Privacy Policy

Last updated: April 2, 2026

This Privacy Policy describes how SmartScribe Corp (doing business as JotPsych) ("SmartScribe," "Company," "we," "us," or "our") collects, uses, discloses, and protects information when you use our websites, applications, browser extensions, and related services (collectively, the "Services"). It also describes your privacy rights and the protections available to you under applicable law.

By accessing or using the Services, you acknowledge that you have read this Privacy Policy and agree to the collection and use of information in accordance with its terms. If you do not agree, you must discontinue use of the Services immediately.

Definitions

• Client (also "you" or "your") means the individual or legal entity accessing or using the Services.
• Patient means any individual whose health information is created, received, maintained, or transmitted through a Client's use of the Services. Patients are not direct users of SmartScribe accounts.
• Protected Health Information (PHI) means individually identifiable health information as defined under the Health Insurance Portability and Accountability Act (HIPAA).
• Personal Data means any information that relates to an identified or identifiable individual.
• Service Provider means any third-party company or individual engaged by SmartScribe to facilitate, perform, or assist in the delivery of the Services.
• Usage Data means data collected automatically through the operation of the Services, including but not limited to page views, session duration, device identifiers, and IP addresses.

Audio Recording and Transcription

The Services enable clinicians to record clinical sessions using their device's microphone. Audio is uploaded to our cloud infrastructure in encrypted chunks during or immediately following the session. The audio is then transmitted to third-party transcription providers for conversion to text.

Raw audio is permanently deleted after transcription is complete. SmartScribe does not retain audio recordings beyond the time required to produce a transcript. The resulting transcription is retained as part of the encounter record and is subject to the data retention periods described below.

AI Processing of Clinical Data

SmartScribe uses artificial intelligence, including third-party large language model providers, to process clinical data in the following ways:

• Generating clinical notes from transcriptions
• Generating clinical documents, including referral letters, prior authorization requests, and treatment plans
• Recommending laboratory tests based on note content
• Auditing notes for compliance and coding accuracy
• Providing documentation coaching and feedback to clinicians
• Extracting medication information from notes into patient records
• Mapping note sections to Electronic Health Record (EHR) fields via the Chrome Extension
• Generating forms from user-provided descriptions
• Parsing and extracting data from uploaded documents

The Services employ per-user learning, meaning user preferences and correction patterns are retained to improve the quality of future outputs for that specific user. This is not foundational model training.

SmartScribe does not use client clinical data to train foundational AI models. Clinical data processed through the Services is used solely to deliver and improve the Services for the applicable Client.

By default, personally identifiable information (PII) is removed from clinical content before it is sent to third-party AI providers. This default behavior is configurable by the Client at the account level. SmartScribe is not responsible for any increased risk resulting from a Client's decision to disable PII removal.

Patient Data (Protected Health Information)

Through Client use of the Services, SmartScribe may collect, process, and store the following categories of patient data:

• Demographics: Name, date of birth, gender identity, sex, pronouns, race/ethnicity, contact information, and employment details
• Insurance: Payer information, policy and group numbers, and subscriber details
• Clinical: Medications, diagnoses (ICD-10 codes), allergies, treatment plans, and clinical notes
• Emergency contacts
• Patient consent records

All patient data is treated as PHI and handled in accordance with HIPAA and the terms of any applicable Business Associate Agreement (BAA) between SmartScribe and the Client.

Financial and Billing Data

The Services support insurance claims generation and submission through third-party clearinghouse partners. Claim data includes CPT codes, ICD-10 codes, dates of service, billed amounts, and related encounter information. Provider billing identity data -- including National Provider Identifier (NPI), Tax Identification Number (TIN), and taxonomy codes -- is collected and stored to facilitate claims submission.

Patient payments are processed through a third-party payment processor. SmartScribe does not store credit card numbers, bank account numbers, or other direct financial instrument data. Such data is collected and managed exclusively by our payment processing provider in accordance with PCI DSS standards.

Remittance and payment data received from insurers is stored as part of the billing record.

E-Prescribing

Electronic prescriptions are processed through a third-party e-prescribing platform. To use e-prescribing features, clinicians must register with the e-prescribing platform, which requires the following information: full legal name, date of birth, NPI, and DEA number.

For identity proofing purposes, the e-prescribing platform may require additional verification data, including Social Security Number, credit card verification, and photo identification. This identity proofing data is submitted directly to the third-party e-prescribing platform and is never transmitted to, stored by, or accessible to SmartScribe.

The Services support prescribing of controlled substances (Schedules II through V) with enhanced authentication as required by federal and state law. Prescription records are managed within the third-party e-prescribing platform.

