DictaFlow Medical Privacy Policy

Last updated: May 19, 2026. This page is a public summary and does not replace any signed customer agreement or BAA.

HIPAA note: DictaFlow Medical is intended to support HIPAA-regulated workflows only when used under the required agreements and operational safeguards. Covered entity and business associate customers should execute a Business Associate Agreement before using DictaFlow Medical with PHI.

1. Information we collect

We collect account information such as name, email address, authentication provider, subscription status, usage counters, device/platform metadata, and settings needed to operate DictaFlow Medical.

When you dictate or use editing features, audio and text may be transmitted to the DictaFlow Medical backend and approved subprocessors for transcription, formatting, and related service functionality. DictaFlow Medical is designed not to permanently store raw audio or transcript text on the backend unless a specific support, security, legal, or customer-requested workflow requires retention.

2. Clinical data and PHI

DictaFlow Medical treats clinical dictation content, selected text, prompts, dictionary entries, snippets, cached credentials, and retry audio as potentially sensitive. Medical desktop builds use a separate local storage namespace and include local encryption controls for PHI-bearing app data where supported.

3. How we use information

4. Subprocessors

DictaFlow Medical may use cloud hosting, authentication, database, payment, email, and AI transcription/model providers. Providers that receive PHI-bearing audio or text must be enabled only after required BAA coverage and retention/training settings are confirmed. Payment processors should receive payment data only; do not include patient information in billing metadata. See the current Medical subprocessor list.

5. Support handling

Do not send patient identifiers, transcript text, screenshots containing PHI, or raw local data files through ordinary email or unapproved support channels. If support review of PHI is necessary, it must follow the support process in the applicable BAA or written customer instructions.

6. Retention and deletion

Account, subscription, usage, audit, and security records may be retained as needed to provide the service, meet legal obligations, investigate incidents, and maintain HIPAA documentation. Customers may request account deletion or export through supported app and support workflows. Customer-specific return, destruction, and retention terms should be defined in the applicable BAA or written agreement.

7. Security

DictaFlow Medical uses HTTPS transport, authenticated backend requests, PHI-oriented logging restrictions, provider allowlist controls, and local encryption for Medical app data where supported. No internet service can guarantee absolute security.

8. Contact

For privacy, security, BAA, or support requests, contact ryan@dictaflow.io.