Privacy Policy

Brevity AI, Inc.

Privacy Policy

Last Updated: October 26, 2025

This Privacy Policy describes how Brevity AI, Inc. ("Brevity AI," "we," "us," or "our") collects, uses, discloses, and protects information in connection with our website (https://getbrevity.ai), web application, and related services (collectively, the "Platform"). This Policy applies to:

  • Visitors who view public pages on our website ("Visitors").
  • Customers (healthcare practices and organizations) who license and configure the Platform ("Customers").
  • Authorized users (e.g., clinicians and staff) whom Customers permit to access the Platform ("Authorized Users").

By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Platform.

1. Roles Under Privacy Laws and HIPAA

  • For information about healthcare patients uploaded to or generated within the Platform (including case data, documents, audio, transcripts, and clinical notes), the Customer is the data controller under GDPR (or covered entity under HIPAA), and Brevity AI, Inc. acts as data processor/business associate. We process this information only on the Customer’s documented instructions and pursuant to our agreement and Business Associate Agreement (BAA).
  • For Customer and Authorized User account, billing, and usage information (e.g., organization details, admin contact info), Brevity AI, Inc. is the data controller (or service provider under U.S. state privacy laws) and processes such data consistent with this Policy.

2. Information We Collect and Receive

We collect and process information as described below.

2.1 Account and Contact Information

Collected from Customers and Authorized Users during onboarding and account management:

  • Name, email address, password (stored using industry-standard hashing), phone number.
  • Professional details such as practitioner type and specialty.
  • Organization information (name, address, phone number, EHR system field).
  • Email verification status, timestamps (e.g., date joined, last active), profile completion state.
  • Terms acceptance records including version, accepting user, IP address, and user agent.

2.2 Patient/Case Information (PHI)

Collected and processed at the direction of Customers:

  • Patient demographics and identifiers: first and last name, gender, date of birth, optional patient email and phone number, address.
  • Case artifacts: uploaded documents (e.g., PDFs), audio recordings, associated content hashes, file metadata and storage locations.
  • Transcripts and derived/structured data extracted from patient documents and audio (e.g., medications, diagnoses, vitals, lab results, risk factors), comprehensive case summaries, key insights, and recommendations.
  • In-product chat content (case-specific conversations) and associated model metadata. Note: the system may store AI-provided “thoughts” (model reasoning metadata) alongside chat messages to improve explainability for clinical review—this data is treated as sensitive medical information.

2.3 Payment and Billing Information

If you purchase a subscription, we use a third-party payment processor to process payments. The processor may collect payment card details (e.g., card number, expiration date, CVC), billing address, and related information directly. We do not store full card numbers or CVC/CVV codes. We may retain limited billing metadata for the billing dashboard and receipts (e.g., customer ID with our payment processor, subscription ID, last 4 digits and brand of card, payment status, invoice/receipt URLs, and amounts paid). See Subprocessors below for our current payment processor.

2.4 Platform Usage, Device, and Log Information

When you use the Platform, we automatically collect:

  • Technical data: IP address, browser type, operating system, and security-related headers.
  • Application logs and audit logs (e.g., access, error, and HIPAA audit events, including which user accessed a recording and when). Logs are rotated and retained per operational needs.
  • Authentication state via HttpOnly cookies for JWT access/refresh tokens (e.g., access, refresh) to maintain secure sessions.

We do not use third-party behavioral advertising cookies or cross-site tracking pixels. Our payment processor’s scripts may set their own cookies to enable secure payment processing.

2.5 Support and Communications

If you contact us, we collect the information you provide (e.g., name, email, message content) and our correspondence, including support status and timestamps. We use a third-party email service provider to deliver transactional emails (e.g., activation, password reset, welcome, and payment receipts). We do not send PHI via email. See Subprocessors below for our current email provider.

