Privacy Policy

Last updated: 2025-09-29

At VitaScribe Inc., your privacy and data security are central to our mission. This Privacy Policy describes how we collect, use, store, and protect personal health information (PHI) and user data in compliance with Ontario's Personal Health Information Protection Act (PHIPA) and other applicable laws.

By using VitaScribe.ca, you agree to this Privacy Policy.

1. Who This Policy Applies To

This Policy applies to:

  • Licensed healthcare professionals and their authorized staff;
  • Healthcare organizations using VitaScribe;
  • Patients whose PHI may be processed through the Service.

2. Information We Collect

a) Personal Health Information (PHI)

Captured through audio, transcription, or manual input, including:

  • Clinical conversations, notes, and observations
  • Patient identifiers (if present)
  • Treatment and diagnosis information

b) User Information

  • Names, professional credentials, and contact details
  • Account and billing information
  • Usage and activity logs

c) Technical and Device Data

  • IP addresses, browser types, and device identifiers
  • Performance and security logs

3. Data Hosting and Security

  • All PHI and personal data are stored and processed exclusively within Microsoft Azure Canada datacenters.
  • Microsoft provides compliance with PHIPA and PIPEDA, as well as ISO 27001, SOC 2, and CSA STAR certifications.
  • VitaScribe employs encryption in transit and at rest, strict access controls, audit logs, and ongoing monitoring to protect data integrity and confidentiality.

4. How We Use the Information

We use data to:

  • Provide and maintain the Service;
  • Generate and improve AI-assisted clinical documentation;
  • Ensure compliance with applicable laws and healthcare standards;
  • Support troubleshooting, auditing, and service analytics.

We never sell or rent PHI or user data to third parties.

5. Consent and Legal Authority

Users are responsible for ensuring they have obtained valid patient consent or legal authority under PHIPA before transmitting PHI to VitaScribe.

6. Retention and Deletion

PHI is retained only as long as necessary to provide the Service or as required by law. Upon account termination or request, VitaScribe will securely delete or de-identify PHI, unless retention is required for compliance.

7. Access, Correction, and Requests

Authorized users and healthcare organizations may request access to or correction of PHI processed by VitaScribe. Please contact us using the details below.

8. Third-Party and Subprocessor Disclosure

We only share data with vetted subprocessors (e.g., Microsoft) under strict confidentiality, security, and PHIPA-compliant agreements. Disclosure to law enforcement or regulators occurs only when legally required.

9. Children's Privacy

The Service is for healthcare professionals and not intended for direct use by individuals under 16. Any PHI involving minors must be handled by authorized healthcare providers.

10. Your Responsibilities

As a user, you must:

  • Ensure compliance with PHIPA and your organization's privacy policies;
  • Maintain secure devices and credentials;
  • Notify us promptly of any suspected breach or unauthorized access.

11. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or in-app notification. Continued use of the Service indicates acceptance of the updated policy.

Data Processing Addendum

Last updated: 2025-10-30

This Data Processing Addendum ("Addendum") forms part of the agreement between VitaScribe Inc. ("Processor" or "VitaScribe") and the healthcare organization or provider ("Covered Entity," "Clinic," or "Controller") that uses VitaScribe's AI documentation platform (the "Service").

This Addendum governs VitaScribe's processing of Personal Health Information (PHI) on behalf of the Clinic in accordance with the Personal Health Information Protection Act, 2004 (Ontario) ("PHIPA") and applicable privacy laws of Canada.

1. Purpose and Scope

VitaScribe provides an AI-assisted documentation platform to help healthcare professionals record, transcribe, and structure clinical notes. In providing this Service, VitaScribe acts as a "health information network provider" or "agent" under PHIPA, processing PHI solely on behalf of the Clinic, which remains the custodian of the information.

2. Definitions

  • "PHI" means Personal Health Information as defined under PHIPA.
  • "Processing" means any operation performed on PHI, including storage, transmission, access, or analysis.
  • "Subprocessor" means a third-party service provider engaged by VitaScribe to support the Service.

3. Roles and Responsibilities

  • The Clinic remains the Health Information Custodian (HIC) under PHIPA.
  • VitaScribe acts as an agent to the HIC, processing PHI only as directed by the Clinic and only for the purposes of providing and improving the Service.
  • VitaScribe does not collect or use PHI for its own purposes.

4. Data Hosting and Security

  • All PHI is stored, processed, and backed up exclusively within Microsoft Azure Canada datacenters.
  • Microsoft acts as a subprocessor under a PHIPA-compliant and SOC 2/ISO-certified data protection framework.
  • VitaScribe implements:
    • Access controls and authentication mechanisms;
    • Logging and monitoring of system activity;
    • Role-based access for authorized personnel only.

5. Subprocessors

VitaScribe may engage subprocessors (e.g., Microsoft Azure, monitoring or analytics providers) to assist in delivering the Service.

  • VitaScribe will notify the Clinic of any material changes to subprocessors.

6. Use and Disclosure

  • VitaScribe will process PHI only for the purposes authorized by the Clinic and as necessary to provide the Service.
  • VitaScribe will not sell, share, or disclose PHI except as required by law.
  • Any legal request (e.g., subpoena or warrant) for PHI will be promptly communicated to the Clinic, unless prohibited by law.

7. Breach Notification

VitaScribe will:

  • Notify the Clinic without undue delay (and in any case within 72 hours) upon becoming aware of any privacy breach involving PHI;
  • Provide details of the breach, the affected data, and mitigation steps;
  • Cooperate fully with the Clinic and regulatory authorities in any investigation or remediation.

8. Access, Correction, and Retention

  • VitaScribe will assist the Clinic in fulfilling access and correction requests from individuals, as required under PHIPA.
  • PHI will be retained only as long as necessary to provide the Service or as directed by the Clinic.
  • Upon termination or written request, VitaScribe will securely delete or de-identify all PHI, unless retention is required by law.

9. Audit and Compliance

  • VitaScribe maintains documentation of its security and privacy controls, available to the Clinic upon reasonable request.
  • The Clinic may, no more than once per year, conduct or commission an audit or compliance review (subject to confidentiality and security obligations).

10. Liability

Each party remains responsible for its own compliance with PHIPA. VitaScribe's total liability for any breach of this Addendum shall not exceed the limits set out in the main Service Agreement, except where prohibited by law.

11. Term and Termination

This Addendum remains in effect as long as VitaScribe processes PHI on behalf of the Clinic. Upon termination, VitaScribe will securely delete or de-identify all PHI unless retention is legally required.

12. Governing Law

This Addendum is governed by and construed in accordance with the laws of Ontario and the laws of Canada applicable therein.

13. Contact Information

For questions, access requests, or complaints, contact:

VitaScribe Inc.

Email: privacy@vitascribe.ca