Privacy Policy

Updated on June 8, 2026

Your privacy is not a compliance exercise. At Diagnose, we handle some of the most sensitive data that exists, clinical conversations between physicians and patients. We take that seriously. This policy explains exactly what we collect, how we use it, and what we never do with it. No legal jargon, no burying the important parts in footnotes.

What data we collect

We collect only what we need to provide the service.

Account data: When you create an account, we collect your name, email address, role, and practice or organisation details.

Usage data: We collect information about how you use Diagnose, including features accessed, session duration, and interaction patterns. This helps us improve the product.

Clinical encounter data: When Diagnose is active during a patient encounter, it processes the audio of that conversation to generate a clinical note. This is the most sensitive data we handle. Audio is processed in real time and permanently deleted the moment the note is generated. It is not stored, archived, reviewed by humans, or retained in any form after deletion. The clinical note is delivered to your EHR and retained in Diagnose for the period described in section 3. Notes are never used for any purpose other than delivering them to you. We do not listen to, review, or access encounter audio for any purpose other than automated note generation.

Device and technical data: We collect standard technical information including IP address, browser type, operating system, and device identifiers to ensure the service functions correctly and securely.

HIPAA compliance

Diagnose is a HIPAA compliant platform. We act as a Business Associate under HIPAA and sign a Business Associate Agreement with every healthcare organisation and physician practice before any protected health information is processed.

Our HIPAA compliance covers the following: all PHI is encrypted in transit and at rest, access to PHI is restricted on a strict need to know basis, audit logs are maintained for all access to clinical data, breach notification procedures are in place in accordance with HIPAA requirements, and our workforce receives regular HIPAA training.

If you require a Business Associate Agreement, contact us before activating your account. We will not process any clinical data without one in place.

How we store and protect your data

All data transmitted between your device, our servers, and your EHR is encrypted using TLS 1.2 or higher. All data stored at rest is encrypted using AES 256 encryption. Our infrastructure is hosted on SOC 2 Type II certified cloud providers. Access to production systems is restricted to authorised personnel only, protected by multi factor authentication, and subject to regular security audits. We conduct annual penetration testing and maintain an internal security programme that is reviewed and updated regularly.

We retain your account data for as long as your account is active. If you close your account, your account data is deleted within 30 days. Clinical notes are retained for 7 years from the date of generation to support medical record keeping requirements. If your organisation requires a different retention period, contact us to discuss a custom arrangement. Audio is deleted immediately and automatically upon note generation. There is no exception to this rule. You can request deletion of your data at any time by contacting us at the address below. We will respond within 30 days.

We do not sell your data. We do not share your data with third parties for advertising or marketing purposes. We share data only in the following circumstances: with your EHR provider to deliver generated notes, with subprocessors who help us operate the service such as cloud infrastructure and security monitoring providers, and when required by law, court order, or regulatory authority. All subprocessors are bound by data processing agreements that require them to protect your data to the same standard we do. A current list of our subprocessors is available on request.

Your rights

Regardless of where you are located, you have the right to access the data we hold about you, correct inaccurate data, request deletion of your data, and object to how we process your data.

To exercise any of these rights, contact us. We will respond within 30 days. We will never penalise you for exercising your privacy rights.

GDPR (EU and UK)

If you are located in the European Union or the United Kingdom, the General Data Protection Regulation applies to how we handle your data.

Our lawful basis for processing your data is the performance of a contract when we use your data to provide the Diagnose service, and legitimate interests when we use usage data to improve the product.

You have the following additional rights under GDPR: the right to data portability, the right to restrict processing, and the right to lodge a complaint with your local supervisory authority.

For EU users, our data processing activities are governed by standard contractual clauses approved by the European Commission. For UK users, we comply with the UK GDPR as retained in domestic law following Brexit.

If you have questions about your GDPR rights, contact us.

CCPA (California)

If you are a California resident, the California Consumer Privacy Act gives you additional rights over your personal information.

You have the right to know what personal information we collect and how we use it, the right to delete your personal information, the right to opt out of the sale of your personal information, and the right not to be discriminated against for exercising these rights.

We do not sell personal information. To exercise your CCPA rights, contact us.

Cookies

Diagnose uses cookies and similar technologies to keep you logged in, remember your preferences, and understand how the product is being used.

We use strictly necessary cookies that are required for the service to function, and analytics cookies that help us understand usage patterns and improve the product. We do not use advertising or tracking cookies.

You can manage your cookie preferences through your browser settings at any time.

Changes to this policy

We will update this policy when our practices change or when we are required to do so by law. When we make material changes, we will notify you by email and update the effective date at the top of this page.

We will never make changes that reduce your privacy protections without giving you advance notice and, where required, obtaining your consent.

Contact information

If you have questions about this policy, want to exercise your rights, or need to discuss a Business Associate Agreement, contact us at:

Email: legal@diagnose.com
Address: 350 California St, STE 1200 San Francisco, CA 94104

For EU and UK enquiries, you may also contact our data protection representative at the same address.

Create a free website with Framer, the website builder loved by startups, designers and agencies.