Privacy Policy
Effective Date: January 16, 2026
Key points
- Clinician-only, invite-only service; not for patients or minors.
- We process session audio that may include PHI to create transcripts and clinical notes.
- Audio auto-deletes after ~3 days; transcripts/notes/edits/patient-name labels retained up to ~30 days (current default) unless you delete sooner.
- Deleting a session hard-deletes content from primary systems; backups may retain deleted data up to ~7 days.
- No selling data, no targeted advertising.
- United States-only storage and processing.
- Contact: privacy@alaniscribe.com. Security issues: security@alaniscribe.com.
Who we are
Waejay LLC, doing business as Alani Scribe ("Alani Scribe", "we", "us") provides Alani Scribe, available at alaniscribe.com and alani.app (getalani.com redirects). The Service is intended for clinicians and clinical professionals. It is invite-only at this time.
Definitions
"PHI" means protected health information as defined by HIPAA.
"Clinical Session Data" means audio recordings, transcripts, generated notes, and edits created through the Service.
"Subprocessor" means a vendor we use to process data on our behalf (e.g., cloud hosting, AI processing).
Information we collect
We collect the following categories of information:
| Category | Examples | Why we collect it | Default retention |
|---|---|---|---|
| Account data | name, email | create/manage account, support | account lifetime (until deleted) |
| Authentication/session | session cookie (HttpOnly), session IDs | keep you signed in securely | session duration |
| Clinical Session Data | audio, transcripts, generated notes, clinician edits | provide transcription and note generation | audio ~3 days; others up to ~30 days |
| Patient label (optional) | patient name label | session organization | up to ~30 days (current default) |
| Usage and Security Logs | session IDs, timestamps, audit events | security, troubleshooting, compliance | up to ~7 years (non-PHI) |
Notes:
- We do not store your password. We utilize secure, industry-standard authentication providers.
- We are designed to avoid PHI in application logs and analytics.
How we use information
We use information to:
- Provide the Service (recording, transcription, note generation, and saving your edits)
- Secure the Service and prevent abuse
- Maintain reliability and performance
- Respond to support requests
- Comply with legal obligations and enforce our agreements
Transcription and note generation
To generate transcripts and clinical notes, we may process transcript text with industry-leading AI model providers (on platforms that support BAA/compliance requirements).
- We configure AI processing to prohibit training on your data and to minimize retention by the provider where available.
- We send only only the content needed to generate outputs and do not intentionally add extra identifiers beyond what exists in the transcript.
- AI-generated outputs may be inaccurate and are provided for clinician review; they are not a substitute for professional judgment.
How we share information
We do not sell personal information and we do not share it for cross-context behavioral advertising.
We share information only:
- With subprocessors that help us operate the Service (hosting, storage, processing, security)
- When required by law or valid legal process
We require subprocessors to protect data and use it only to provide services to us. Current subprocessors:
| Name | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, hosting, storage, and AI processing | United States |
Cookies
We use a secure, HttpOnly session cookie to maintain your authenticated session. We do not use advertising cookies. If we add product analytics in the future, we will configure it to avoid PHI content and will update this policy as needed.
Retention and deletion
Retention summary
| Data type | Default retention | Notes |
|---|---|---|
| Audio recordings | ~3 days | automatic deletion |
| Transcripts, notes, clinician edits, patient-name labels | up to ~30 days | current default for testing; may change |
| Backups | up to ~7 days | data may persist until backups expire |
| Audit logs (non-PHI) | up to ~7 years | security/compliance events only |
Deletion
- Session deletion: hard-delete session audio, transcript, note outputs, edits, and patient label from primary systems.
- Account deletion: self-serve; deletes your account and session data from primary systems. Audit logs may remain (non-PHI).
Access controls and support access
- Clinicians can access only their own sessions (row-level scoping).
- In rare, high-severity cases, we may access limited customer data to troubleshoot only upon explicit customer request. Such access is logged for audit purposes.
HIPAA
We operate as a HIPAA Business Associate and can provide a Business Associate Agreement (BAA) to clinician customers. Clinicians are responsible for obtaining any required patient consent and using the Service consistent with their legal and professional obligations.
Your rights (including California)
Depending on where you live, you may have rights to request deletion or correction of your information. You may also request access to or a copy of your information; however, we may be unable to fulfill certain requests at this time (for example, providing a complete export). If we cannot fulfill a request, we will explain why and what we can provide.
We do not sell personal information and do not share it for cross-context behavioral advertising.
Legal requests
We disclose information only when we believe disclosure is required by law or valid legal process. Where permitted, we will attempt to notify affected customers.
Changes to this policy
We may update this policy. If changes are material, we will notify you by email and update the effective date. Continued use after the effective date means you accept the updated policy.
Contact
Waejay LLC, doing business as Alani Scribe
Privacy: privacy@alaniscribe.com
Security: security@alaniscribe.com