Privacy Policy for Therapy Scribe

Last Updated: 7th September 2025

1. Introduction

LEFT EQUALS RIGHT PTY. LTD. ("Therapy Scribe","we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at (https://therapyscribe.app) (the "Platform") and use our services (collectively, the "Services"). Please read this policy carefully to understand our views and practices regarding your personal data.

This Privacy Policy takes into account:

The requirements of the Privacy Act 1988 (Cth) for Australian users;
The General Data Protection Regulation 2016/679 (GDPR) for users in the European Union and European Economic Area;
The UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018) for users in the United Kingdom;
The Personal Information Protection and Electronic Documents Act (PIPEDA) for users in Canada;
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, for US users handling Protected Health Information (PHI).

Therapy Scribe acts as a data processor for personal and health information processed on behalf of healthcare professionals, who are the data controllers. In limited cases (such as user authentication or billing data), Therapy Scribe may act as a data controller. For US users processing PHI, we act as a Business Associate under HIPAA, and all PHI handling is governed by our Business Associate Agreement (BAA), incorporated by reference and available at https://therapyscribe.app/legal/baa. The BAA overrides this Privacy Policy in the event of any conflict regarding PHI.

For APP compliance, we adhere to Principle 1 by managing personal information in an open and transparent manner, as detailed herein.

Your rights under these regulations include access to your personal data, correction of inaccurate data, and data portability. To exercise any of these rights, please contact us at hello@therapyscribe.app.

Definitions

“Personal Data” means any information relating to an identified or identifiable individual;
“Processing” means any operation performed on personal data, including collection, use, storage, or disclosure;
“Data Controller” means the entity that determines the purposes and means of processing personal data;
“Data Processor” means the entity that processes personal data on behalf of the data controller;
“Protected Health Information” or “PHI” means individually identifiable health information as defined under HIPAA (45 CFR § 160.103).

2. Information We Collect

We may collect the following personal and non-personal information from you when you use our services:

Clinician Data (Personal Data)

Name, email address, and authentication data;
Usage data, including interactions with the platform;
Preferences and communication settings;
Credit balance and audio usage activity;

Patient Data (Sensitive Personal Data), as part of your use of Therapy Scribe, you may input or upload personal health information relating to your patients, including:

Patient names or initials;
Session dates and durations;
Clinical information;
Other identifiable health-related information as part of session notes;

You, as the healthcare professional, are responsible for ensuring appropriate consent has been obtained before inputting any patient information into our Platform. We do not store audio recordings and delete session data after 30 days.

Non-Personal Data

Automatically Collected Data: When you access the Platform, we may automatically collect device information (e.g., IP address, browser type, operating system), usage logs, and location data (if enabled).

Cookies and Similar Technologies:

Essential cookies for authentication and security;
Analytics cookies for understanding user behavior;
Functional cookies for remembering your preferences;
Performance cookies to improve our service;

We only set non-essential cookies (analytics, functional, and performance) after obtaining your explicit consent through our cookie banner.

Sensitive Data:

Clinical or health-related information included in session documentation, as provided by healthcare professionals;
Information relating to patient identity or treatment context, where applicable. We do not use it for AI training or other unauthorized purposes.

3. Purpose of Data Collection

We collect your data for the following purposes:

Strictly limited to fulfilling our TOS obligations, such as generating documentation via AI processing, managing credit-based audio usage with indefinite credit validity, and enhancing platform stability;
Process orders and manage payment transactions;
Provide you with drafted clinical documentation, reports, referrals, and emails from therapy sessions;
Provide and improve our AI-assisted clinical documentation;
Personalize your experience;
Communicate with you about our services;
Comply with legal obligations;
Improve our website and products;
Manage and track usage of credit-based payments for audio recordings.

Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases:

Consent: For the use of non-essential cookies and processing certain user-submitted data;
Contractual Necessity: To fulfill our obligations to you under our Terms of Service;
Legal Obligation: To comply with applicable laws and regulations;
Legitimate Interests: To understand how our services are used and improve them, provided such interests are not overridden by your data protection rights.

4. Data Sharing and Third Parties

We do not sell your personal information. We may share your data with:

Service providers who assist in our operations (e.g., cloud storage providers);
Legal authorities when required by law, such as in response to a court order or other legal process;

Examples of these service providers include:

Authentication providers (e.g., for secure login and session management)
Cloud infrastructure and storage providers;
Speech-to-text and AI processing platforms;
Analytics providers to understand usage and improve our services;
Monitoring and debugging tools to maintain app stability and security;
Payment processors.

All third parties are contractually bound to maintain the confidentiality and security of your information only for the purposes we specify.

5. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for such transfers.

Audio data may be temporarily processed by our transcription service providers in the United States before being deleted. All transfers are performed using secure protocols and in accordance with applicable data protection regulations, including Standard Contractual Clauses (SCCs) where required.