3. How We Use Information

We use information to:

  • Provide, operate, and secure the Platform, including: patient case management; document processing; audio transcription; clinical note generation; and case-centric chat using Customer-provided content.
  • Authenticate users and maintain sessions using secure HttpOnly cookies.
  • Send transactional communications (activation links, receipts, password resets, service notifications).
  • Monitor performance, reliability, and security; prevent, detect, and investigate fraud, abuse, and service misuse.
  • Comply with legal obligations and our agreements (including executing Customer instructions as a processor/BA).
  • Improve the Platform’s functionality and user experience. We may use de-identified or aggregated data for analytics and product improvement. We do not use patient data (PHI) to train generalized large language models. We do not use Your Data or PHI to train third-party foundation models and will not use Your Data or PHI to train Brevity AI models without Customer’s prior written consent or opt-in, consistent with the BAA.

4. How We Disclose Information

We do not sell personal information and do not share personal information for cross-context behavioral advertising. We disclose information only as described below:

  • Service Providers (Processors/Subprocessors): We engage service providers to deliver the Platform (e.g., cloud infrastructure and storage, AI processing, payments, email delivery, and caching/coordination). We require them to protect the information we share and to use it only to provide services to us. See Subprocessors below for our current providers.
  • Customer-Directed Disclosures: At a Customer’s direction (e.g., exports, integrations the Customer configures).
  • Legal, Safety, and Compliance: To comply with law, enforce our agreements, protect rights, security, and safety.
  • Corporate Transactions: In connection with a merger, acquisition, financing, reorganization, sale of assets, or similar corporate event, subject to applicable confidentiality and legal requirements.

We take reasonable measures (including contracts) to require service providers to protect the information we share with them and use it only for the services they provide to us.

5. HIPAA, Business Associate Terms, and Data Governance

  • HIPAA Program: Brevity AI operates a HIPAA compliance program (including audit logging and access controls) and enters into BAAs with Customers where required. We also enter into BAAs with applicable cloud service providers offering HIPAA-eligible services used in our Platform.
  • Processor/BA Role: For PHI processed in the Platform, we act as a Business Associate processing PHI solely to provide the services and in accordance with the BAA and Customer instructions.
  • AI/Model Training: We do not use PHI to train generalized large language models. We configure our AI providers to process data only to deliver requested outputs, consistent with provider terms applicable to HIPAA-eligible services.
  • Minimum Necessary: The Platform is designed to limit routine access to PHI to the minimum necessary to fulfill the requested operation.

6. Cookies and Similar Technologies

We use:

  • Strictly necessary cookies (e.g., HttpOnly JWT cookies) for secure authentication and session management.
  • Payment-related cookies and scripts from our payment processor to securely tokenize and process card payments.

We do not deploy third-party analytics or advertising pixels on the Platform. You can manage browser cookies in your browser settings; however, disabling essential cookies may break core functionality.

7. Data Security

We implement administrative, technical, and physical safeguards including:

  • Encryption in transit (TLS) and at rest (cloud provider-managed encryption).
  • HSTS, secure cookies, and strong session settings (Secure, HttpOnly, SameSite=Lax).
  • Access controls with least-privilege, role-based authorization, and audit logging of sensitive operations (e.g., access to recordings).
  • Rotating logs and separation of operational and HIPAA audit logging, with alerts and periodic reviews.
  • Vendor risk management and contractual controls with subprocessors.

No system can be guaranteed 100% secure. We promptly investigate and remediate incidents in accordance with our legal and contractual obligations.

8. Data Retention and Deletion

  • Account and Organization Data: Retained for the duration of the Customer’s subscription and as needed for legal, regulatory, and accounting purposes.
  • Patient/Case Data (PHI): Retained until the Customer deletes it or instructs us otherwise, and for as long as necessary to provide the Platform. Customers control deletion timelines for their PHI in the Platform.
  • Transient Caches and Tokens: Certain caches (e.g., session/idempotency/rate-limit data) are stored with defined TTLs. Signed URLs for uploads and downloads expire per configuration.
  • Logs: Application and security logs are retained for operational needs and compliance, then rotated or deleted.
  • Backups: Backups may persist for up to thirty (30) days after deletion, after which they are securely purged per our retention schedules.
  • Failed Processing Artifacts: Certain failed AI analyses may be automatically cleaned up after a short period (e.g., 24 hours) to prevent accumulation of stale records.
  • Termination: Upon Customer’s termination request, we will begin deletion of Customer data from active systems within a commercially reasonable period and from backups according to our standard backup retention schedules. We may retain limited information as required by law or for legitimate business purposes (e.g., invoices).

