Privacy Policy
Last updated: May 6, 2026
Data Privacy Commitment
We value the sanctity of patient data. Mediscribe operates on a strict zero-retention voice policy, utilizes AES-256 local-sovereign server encryption, and never uses patient data to train public models or sells information to third parties.
1. Introduction & DSPT Commitment
At Mediscribe AI, we are committed to protecting the privacy, confidentiality, and security of patient information and clinical documentation. We understand the highly sensitive nature of healthcare data.
Our platform, operations, and information security policies are strictly engineered to comply with the UK Data Protection Act 2018 (incorporating UK GDPR), the NHS Data Security and Protection Toolkit (DSPT), and the U.S. Health Insurance Portability and Accountability Act (HIPAA).
This Privacy Policy explains how we collect, process, secure, and delete data when you access our ambient scribing services.
2. Data Roles: Controller vs. Processor
Under UK GDPR and European data protection laws, it is important to distinguish the roles of data controller and data processor in the clinical environment:
- Data Controller: The Clinician, Private Practice, Hospital, or NHS Trust contracting our services is the Data Controller. You own, control, and retain full authority over all patient consultation audio, transcripts, and finalized clinical notes.
- Data Processor: Mediscribe AI Ltd acts strictly as a Data Processor. We process consultation audio and draft transcripts solely on behalf of, and under the strict documented instructions of, the Data Controller (the healthcare provider).
3. Information We Process
We only process the minimum necessary information to provide the ambient clinical notes service:
- Clinician Account Data: Name, professional email address, healthcare role, workplace/Trust info, and billing credentials (to manage active subscriptions).
- Ambient Consultation Audio: Captured ambient voices of clinicians and consenting patients during the consultation. This audio is captured dynamically on your device.
- Draft Transcripts & Structured Notes: The text representations generated from the audio recordings, structured into SOAP formats or custom clinical templates.
4. Audio & Transcript Retention (Zero Retention)
To maintain absolute privacy and protect patient confidentiality, Mediscribe AI operates a strict, customizable Zero-Retention Policy for patient consultation audio:
- Immediate Audio Erasure: Unless otherwise requested by a custom enterprise contract, ambient audio recordings are fully and permanently deleted from our temporary processing memory immediately after the AI finishes transcribing and generating the clinical notes.
- No Voice Databank: We do not store, archive, or database patient voices.
- Flexible Draft Storage: Generated draft clinical notes and transcripts are retained temporarily in your secure clinician dashboard so you can review and sign them off. You have the right to delete or export these notes to your EHR at any point, which triggers immediate removal from our systems.
5. Security & Encryption Standards
We employ state-of-the-art administrative, technical, and physical security measures designed to safeguard clinical data:
- Encryption In Transit: All communication, audio streams, and clinical data transmitted between the clinician's device and our platform are encrypted using modern Transport Layer Security (TLS 1.3 / HTTPS).
- Encryption At Rest: Any data held temporarily in our database is encrypted using the 256-bit Advanced Encryption Standard (AES-256).
- Secure Sovereign Hosting: To comply with sovereign health data residency policies, our servers supporting UK NHS Trusts and clinics are hosted within secure, high-compliance cloud facilities located entirely within the United Kingdom.
6. No Third-Party Sales or Training
Our Ultimate Commitment to Clinical Data Integrity:
- NO Patient Data Sales: Mediscribe AI has NEVER sold, and will NEVER sell, lease, or monetize any patient consultation data, audio, transcripts, or clinician information.
- NO Public AI Training: Your clinical consultations and generated medical records are strictly isolated. We NEVER use, share, or release patient data to train public models or third-party commercial large language models.
- Secure Subprocessors: Any infrastructure subprocessors (e.g., cloud hosting) we employ are bound by rigorous, legally enforced Business Associate Agreements (BAAs) or Data Processing Addendums (DPAs) matching NHS DSPT security standards.
7. Your Rights & Data Compliance
Under UK GDPR, clinicians (and their patients through their respective healthcare providers) possess comprehensive data subject rights. This includes:
- The right to access, rectify, or download any draft notes stored in the clinician account.
- The right to request immediate, complete deletion of clinician profile data and temporary clinical notes.
- The right to withdraw recording consent at any point during a consultation.
8. Contact our Data Protection Officer (DPO)
Mediscribe AI has appointed a dedicated Data Protection Officer to supervise all healthcare compliance, HIPAA, NHS DSPT toolkits, and data processing safety regulations.
If you, your healthcare clinic, or your NHS Trust DPO have any technical queries, security reviews, or requests, please get in touch with us at:
Email: dpo@mediscribe.co.uk
Subject: Attention: Data Protection Officer (DPO)
Mediscribe AI Ltd, Security Compliance Division, London, United Kingdom.