  1. Overview SaraMedico, Inc. ("SaraMedico," "we," "our," or "us") provides software tools that support modern medical practice, including AI-assisted documentation, OCR-based medical record intake, visit transcription, reporting, workflow administration, and related support services (collectively, the "Services"). This Privacy Policy explains how SaraMedico collects, uses, discloses, stores, and protects personal information when individuals visit our website, create an account, use the Services, request a demo, contact us, or otherwise interact with us.
  2. Scope This Privacy Policy applies to information collected through our website, applications, APIs, communications, and customer support channels. It does not replace any Business Associate Agreement (BAA), service order, or enterprise contract that specifically governs the handling of protected health information (PHI) for a covered entity or business associate customer. Where a signed BAA or other healthcare-specific agreement applies, that agreement controls to the extent of any direct conflict.
  3. Categories of Information We Collect We may collect the following categories of information depending on how the Services are used:
     · Account and organization information, such as clinician or staff name, organization name, email address, phone number, billing contact details, role, credentials supplied to us, and account preferences.
     · Website and device information, such as IP address, browser type, device identifiers, log data, session information, pages viewed, referring URLs, and approximate location derived from technical signals.
     · Customer content submitted through the Services, including uploaded records, PDFs, images, dictated notes, visit recordings, generated transcripts, draft SOAP notes, summaries, redacted outputs, structured report content, and administrator-entered settings.
     · Support and communications data, such as messages sent to sales, support, security, or privacy teams, meeting notes, product feedback, onboarding details, and incident reports.
     · Payment and transaction information, which may include subscription plan, billing history, invoice references, and limited payment metadata received through our payment processors. We do not store full payment card numbers unless expressly stated in a separate payment workflow.
     · Compliance and security information, such as audit logs, authentication events, access history, permissions, usage metrics, failed login attempts, device verification events, and records related to legal or regulatory requests.
  4. How We Use Information
     · To provide, operate, maintain, support, secure, and improve the Services.
     · To create and manage user accounts, authenticate users, enforce permissions, and enable auditability.
     · To process OCR, transcription, summarization, de-identification, documentation, reporting, and other requested product functions.
     · To communicate with users about service updates, onboarding, support requests, security notices, invoices, renewals, and policy changes.
     · To monitor performance, troubleshoot issues, prevent misuse, detect fraud, enforce our agreements, and comply with law.
     · To analyze product usage trends in aggregated or de-identified form to improve reliability, usability, and safety of the Services.
     · To evaluate and respond to BAA requests, enterprise security questionnaires, and procurement diligence.
  5. PHI, HIPAA, and Clinical Data Handling SaraMedico is designed for healthcare workflows and may process protected health information on behalf of eligible customers under a signed BAA. Where applicable, we act as a business associate or subcontractor business associate as defined by HIPAA. We use contractual, administrative, physical, and technical safeguards intended to protect electronic PHI, including encryption in transit and at rest, role-based access controls, audit logging, and controlled workforce access. We do not use customer PHI to train public AI models. Product processing involving customer content is performed only to deliver contracted services, maintain the platform, support the customer, or as otherwise permitted by applicable law and contract. Customers are responsible for determining whether their intended use of the Services is permitted under applicable law, obtaining any required patient notices or consents, and reviewing AI-generated outputs before incorporating them into the designated medical record or clinical workflow.
  6. AI-Assisted Features
     · AI-generated content is intended to assist clinicians and staff, not replace professional judgment.
     · Draft transcripts, SOAP notes, summaries, classifications, or extracted fields may contain omissions or inaccuracies and must be reviewed by authorized users before clinical or operational reliance.
     · Customers control whether to activate recording, transcription, and automated drafting features for their users and workflows.
     · We may retain prompts, model outputs, and system metadata as necessary for service delivery, quality assurance, abuse prevention, and security, subject to contractual retention commitments.
  7. Recording and Consent If the Services are used to record patient or staff conversations, the customer is solely responsible for ensuring that all legally required notices, acknowledgments, and consents are obtained before recording begins. SaraMedico may provide user-interface indicators or workflow controls related to recording status, but the customer remains responsible for configuring and using those controls in compliance with applicable federal and state law. SaraMedico may record audio during consultations when enabled by the user or healthcare provider. These recordings may be used for transcription, documentation, and clinical workflow support. Users are responsible for obtaining any required patient consent before recording.
  8. Disclosure of Information
     · Service providers and subprocessors that support hosting, storage, communications, billing, analytics, customer support, AI processing, OCR, transcription, security monitoring, or other business operations, subject to contractual confidentiality and security restrictions.
     · Affiliates or successor entities in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our business, subject to standard confidentiality protections.
     · Government authorities, regulators, courts, law enforcement, or other third parties when we reasonably believe disclosure is required by law, subpoena, court order, or to protect rights, safety, and security.
     · Other parties at the customer's direction or with the customer's authorization, such as integration partners, consultants, implementation vendors, or export recipients.
  9. De-Identified and Aggregated Information We may create and use de-identified, aggregated, or anonymized data sets for product improvement, benchmarking, service analytics, security monitoring, research, and operational reporting, provided such data does not identify an individual and is handled in accordance with applicable law, contract, and internal governance controls.
  10. Cookies and Similar Technologies
     · Essential technologies used to authenticate users, preserve sessions, maintain security, and enable core website functionality.
     · Performance or analytics technologies used to understand usage trends, measure feature adoption, and improve reliability.
     · Preference technologies used to remember display settings or configuration choices.
     Where required by law, we will provide additional choices regarding cookies or similar technologies.
  11. Data Security We maintain a security program that is designed to reduce risks to personal information and customer content. Measures may include encryption, access control, logging, monitoring, secure development practices, vendor management, workforce confidentiality obligations, and incident response procedures. No method of transmission or storage is perfectly secure. Accordingly, while we use commercially reasonable safeguards, we cannot guarantee absolute security.
  12. Data Retention We retain personal information and customer content for as long as needed to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, and maintain appropriate security and business records. Detailed retention expectations are described in SaraMedico's Data Retention section or in the applicable customer agreement, order form, or BAA.
  13. International Transfers If personal information is transferred across borders, we will use appropriate contractual, organizational, and technical measures required by applicable law. Unless otherwise agreed in writing, customers are responsible for assessing whether the Services are suitable for any country-specific localization requirements.
  14. Individual Rights
     · Depending on applicable law, individuals may have rights to access, correct, delete, restrict, or object to the processing of certain personal information.
     · For PHI maintained on behalf of a covered entity or business associate customer, requests concerning access, amendment, restriction, accounting, or other HIPAA rights should generally be directed to the relevant healthcare provider or customer, which remains the controller or covered entity for that data unless otherwise stated in contract.
     · To submit a privacy request, contact [privacy@saramedico.com] or the address listed below. We may need to verify identity and authority before fulfilling a request.
  15. Children's Privacy The Services are intended for professional healthcare and administrative use and are not directed to children as consumer users. We do not knowingly collect consumer personal information from children through the website except as part of customer-provided healthcare records processed under the customer's instructions.
  16. Third-Party Services The Services may link to, interoperate with, or rely on third-party products or websites. We are not responsible for the privacy practices of third parties except as expressly stated in a written agreement.
  17. Changes to This Policy We may update this Privacy Policy from time to time. If we make material changes, we will post the updated policy, revise the "Last Updated" date, and provide any additional notice required by law or contract.