Privacy Policy
Last updated: April 16, 2026
1. Introduction
Octo (“we”, “our”, “us”) is committed to protecting the privacy of our users (“you”, “your”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI medical scribe application and related services. We comply with HIPAA and applicable data protection regulations.
2. Information We Collect
We collect the following categories of information:
- Account Information: Name, email address, phone number, NPI Number, medical license details, clinic/hospital details.
- Protected Health Information (PHI): Patient demographics, vitals, medical history, consultation recordings, and clinical notes — collected only with explicit patient consent.
- Usage Data: Device information, IP address, browser type, pages visited, and feature usage analytics.
- Payment Information: Billing details processed through our secure payment partner (Stripe). We do not store card numbers.
3. How We Use Your Information
- To provide and maintain our AI medical scribe services
- To generate clinical notes, prescriptions, and orders from consultation recordings
- To improve our AI models and transcription accuracy (using de-identified data only)
- To communicate service updates, security alerts, and support
- To comply with legal obligations and regulatory requirements
4. Data Storage & Security
All data is stored on SOC 2 Type II certified servers located within the United States, ensuring compliance with HIPAA data security requirements. We use AES-256 encryption for data at rest and TLS 1.3 for data in transit. Access to PHI is restricted to authorized personnel only and is protected by multi-factor authentication and role-based access controls.
5. Patient Consent
Octo requires explicit patient consent before any consultation recording begins. The consent flow is built into our application and maintains a complete audit trail. Patients have the right to withdraw consent at any time.
6. Data Retention & Deletion
You can configure data retention policies (7 days, 90 days, or 365 days) based on your practice needs. All data is automatically deleted after the retention period expires. You or your patients may request deletion of personal data at any time, subject to applicable legal retention requirements.
7. Third-Party Sharing
We do not sell, trade, or rent your personal data. We share data only with: (a) AI processing services for transcription and note generation (under data processing agreements), (b) HIPAA-compliant cloud infrastructure providers for data storage, (c) payment processors for billing, and (d) when required by law or regulatory authorities.
8. Your Rights
- Right to Access: Request a copy of your personal data and PHI
- Right to Amendment: Request correction of inaccurate data
- Right to Accounting: Request an accounting of disclosures of your PHI
- Right to Restriction: Request restriction on certain uses or disclosures
- Right to Breach Notification: Be notified in the event of a data breach affecting your PHI
9. Contact Us
For privacy-related questions or to exercise your rights, contact our Privacy Officer at octo@busyocto.ai.
Octo Health, Inc.
San Francisco, CA, United States