Determa Privacy Policy

Last Updated: January 7, 2026
Effective Date: January 7, 2026

Introduction

Determa LLC ("Determa," "we," "our," or "us") is committed to protecting the privacy and security of your information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services, including our web application, mobile applications, and API (collectively, the "Service").

Determa enables healthcare professionals to record, transcribe, and process medical audio for clinical documentation purposes. We implement appropriate technical and organizational measures to protect your information.

Information We Collect

Account Information

  • Email address
  • Name and organization affiliation
  • Password (encrypted and securely stored)

Content You Provide

  • Audio recordings
  • Transcripts of your recordings
  • AI-generated clinical notes
  • Recording metadata (date, time, duration)
  • User preferences and settings

Technical Information

  • Device type and operating system
  • Application version
  • Usage logs and error reports
  • IP address and network information

How We Use Your Information

We use your information to:

  • Provide, maintain, and improve our services
  • Store and manage your recordings and data
  • Authenticate your identity and maintain secure sessions
  • Process and fulfill your requests
  • Send you technical notices and support messages
  • Monitor and analyze usage to improve service quality
  • Detect and prevent security issues and abuse
  • Comply with legal obligations

AI and Machine Learning

We use artificial intelligence and machine learning services to:

  • Transcribe your audio recordings into text
  • Generate clinical notes based on your transcripts
  • Improve naming and formatting of your content

Your recordings and transcripts may be processed by third-party AI service providers. These providers are contractually obligated to protect your information.

Third-Party Services

Determa uses the following third-party services that have signed Business Associate Agreements (BAAs) and may process Protected Health Information (PHI):

Google Cloud Platform

  • Purpose: Cloud infrastructure, database, file storage, transcription, and AI processing
  • Services used: Cloud Storage, Cloud SQL, Vertex AI, Speech-to-Text, Firebase (crash reporting)
  • Data processed: Audio recordings, transcripts, clinical notes, application data
  • Location: United States
  • BAA: Yes

Deepgram

  • Purpose: Alternative transcription service
  • Data processed: Audio recordings, transcripts
  • Location: United States
  • BAA: Yes

Mobile Application

The Determa mobile app (iOS and Apple Watch) is a companion to the Determa web platform.

Mobile App Functions

  • Secure audio recording of patient encounters
  • Encrypted upload to Determa cloud platform
  • Automatic sync with web platform
  • Face ID/Touch ID authentication

Processing Location

Transcription and AI note generation occur on the Determa cloud platform, not on your mobile device. All processing uses HIPAA-compliant services with Business Associate Agreements.

HIPAA Compliance and Protected Health Information (PHI)

Our Commitment to HIPAA

Determa is designed to be used by healthcare providers and their business associates in a manner compliant with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), including the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") and their implementing regulations.

As a service that processes Protected Health Information (PHI) on behalf of healthcare providers, we act as a "Business Associate" under HIPAA. We implement and maintain appropriate administrative, physical, and technical safeguards to protect PHI in accordance with HIPAA requirements.

What is Protected Health Information (PHI)?

PHI includes any individually identifiable health information that is created, received, maintained, or transmitted by healthcare providers. When you use Determa to record patient encounters, your recordings and transcripts may contain PHI, including:

  • Patient names, dates of birth, and other demographic information
  • Medical diagnoses, symptoms, and treatment information
  • Medication and prescription information
  • Lab results and medical test data
  • Billing and insurance information

Business Associate Agreement (BAA)

Before using Determa to process PHI, you must accept our Business Associate Agreement ("BAA"). The BAA is a legal contract required by HIPAA that:

  • Defines how we may use and disclose PHI
  • Outlines our obligations to safeguard PHI
  • Establishes breach notification procedures
  • Requires compliance with applicable HIPAA rules

User-Level BAA: Individual users accept our BAA via electronic clickwrap acceptance when they register for an account or when prompted to accept an updated version. This acceptance is legally binding under the Electronic Signatures in Global and National Commerce Act (ESIGN Act).

Organization-Level BAA: Organizations may execute a formal BAA through electronic signature services (such as SignWell or DocuSign) or via traditional paper signature. Contact us at legal@determa.co for organization-level BAA execution.

