Besti Health — Legal

Privacy Policy

Effective Date: September 19, 2025

On this page

  1. Overview and Commitment
  2. Information We Collect
  3. How We Use Your Information
  4. Data Processing and AI Training
  5. Data Retention and Deletion
  6. Data Security and Protection
  7. Third-Party Vendors and Business Associates
  8. International Users and Data Localization
  9. Patient Consent and Healthcare Professional Responsibilities
  10. Your Rights and Choices
  11. Cookies and Tracking Technologies
  12. Data Breach Notification
  13. Children's Privacy
  14. Regional Privacy Rights
  15. Changes to This Privacy Policy
  16. Contact Us

1. Overview and Commitment

This Privacy Policy explains how Besti Co. ("we," "our," or "us") collects, uses, and protects information through Besti Health. We are committed to maintaining the highest standards of privacy and security for Protected Health Information (PHI) and personal data in compliance with HIPAA, HITECH, and all applicable privacy laws.

2. Information We Collect

Contact and Account Information:

  • Name, email address, phone number
  • Professional credentials and license information
  • Billing and payment information (processed securely by Stripe)

Clinical and Usage Data:

  • SOAP notes and clinical documentation created through our Service
  • Audio recordings (temporarily processed, never permanently stored)
  • PDF documents and forms uploaded by users
  • Usage analytics and performance metrics

Technical Information:

  • Device information (browser type, operating system, IP address)
  • Log files and error reports
  • Cookies and similar tracking technologies

3. How We Use Your Information

Primary Purposes:

  • Provide and improve the Service functionality
  • Generate clinical documentation and notes
  • Process billing and manage your account
  • Ensure security, compliance, and system performance

Secondary Purposes:

  • Conduct research and development to improve AI accuracy
  • Provide customer support and technical assistance
  • Comply with legal and regulatory requirements

Important: We never sell, rent, or share your data with third parties for marketing purposes.

4. Data Processing and AI Training

AI Model Training:

  • We may use de-identified, aggregated data to improve our AI models
  • No identifiable patient information is used in AI training
  • All training data undergoes rigorous de-identification processes
  • You may opt out of having your data used for model improvement

Data Processing:

  • Audio recordings are processed in real-time and immediately deleted after transcription
  • Only text transcripts and generated notes are retained
  • All processing occurs within HIPAA-compliant environments

5. Data Retention and Deletion

Retention Periods:

  • Clinical notes and documentation: Up to 30 days (or as specified by you)
  • Account information: Retained while your account is active
  • Backup data: Up to 90 days after deletion request

Your Control:

  • You may delete specific notes or all data at any time
  • Account deletion can be requested via info@bestihealth.com
  • We honor all reasonable data deletion requests promptly

6. Data Security and Protection

Technical Safeguards:

  • End-to-end encryption for all data transmission (TLS 1.3)
  • AES-256 encryption for data at rest
  • Multi-factor authentication for administrative access
  • Regular security audits and penetration testing

Access Controls:

  • Role-based access to PHI strictly limited to authorized personnel
  • Comprehensive audit logging of all data access
  • Regular access reviews and credential management

Infrastructure Security:

  • AWS hosting with HIPAA-compliant infrastructure
  • SOC 2 Type II certified operations
  • 24/7 security monitoring and incident response

7. Third-Party Vendors and Business Associates

HIPAA-Compliant Partners:

  • AWS (hosting and infrastructure) - signed BAA in place
  • Stripe (payment processing) - HIPAA-compliant payment handling
  • All vendors handling PHI must sign Business Associate Agreements

Vendor Oversight:

  • Regular compliance audits of all business associates
  • Contractual requirements for equivalent data protection
  • Immediate notification requirements for any security incidents

8. International Users and Data Localization

Data Storage:

  • Primary data storage occurs in AWS data centers within the United States
  • For international users, data may be processed in your local jurisdiction where technically feasible
  • Cross-border data transfers comply with applicable international privacy frameworks

International Compliance:

  • GDPR compliance for European users
  • PIPEDA compliance for Canadian users
  • Privacy Act compliance for Australian users

9. Patient Consent and Healthcare Professional Responsibilities

Your Responsibilities:

  • Obtain appropriate patient consent before using AI documentation tools
  • Ensure compliance with local and professional regulations
  • Maintain confidentiality and security of patient information

Consent Considerations:

  • Some jurisdictions may require explicit patient consent for AI processing
  • We provide resources and guidance on consent best practices
  • Ultimate responsibility for consent compliance rests with healthcare professionals

10. Your Rights and Choices

Access and Control:

  • Request access to your personal information
  • Correct, update, or delete your information
  • Opt out of non-essential data processing
  • Request data portability in standard formats

Marketing Communications:

  • Opt out of marketing emails at any time
  • Control cookie and tracking preferences
  • Manage notification settings in your account

11. Cookies and Tracking Technologies

Cookie Usage:

  • Essential cookies for Service functionality
  • Analytics cookies to improve user experience (with consent)
  • No third-party advertising cookies

Your Control:

  • Browser settings allow cookie management
  • Granular consent controls in your account settings
  • Opt-out mechanisms for non-essential tracking

12. Data Breach Notification

Incident Response:

  • Immediate investigation of any suspected data incidents
  • Notification to affected users within 72 hours of discovery
  • Coordination with regulatory authorities as required by law
  • Comprehensive incident documentation and remediation

13. Children's Privacy

Age Restrictions:

  • The Service is not intended for individuals under 18
  • We do not knowingly collect information from minors
  • Healthcare professionals using our Service for pediatric patients remain responsible for all applicable consent requirements

14. Regional Privacy Rights

California Residents (CCPA):

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt out of sale of personal information (note: we do not sell personal information)

European Residents (GDPR):

  • Right to access, rectify, erase, and port your data
  • Right to restrict or object to processing
  • Right to lodge complaints with supervisory authorities

15. Changes to This Privacy Policy

Update Process:

  • Material changes require advance notice via email
  • Non-material changes posted with updated effective date
  • Continued use after changes constitutes acceptance
  • We maintain previous versions for reference

16. Contact Us

For privacy inquiries, data requests, or to report privacy concerns:

Email: info@bestihealth.com
Address: Besti Co., Louisville, Kentucky
Response Time: We respond to privacy requests within 30 days

For urgent security concerns, contact us immediately at info@bestihealth.com with "URGENT SECURITY" in the subject line.


This document was last updated on September 19, 2025 and reflects current industry best practices for healthcare AI documentation services.

© Besti Co. All rights reserved.
