← Back to Trust Center

Privacy Policy

How we collect, use, and protect your information. Last updated: June 12, 2026.

🔐
Summary in plain English: We process patient and clinic data as a HIPAA-compliant Business Associate. We never sell your data. You always retain ownership. We use industry-leading security measures to keep your information safe.

1. Introduction

Hypocrates ("Hypocrates", "we", "our", or "us") is committed to protecting the privacy and security of the personal information of our users, including healthcare providers, clinic administrators, staff members, and patients whose data may be processed through our platform (collectively, "Users").

This Privacy Policy describes how we collect, use, disclose, store, and protect information when you access or use the Hypocrates platform, website, mobile applications, APIs, and related services (collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with any part of this policy, you should discontinue use of our Services immediately.

This policy was last updated on June 12, 2026, and is effective as of that date. We reserve the right to update this policy periodically; we will notify you of material changes via email or a prominent notice on our platform.

2. Information We Collect

2.1 Account & Registration Information. When you register for Hypocrates, we collect information such as your full name, professional title, work email address, phone number, clinic name, clinic address, and billing information. For healthcare providers, we may also collect your professional license number and specialty.

2.2 Clinical & Patient Data (PHI). As a healthcare technology platform, Hypocrates processes Protected Health Information ("PHI") as defined under HIPAA. This may include patient names, dates of birth, contact information, medical records, clinical notes, diagnoses, treatment plans, prescriptions, laboratory results, appointment histories, audio recordings of consultations (with consent), and billing and insurance information. We process this data strictly on behalf of your clinic under a Business Associate Agreement (BAA) and act solely as a data processor.

2.3 Usage & Behavioral Data. We automatically collect information about how you interact with our Services, including log data (IP addresses, browser type, operating system, pages visited, timestamps), feature usage patterns, session duration, click paths, and error reports. This is used to improve the platform and is not linked to PHI.

2.4 Device & Technical Information. We collect device identifiers, hardware model, operating system versions, app version numbers, and network connection data to ensure compatibility and diagnose technical issues.

2.5 Communications Data. If you contact our support team, sales, or submit a form on our website, we retain the contents of those communications including your name, email, and the substance of the inquiry to respond to your request and improve our service.

2.6 Cookies & Tracking Technologies. We use first-party cookies, session tokens, local storage, and analytics pixels to maintain sessions, remember preferences, and gather aggregate analytics. You may manage cookie preferences through your browser settings, though this may affect platform functionality.

3. How We Use Your Information

3.1 Providing & Operating the Services. We use collected data to provision accounts, process appointments and clinical workflows, operate our AI models, and ensure the platform functions correctly for your clinic.

3.2 AI Model Training and Improvement. Hypocrates uses de-identified and aggregated data to train and improve our AI models, including our ambient transcription engine, SOAP note compiler, and scheduling optimizer. We will never use identifiable PHI to train models without explicit opt-in consent and appropriate BAA coverage.

3.3 Communications. We use your email address and phone number to send account-related notifications, appointment confirmations, product updates, billing notifications, and security alerts. Marketing communications require your explicit opt-in and can be withdrawn at any time.

3.4 Customer Support. We access account and usage information as necessary to diagnose issues, provide technical assistance, and resolve disputes.

3.5 Legal & Compliance Obligations. We may process and retain data to comply with legal obligations, respond to lawful requests from government authorities, enforce our Terms of Service, and protect the rights and safety of Hypocrates and its users.

3.6 Fraud Prevention & Security. We analyze usage patterns and device information to detect, prevent, and respond to fraudulent activity, security threats, and unauthorized access to our platform.

4. Data Sharing & Disclosure

4.1 We Do Not Sell Your Data. Hypocrates does not sell, rent, or trade your personal information or PHI to third parties for their commercial purposes.

4.2 Service Providers & Sub-Processors. We engage trusted third-party vendors who assist in delivering our Services, including cloud infrastructure providers (such as certified hosting environments), payment processors, email delivery services, analytics providers, and security auditing firms. All sub-processors are contractually bound to process data only as instructed and to maintain appropriate safeguards. A list of our active sub-processors is available upon request at privacy@hypocrates.com.

4.3 Healthcare Partners. If your clinic integrates Hypocrates with third-party EHR systems, laboratory services, insurance platforms, or referral networks, data may be shared with those systems as authorized by you and your clinic's data sharing agreements.

4.4 Legal Requirements. We may disclose information to courts, regulators, law enforcement, or other authorities when required by applicable law, judicial proceedings, or government request.

4.5 Business Transfers. In the event of a merger, acquisition, bankruptcy, or sale of business assets, user data may be transferred to the acquiring entity, subject to the same privacy commitments described herein. We will provide notice before PHI is transferred or becomes subject to a different privacy policy.

