Privacy Policy
Paley European Institute ("we," "our," or "us") provides the Paley Scribe application — a HIPAA-compliant mobile application designed to assist physicians with medical visit documentation through AI-powered audio transcription and report generation. This Privacy Policy describes how we collect, use, store, and protect your information.
By using the Paley Scribe application ("App"), you acknowledge that you have read, understood, and agree to this Privacy Policy.
1. Information We Collect
1.1 Account Information
When your account is created, we collect your name, email address, medical specialty, clinic name, clinic address, and clinic logo (if provided). We also store your subscription status to manage access to App features.
1.2 Audio Recordings
The App records audio of medical visits when you initiate a recording session. A timestamp of patient consent confirmation is stored with each recording. Recordings are temporarily stored for processing and are retained in accordance with our data retention policy described in Section 5.
1.3 Transcriptions and Medical Reports
Audio recordings are processed by artificial intelligence to generate text transcriptions and structured medical reports. These documents may contain Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA).
1.4 Usage Data
We collect operational audit logs necessary to ensure security and compliance, including authentication events and data access records. We do not include any PHI in operational logs.
1.5 Report Delivery Information
If you configure email delivery for reports, we collect the email address(es) to which reports are sent.
2. How We Use Your Information
2.1 Core Service Delivery
- Audio recordings are transmitted to our AI processing service for transcription and report generation.
- Transcriptions and reports are generated using AI models and presented to you for review, editing, and approval.
- Approved reports are converted to password-protected PDF format and, if configured, delivered to your designated email address.
2.2 Account Management
- Account information is used to personalize your experience, manage your subscription, and brand generated reports with your clinic information.
2.3 Service Improvement
- Anonymized, de-identified usage metrics may be used to improve App performance and reliability. PHI is never used for service improvement purposes.
3. Third-Party Service Providers
We use the following third-party services to operate the App. Each provider processes data only as necessary to perform their designated function:
3.1 AssemblyAI
- Purpose: Audio transcription (speech-to-text processing).
- Data shared: Audio recordings for transcription.
- AssemblyAI processes audio securely and does not use customer data for model training.
- A Business Associate Agreement (BAA) is in place with AssemblyAI.
3.2 Amazon Bedrock
- Purpose: AI-powered medical report generation from transcription text.
- Data shared: Transcription text for structured report generation.
- Amazon Bedrock does not use customer data to train models. All processing occurs within our AWS infrastructure.
- Covered under our existing Business Associate Agreement (BAA) with AWS.
3.3 Supabase
- Purpose: Database hosting, user authentication, and file storage.
- Data shared: Account information, transcriptions, reports, and audio files.
- Supabase is self-hosted on our AWS infrastructure. We maintain full control over all data.
3.4 Amazon Web Services (AWS)
- Purpose: Application hosting and infrastructure.
- Data shared: All application data transits through AWS infrastructure.
- AWS provides HIPAA-eligible services and encryption at rest and in transit.
- A Business Associate Agreement (BAA) is in place with AWS.
3.5 Amazon Web Services Simple Email Service (AWS SES)
- Purpose: Transactional email delivery for report distribution.
- Data shared: Recipient email addresses and PDF report attachments.
Business Associate Agreements (BAAs) are in place with all external third-party providers that handle Protected Health Information (AssemblyAI, AWS). Supabase is self-hosted on our own AWS infrastructure under our direct control.
3.6 Data Location
All data is processed and stored on servers located within the United States. All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption.
4. Data Security
4.1 Encryption
- All data is encrypted in transit using TLS 1.2 or higher.
- All data is encrypted at rest using AES-256 encryption.
4.2 Access Controls
- Row-Level Security (RLS) is enforced at the database level, ensuring that each physician can only access their own data.
- Authentication is managed through secure session tokens.
- The App enforces automatic logout after 15 minutes of inactivity.
4.3 Audit Logging
- All data access and modification operations are logged for compliance and security monitoring purposes.
4.4 Error and Diagnostic Reports
The App generates internal crash and diagnostic reports to help us detect bugs and improve reliability. Reports are submitted to our own backend service hosted on AWS infrastructure covered by our Business Associate Agreement with Amazon Web Services. We do not use third-party error monitoring services such as Sentry, Bugsnag, or Crashlytics.
A diagnostic report contains:
- The error type, message, and technical stack trace.
- The App version and build number.
- Your device model and operating system version.
- A short sequence of recent in-app actions ("breadcrumbs") drawn from a fixed allowlist limited to navigation events, audio recording state changes, network connectivity changes, and authentication state changes.
- An anonymous correlation identifier.
A diagnostic report does not contain:
- Patient names, dates of birth, identifiers, or any other Protected Health Information.
- The audio of any visit recording.
- The text of any transcription.
- The content of any generated medical report.
- Any clinical, financial, or personal correspondence.
Diagnostic data is scrubbed on your device against patterns resembling email addresses, phone numbers, social-security numbers, and dates of birth before the report leaves your device. Reports are stored in our HIPAA-compliant database and accessed only by authorized engineering staff bound by HIPAA workforce-training requirements.
5. Data Retention
5.1 Retention Period
Medical records, including transcriptions and reports, are retained for a minimum of ten (10) years in accordance with HIPAA requirements and applicable state medical record retention laws. You are independently responsible for ensuring compliance with the specific retention requirements of your state.
5.2 Soft Deletion
When you delete a record, it is soft-deleted (marked as inactive) rather than permanently erased. This ensures compliance with medical record retention requirements. Soft-deleted records are not accessible through the App but are retained in our systems for the mandatory retention period.
5.3 Account Termination
Upon account termination, your data is retained for the applicable retention period. After the retention period expires, data is permanently and irreversibly deleted.
6. Your Rights
6.1 Access
You have the right to access your personal information and medical documentation stored in the App at any time.
6.2 Correction
You have the right to request correction of inaccurate personal information. Medical reports can be edited and updated directly within the App prior to approval.
6.3 Data Export
You may export your reports as PDF documents at any time through the App.
6.4 Account Deletion
You may request account deletion by contacting us. Data will be retained for the mandatory retention period as described in Section 5.
7. HIPAA Compliance
Paley Scribe is designed and operated in compliance with the Health Insurance Portability and Accountability Act (HIPAA), including the Privacy Rule, Security Rule, and Breach Notification Rule.
We implement administrative, physical, and technical safeguards to protect PHI.
Business Associate Agreements (BAAs) are required before production use with all third-party service providers that handle PHI.
In the event of a data breach involving unsecured PHI, we will notify affected individuals within sixty (60) days and the U.S. Department of Health and Human Services in accordance with the Breach Notification Rule. We will also comply with applicable state breach notification laws.
8. Children's Privacy
The App is intended for use by licensed physicians and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children.
9. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy within the App and updating the "Last Updated" date. Your continued use of the App after changes are posted constitutes acceptance of the revised policy.
10. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
Paley European Institute
Al. Rzeczypospolitej 1
02-972 Warszawa, Poland
REGON: 380240540
NIP: 5223125965
KRS: 0000731870
Email: support@paleyscribe.com