
Privacy Policy

Your trust matters. This Privacy Policy explains how ConciCare collects, uses, and safeguards personal and protected health information in connection with our voice intake platform.

Last updated: November 6, 2025

1. Information We Collect

ConciCare collects only the data required to deliver the voice intake experience. This includes forms your staff uploads, answers patients provide during guided sessions, signatures, and device metadata necessary for auditability. Audio streams can be processed in a zero-retention mode so that no recordings are stored after transcription unless your organization expressly enables archival storage.

  • Structured form responses and questionnaires provided by your organization.
  • Optional audio and signature artifacts, encrypted immediately upon creation.
  • Operational telemetry (IP address, device type, and error logs) used to secure and maintain the service.

2. How We Use Information

Intake data is converted into structured records that are exported to your electronic health system, used to generate clinician-ready summaries, and used to support internal quality assurance. ConciCare does not use PHI to train public machine-learning models, run advertising, or build third-party datasets. Aggregate, de-identified metrics may be used to improve accuracy, latency, and accessibility features.

3. Sharing and Disclosure

ConciCare does not sell or license patient information. We share PHI only with subprocessors that are bound by Business Associate Agreements and that meet our HIPAA, SOC 2 Type II, and ISO 27001 standards. Disclosures are limited to hosting, transcription, analytics, and customer support providers. We may disclose data when required by law or regulatory authorities.

4. Security Practices

We maintain administrative, physical, and technical safeguards aligned with HIPAA and NIST best practices.

  • Encryption in transit (TLS 1.2+) and at rest with FIPS 140-2 validated keys.
  • Role-based access controls with multi-factor authentication and least-privilege enforcement.
  • Comprehensive audit logging retained for six years, anomaly detection, and independent penetration tests.

5. Data Retention

We retain PHI only for the duration defined in your customer agreement. The default retention for transcripts and audio is 30 days, after which files are irreversibly purged using NIST SP 800-88 compliant deletion. You may opt into streaming-only mode for immediate deletion or request accelerated destruction at any time through the admin console or support channel.

6. Your Choices

Administrators can configure consent prompts, retention windows, and export destinations. Patients seeking access, amendments, or deletion of their records should contact the covered entity (your organization), and ConciCare will support those requests in line with HIPAA and other applicable laws.

7. International Data Transfers

ConciCare processes PHI solely within the United States. If future product features require processing outside the United States, we will provide advance notice, execute updated agreements, and implement appropriate transfer safeguards.

8. Updates to This Policy

We may revise this Privacy Policy periodically. Material changes will be communicated via email or in-product notifications. Continued use after the effective date constitutes acceptance of the revised policy.

9. HIPAA Contacts

To request a Business Associate Agreement, report a potential security issue, or ask privacy questions, contact us at team@concicare.com. We will respond within two business days and coordinate breach notifications in accordance with HIPAA timelines if ever required.

Need to discuss compliance?

Our team can review Business Associate Agreements, security documentation, and privacy controls tailored to your practice.
