NeuroScribeAI Privacy Policy

Effective Date: June 01 2025

At NeuroScribeAI, Inc. and its affiliates ("Company," "we," "us," or "our"), we are committed to protecting your privacy and ensuring the security of your Personal Information and Client Data, as defined below.

This Privacy Policy describes how we collect, use, store, share, and protect your information when you ("User," "you," or "your") use NeuroScribeAI (the "Service," as defined in our Terms of Service). This policy should be read in conjunction with our Terms of Service ("Terms") and our Business Associate Agreement ("BAA"), which is incorporated into the Terms.

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy and our Terms, which are hereby incorporated by reference.

1. Our Role Under HIPAA

As a provider of services to healthcare professionals, NeuroScribeAI acts as a "Business Associate" under the Health Insurance Portability and Accountability Act ("HIPAA"). This means we are legally obligated to protect the privacy and security of any Protected Health Information ("PHI") we receive, create, maintain, or transmit on your behalf. Our responsibilities are detailed in the BAA, which governs our handling of all PHI.

The Service is intended for use by licensed clinicians and their authorized staff (the "User"). Patients, guardians, and collaterals do not hold accounts as Users of the Service; their interaction with the Service is limited to the Patient Portal, as described in Section 3.

2. User Consent and Preferences

2.1 Consent Mechanisms. By using our Service, or by clicking the "I acknowledge and agree" checkbox during the signup process, you consent to the collection and use of your Personal Information and Client Data as described in this Privacy Policy.

2.2 Preference Management. Currently, we do not provide tools or settings for users to manage their privacy preferences. However, you can modify your Personal Information or request its deletion by contacting our support team at info@neuroscribeai.com.

3. Information We Collect and How We Collect It

3.1 User Information. We collect personal information that you provide directly to us when you create an account or interact with the Service, including:

(a) email address;

(b) first name;

(d) organization or company you work for (collectively, "Personal Information").

3.2 Client Data. You retain ownership of all data, including assessment scores, rating scale scores, qualitative observations and notes about your clients ("Client Data"), and past clinical reports that you provide to configure your account or templates ("Example Reports"), that you input into the Service. Client Data also includes information submitted by your clients — including patients, guardians, and collaterals — through the Patient Portal, such as completed questionnaires and forms and documents uploaded at your request. Client Data may include PHI, as defined under HIPAA. We collect and process Client Data solely to provide the Service to you in accordance with our Terms and BAA, and we treat all such information as Client Data and PHI belonging to and controlled by you.

3.3 Patient Portal. The Patient Portal is a feature of the Service that allows your adult patients, guardians, and collaterals to complete and submit questionnaires and forms you have requested, and to upload supporting documents. Patient Portal participants access the Portal solely to provide information at your direction. They are not Users of the Service, and all information they submit is collected, used, and protected as Client Data and PHI on your behalf under the BAA.

3.4 Automatically Collected Data. We do NOT automatically collect Personal Information such as browser types or browsing behavior through advertising cookies or similar tracking technologies within the secure Service. However, we may use local storage on your device to deliver the Service and enhance your user experience. Local storage may be used to store session information and user preferences to facilitate seamless navigation and operation of the Service. We may collect basic usage data, such as login times, features used, and interaction patterns, to operate and improve the Service. This data is collected without using third-party advertising or tracking technologies.

3.5 Secure Service. To protect the confidentiality of Client Data, the secure, logged-in portion of our Service does not use third-party advertising cookies or tracking pixels. We do, however, use local storage and essential authentication tokens on your device, which are necessary to provide the core functionality of the Service and maintain your logged-in state. We may temporarily cache Client Data in your browser's local storage to support features such as auto-save and to prevent data loss from inadvertent page refreshes or connectivity issues. This data resides on your local device and is cleared periodically.

3.6 Data Minimization. We adhere to the principle of data minimization, collecting only the information necessary to provide and improve our Service. We regularly review our data collection practices to ensure we are not collecting unnecessary information.

3.7 Direct Collection. We collect information directly from you when you:

(a) create an account;

(b) input Client Data or configure templates; or

We also collect Client Data indirectly, on your behalf, when your patients, guardians, or collaterals submit information through the Patient Portal at your request.