Credentialing Data

For clinicians who use credentialing features, SmartScribe collects and stores:

• Social Security Number (encrypted on write; never returned via API; never displayed in the application)
• Malpractice insurance details
• Professional licenses, board certifications, and DEA certificates
• Disclosure attestations, including any history of license actions, malpractice claims, criminal history, and Medicare/Medicaid sanctions
• Tax identification (Employer Identification Number)
• Photo identification

Credentialing data is stored with enhanced encryption and access controls and is retained for the duration of the provider's relationship with SmartScribe.

Telehealth

The Services include telehealth functionality powered by a third-party video infrastructure provider. Video and audio streams are processed by the video infrastructure provider during the session.

Chat messages exchanged during telehealth sessions are transmitted in real time and are not persisted or stored by SmartScribe or the video infrastructure provider after the session ends.

Patient-Facing Interactions

Patients are not users of SmartScribe and do not create accounts. However, the Services facilitate certain interactions with patients on behalf of Clients, including:

• Delivery of intake forms via SMS or email, which patients complete without creating an account or logging in
• Payment requests sent via SMS, with payments collected by a third-party payment processor
• Appointment confirmations via SMS or email, which may include telehealth session join links
• Delivery of clinical documents via SMS or email (date-of-birth verification required to access)
• Delivery of lab orders to patients
• Follow-up messages sent via SMS or email on behalf of the Client

SmartScribe acts as a conduit for these communications on behalf of the Client. The Client is responsible for obtaining any required patient consent for these communications.

Chrome Extension (JotPsych Note Shuttle)

The JotPsych Note Shuttle Chrome Extension helps clinicians transfer clinical notes from JotPsych to their EHR systems. The Extension collects only the data necessary to provide this functionality.

Data Collected by the Extension

Information you provide:

• Authentication credentials (stored in local browser storage as tokens only)
• User profile information, including email and name (stored in local browser storage)

Information collected automatically:

• Current page URL, to identify the active EHR system (stored in local browser memory, not persisted)
• EHR page structure (DOM), to identify form fields for note insertion (temporarily in memory; sent to JotPsych API for field mapping)
• Form field metadata, to create and store mappings between JotPsych note sections and EHR fields (stored in local browser storage)

The Extension reads page content only when you explicitly initiate a scrape or mapping action. It does not passively monitor browsing activity.

Medical Information

When transferring notes to your EHR, medical note content is retrieved from your JotPsych account via secure API calls. Note content passes through the Extension for insertion into your EHR but is not stored persistently by the Extension. All data transmission uses HTTPS encryption.

Extension Data Storage

• Authentication tokens (encrypted by Chrome's storage API)
• User profile information
• EHR template mappings

Uninstalling the Extension

You may uninstall the Extension at any time. Uninstalling removes all locally stored data (tokens, mappings, preferences) and revokes the Extension's access to your browser. It does not affect your JotPsych account or data stored on our servers.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track activity on our Services and store certain information. Tracking technologies used include beacons, tags, and scripts to collect and track information and to improve and analyze our Services.

Cookies or Browser Cookies. A cookie is a small file placed on your device. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some parts of our Services.

Web Beacons. Certain sections of our Services and our emails may contain small electronic files known as web beacons that permit the Company to count users who have visited those pages or opened an email and for other related website statistics.

We use both session cookies (deleted when you close your browser) and persistent cookies (remain until expiration or deletion) for the following purposes:

• Essential Cookies (Session) -- Required to provide core Services functionality and enable features.
• Acceptance Cookies (Persistent) -- Record whether users have accepted the use of cookies on the Services.
• Functionality Cookies (Persistent) -- Remember choices you make, such as login details or language preferences.

We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products and services. Website usage data is captured using first- and third-party cookies and other tracking technologies. We use this information for site optimization, fraud and security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.

Use of Your Personal Data

We do not sell Personal Data. We do not share Personal Data with third parties for their own marketing or cross-context behavioral advertising purposes.

We may use Personal Data for the following purposes:

• Providing, operating, and maintaining the Services
• Managing your account and verifying your identity
• Processing transactions and sending related information
• Communicating with you by email, telephone, SMS, or push notifications
• Providing news, offers, or information about the Services, unless you have opted out
• Responding to your requests, inquiries, and support needs
• Analyzing usage to improve the Services
• Detecting, preventing, and addressing technical issues, fraud, or security concerns
• Complying with legal obligations

We may share your information with Service Providers acting as data processors, affiliates, or as part of a business transfer (such as a merger, acquisition, or asset sale), always in accordance with this Privacy Policy and applicable law.

Data Retention

• Audio recordings: Permanently deleted after transcription is complete
• Signed clinical notes: Retained for a minimum of seven (7) years, consistent with healthcare records retention standards
• Unsigned notes: Subject to configurable auto-deletion (30 to 365 days, as set by the Client)
• Usage data: Retained for analysis and service improvement purposes
• Credentialing data: Retained for the duration of the provider's relationship with SmartScribe
• Financial and billing data: Retained as required by applicable law and regulation

When data is no longer required for any of the above purposes and no legal retention obligation applies, it will be securely deleted or de-identified.