Your Responsibilities as a Covered Entity

If you are a healthcare provider or work for a healthcare organization ("Covered Entity"), you are responsible for:

  • Obtaining patient consent before recording patient encounters, as required by applicable laws
  • Using Determa only for purposes permitted under HIPAA
  • Maintaining appropriate safeguards on your devices and network
  • Training your staff on HIPAA compliance and proper use of Determa
  • Reporting any suspected breach of PHI to your organization's Privacy Officer
  • Maintaining compliance with state privacy laws and professional regulations

How We Protect PHI

We implement comprehensive security measures to protect PHI, including:

  • Access Controls: Role-based permissions and authentication
  • Encryption: AES-256 encryption for data at rest and TLS 1.2+ for data in transit
  • Audit Logging: Logging of cross-user PHI access and modifications
  • Security Monitoring: Application logging and infrastructure monitoring
  • Workforce Training: HIPAA compliance training for employees with PHI access
  • Vendor Management: BAAs with all subcontractors that process PHI
  • Incident Response: Breach notification and remediation procedures per HIPAA requirements

Breach Notification

In the event of a breach of unsecured PHI, we will:

  • Notify affected Covered Entities without unreasonable delay and no later than 60 days following discovery
  • Provide information about the nature of the breach, affected individuals, and mitigation steps
  • Cooperate with Covered Entities in their breach notification obligations to patients and regulators
  • Document the breach and remediation actions taken

Third-Party Service Providers (Subcontractors)

We may use third-party service providers to process PHI on our behalf, including:

  • Cloud infrastructure providers (e.g., Google Cloud Platform)
  • Transcription services (e.g., Google Speech-to-Text, Deepgram)
  • AI/LLM services for clinical note generation (e.g., Google Vertex AI)

All subcontractors that have access to PHI are required to enter into Business Associate Agreements with us and comply with applicable HIPAA requirements. We remain responsible for their compliance.

De-identification and Research

We do not use PHI for research purposes. We may use de-identified data (data from which all HIPAA identifiers have been removed) for service improvement, analytics, and research. De-identified data is not subject to HIPAA restrictions.

Data Security

We implement appropriate technical and organizational measures to protect your information, including:

Encryption in Transit

  • All data transmitted between mobile apps and servers uses TLS 1.2 or higher
  • No unencrypted data transmission

Encryption at Rest

  • File storage: AES-256 encryption with customer-managed encryption keys
  • Database: Encrypted at rest using Google Cloud SQL's encryption
  • Encryption keys for file storage managed by Google Cloud Platform Key Management Service

Mobile Device Security

  • Biometric authentication (Face ID/Touch ID) available
  • Local data encrypted using iOS platform encryption
  • Secure Keychain storage for credentials

Additional Security Measures

  • Secure authentication and session management
  • Regular security monitoring and updates
  • Access controls and role-based permissions
  • Secure cloud infrastructure

While we strive to protect your information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.

Data Retention

We retain your information for as long as necessary to provide our services and comply with legal obligations:

  • Account information is retained while your account is active
  • Recordings and content are stored until you delete them
  • Deleted data is removed from our systems within a reasonable timeframe
  • Some metadata and logs may be retained for security and legal compliance
  • Anonymized usage data may be retained indefinitely for service improvement

Data Sharing and Disclosure

We do not sell your personal information. We may share your information with:

  • Service Providers: Third-party companies that help us operate our services, such as cloud storage providers, transcription services, email delivery services, and error monitoring tools. These providers are contractually obligated to protect your information.
  • Legal Requirements: Law enforcement, government authorities, or other third parties when required by law or to protect our rights and safety.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to you if your information will be subject to a different privacy policy.

Your Rights

You have the following rights regarding your information:

  • Access: Request access to your personal information
  • Correction: Request correction of inaccurate information
  • Deletion: Request deletion of your personal information
  • Data Portability: Request a copy of your data in a portable format
  • Object: Object to our processing of your information

To exercise any of these rights, please contact us at support@determa.co.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. You are advised to review this Privacy Policy periodically for any changes.

Contact Us

If you have any questions about this Privacy Policy, please contact us at legal@determa.co.