Privacy Policy
Merza Medical, LLC
Effective Date: March 31, 2026 · Last Updated: March 31, 2026
This Privacy Policy describes how Merza Medical, LLC (“Merza Medical,” “we,” “us,” or “our”) collects, uses, discloses, and protects information — including Protected Health Information (“PHI”) — in connection with our ambient medical scribe application, Alfred, and related services (collectively, the “Services”). This policy applies to healthcare providers (“Providers”) who use Alfred, patients whose clinical encounters are processed through Alfred, and visitors to our website at merzamedical.com.
Merza Medical operates as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). We process PHI on behalf of healthcare providers (Covered Entities) pursuant to Business Associate Agreements. This Privacy Policy supplements, and does not replace, any Business Associate Agreement between Merza Medical and a healthcare provider.
Important: If you are a patient, your healthcare provider (the doctor or clinic using Alfred) is the Covered Entity responsible for providing you with a Notice of Privacy Practices. Merza Medical processes your health information on behalf of your provider. If you have questions about how your health information is used, please contact your healthcare provider directly, or reach us at admin@merzamedical.com.
1. Information We Collect
1.1 Protected Health Information (PHI)
When a healthcare provider uses Alfred to document a clinical encounter, we collect and process the following categories of PHI on behalf of that provider:
- Audio recordings of doctor-patient encounters (M4A/AAC format, captured on the provider’s iOS device)
- Transcripts generated from those audio recordings via our transcription service
- Clinical notes (SOAP notes — Subjective, Objective, Assessment, Plan) generated from transcripts, including associated ICD-10 diagnostic codes and LOINC codes
- Patient demographic information entered by the provider (e.g., patient name, date of birth, medical record number)
- Metadata associated with the above, such as encounter date, recording duration, and processing timestamps
1.2 Provider Account Information
When a healthcare provider registers for Alfred, we collect:
- Identity data: Full name, professional title, medical license information
- Contact data: Email address, phone number (used for multi-factor authentication)
- Authentication data: Login credentials (managed via AWS Cognito; passwords are never stored in plaintext)
- Practice data: Clinic or practice name, specialty, NPI number (if provided)
1.3 Technical and Usage Data
We automatically collect limited technical data necessary to operate and secure the Services:
- Device information: Device type, operating system version, app version
- Log data: API access logs, error logs (sanitized to exclude PHI), authentication events
- Usage data: Feature usage patterns, session duration, number of encounters processed (aggregated, not tied to individual patients)
What we do NOT collect: We do not use analytics SDKs, crash reporting tools, advertising trackers, or any third-party tools that could capture PHI. We do not collect data from patients directly — all PHI flows through the healthcare provider’s use of Alfred.
2. How We Use Information
2.1 PHI — Permitted Uses
We use PHI solely as authorized by our Business Associate Agreement with each healthcare provider and as permitted by HIPAA. Specifically, we use PHI to:
- Transcribe audio recordings of clinical encounters
- Generate SOAP notes with ICD-10 and LOINC codes from transcripts
- Display clinical notes on the provider’s secure web dashboard for review and export to the provider’s Electronic Medical Record (EMR)
- Fulfill patient data access, amendment, and deletion requests as directed by the provider
- Maintain audit logs as required by HIPAA
We do NOT use PHI for:
- Marketing or advertising of any kind
- Training machine learning or artificial intelligence models
- Sale to third parties
- Any purpose not authorized by the applicable Business Associate Agreement and HIPAA
2.2 Provider Account Information
We use provider account information to:
- Create and manage provider accounts
- Authenticate providers and enforce access controls
- Communicate with providers about their account, service updates, and security notices
- Process payments and manage subscriptions
- Comply with legal obligations
2.3 Technical and Usage Data
We use technical and usage data to:
- Operate, maintain, and improve the Services
- Monitor system performance and security
- Detect and prevent fraud, unauthorized access, and security incidents
- Generate aggregated, de-identified analytics (which do not constitute PHI)
3. How We Process PHI — Technical Details
Transparency about how we handle PHI is central to our commitment to providers and their patients. The following describes our technical processing pipeline:
3.1 Recording and Upload
Audio is recorded on the provider’s iOS device in M4A/AAC format at 44.1 kHz mono. Recordings are encrypted on-device using iOS FileProtectionType.complete (files are inaccessible when the device is locked). Audio is uploaded to our backend via a presigned Amazon S3 URL over TLS 1.2+.
