immediately for deletion.
15. Cookies and Tracking
HearScribe uses minimal cookies essential for platform functionality. We do NOT use:
- Advertising cookies
- Third-party tracking cookies
- Social media cookies
- Analytics cookies (beyond basic hosting analytics)
For complete cookie information, see our Cookie Policy.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be:
- Posted on this page with an updated "Last Updated" date
- Emailed to registered users for material changes
- Effective 30 days after posting (or immediately for legal requirements)
Your continued use of HearScribe after changes constitutes acceptance of the updated Privacy Policy.
17. Contact Us
For privacy-related inquiries, data access requests, or to exercise your GDPR rights:
Email: contact@hearscribe.com
Subject Line: "Data Protection Request"
The Hearing Lab Store Ltd
Company Registration Number: 13464826
VAT Number: GB384197168
We will respond to all requests within 30 days as required by UK GDPR.