1. Introduction
Heardwell, Inc. ("Heardwell," "we," "our," or "us") provides a HIPAA-compliant clinical documentation platform that converts live audio into transcripts and structured clinical notes for use by licensed clinicians and their affiliated clinics (collectively, "you" or "your"). This Privacy Policy explains how we collect, use, disclose, and safeguard information—including "protected health information" ("PHI") as defined by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA")—when you access or use the Heardwell application (the "Service"). It applies only to the Service; it does not cover our public marketing website or any other products.
2. Information We Collect
2.1 Clinician Account Information
- Email address (used for authentication and account recovery).
- Basic usage metrics such as total minutes of audio processed.
- We do not collect payment-card data, precise geolocation, or device analytics.
2.2 Patient Information (PHI)
When you record a session through Heardwell, the following patient data may be processed:
- Raw session audio – held in memory only during real-time processing (average < 5 minutes) and then permanently deleted.
- Transcripts of the session.
- Structured clinical notes you elect to store.
Both transcripts and notes are encrypted at rest and constitute PHI when they can be linked to an individual patient.
3. How We Use Information
We use the information described above solely to:
- Deliver and maintain the Service (e.g., generate transcripts and notes).
- Provide customer support and troubleshoot reported issues.
- Generate non-identifiable operational metrics (e.g., aggregate minutes processed) to ensure system reliability.
We do not:
- Train in-house or third-party machine-learning models on customer data.
- Share data with external vendors for their own model training.
- Sell, rent, or otherwise monetize clinician or patient information.
4. Subprocessors & Data Hosting
| Purpose | Subprocessor | Region | BAA Status |
|---|---|---|---|
| Primary cloud infrastructure & encrypted database | Render | Virginia, USA | Executed |
| (Forthcoming) Large-language-model API* | OpenAI | USA | In progress |
* No PHI is transmitted to OpenAI until a Business Associate Agreement is fully executed and active.
All subprocessors that may handle PHI must sign a BAA with Heardwell prior to receiving any such data.
5. Retention & Deletion
- Raw audio – ephemerally held in RAM and deleted automatically after processing (typically within five minutes).
- Transcripts & structured notes – retained until the clinician deletes them. Deletion can be performed at any time within the app's dashboard; the records are then removed from live storage and scheduled for backup erasure within 30 days.
- Usage metrics – retained as long as needed for internal accounting and service integrity.
Clinicians can export stored transcripts and notes at any time through the in-app export feature.
6. Security Measures
- Encryption in transit: TLS 1.2 or higher.
- Encryption at rest: AES-256.
- Automated vulnerability scanning using Trivy prior to every deployment.
- Principle-of-least-privilege, role-based access controls, and audit logging for all production systems.
- Incident-response procedures aligned with HIPAA breach-notification requirements.
Heardwell has not yet completed third-party audits (e.g., SOC 2 or HITRUST). We continually assess our controls and will update this Policy if certifications are obtained.
7. HIPAA Commitments
- Heardwell acts as a Business Associate to Covered Entities under 45 C.F.R. § 160.103.
- We sign Business Associate Agreements with each Covered Entity and with all downstream subprocessors before any PHI is shared.
- PHI is used only to provide, maintain, and secure the Service or as otherwise permitted by the BAA and HIPAA.
- Patients do not interact directly with Heardwell; all PHI requests must be initiated by the treating clinician or clinic.
8. State-Specific Privacy Rights
Heardwell currently operates only in the United States and does not target residents of the European Economic Area or United Kingdom. If U.S. state privacy laws (e.g., CCPA) grant additional rights to individual patients, those requests should be submitted through the clinician or clinic that controls the records. Heardwell will assist the Covered Entity in responding, consistent with HIPAA and the applicable BAA.
9. Children's Privacy
Heardwell is not directed to individuals under 13 and does not knowingly collect information about children. Clinics serving pediatric patients must ensure proper consents are in place before using the Service.
10. Changes to This Policy
We may revise this Privacy Policy from time to time. If we make material changes, we will notify account administrators via email and post the updated version in the application dashboard. The "Last updated" date at the top of this page will indicate when changes become effective.
11. Contact Us
For any questions about this Privacy Policy or our privacy practices, please contact:
Email: admin@brightwoodapps.com
Heardwell, Inc.