9. International Data Transfers

The Platform and its cloud infrastructure are hosted in the United States. If you access the Platform from outside the U.S., your information may be transferred to, stored, and processed in the U.S. and other locations of our service providers. Customers are responsible for ensuring that their use of the Platform complies with applicable cross-border data transfer requirements.

10. Children’s Privacy

The Platform is intended for use by healthcare professionals and their authorized staff. We do not permit individuals under the age of 18 to create Customer or Authorized User accounts. Customers may upload or process information about minor patients as permitted by law; Customers are responsible for obtaining all required consents and authorizations.

11. Your Rights and Choices

Depending on your location and role, you may have rights over your personal information.

  • Customer/Authorized User Data We Control: You may request access, correction, or deletion of your account or profile information by contacting us at the email below. We will honor such requests consistent with applicable law.
  • Patient/Case Data We Process for Customers: For PHI and other patient data, we act as a processor/BA. Please direct requests (e.g., access, correction, deletion) to the applicable Customer (your healthcare provider). We will support the Customer in fulfilling such requests consistent with our agreements and the law.
  • Marketing Communications: We primarily send transactional messages. If we ever send non-transactional messages, you can unsubscribe via the message or by contacting us.
  • Cookies: You can manage cookies via your browser. Essential cookies are required for secure operation of the Platform.

12. U.S. State Privacy Disclosures (e.g., California, Virginia, Colorado, Connecticut, Utah)

  • Categories Collected: As described above (account identifiers, professional and organization info, payment and billing metadata, usage logs, and—on behalf of Customers—patient/case data).
  • Sensitive Personal Information: We may process sensitive information such as patient health information and dates of birth strictly to provide the Platform to Customers. We do not use sensitive personal information for purposes beyond those permitted by law (e.g., we do not use it for marketing or advertising).
  • Sale/Sharing: We do not sell personal information and do not share personal information for cross-context behavioral advertising.
  • Rights: Where applicable, you may have rights to access, delete, correct, and opt out of sale/sharing or targeted advertising. Requests related to PHI/patient data should be directed to the Customer. For Customer/Authorized User data we control, contact us at the email below.
  • Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

13. Nevada Privacy Rights

We do not sell covered information as defined under Nevada law. Nevada residents may submit inquiries or opt-out requests to the email below.

14. Do Not Track

Browsers may send a Do Not Track (DNT) signal. The Platform does not respond to DNT signals. We do not deploy third-party behavioral advertising trackers on the Platform.

15. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last Updated" date indicates when changes were most recently made. We will post the updated Policy on our website. Your continued use of the Platform after an update constitutes acceptance of the changes.

16. Subprocessors

As of the date above, our core subprocessors include:

  • Google Cloud Platform (including Google Cloud Storage): infrastructure and storage.
  • Google Vertex AI / Google GenAI SDK: AI processing of documents and audio at Customer’s direction.
  • Stripe: payment processing and subscription management.
  • SendGrid: transactional email delivery.
  • Managed Redis (cloud provider): caching and task coordination.

We may engage additional subprocessors as our services evolve, subject to applicable contractual and legal requirements, including HIPAA where applicable.

17. Contact Us

If you have questions about this Privacy Policy or our privacy practices, or if you wish to exercise your rights:

  • Email: support@getbrevity.ai

If you are a patient and believe your information is being processed in the Platform, please contact your healthcare provider (the Customer) for requests concerning your records. We will assist the Customer as required by law and our agreements.

Entity Notice: “Brevity AI, Inc.” is a Delaware corporation. References in this Privacy Policy to “Brevity AI” or “Brevity” mean Brevity AI, Inc.