Privacy Policy

We collect the following categories of information:

• Account information: name, email, professional title, NPI/registration number, organization, and credentials you provide during registration.
• Authentication and security data: passwords (hashed), multi-factor authentication factors, session tokens, IP address, browser and device metadata, and audit log events.
• User-generated clinical content: free-text notes, voice recordings, transcripts, uploaded documents, generated note drafts, assessment & plan content, and chat messages exchanged with the AI.
• Patient information (PHI): identifiers, demographics, clinical history, medications, allergies, lab and imaging data, and any other Protected Health Information you choose to enter when an active BAA is in place.
• Usage data: pages visited, features used, AI calls made, timestamps, performance metrics, error reports, and aggregated telemetry needed to operate and improve the Service.
• Billing data: subscription tier, billing contact, and payment metadata. We do not store full payment card numbers; payment processing is handled by our PCI-compliant payment provider.

• Provide the Service: authenticate users, render the application, generate Attest AI outputs, persist your clinical content, and operate the production environment.
• Improve the Service: monitor performance, debug failures, measure feature usage in de-identified aggregate, and evaluate model quality on data not containing PHI.
• Security and integrity: detect abuse, prevent unauthorized access, maintain audit logs required by HIPAA, and respond to security incidents.
• Communications: deliver transactional emails (account confirmations, billing receipts, security alerts) and, with your consent, occasional product updates.
• Legal compliance: respond to lawful subpoenas, court orders, and regulatory requests; enforce our Terms of Service; protect rights, property, and safety.

We do not use PHI to train, fine-tune, or otherwise improve general-purpose AI models. PHI is processed only for the specific clinical task you initiated.

Attest AI uses only the minimum clinical content necessary to perform the requested task. Production PHI workflows are governed by signed Business Associate Agreements, zero-training commitments, and the security controls described in this Policy.

• Attest AI does not use inputs or outputs for training.
• Attest stores clinical inputs and outputs only in the production environment governed by this Policy and the BAA.
• We periodically review the security posture, access controls, and BAA evidence for the production AI path.

We share information only as needed to operate the Service or as required by law:

• Operational vendors: hosting, database, email, billing, security, and support systems approved for the relevant environment.
• Within your organization: PHI is accessible to authorized members of your organization, governed by your organization's access controls and role assignments.
• Legal requests: when compelled by court order, subpoena, or other legal process, we notify the affected customer unless prohibited by law.
• Business transfers: in the event of merger, acquisition, or asset sale, with the same protections in place at the successor entity.
• With your explicit consent for any other disclosure not described here.

We do not sell personal information or PHI. We do not share PHI with advertisers.

attest maintains administrative, technical, and physical safeguards designed to protect information against unauthorized access, disclosure, alteration, or destruction:

• Encryption in transit (TLS 1.2+) and at rest (AES-256).
• Role-based access controls and row-level security on the database, scoped to the authenticated user and organization.
• Multi-factor authentication available for all accounts and required for administrators.
• Comprehensive audit logging of PHI access events (phi_access_log), retained per HIPAA requirements.
• Annual penetration testing and continuous vulnerability scanning.
• Background checks and HIPAA training for all personnel with access to PHI.
• Incident response procedures, including notification within HIPAA-mandated timeframes (60 days for breaches).

We retain account information and user-generated content for the duration of your subscription plus any post-termination window described in your BAA or order form. Audit logs are retained for six (6) years to satisfy HIPAA. You may request deletion of your account at any time; we will delete or de-identify your data within thirty (30) days of confirmed request, except where retention is required by law or to resolve disputes.

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold about you.
• Correct inaccurate or incomplete information.
• Request deletion (subject to legal retention requirements).
• Object to or restrict certain processing.
• Receive a portable copy of your data.
• Lodge a complaint with a supervisory authority (residents of the EEA/UK).

Patients whose PHI is processed by a covered entity using attest should direct requests under the HIPAA Privacy Rule (right of access, amendment, accounting of disclosures) to that covered entity. We will assist the covered entity in responding as required by our BAA.

The Service is not directed to individuals under the age of 18. Pediatric PHI may be entered by authorized clinicians treating pediatric patients; that data is handled with the same protections as adult PHI.

attest stores data on infrastructure located in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. We implement appropriate safeguards (e.g., Standard Contractual Clauses) for cross-border transfers where required.

We will notify enterprise customers in writing of any material changes at least thirty (30) days before they take effect. Continued use after the effective date constitutes acceptance.

• Privacy, BAA, security, and general inquiries: contact@attest.health