Privacy

Effective date: June 14th, 2025


1. Introduction

Welcome to Clinix LLC ("Clinix AI," "we," "us," or "our"). We provide AI-powered clinical documentation services (the "Services") to healthcare providers ("Clients" or "Covered Entities"). This Privacy Policy explains how we collect, use, disclose, and safeguard information, including Protected Health Information (PHI), when you use our Services or visit our website www.tryclinixai.com (the "Site").

We are committed to protecting the privacy and security of all information we process. As a "Business Associate" to our healthcare provider clients under the Health Insurance Portability and Accountability Act (HIPAA), we are legally bound to protect the confidentiality and integrity of PHI. This policy outlines our data handling practices in compliance with HIPAA, the General Data Protection Regulation (GDPR), and other applicable privacy laws. 

By using our Services or accessing our Site, you acknowledge that your information will be handled as described in this Privacy Policy.

2. The Information We Collect

We collect information to provide and improve our Services. The types of information we collect depend on your interaction with us.

  • Protected Health Information (PHI) and Personal Data: On behalf of our Clients, we process PHI as defined under HIPAA. This is the core of our service and may include:
      • Clinical Encounter Data: Audio recordings of patient encounters, which are processed to generate clinical notes.
      • Transcripts and Notes: Text transcripts of audio recordings and the structured clinical notes (e.g., SOAP, BIRP, DAP) generated from them. This information is created by our service on behalf of the Covered Entity.
      • Patient Demographics: Information that identifies an individual, as provided by the Covered Entity.

  • Client Account Information: When a healthcare provider registers for our Services, we collect professional contact information such as name, email address, phone number, job title, and practice details.
  • Usage Data: We automatically collect technical information about your interaction with our Site and Services, including IP address, browser type, operating system, and usage patterns. This is used for service improvement, security monitoring, and analytics.
  • Cookies and Tracking Technologies: We use cookies and similar technologies on our Site to enhance user experience, analyze usage, and support our marketing efforts. These tools do not process PHI.

3. How We Use Your Information

Our use of information, particularly PHI, is strictly limited by our agreements with Clients (the Covered Entities) and by law. 

We use the information we collect to:

  • Provide and Maintain Our Services: Our primary use of PHI is to perform our AI-powered clinical documentation services for our Clients, as specified in our Service Agreements. This includes generating ambient notes to reduce charting time for providers.

  • Support and Communication: To respond to inquiries, provide customer support, and send service-related updates to our Clients.
  • Service Improvement: We may use de-identified data to improve our AI models and services. This data has been stripped of all personal identifiers in accordance with HIPAA standards and cannot be linked back to an individual. Under our Business Associate Agreements with cloud vendors, your PHI is never used for their model training.

  • Legal and Administrative Purposes: For the proper management and administration of our business, and to carry out our legal responsibilities, including meeting our compliance and regulatory obligations.

  • Security and Compliance: To monitor for security incidents, prevent fraud, and ensure compliance with our HIPAA, GDPR, and SOC 2 obligations.

4. Sharing and Disclosure of Information

We do not sell personal information or PHI. We only disclose information under specific circumstances and with robust safeguards in place.

  • With Service Providers (Sub-processors): We utilize a controlled, on-shore supply chain for our core services. We may share information with the following key vendors, who are bound by Business Associate Agreements (BAAs) with us:
      • Google Cloud (Primary): Used for primary cloud infrastructure. Our BAA with Google ensures data-residency controls and top-tier encryption (AES-256 at rest, TLS 1.3 in transit).
      • OpenAI (Secure Inference Only): Used for specific AI processing tasks. Our BAA with OpenAI contractually prohibits them from training models on your PHI and requires that data is not retained for more than 30 days.

  • For Legal Reasons: We may disclose information if required by law or in response to a valid legal process, such as a court order or government request.

  • In Connection With a Business Transfer: If Clinix AI is involved in a merger, acquisition, or asset sale, your information may be transferred. We will ensure that the receiving party agrees to privacy and security commitments consistent with this policy and applicable law.
  • At the Direction of the Covered Entity: We will share PHI as directed by the Covered Entity (our Client) in order to fulfill their obligations to patients.

5. Data Security and Compliance

We implement comprehensive administrative, technical, and physical safeguards to protect all information, especially PHI, from unauthorized access, use, or disclosure. 

Our security program includes:

  • Regulatory Alignment: Our architecture and policies are designed for compliance with the HIPAA Security, Privacy, and Breach Notification Rules; GDPR; and state privacy statutes.

  • SOC 2 Type 1 & 2: We are undergoing a SOC 2 audit. Key controls already in place include:
      • Continuous vulnerability scanning and monthly external penetration tests.
      • Strict role-based access control (RBAC) tied to HR automation.
      • Immutable audit logs with a 10-year retention period.
      • A robust disaster recovery plan with an RPO of ≤ 5 minutes and an RTO of ≤ 30 minutes.

  • Encryption: All PHI, including audio, transcripts, and notes, is encrypted in transit (TLS 1.3) and at rest (AES-256). Access is gated by short-lived, least-privilege OAuth2 tokens.

  • On-Shore Team: All research, development, and infrastructure management is performed by our Atlanta-based team to ensure a closed and secure supply chain.

6. Data Retention

We retain information for as long as necessary to fulfill the purposes outlined in this policy and our service agreements, and to comply with legal obligations.

  • PHI: We retain PHI on behalf of our Clients for the duration of our Service Agreement. Upon termination of the agreement, we will return or destroy all PHI as directed by the Client.

  • OpenAI Processing: Data processed by OpenAI is subject to zero data retention and is deleted after 30 days.

  • Audit Logs: Immutable audit logs are retained for 10 years to meet compliance requirements.

7. Your Rights and Choices (for Patients/Individuals)

As a patient of a healthcare provider that uses Clinix AI, your privacy rights regarding your PHI are managed by your provider (the Covered Entity). We are committed to helping our Clients meet their obligations to you.

Your rights under HIPAA include:

  • Access, Amendment, and Accounting of Disclosures: You have the right to request access to your PHI, ask for corrections, and request an accounting of certain disclosures. These requests should be made directly to your healthcare provider. We will assist your provider in responding to your requests within the timeframes specified in our BAA (typically 5-10 business days).

  • Consent: Our service is used as part of your clinical care. We recommend that our Clients obtain verbal consent before using our recording technology with any patient for the first time. If a patient declines to be recorded, the clinician can use manual note-taking to respect patient preference.

8. International Data Transfers

Our services are operated from the United States by an onshore team. Our primary cloud infrastructure maintains data residency within the U.S. While our services can support over 90 languages, all processing and storage is handled within our secure, U.S.-based environment.

9. Children's Privacy

Our services are not directed to children. We process the PHI of minors only as a Business Associate to healthcare providers who are legally authorized to provide care to them. We do not knowingly collect personal information directly from children.

10. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or to comply with applicable laws and regulations. Any changes will be posted on this page with an updated "Effective Date." We encourage you to review this policy regularly.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact our Privacy Officer:

Clinix LLC
Attn: Privacy Officer

Address: 3455 Peachtree Rd NE, Suite 500, Atlanta, GA 30326 

Email: hello@tryclinixai.com