1. Introduction
Brightwood Apps Inc. ("Brightwood Apps," "we," "our," or "us")—doing business as Heardwell—provides a HIPAA‑compliant clinical‑documentation platform (the "Service") that converts live audio into transcripts and structured SOAP notes for licensed clinicians and their clinics ("you" or "your"). This Privacy Policy explains how we collect, use, disclose, and safeguard Personal Information and Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). It covers only in‑app experiences—not our marketing website or social media.
2. Scope & Key Definitions
This Policy applies to (i) Personal Information that identifies or can reasonably identify a natural person, and (ii) PHI—oral or recorded information about a patient's health status or treatment.
3. Information We Collect
3.1 Clinician & Account Information
- Name, work email, hashed password.
- Clinic name, NPI (if provided).
- Subscription tier, usage metrics (minutes processed).
- Support tickets and survey responses.
3.2 Patient Information (PHI)
When you record a consultation, we process:
- Raw audio—streamed to our servers and forwarded to Microsoft Azure for real‑time speech‑to‑text; never stored.
- Verbatim transcripts.
- Structured SOAP notes plus any edits.
Transcripts and notes are encrypted at rest and constitute PHI when linkable to a patient.
3.3 Technical & Device Data
- IP address, user‑agent, timestamps, error traces—retained 7 years; contain no PHI.
- Device/OS/app version for diagnostics.
- First‑party cookies/local storage.
3.4 Cookies & Tracking
We set only strictly‑necessary cookies for authentication, session management, and CSRF protection—no advertising cookies.
4. How We Use Information
- Provide, maintain, and improve the Service.
- Authenticate users and secure accounts.
- Offer support and resolve incidents.
- Generate de‑identified metrics for reliability.
- Comply with law and BAAs.
We never sell or train models on PHI without written consent.
5. Legal Basis (EU/UK Users)
- Contractual necessity.
- Legitimate interests (security, improvement).
- Legal obligation.
- Consent.
6. Sharing & Disclosure
6.1 Subprocessors
Each subprocessor signs a BAA before handling PHI:
| Purpose | Subprocessor | Region | HIPAA BAA |
|---|---|---|---|
| Hosting & encrypted DB | Render, Inc. | US‑East | Executed |
| Speech‑to‑text engine* | Microsoft Azure | United States | Executed |
| Error monitoring & logs | Papertrail | United States | N/A (no PHI) |
*Audio is streamed to Azure only after a BAA is in place.
6.2 Legal Requests
We disclose information when required by law and, where permitted, notify affected customers.
6.3 Business Transfers
Information may transfer in a merger or acquisition; we will notify account admins.
7. Cookies
| Name | Purpose | Expiry | Type |
|---|---|---|---|
| hw_session | User session | 12 hours | Strictly‑necessary |
| csrf_token | CSRF protection | Session | Strictly‑necessary |
8. Data Retention & Deletion
- Raw audio—deleted within 5 minutes post‑processing.
- Transcripts/notes—kept until you delete; backups purged within 30 days.
- Error logs—retained 7 years; no PHI.
- Account/billing records—7 years for compliance.
9. Security Measures
- TLS 1.2+ in transit; AES‑256 at rest.
- Zero‑trust architecture; RBAC.
- MFA for admin accounts.
- Continuous vulnerability scanning; weekly patches.
- Annual third‑party pen‑testing.
- HIPAA‑aligned incident‑response plan.
10. Your Rights & Choices
Contact your clinic admin or email admin@brightwoodapps.com to exercise access, correction, deletion, restriction, or portability rights. We respond within 30 days.
10.1 State‑Specific Rights
We do not "sell" Personal Information under state privacy laws.
11. HIPAA Commitments
- Brightwood Apps acts as a Business Associate.
- Executes BAAs with customers and subprocessors.
- Uses PHI only to provide the Service.
- Maintains HIPAA‑required safeguards and logs.
12. International Transfers
All production data resides in the USA. Cross‑border transfers rely on SCCs.
13. Children's Privacy
The Service is not directed to children under 13; pediatric clinics must obtain the necessary consents.
14. "Do Not Track"
We do not track users for advertising and therefore ignore DNT signals.
15. Changes to This Policy
Material updates will be emailed to admins and posted in‑app 30 days before they take effect.
16. Contact Us
Email: admin@brightwoodapps.com
Mail: Brightwood Apps Inc., 228 Park Ave S #81318, New York, NY 10003 USA