Charti
Effective date: April 1, 2026

Privacy Policy

Charti AI Health Inc. (“Charti,” “we,” “us”) builds an ambient clinical scribe used by physicians to document patient encounters. This policy explains what we collect, how we use it, where it lives, and the rights you and your patients have over it. Clinical content is never used to train AI models.

1. Information we collect

We process three categories of information:

  • Account information — clinician name, email, clinic, specialty, license number, and billing details. Provided by you when creating an account.
  • Clinical content (PHI / PHIPA-regulated data) — session audio, transcripts, and generated notes from the patient encounters you record with Charti. Processed on your behalf as a Business Associate (HIPAA) / Information Manager (PHIPA).
  • Usage data — product telemetry (pages visited, features used, latency, error traces). We strip PHI from telemetry at collection.

2. How we use it

We use clinical content only to generate the note, fill forms, and provide Ask Charti answers inside your own records. We do not use your clinical content to train or fine-tune our models, and we do not sell it. Account and usage data are used to operate, secure, and improve the product and to bill you.

3. Data residency

All clinical data lives in Toronto, Canada on Canadian-hosted infrastructure. We do not transfer clinical data out of Canada without explicit contractual authorization.

4. Audio handling

Session audio is streamed to our ASR pipeline, transcribed in memory, and destroyed as soon as the structured note is produced — typically within seconds of you ending the encounter. We do not retain audio recordings.

5. Encryption

  • TLS 1.3 in transit for all traffic.
  • AES-256 at rest for stored notes and metadata.
  • Per-tenant encryption keys, rotated at least annually and never leaving our HSM.

6. No training on your data

Clinical content — audio, transcripts, notes, chart data — is never used to train, fine-tune, or evaluate foundation models. Period. Our model improvements come from synthetic data, published datasets, and data contributed by customers under explicit, separately signed research agreements.

7. Subprocessors

We use a short list of infrastructure and payment vendors. Each is under an equivalent privacy contract and our current subprocessor list is available on request. We notify customers 30 days before adding a new clinical-data subprocessor.

8. Your rights

Under HIPAA, PHIPA, PIPEDA, Quebec Law 25, and GDPR (where applicable), you and your patients have rights to access, correct, export, and delete personal information. Send requests to admin@charti.ai. We respond within 30 days.

9. Retention

Clinical content is retained as long as you maintain an active subscription, and deleted within 30 days of account closure unless law requires a longer hold. Audio, as noted, is never retained.

10. Security incidents

We follow a 72-hour incident notification policy for confirmed breaches affecting customer data, consistent with HIPAA, PHIPA, and GDPR. We will notify you at the primary email address on file.

11. Contact

Privacy questions and data-subject requests: admin@charti.ai. Our designated Privacy Officer for PHIPA / Law 25 is reachable at the same address.