4. How We Use Your Information

4.1 Service Provision. We use the information you provide to:

(a) deliver the Service and enhance your user experience;

(b) configure your account, templates, and report formatting using the Example Reports and settings you provide, which may include manual review by authorized personnel;

(d) improve the quality of our report outputs.

4.2 Communication. By providing your information when signing up for the Service or otherwise engaging with us, you consent to receive service-related communications and, where you have not opted out, marketing communications such as product updates. You may opt out of marketing communications at any time as described in Section 7.3. We use your contact information to:

(a) send service-related announcements and updates;

(b) respond to your inquiries and provide customer support; or

4.3 Analytics and Improvement. We may use de-identified and aggregate data to:

(a) enhance and optimize the Service;

(b) conduct research and development; or

Any de-identification is performed by us in accordance with the HIPAA de-identification standard at 45 C.F.R. § 164.514(b) as described in our BAA.

4.4 Legal Compliance. We may use your information to comply with applicable laws, regulations, legal processes, or governmental requests, and to meet our obligations under HIPAA and our BAA with you.

5. Sharing of Information

5.1 Third-Party Service Providers and Subcontractors. To provide our Service, we engage third-party service providers. These providers are contractually obligated to use data solely to provide the specified service to us and are prohibited from using the data for their own purposes. We formally distinguish between providers based on their access to PHI:

(a) Subcontractors. These are providers who create, receive, maintain, or transmit PHI on our behalf to deliver core aspects of our Service. We have signed a HIPAA-compliant BAA with each Subcontractor that requires them to protect PHI to the same standards that we do. A complete list of our Subcontractors is maintained in Exhibit A of our BAA.

(b) Other Third-Party Service Providers. We may also use providers for services that do not involve PHI ("OTPSP"). These providers do not have access to PHI and are not considered Subcontractors under HIPAA.

5.2 Sharing Data. We may share your Personal Information and Client Data with the following Subcontractors and providers who assist us in operating the Service. Each provider listed below that may access PHI does so under a HIPAA-compliant BAA with us:

Provider	Purpose	May Access PHI
Amazon Web Services (AWS)	Cloud infrastructure, including compute (Amazon EKS), data hosting and storage, and logging and monitoring. We self-host the Service on AWS in the United States.	Yes
Google Cloud (Vertex AI – Gemini)	AI processing services. Gemini models are accessed through Google Cloud's Vertex AI platform. Data submitted to Vertex AI is processed under our BAA with Google and Google Cloud's data processing terms, under which such data is not used to train Google's foundation models and is not retained beyond what is necessary to provide the Service.	Yes
Anthropic (Claude)	AI processing services. Data sent to Anthropic is processed in accordance with the BAA we have in place with them, which prohibits use of the data for model training.	Yes
OpenAI	AI processing services. Data sent to OpenAI is processed in accordance with the BAA we have in place with them, which prohibits data retention and use for model training.	Yes
Google Workspace (enterprise email)	Email delivery for service-related and account notifications.	Yes

Note for review — Google Workspace is listed as a PHI Subcontractor under the Google BAA. If your service notifications never contain PHI, it may instead be reclassified as a non-PHI provider (OTPSP).

5.3 Legal Requirements. We may disclose your Personal Information or Client Data if required by law or in response to valid requests by public authorities (e.g., courts or government agencies).

5.4 Business Transfers. In the event of a merger, acquisition, or sale of all or a portion of our assets, your Personal Information and Client Data may be transferred to the acquiring entity, subject to the protections of this Privacy Policy and our BAA.

6. Data Security, Storage, and Retention

6.1 Security Measures. We protect your Personal Information and Client Data using reasonable and appropriate administrative, physical, and technical safeguards in accordance with the HIPAA Security Rule. These include encryption, secure servers, firewalls, and access controls.

6.2 Data Storage Location. All data is stored on secure servers located in the United States.

6.3 Data Breach Policies and Regulatory Notification. In the event of a data breach that compromises your Personal Information or Unsecured PHI, as defined in HIPAA, we will notify affected users via email. For Unsecured PHI, we will notify you in accordance with our obligations under the BAA, which requires notification without unreasonable delay and in no case later than [INSERT NUMBER FROM YOUR BAA] business days after discovery. For Personal Information, we will notify you as required by applicable law. We will coordinate with relevant authorities and comply with all legal obligations, including timely notifications and cooperation during investigations.

