Privacy Policy

---

1. Introduction

Welcome to Dictately.ai ("Dictately.ai", "we", "us", "our"). We provide a secure medical dictation and transcription service (the "Service"). This Privacy Policy explains how we collect, use, disclose, protect, and otherwise process your personal data when you use our website, mobile application, and related services.

We are committed to protecting your privacy and handling your data in an open and transparent manner. As a company based in the United Kingdom, we comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We also strive to meet high privacy standards for our users globally.

This policy applies to all users of the Service, whether registered or using anonymous testing features. Please read this policy carefully.

2. What Information We Collect

We collect different types of information depending on how you interact with our Service:

• Account Information: When you register for an account, we collect information such as your name, email address, password (stored securely hashed), and potentially billing information if you subscribe to paid services (processed securely by a third-party payment processor).
• Audio Recordings: When you use the dictation feature, we process audio files you record through the Service. These recordings may contain sensitive personal data, specifically health information ("Special Category Data") relating to you or third parties (patients). These recordings are not retained after transcription is complete.
• Transcriptions: We process your audio recordings to generate text transcriptions. These transcriptions will contain the same information as the audio recordings, potentially including Special Category Data. These transcriptions are not retained.
• Usage Data: We automatically collect technical information about how you access and use the Service, such as your IP address, device type, operating system, browser type, access times, pages viewed, interactions with features, and error logs. This helps us maintain security and improve the Service.
• Cookies and Similar Technologies: We use cookies and similar technologies to operate and personalize the website, remember your preferences, and analyze usage. Please see our Cookie Policy for more details.
• Communications: If you contact us for support or other inquiries, we collect the information you provide in your communications (e.g., email address, content of the message).

3. How We Use Your Information

We use your information for the following purposes:

• To Provide and Maintain the Service: To allow you to record audio, generate transcriptions, manage your account, store your data, and use other Service features (like encryption, if applicable).
• To Process Payments: To process transactions for paid subscription services (handled by our third-party payment processor).
• To Improve the Service: To analyze usage patterns, diagnose technical issues, conduct research (using anonymized or aggregated data where possible), and develop new features.
• To Ensure Security: To monitor for fraudulent or malicious activity, protect the integrity of our systems, and enforce our terms.
• To Communicate With You: To respond to your inquiries, send service-related announcements (e.g., maintenance, policy updates), and provide customer support.
• To Comply with Legal Obligations: To comply with applicable laws, regulations, court orders, or other legal processes.

4. Lawful Basis for Processing (UK GDPR)

We only process your personal data when we have a valid lawful basis to do so:

• Contractual Necessity: We process Account Information, Audio Recordings, and Transcriptions to fulfill our contract with you to provide the Service you requested.
• Explicit Consent: We rely on your explicit consent to process Special Category Data (health information) contained within your Audio Recordings and Transcriptions. You provide this consent when you choose to use the dictation service for medical content and agree to our Terms of Service and this Privacy Policy. You can withdraw this consent at any time (see Section 9), but this may prevent you from using the core dictation/transcription features for sensitive data.
• Legitimate Interests: We process Usage Data and Communications based on our legitimate interests in maintaining and improving the Service, ensuring security, and communicating effectively, provided these interests are not overridden by your fundamental rights and freedoms.
• Legal Obligation: We may process any required data to comply with our legal obligations.

5. Data Sharing and Disclosure

We do not sell your personal data. We may share your information only in the following limited circumstances:

• Service Providers: We engage trusted third-party companies to perform functions on our behalf, such as cloud hosting (e.g., AWS, Google Cloud, Azure), transcription processing (if using a third-party engine), payment processing, analytics, and customer support. These providers only have access to the information necessary to perform their tasks and are obligated under contract (Data Processing Agreements) to protect your data and use it solely for the purposes we specify.
• Legal Requirements: We may disclose your information if required by law, subpoena, or other legal process, or if we have a good faith belief that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
• Business Transfers: If Dictately.ai is involved in a merger, acquisition, financing, or sale of all or a portion of its assets, your information may be transferred as part of that transaction, subject to standard confidentiality agreements and notice provided to you where feasible.
• With Your Consent: We may share your information with third parties when we have your explicit consent to do so (beyond the consent needed for core service provision).

6. Data Security

We take the security of your data, particularly sensitive medical information, very seriously. We implement appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

• Encryption: Data is encrypted in transit (using TLS/SSL) and at rest (using industry-standard encryption for databases and storage).
• Access Controls: Strict access controls limit personnel access to personal data based on job function and necessity.
• Secure Development Practices: We incorporate security considerations into our software development lifecycle.
• Regular Reviews: We periodically review our security practices and technologies.
• Anonymization/Pseudonymization: We aim to use anonymized or pseudonymized data for analytics and improvement where possible.

However, please note that no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including providing the Service, managing your account, complying with our legal obligations, resolving disputes, and enforcing our agreements.

• Account Data: Retained for as long as your account is active and for a reasonable period thereafter for administrative or legal purposes.
• Audio Recordings & Transcriptions: Not retained.
• Usage Data: May be retained in aggregated or anonymized form for longer periods for analytical purposes.

8. International Data Transfers

Your information may be transferred to, and processed in, countries other than the UK or the country where you reside. These countries may have data protection laws that are different from your jurisdiction.

When we transfer your personal data outside the UK and European Economic Area (EEA), we ensure appropriate safeguards are in place to protect your data, such as:

• Transferring to countries deemed adequate by the UK government or European Commission.
• Using Standard Contractual Clauses (SCCs) approved by the UK government (e.g., the UK Addendum or IDTA) or the European Commission, supplemented by transfer impact assessments where necessary.
• Relying on other valid transfer mechanisms under UK GDPR.

Our primary hosting providers Amazon Web Services and OpenAI are located within the UK/EEA and in the US and comply with required safeguards..

9. Your Data Protection Rights

Under UK GDPR and applicable data protection laws, you have certain rights regarding your personal data:

• Right to Access: You can request copies of your personal data that we hold.
• Right to Rectification: You can request correction of inaccurate or incomplete personal data.
• Right to Erasure ('Right to be Forgotten'): You can request deletion of your personal data under certain conditions (e.g., it's no longer necessary, you withdraw consent).
• Right to Restrict Processing: You can request that we limit the processing of your personal data under certain circumstances.
• Right to Data Portability: You can request to receive your personal data in a structured, commonly used, machine-readable format and have it transferred to another controller where technically feasible.
• Right to Object: You can object to the processing of your personal data based on legitimate interests.
• Right to Withdraw Consent: Where we rely on your consent (especially for Special Category Data), you can withdraw it at any time. This will not affect the lawfulness of processing based on consent before its withdrawal. Withdrawing consent for processing health data will likely prevent you from using the core dictation/transcription service for that purpose.
• Right to Lodge a Complaint: You have the right to lodge a complaint with the UK's Information Commissioner's Office (ICO) or your local supervisory authority if you believe our processing of your personal data infringes data protection laws.

To exercise any of these rights, please contact us using the details in Section 13. We will respond to your request in accordance with applicable laws.

10. Children's Privacy

Our Service is not intended for individuals under the age of 18 (or a higher age if required by local law for processing health data). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete it promptly.

11. Cookies and Tracking Technologies

We use cookies and similar technologies. For detailed information on the cookies we use, why we use them, and how you can manage them, please refer to our Cookie Policy.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by email (if we have your address), through the Service interface, or by posting the updated policy on our website with a new effective date. We encourage you to review this policy periodically.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: contact@dictately.ai

Blackheath Medical Services Ltd