Data Security

• All data is encrypted in transit (TLS) and at rest
• Infrastructure is hosted on ISO 27001-certified, SOC 2 Type II compliant cloud infrastructure
• PII is removed from clinical content before AI processing by default (configurable by Client)
• SmartScribe is HIPAA compliant and executes Business Associate Agreements (BAAs) with Clients who are Covered Entities or Business Associates
• Regular security assessments and penetration testing are conducted
• Access to PHI is limited to authenticated, authorized users with role-based access controls
• Audit logs are maintained as required by HIPAA

While we employ commercially reasonable safeguards, no method of electronic transmission or storage is completely secure. SmartScribe cannot guarantee absolute security of your data.

Third-Party Service Providers

SmartScribe engages the following categories of third-party Service Providers to deliver the Services. All Service Providers are contractually obligated to protect data in accordance with applicable law, and where applicable, Business Associate Agreements are in place:

• Cloud infrastructure providers
• Audio transcription providers
• AI and machine learning model providers
• E-prescribing platform provider
• Insurance clearinghouse provider
• Payment processing provider
• Video and telehealth infrastructure provider
• Authentication and identity provider
• Analytics and feature management providers

We do not disclose the specific identity of our Service Providers in this Privacy Policy. Clients subject to BAAs may request a current list of sub-processors by contacting us at info@smartscribe.health.

Your Rights

Subject to applicable law, you have the right to:

• Access the Personal Data we hold about you
• Correct inaccurate or incomplete Personal Data
• Delete your Personal Data, subject to legal retention obligations
• Data portability -- request your data in a structured, machine-readable format
• Opt out of marketing communications at any time
• Withdraw consent where processing is based on consent (withdrawal may limit Service functionality)

To exercise any of these rights, contact us at info@smartscribe.health. We will respond within the timeframe required by applicable law.

Note regarding patient data: Patients whose data is processed through the Services should direct access, correction, or deletion requests to their healthcare provider (our Client). SmartScribe processes patient data on behalf of Clients and will comply with Client instructions regarding such requests.

State-Specific Privacy Rights

California (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, including:

• The right to know what Personal Data we collect, use, disclose, and sell
• The right to delete Personal Data we hold about you
• The right to opt out of the sale or sharing of Personal Data (SmartScribe does not sell Personal Data)
• The right to non-discrimination for exercising your privacy rights
• The right to correct inaccurate Personal Data
• The right to limit use and disclosure of sensitive Personal Data

Other States

Residents of other states with applicable consumer privacy laws (including but not limited to Virginia, Colorado, Connecticut, Utah, and Texas) may have similar rights. To exercise any state-specific privacy rights, contact us at info@smartscribe.health.

Mobile Messaging (SMS/MMS/RCS)

If you opt in to receive messages from JotPsych, we collect your phone number, consent status, messaging preferences, and message logs to operate the messaging program. Messages may include onboarding information, reminders, support communications, or promotional content if you have separately consented.

Carriers and messaging infrastructure providers process messages as our Service Providers and are contractually prohibited from using your data for their own purposes.

You may opt out at any time by texting STOP; a confirmation message will be sent. Message frequency varies. Message and data rates may apply.

We retain opt-in and opt-out records for at least six months after opt-out. No mobile information collected for SMS messaging will be shared with or sold to third parties, business partners, or affiliates for marketing or promotional purposes.

Children's Privacy

The Services are not directed at children under the age of 13. SmartScribe does not knowingly collect Personal Data from children under 13. Account creation requires that the user be at least 18 years of age. If we become aware that we have collected Personal Data from a child under 13, we will take steps to delete that information promptly.

Transfer of Your Personal Data

Your information may be transferred to and processed on servers located outside of your state, province, or country. By using the Services, you consent to this transfer. SmartScribe will take all steps reasonably necessary to ensure your data is treated securely and in accordance with this Privacy Policy and applicable law.

Disclosure of Your Personal Data

Your data may be disclosed in the following circumstances:

• Business transactions: In connection with a merger, acquisition, reorganization, or sale of assets, your data may be transferred as part of that transaction. We will provide notice before your data becomes subject to a different privacy policy.
• Legal obligations: When required by law, regulation, legal process, or enforceable governmental request.
• Protection of rights: To protect and defend the rights, property, or safety of SmartScribe, our Clients, or others.

Links to Other Websites

Our Services may contain links to third-party websites or services not operated by SmartScribe. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policy of every site you visit.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of changes by posting the revised version on this page and updating the "Last updated" date above. For material changes, we may provide additional notice via email or through the Services. Your continued use of the Services after any changes become effective constitutes acceptance of the revised Privacy Policy.

Contact Us

For privacy-related questions, data requests, or concerns about this Privacy Policy:

info@smartscribe.health

For general product support:

contact@jotpsych.com

SmartScribe Corp
Wilmington, Delaware, USA