4.6 Aggregated & De-Identified Data. We may share aggregate, de-identified, or anonymized data with research institutions, industry partners, or publicly for benchmarking, research, or promotional purposes. This data cannot reasonably be used to re-identify individuals.

5. HIPAA Compliance & PHI

5.1 Business Associate Agreement. Hypocrates operates as a Business Associate under HIPAA. Before processing any PHI on your behalf, we require the execution of a Business Associate Agreement (BAA) that governs how PHI is handled, protected, and disclosed. Contact legal@hypocrates.com to execute a BAA.

5.2 Safeguards. We implement administrative, physical, and technical safeguards to protect PHI, including role-based access controls, audit logging, encryption in transit and at rest (AES-256), and regular third-party penetration testing.

5.3 Breach Notification. In the event of a breach affecting PHI, we will notify affected covered entities within 60 calendar days of discovery, or as required by HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D), whichever is sooner.

5.4 Patient Rights. Hypocrates supports covered entities in fulfilling patient rights under HIPAA, including the right to access their records, request corrections, and receive an accounting of disclosures. Requests should be directed to your clinic's designated Privacy Officer.

5.5 Minimum Necessary Standard. We access and process only the minimum amount of PHI necessary to fulfill the purpose for which it is being used or disclosed, consistent with the HIPAA minimum necessary standard.

6. Data Retention

6.1 Account Data. We retain your account information for the duration of your active subscription and for up to 7 years following termination of the agreement, unless a longer retention period is required by law or is necessary to resolve disputes.

6.2 Clinical Records. PHI is retained in accordance with your clinic's obligations under applicable state and federal laws. Standard medical record retention is a minimum of 7 years from the date of service, or until a patient's 21st birthday, whichever is later.

6.3 Usage Logs. Anonymized usage logs and analytics data are retained for up to 3 years.

6.4 Deletion Requests. Upon termination of your subscription, you may request a complete export and subsequent deletion of your clinic's data within 90 days. We will confirm deletion in writing. Certain data may be retained to comply with legal obligations or legitimate business interests.

7. Security Measures

Hypocrates takes security seriously. We implement comprehensive technical and organizational security measures, including: (a) encryption of all data in transit using TLS 1.3 and at rest using AES-256; (b) multi-factor authentication (MFA) on all administrative systems; (c) role-based access control with least-privilege principles; (d) continuous monitoring, intrusion detection, and anomaly alerting; (e) annual third-party penetration testing and vulnerability assessments; (f) SOC 2 Type II audit compliance; (g) employee background checks and mandatory security training; and (h) a dedicated Security Incident Response Team (SIRT).

While we employ industry-leading safeguards, no system can guarantee absolute security. We encourage users to use strong unique passwords, enable MFA on their accounts, and report any suspected unauthorized access immediately to security@hypocrates.com.

8. Your Rights

8.1 Access. You have the right to request a copy of the personal data we hold about you, including information about how it is being used.

8.2 Correction. You may request correction of any inaccurate or incomplete personal information we hold about you.

8.3 Deletion. Subject to legal retention requirements, you may request deletion of your personal data. We will fulfil valid deletion requests within 30 days.

8.4 Portability. You may request an export of your personal data in a machine-readable format (CSV or JSON) to transfer to another service.

8.5 Objection & Restriction. Where we rely on legitimate interests as a legal basis, you may object to processing. You may also request that we restrict processing in certain circumstances.

8.6 Opt-Out of Marketing. You may unsubscribe from marketing communications at any time via the unsubscribe link in any email or by contacting privacy@hypocrates.com.

8.7 Exercising Rights. To exercise any of these rights, submit a request to privacy@hypocrates.com. We will respond within 30 days and may require identity verification before fulfilling requests.

9. International Data Transfers

Hypocrates operates globally and your data may be transferred to and processed in countries other than your country of residence, including the United States, United Kingdom, and the United Arab Emirates. These countries may have different data protection laws than your jurisdiction.

For transfers of data from the European Economic Area (EEA), UK, or Switzerland, we rely on appropriate transfer mechanisms such as Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized mechanisms to ensure adequate protection of your data.

All international data transfers are conducted with appropriate safeguards in place to ensure data is protected to a standard equivalent to, or exceeding, your local data protection laws.

10. Children's Privacy

Our Services are not directed to individuals under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete that information promptly.

Healthcare clinics treating minors may process PHI for pediatric patients in compliance with HIPAA and applicable parental consent laws. Such processing is governed by the BAA between Hypocrates and the covered entity.

11. Contact & Data Protection Officer

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Hypocrates Privacy Team

Email: privacy@hypocrates.com

Postal: Hypocrates Inc., 350 Fifth Avenue, Suite 7010, New York, NY 10118

For EU/UK data subjects, our Data Protection Officer (DPO) can be reached at dpo@hypocrates.com. You also have the right to lodge a complaint with your local supervisory authority.