SyncSOAP
Log In

Privacy Policy

Last updated: April 12, 2026

1. Data Collection

SyncSOAP collects and temporarily processes the following data solely to generate clinical documentation on your behalf:

  • Audio transcripts - recorded during clinical encounters and converted to text via speech-to-text services.
  • Clinical images - photographs captured or uploaded for storage and workflow support; production AI image analysis remains disabled for PHI unless separately approved in writing for the deployment.
  • SOAP notes - generated by AI models from the transcript and image data you provide.
  • Account credentials - an email address used for authentication. Passwords are hashed and never stored in plain text.

We do not sell customer data or patient data. Encounter data is processed only to provide the documentation workflow described in this policy.

2. Retention Policy

Encounter data, including transcripts, SOAP notes, and clinical images, is designed for short-term operational storage and is automatically scheduled for deletion within the configured retention period. This model supports documentation review, clinician attestation, and copy/export into the customer's official record system.

Users are responsible for exporting or copying their clinical notes to their official Electronic Health Record (EHR) system before the retention window expires.

SyncSOAP is a transient documentation support tool and is not intended to serve as the long-term designated record set or chart repository for the customer.

3. No Third-Party Sharing

We do not sell, rent, lease, or disclose your data to third parties for advertising or unrelated analytics. We may share data with subprocessors and infrastructure providers only when necessary to operate authentication, storage, database, transcription, AI-assisted drafting, image analysis, email delivery, security, and audit workflows.

Depending on the deployment, these service providers may include cloud hosting, database, object storage, transcription, and model providers operating under customer-approved terms and business associate arrangements where required.

Depending on the customer relationship, the applicable Business Associate Agreement may be accepted electronically during onboarding or executed separately in writing.

4. Security Measures

  • All data in transit is encrypted via TLS/HTTPS.
  • Production data stores are intended to use encryption at rest, including backups.
  • The main authenticated clinician workflow is intended to remain usable from ordinary networks; SyncSOAP does not depend on per-user IP allowlisting for normal use.
  • Workforce devices used to access clinical data should use full-disk encryption and screen locking.
  • Image storage uses authenticated, private access patterns; no public clinical object URLs are intended for production use.
  • Audit logging records significant data access and modification events.
  • Passkeys and biometric-backed sign-in are available today, with optional authenticator-based MFA still available for users who want an additional fallback factor.
  • Clinicians review AI-generated output before copying it into the official chart.

For a higher-level overview of infrastructure safeguards and cloud service categories, see our Security & Compliance page.

5. Demo and Production Separation

SyncSOAP maintains separate demo and production environments. Demo deployments are not intended for real PHI and should be used only with fake or de-identified sample data. Production deployments should use the customer's approved HIPAA-aligned configuration, and whether that configuration is compliant depends on the signed BAA and the customer's operational controls.

6. Contact

If you have questions about this Privacy Policy, please contact the application administrator.