3.2 Transcription and Note Generation
Alfred uses a two-stage processing pipeline to transcribe audio and generate clinical notes. This pipeline operates under Business Associate Agreements with all vendors and is subject to the same HIPAA safeguards described in this Privacy Policy.
Uploaded audio is processed in two stages:
- Transcription: Audio is sent to AssemblyAI’s Universal-3 Pro engine with Medical Mode enabled. AssemblyAI performs medical speech-to-text transcription with speaker diarization (identifying distinct speakers) and PHI redaction capabilities. Audio is deleted from AssemblyAI’s systems immediately after the transcript is retrieved.
- Clinical note generation: The transcript is sent to Anthropic’s Claude API (Sonnet model) to generate a structured SOAP note with ICD-10 diagnostic codes and LOINC observation codes. Anthropic operates under a Zero Data Retention API policy — no PHI is stored, cached, or used for model training by Anthropic.
AssemblyAI and Anthropic process data exclusively within the United States and are covered by executed Business Associate Agreements (see Section 4).
3.2.1 AI-Generated Content and Clinician Review
Clinical notes produced by Alfred are generated with the assistance of artificial intelligence. AI-generated clinical notes are drafts that require clinician review, verification, and electronic signature before they may be used in patient care or incorporated into the medical record. Merza Medical does not represent that AI-generated content is a substitute for clinical judgment. The provider bears sole responsibility for the accuracy and completeness of any signed clinical note. For additional information, see the AI Disclaimer in our Terms of Service.
3.3 Storage and Encryption
- At rest: All data is encrypted using AES-256 encryption with AWS Key Management Service (KMS) managed keys
- In transit: All data is transmitted over TLS 1.2 or higher
- Database: Amazon RDS PostgreSQL with SSL-required connections and encryption at rest
- Object storage: Amazon S3 with server-side encryption (SSE-KMS)
3.4 Access and Display
Completed clinical notes are displayed on the provider’s secure web dashboard at app.merzamedical.com. The provider reviews notes and copies them into their EMR. Access to the dashboard requires authentication via AWS Cognito with PKCE OAuth 2.0 and a 15-minute idle session timeout. Multi-factor authentication (MFA) is available and strongly recommended for all accounts, supporting SMS, authenticator apps (TOTP), and passkeys (WebAuthn).
3.5 Data Minimization in the Processing Pipeline
We apply the principle of minimum necessary to every stage of PHI processing:
- Audio retention at AssemblyAI: Audio files are deleted from AssemblyAI’s infrastructure immediately after the transcript is retrieved. AssemblyAI does not retain audio beyond the duration of processing.
- Zero data retention at Anthropic: Anthropic’s Zero Data Retention API policy ensures that transcripts sent for note generation are not stored, logged, or used for model training. PHI is held in memory only for the duration of the API request.
- No vendor model training: Neither AssemblyAI nor Anthropic uses Merza Medical data — including audio, transcripts, or clinical notes — to train or improve their AI models.
4. Subprocessors and Third-Party Services
We use the following subprocessors to deliver the Services. Each subprocessor that handles PHI is covered by a Business Associate Agreement and operates HIPAA-eligible services:
| Subprocessor | Service | Data Processed | Compliance | BAA in Place |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, storage, compute, authentication | PHI (audio, notes, patient data), account data | SOC 1/2/3, ISO 27001, HITRUST CSF, FedRAMP | Yes |
| AssemblyAI, Inc. | Medical audio transcription with speaker diarization and PHI redaction | PHI (audio recordings, transcription text) | SOC 2, HIPAA BAA, US data residency | Yes |
| Anthropic PBC | Clinical note generation via Claude API — SOAP notes with ICD-10 and LOINC codes | PHI (transcription text, structured clinical notes) | SOC 2, Zero Data Retention, HIPAA BAA, US data residency | Yes |
We do not share PHI with any subprocessor not listed above. If we engage additional subprocessors that will handle PHI, we will update this Privacy Policy and, where required by our Business Associate Agreements, provide at least 30 days’ advance written notice to affected providers before the new subprocessor begins processing PHI.
Specific AWS services used include: S3 (storage), Lambda (compute), API Gateway (API management), RDS PostgreSQL (database), Cognito (authentication), KMS (encryption key management), CloudFront (content delivery), CloudTrail (audit logging), WAF (web application firewall), and GuardDuty (threat detection).
