Privacy Policy
Effective date: April 1, 2026
Your privacy and data security are paramount. This policy explains how Encounter Medicine LLC (“we,” “us,” “our”) collects, uses, and protects information through our website (encountermedicine.com), web application (app.encountermedicine.com), mobile applications, and related services (collectively, the “Services”).
If you handle Protected Health Information (PHI) through our Services, the Business Associate Agreement in our Terms of Service governs PHI. If there is a conflict between this Privacy Policy and the BAA regarding PHI, the BAA controls.
By using our Services, you agree to this Privacy Policy and our Terms of Service.
Information We Collect
Information you provide: Account registration details (name, email), content you upload or paste (including clinical text if you choose to handle PHI), support requests, and payment information processed through Stripe.
Information collected automatically: IP address, device and browser type, operating system, pages and screens viewed, actions taken, timestamps, and error or crash data. This helps us operate, secure, and improve the Services.
Device permissions: Our apps may request access to device features you choose to use, such as microphone access for dictation. What we access depends on your device settings and the permissions you grant.
How We Use Your Information
We use collected information to:
- Provide, operate, and improve the Services
- Authenticate users and authorize access
- Process payments
- Customize your experience
- Provide support and respond to inquiries
- Meet legal and regulatory obligations
- Prevent fraud, abuse, and security incidents
- Perform internal analytics on service performance
We do not sell personal information. We do not sell PHI.
Use of Artificial Intelligence
Our Services use third-party AI providers to assist with documentation generation, language processing, and clinical workflow automation. Some outputs you receive are generated by large language models based on your input. These outputs are not individualized clinical advice.
Our policy requires zero-retention or equivalent no-logging configurations for PHI processed by AI providers and prohibits providers from using your data for model training. These requirements will be contractually established as BAAs are finalized with each provider. We do not use your data to train or fine-tune any AI or machine learning models. (BAA pending)
HIPAA Compliance and PHI
We act as a Business Associate when you transmit, store, or process PHI through our Services. Our Business Associate Agreement, incorporated into our Terms of Service, governs PHI and takes effect on the earlier of your acceptance of the Terms or when we first handle PHI on your behalf.
Our obligations include:
- Using PHI only as necessary to provide the Services and as permitted by the BAA and law
- Implementing administrative, technical, and physical safeguards to protect PHI
- Reporting breaches of unsecured PHI in accordance with HIPAA requirements
- Making PHI available for access, amendment, and accounting as required
- Ensuring subcontractors who handle PHI are bound by agreements no less protective than the BAA
Security standards: We maintain encryption in transit (TLS 1.2+), encryption at rest (AES-256), strict access controls, audit logging, and vulnerability management.
AI processing: When PHI is routed to AI providers at your direction, we use providers and configurations designed to prevent retention and training. If a provider cannot meet those requirements for a given feature, we will not route PHI to that provider for that feature.
Breach notification: If we determine a breach of unsecured PHI occurred, we will notify you without unreasonable delay and no later than 30 calendar days after discovery, with an initial incident notice generally within 10 business days.
Retention and deletion: Return, destruction, and retention of PHI are governed by the BAA. On your instruction we will return or destroy PHI, except where retention is required for legal obligations, in which case we continue to safeguard PHI under the BAA.
Your responsibilities: You are responsible for obtaining any required authorizations and consents, ensuring you have a legal right to share PHI with us, and meeting your own HIPAA obligations.
Third-Party Services
Our Services integrate with third-party providers for hosting, AI inference, authentication, analytics, and payments. These may include Google Cloud Platform, Stripe, and similar vendors, each with their own privacy practices. Where a provider handles PHI, we are in the process of executing BAAs and requiring appropriate safeguards (BAA pending). A current list of subprocessors is available upon request at hipaa@encountermedicine.com.
Data Security
We protect personal information using commercially reasonable safeguards appropriate to the data we process. No method of transmission or storage is 100% secure. You are responsible for maintaining the confidentiality of your credentials.
Data Retention
We retain personal information only as long as necessary to provide the Services, meet legal obligations, resolve disputes, and enforce agreements. PHI retention is governed by the BAA. When information is no longer needed, we delete or de-identify it consistent with applicable law.
Cookies
We use cookies and similar technologies to provide core functionality, remember settings, and measure performance. You can control cookies through your browser settings. Some features may not function without certain cookies.
Children's Privacy
Our Services are not directed to children under 18, and we do not knowingly collect personal information from children under 18. If you believe a child provided personal information, contact us and we will delete it.
Third-Party Disclosure
We may disclose personal information to service providers who help us operate the Services, professional advisors, law enforcement or regulators as required by law, or an entity that acquires all or substantially all of our assets. When we disclose PHI, we do so only as permitted under the BAA and bind recipients to appropriate confidentiality and security obligations.
California Residents
If you are a California resident, you have the right to request details about the personal information we collect, the sources and purposes of collection, and the third parties with whom we share it. You may also request deletion of your personal information. We do not sell personal information or share it for cross-context behavioral advertising. To exercise these rights, contact us using the details below.
Your Rights
You may request access to, correction of, or deletion of your personal information by contacting us. If you delete your account, we will delete your personal information within 7 days, except where retention is required by law or the BAA. We will not discriminate against you for exercising your privacy rights.
Business Transfers
If we or our assets are acquired, or in the unlikely event we go out of business, your information may be transferred as part of that transaction in compliance with applicable law and the BAA.
Changes to This Policy
We may update this policy to reflect changes to our practices or legal requirements. We will post the updated policy on this page with a revised effective date.
Contact Us
- Privacy: privacy@encountermedicine.com
- HIPAA Compliance: hipaa@encountermedicine.com
- Security: security@encountermedicine.com
You may also reach us through the contact form on our website.