Privacy Policy

1. Introduction

EHR Note Buddy ("we," "our," or "us") is committed to protecting the privacy and security of your information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Chrome extension and related services.

2. Information We Collect

2.1 Patient Information

You may voluntarily enter the following information:

• Patient names
• Evaluation summaries
• Daily clinical notes
• Treatment information

2.2 Account Information

• Email address
• Name
• Billing information (processed securely by Stripe)

2.3 Usage Data

• Extension usage statistics
• Error logs (with PHI removed)
• Feature usage analytics

3. How We Use Your Information

We use your information to:

• Provide AI-powered clinical note generation
• Store patient data locally in your browser
• Process subscription payments
• Send service-related communications
• Improve our services
• Comply with legal obligations

4. HIPAA Compliance & PHI Protection

4.1 Local Storage

All patient data is stored locally in your browser using IndexedDB. We do not store patient names, evaluation summaries, or clinical notes on our servers.

4.2 PHI Scrubbing

Before any text is sent to our AI service for note generation, all Protected Health Information (PHI) is automatically removed using our proprietary scrubbing technology, including:

• Patient names
• Dates of birth
• Phone numbers
• Email addresses
• Social Security numbers
• Medical record numbers
• Addresses

4.3 HIPAA Safeguards

• End-to-end encryption for all data transmission
• Secure authentication via Firebase
• No PHI is logged or stored on servers
• Regular security audits

5. Data Sharing & Disclosure

5.1 Third-Party Services

We use the following third-party services:

• Firebase (Google) - Authentication and database (no PHI stored)
• Stripe - Payment processing (PCI-DSS compliant)
• Google Vertex AI with Assured Workloads - HIPAA-compliant AI content generation (only receives de-identified text)
• Google Cloud Platform - Infrastructure hosting

5.2 No Sale of Data

We do not sell, rent, or trade your personal information or patient data to third parties.

5.3 Legal Requirements

We may disclose information if required by law, court order, or governmental request, or to protect our rights and safety.

6. Data Retention

• Patient Data: Stored locally until you delete it
• Account Data: Retained while your account is active
• Billing Records: Retained for 7 years for accounting purposes

7. Your Rights

You have the right to:

• Access your personal information
• Correct inaccurate information
• Delete your account and data
• Export your data
• Opt-out of marketing communications
• Withdraw consent at any time

8. Data Security

We implement industry-standard security measures:

• TLS/SSL encryption for all data in transit
• Encrypted storage for sensitive data
• Regular security updates and patches
• Access controls and authentication
• Regular security audits

9. Children's Privacy

Our service is not intended for individuals under 18 years of age. We do not knowingly collect information from children.

10. International Data Transfers

Your data may be processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place for international transfers.

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of significant changes via email or through the extension. Continued use after changes constitutes acceptance of the updated policy.

12. California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act:

• Right to know what personal information is collected
• Right to know if personal information is sold or disclosed
• Right to opt-out of the sale of personal information (we do not sell data)
• Right to deletion
• Right to non-discrimination