5. Data Retention and Deletion
5.1 Retention Periods
- Audio recordings: Retained in encrypted S3 storage with a 7-year lifecycle policy, consistent with medical record retention requirements in most U.S. states
- Transcripts and SOAP notes: Retained in the encrypted RDS database for the duration of the provider’s account, plus the applicable retention period
- Provider account data: Retained for the duration of the active account, plus 30 days after account deletion is initiated
- Audit logs: Retained indefinitely (audit logs contain metadata about actions taken but do not contain PHI content)
- Technical logs: Retained for up to 90 days for operational and security purposes
5.2 Account Deletion
Providers may delete their account at any time via two methods:
- Self-service: Navigate to Settings > Delete Account in the Alfred iOS app. This immediately disables the account and initiates a 30-day grace period.
- Email request: Contact admin@merzamedical.com to request account deletion.
During the 30-day grace period, the account is disabled (the provider cannot log in) and data is retained but inaccessible. The provider may contact us to reverse the deletion during this window. After 30 days, the following data is permanently deleted: patient records and clinical notes in the database, audio recordings in S3, and the Cognito user account. Audit log entries (which do not contain PHI) are retained for compliance purposes.
5.3 Data Minimization
We follow the principle of data minimization: we collect and retain only the data necessary to provide the Services. We do not retain data longer than required by our contractual obligations and applicable law.
6. Data Security
We implement administrative, technical, and physical safeguards to protect PHI and other data, consistent with the HIPAA Security Rule (45 CFR Part 164, Subpart C):
6.1 Technical Safeguards
- Encryption: AES-256 at rest (KMS-managed keys); TLS 1.2+ in transit; SSL-required database connections
- Authentication: AWS Cognito with PKCE OAuth 2.0 and a 15-minute idle session timeout. Multi-factor authentication (MFA) is available and strongly recommended for all accounts, supporting SMS, authenticator apps (TOTP), and passkeys (WebAuthn).
- Access control: Role-based access; providers can only access their own patients’ data
- Audit logging: Multi-layered logging via application-level audit tables, AWS CloudTrail, API Gateway access logs, and WAF logs
- Network security: AWS WAF (web application firewall), GuardDuty (threat detection and monitoring)
- Error handling: All error logging is sanitized to prevent PHI from appearing in log output
6.2 Administrative Safeguards
- HIPAA Security Risk Assessment conducted and documented
- Written HIPAA policies and procedures (14 core policies)
- Workforce HIPAA training with documented acknowledgment
- Incident Response Plan and Breach Notification Plan
- Sanction policy for policy violations
- Change management procedures for system updates
6.3 Physical Safeguards
All data is stored in AWS data centers, which maintain SOC 1/2/3, ISO 27001, and FedRAMP certifications, along with physical access controls including biometric authentication, 24/7 security, and environmental protections. No PHI is stored on Merza Medical’s own physical premises or servers.
7. Your Rights
7.1 Rights of Healthcare Providers (Users)
As a provider using Alfred, you have the right to:
- Access your account data and all PHI processed on your behalf
- Correct inaccurate account information
- Delete your account and associated data (subject to applicable retention requirements)
- Export your data in a portable, machine-readable format
- Restrict certain processing of your data
- Withdraw consent by terminating your account at any time
7.2 Rights of Patients Under HIPAA
Patients whose clinical encounters are processed through Alfred retain all rights guaranteed by the HIPAA Privacy Rule, including:
- Right of Access (45 CFR §164.524) — Request copies of PHI. Fulfilled within 30 days.
- Right to Amendment (45 CFR §164.526) — Request corrections to PHI. Fulfilled within 60 days.
- Right to Accounting of Disclosures (45 CFR §164.528) — Request a log of PHI disclosures.
- Right to Request Restrictions (45 CFR §164.522) — Request limits on certain uses or disclosures of PHI.
- Right to Deletion — Request erasure of PHI, subject to legal retention requirements.
In most cases, patients should direct requests to their healthcare provider (the Covered Entity). If a patient contacts Merza Medical directly, we will coordinate with the applicable provider to fulfill the request. Our Patient Data Request Procedures document details the full process.