We implement the following safeguards to ensure your data remains protected:

Contracts with third parties that include Standard Contractual Clauses (SCCs) approved by the European Commission
Security and privacy due diligence on all vendors
Use of reputable service providers that comply with applicable privacy frameworks

6. Your Rights and Choices

You have the following rights regarding your personal data:

Access: Request a copy of the data we hold about you;
Rectification: Request correction of inaccurate or incomplete data;
Erasure: Request deletion of your data ("right to be forgotten");
Restriction: Request restriction of data processing in certain circumstances;
Portability: Receive your data in a structured, machine-readable format;
Objection: Object to certain types of processing, such as direct marketing;
Withdraw Consent: Withdraw your consent at any time, where processing is based on consent;
Erasure requests will result in deletion from all systems, including backups, within 30 days, unless retention is required for legal purposes (e.g., audit trails under HIPAA); portability provided in JSON/CSV formats.

7. Data Protection

Voice Recordings and Audio Data

Voice session recordings are processed solely for the purpose of generating clinical notes. Audio data may be handled temporarily via secure, encrypted transmission but is not stored or retained beyond immediate processing. These files are processed in real-time and are immediately deleted after processing is complete. No voice recordings are stored on our servers or infrastructure at any point.

Commitment to Privacy

Your privacy is our utmost priority. We handle all data with care and in strict compliance with applicable laws and regulations. We are committed to maintaining the confidentiality and security of all information processed through our service.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. To determine the appropriate retention period, we consider:

The amount, nature, and sensitivity of the personal data;
The potential risk of harm from unauthorized use or disclosure;
The purposes for which we process the data;
Whether we can achieve those purposes through other means;
Applicable legal, regulatory, tax, accounting, or other requirements.

Session-related content, including drafted documentation, transcriptions, referrals, reports, and emails, is automatically deleted 30 days after creation. This helps minimize data exposure and maintain compliance with data minimization principles.

9. Data Security

We implement industry-standard security measures to protect your data, including:

Encryption of data in transit (TLS 1.3) and at rest AES-256 encryption;
Access controls and authentication measures;
Rate limiting to prevent abuse.

In some circumstances, we may anonymize your personal data so that it can no longer be associated with you, in which case we may use this information indefinitely without further notice to you.

We detail more on our security measures in at Privacy & security

10. Children's Privacy

Therapy Scribe is not directed to or intended for individuals under 18. Healthcare professionals using our service act as data controllers for any minor patient data they input. It is their responsibility to ensure proper consent has been obtained in compliance with applicable laws and regulations.

For patients under 13:
- We do not knowingly collect personal information directly from children under 13;
- Any information about patients under 13 should be provided by the healthcare professional with appropriate parental or guardian consent, as required by applicable laws and professional standards.
For patients between 13 and 18:
- Information about these patients may be processed as part of the healthcare professional's use of our service.
- Healthcare professionals are responsible for obtaining any necessary consents and complying with all applicable laws and regulations regarding the processing of minors' data.

If you believe we have inadvertently collected personal information from a child without appropriate consent, please contact us immediately at hello@therapyscribe.app, and we will take steps to delete such information promptly.

11. Regional Privacy Disclosures

PHIPA Compliance (Ontario, Canada):

If you are a Health Information Custodian (HIC) as defined under Ontario's Personal Health Information Protection Act, 2004 (“PHIPA”), you acknowledge and agree that by using Therapy Scribe to process or store personal health information on your behalf, Therapy Scribe is acting as your agent under PHIPA.

You further agree to the terms of our PHIPA Agent Agreement, which governs our obligations as your agent in accordance with PHIPA.

It is your responsibility to ensure you have obtained all necessary consents from individuals whose personal health information is collected or processed using our services. Therapy Scribe provides tools to help support compliance, but the ultimate responsibility for consent and lawful use lies with you as the Custodian.

Do Not Track (DNT) Signals: We do not currently respond to browser "Do Not Track" signals, as there is no industry standard for compliance. Third-party trackers (e.g., analytics) may collect data over time and across sites.

California Residents (CCPA/CPRA): If you are a California resident, you have rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act), including to know, delete, and opt-out of sales/sharing of personal information. We do not "sell" or "share" data as defined under CCPA. To exercise rights, contact us at hello@therapyscribe.app.

12. Updates to the Privacy Policy

We reserve the right to update this Privacy Policy from time to time without prior notice with an effective date. Any updates will be posted on the Platform or notified to you through other reasonable means. Continued use of our services after the effective date of any changes constitutes acceptance of those changes. If you do not accept the updated Privacy Policy, your only recourse is to cease using the Platform.

Complaints

If you have concerns about how we handle your personal data, please contact us first at hello@therapyscribe.app. We take all privacy concerns seriously and will address them promptly and confidentially. If you're not satisfied with our response, you may lodge a complaint with your local data protection authority:

Australia: Office of the Australian Information Commissioner (OAIC)
European Union: Your local Data Protection Authority
United Kingdom: Information Commissioner's Office (ICO)
Canada: Office of the Privacy Commissioner of Canada (OPC)
US (HIPAA-related): US Department of Health and Human Services Office for Civil Rights (OCR)

Contact Information

If you have any questions, concerns, or requests related to this Privacy Policy, you can contact us at:

Email: hello@therapyscribe.app

For all other inquiries, please visit our FAQs page on the Website (https://therapyscribe.app).

By using Therapy Scribe, you consent to the terms of this Privacy Policy.

Thank you for using Therapy Scribe.