Privacy Policy

Paige Scribe Healthcare Documentation Platform

Last Updated: September 2025

Healthcare Privacy Notice

This privacy policy governs the collection, use, and disclosure of Personal Health Information (PHI) under Ontario's Personal Health Information Protection Act (PHIPA). This document references PHIPA for compliance alignment; Paige is not limited to Ontario-based professionals, and we do not verify professional credentials.

1. Who We Are

Paige Scribe ("we," "us," "our") operates as a Health Information Network Provider under PHIPA, providing therapy documentation services to licensed healthcare professionals. We do not independently verify professional credentials. We serve as a Business Associate under applicable privacy legislation.

2. Information We Collect

2.1 Personal Health Information (PHI)

Under PHIPA, we collect and process the following PHI:

  • Audio for Transcription: Therapy session audio used to generate transcripts (deleted immediately after processing)
  • Session Transcripts: Text transcription of therapy sessions
  • Clinical Notes: AI-generated and therapist-edited session documentation
  • Client Identifiers: Encrypted client names and session metadata
  • Professional Information: Therapist license numbers and specialties (encrypted)

2.2 Account Information

We also collect non-PHI account data:

  • Professional email addresses and authentication credentials
  • Subscription and billing information
  • Platform usage analytics (anonymized)
  • Technical logs for security and performance monitoring

3. How We Use Information

3.1 Primary Purposes (PHIPA Section 36)

We use PHI only for the following healthcare purposes:

  • Transcription Services: Converting audio to text for clinical documentation
  • Note Generation: AI-assisted creation of therapy session notes
  • Session Management: Organizing and storing session data for therapist access
  • Quality Assurance: Ensuring accuracy and completeness of documentation

3.2 Secondary Purposes (With Consent)

With your explicit consent, we may use aggregated, anonymized data for:

  • Service improvement and feature development
  • Healthcare research (fully anonymized, no PHI)
  • Quality metrics and performance analytics

4. Information Sharing and Disclosure

4.1 Permitted Disclosures

We may disclose PHI only in the following circumstances:

  • To You: Full access to your own session data and documentation
  • Business Associates: OpenAI (US) for transcription under equivalent protection
  • Legal Requirements: Court orders or regulatory investigations
  • Health and Safety: Imminent risk to individual or public health

4.2 Third-Party Processors

PHI is processed by the following third parties under Business Associate Agreements:

  • OpenAI (United States): Audio transcription services
  • Amazon Web Services (Canada): Secure cloud storage and processing
  • Stripe (Global): Payment processing (billing data only, no PHI)

Note: All third parties operate under equivalent privacy protection standards and are contractually bound to PHIPA compliance requirements.

5. Data Security and Protection

5.1 Technical Safeguards (PHIPA Section 29)

We implement comprehensive security measures:

  • Encryption: AES-128 encryption for all PHI at rest and in transit
  • Access Controls: Multi-factor authentication and role-based access
  • Audit Logging: Complete access logs per PHIPA Section 10.1 requirements
  • Network Security: Firewalls, intrusion detection, and monitoring

5.2 Administrative Safeguards

Our administrative protections include:

  • Designated Privacy Officer responsible for PHIPA compliance
  • Regular staff training on healthcare privacy requirements
  • Incident response procedures for potential breaches
  • Regular security assessments and vulnerability testing

6. Data Retention and Deletion

6.1 Retention Periods

We retain data according to healthcare professional standards:

  • Session Transcripts: 10 years from last session date (healthcare standards)
  • Clinical Notes: 10 years from creation date
  • Audio for Transcription: Deleted immediately after processing
  • Account Data: 7 years after account closure for legal compliance

6.2 Secure Deletion

When retention periods expire, we ensure:

  • Cryptographic erasure of encryption keys
  • Multi-pass overwriting of storage media
  • Certificate of destruction for physical media
  • Verification of complete data removal

7. Your Privacy Rights Under PHIPA

7.1 Access Rights (PHIPA Section 52)

You have the right to:

  • Access Your PHI: View and obtain copies of all your session data
  • Correct Inaccuracies: Request corrections to any incorrect information
  • Access History: See who has accessed your PHI and when
  • Complaint Process: File complaints with the Ontario IPC

7.2 How to Exercise Your Rights

To access or correct your PHI:

  1. Log into your account dashboard for immediate access to most data
  2. Email our support team for formal access requests
  3. We will respond within 30 days as required by PHIPA
  4. Complex requests may incur reasonable administrative fees

8. Consent Management

8.1 Types of Consent

We obtain different types of consent for various activities:

  • Express Consent: Required for AI processing and cross-border transfers
  • Implied Consent: Basic transcription within Canada
  • Ongoing Consent: Continued use implies consent for core services

8.2 Withdrawing Consent

You may withdraw consent at any time by:

  • Updating preferences in your account settings
  • Contacting our Privacy Officer

Note: Withdrawal may limit service functionality. Previously processed data remains subject to retention requirements.

9. Cross-Border Data Transfers

9.1 United States Processing

With your express consent, PHI may be processed in the United States for:

  • OpenAI transcription services
  • Advanced AI analysis features

US processing is subject to:

  • Business Associate Agreements ensuring equivalent protection
  • Contractual data protection requirements
  • Immediate deletion after processing
  • No permanent storage outside Canada

10. Breach Notification

10.1 Our Obligations

In case of a privacy breach, we will:

  • Notify the Ontario IPC within 24 hours of discovery
  • Notify affected individuals "at the first reasonable opportunity"
  • Provide details about the breach and steps taken
  • Offer support and remediation services as appropriate

10.2 Your Reporting Rights

If you suspect a privacy breach, contact us immediately at:

  • Emergency: [TBD]
  • Phone: [TBD]
  • You may also report directly to the Ontario IPC

11. Children's Privacy

Our service is designed for licensed healthcare professionals only. We do not knowingly collect PHI from individuals under 18 without appropriate parental consent and professional authorization.

12. Changes to This Policy

We may update this privacy policy to reflect:

  • Changes in privacy legislation
  • New service features or functionality
  • Enhanced security measures

Material changes will be communicated with 30 days' advance notice via email and account notifications.

13. Contact Information

13.1 Privacy Officer

  • Email: [TBD]
  • Phone: [TBD]
  • Mail: [TBD]

13.2 Regulatory Contacts

  • Ontario IPC: 1-800-387-0073 or www.ipc.on.ca
  • Healthcare Regulators: Contact your professional regulatory body

Your Privacy Rights Summary

  • ✓ Access your PHI and session data anytime
  • ✓ Correct any inaccurate information
  • ✓ Know who accessed your data and when
  • ✓ Withdraw consent for optional services
  • ✓ File complaints with Ontario IPC
  • ✓ Receive breach notifications immediately

PHIPA Compliance Guarantee

We are committed to maintaining full compliance with PHIPA and supporting your professional obligations. Our privacy practices are regularly audited and updated to meet the highest healthcare privacy standards.

Questions about your privacy rights? Contact our Privacy Officer at [TBD]