6.4 Retention Period (PHI / Client Data). Upon termination of the Terms, we will return or securely destroy all PHI in our possession and will not retain any copies, in accordance with our BAA. You acknowledge that this destruction process is permanent and irreversible. We may retain PHI in encrypted backups for disaster recovery and business continuity purposes in compliance with HIPAA's Security Rule, provided that such PHI is not accessed or used unless required for those purposes. The process will be initiated upon termination and may take up to [INSERT NUMBER] days to complete to ensure removal of PHI from all production, disaster recovery, and backup systems. If return or destruction is not feasible (for example, where PHI exists only in encrypted backups), we will extend the protections of the BAA to the information and limit further uses and disclosures to those purposes that make return or destruction infeasible for as long as we maintain it. This obligation does not apply to data that has been de-identified. Any data that is not PHI will be handled in accordance with our standard data retention policies.

6.5 Retention of Personal Information. We will retain your Personal Information for as long as your account is active. Following termination of your account, we will retain your Personal Information for a period of five (5) years for legitimate business purposes, including to comply with our legal obligations (such as tax and accounting), resolve disputes, and enforce our agreements.

7. User Rights and Responsibilities

7.1 Access and Correction. You may request access to or correction of your Personal Information by contacting us at info@neuroscribeai.com.

7.2 Deletion Requests. You may request the closure of your account and deletion of your Personal Information by contacting us at info@neuroscribeai.com. Deletion of Client Data containing PHI is governed by the termination provisions in our BAA.

7.3 Opt-Out Options. You may opt out of receiving marketing communications by following the unsubscribe instructions included in such emails. Please note that you cannot opt out of service-related communications necessary for the operation of your account.

7.4 Account Security. You are responsible for maintaining the confidentiality of your account credentials and for all activities that occur under your account. Please do not share your username or password with anyone.

7.5 Third-Party Links. The secure, logged-in portion of our Service does not contain links to third-party websites.

8. Compliance and Regulatory Matters

8.1 GDPR and CCPA. Our Service is not offered to individuals in the European Economic Area ("EEA") and is not subject to the General Data Protection Regulation ("GDPR"). We currently do not meet the thresholds that would require compliance with the California Consumer Privacy Act ("CCPA"), and PHI handled under HIPAA is in any event exempt from the CCPA. We are committed to complying with all applicable privacy laws and regulations as our operations expand and as these laws evolve.

8.2 Ongoing Compliance Efforts and Privacy Impact Assessments. We regularly review and update our practices to ensure ongoing compliance with applicable laws and regulations. This includes conducting periodic internal audits and privacy impact assessments, including audits of Client Data, to ensure compliance with our privacy policies and applicable laws. These assessments are conducted internally under strict confidentiality protocols.

9. International Data Transfers

Our Service is intended for users within the United States, and all data is processed and stored domestically. We do not transfer your Personal Information internationally.

10. Children's Privacy

The Service is operated by and intended for use by licensed clinicians. It is not directed to children, and we do not knowingly create accounts for or collect Personal Information directly from individuals under the age of 13. Access to the Patient Portal is intended for adults — patients, guardians, and collaterals — who use it solely to complete questionnaires and forms requested by a clinician. Where a clinician's client is a minor, information about that minor is provided to us by the clinician (or by a guardian acting at the clinician's direction) and is collected, used, and protected as Client Data and PHI under the BAA. If you believe a child has provided us with Personal Information outside of this clinician-directed context, please contact us immediately at info@neuroscribeai.com.

11. Changes to the Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time. We will notify you via email of any significant changes at least thirty (30) days before they take effect. Your continued use of the Service after the effective date constitutes your acceptance of the updated Privacy Policy.

12. Contact Information

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at: info@neuroscribeai.com.

Thank you for choosing NeuroScribeAI. We are committed to providing you with a valuable tool to reduce the time and mental burden associated with writing neuropsychological and psychoeducational reports.

NeuroScribeAI, Inc. is incorporated in Delaware.