7.3 Rights Under Oregon Consumer Privacy Act (OCPA)
Oregon residents may have additional privacy rights under the Oregon Consumer Privacy Act (ORS 646A.570-646A.589). PHI processed under HIPAA is exempt from OCPA at the data level. However, non-PHI personal data (such as provider account information and website usage data) may be subject to OCPA. Under OCPA, Oregon residents have the right to:
- Know what personal data we collect and how it is used
- Access and obtain a copy of their personal data
- Correct inaccuracies in their personal data
- Delete their personal data
- Opt out of the sale of personal data (note: we do not sell personal data)
- Opt out of profiling in furtherance of automated decisions (note: we do not engage in such profiling)
To exercise any of these rights, contact us at admin@merzamedical.com. We will respond to verified requests within 45 days, as required by OCPA.
7.4 Rights Under the California Consumer Privacy Act (CCPA/CPRA)
Protected Health Information collected and processed by Merza Medical under HIPAA is exempt from the California Consumer Privacy Act and the California Privacy Rights Act pursuant to Cal. Civ. Code §1798.145(c)(1)(A). This exemption applies to all patient encounter data — including audio recordings, transcripts, clinical notes, and associated metadata — because Merza Medical processes this information as a Business Associate governed by HIPAA.
However, non-PHI provider account data (such as name, email address, login activity, and practice information) for California-based providers may be subject to CCPA/CPRA. Under CCPA/CPRA, California residents have the right to know what personal information is collected and how it is used, request deletion of personal information, request correction of inaccurate personal information, and opt out of the sale of personal information (note: we do not sell personal information).
To exercise CCPA/CPRA rights or for questions about California privacy law as it applies to your account data, contact privacy@merzamedical.com. We will respond to verified requests within 45 days.
For a detailed description of the categories of personal information collected, business purposes for collection, and the full scope of CCPA/CPRA rights, see our Privacy Practices & CCPA Disclosure document, available upon request.
8. Disclosures of Information
We may disclose information in the following limited circumstances:
- To healthcare providers: We make PHI available to the provider who created it through Alfred, via the secure web dashboard.
- To subprocessors: As described in Section 4, solely to provide the Services and subject to BAAs.
- As required by law: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests, including HIPAA-required disclosures to the U.S. Department of Health and Human Services (HHS).
- To protect rights and safety: When we believe disclosure is necessary to protect our rights, your safety, or the safety of others, or to investigate fraud.
- Business transfers: In connection with a merger, acquisition, or sale of assets, provided the acquiring entity agrees to be bound by this Privacy Policy and applicable BAAs.
We do NOT sell, rent, or trade PHI or personal data to any third party for any purpose.
9. Breach Notification
In the event of a breach of unsecured PHI, Merza Medical will comply with the HIPAA Breach Notification Rule (45 CFR §§164.400-414). This includes:
- Notifying the affected healthcare provider (Covered Entity) without unreasonable delay, and no later than 30 days after discovery of the breach, consistent with our Business Associate Agreement obligations. (For reference, the HIPAA Breach Notification Rule establishes a maximum statutory deadline of 60 days under 45 CFR §164.410; our BAA imposes the stricter 30-day requirement.)
- Cooperating with the provider in notifying affected patients, as required
- Reporting breaches affecting 500 or more individuals to HHS and, where required, to prominent media outlets in the affected jurisdiction
- Maintaining a log of all breaches, including those affecting fewer than 500 individuals, and reporting them to HHS annually
Our full Incident Response Plan and Breach Notification Plan are maintained as part of our HIPAA compliance documentation and are available to providers upon request.
10. Cookies and Tracking Technologies
The Alfred web dashboard (app.merzamedical.com) uses only essential cookies and session storage required for authentication and security. We do not use:
- Advertising or marketing cookies
- Third-party analytics tools (e.g., Google Analytics)
- Cross-site tracking pixels or beacons
- Social media tracking integrations
Our content delivery network (AWS CloudFront) may set functional cookies for performance and security purposes. These cookies do not contain PHI and are not used for tracking or profiling.
11. Children’s Privacy
The Services are designed for use by licensed healthcare providers and are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If patient PHI incidentally includes information about a minor patient, that data is handled under HIPAA and the applicable provider’s obligations, not under the Children’s Online Privacy Protection Act (COPPA), as the provider — not the minor — is our user.
12. Data Location and International Transfers
All data is stored and processed within the United States, in AWS data centers located in the AWS US-East and US-West regions. Our subprocessors — AssemblyAI and Anthropic — also process data exclusively within the United States and have provided written confirmation of US data residency. We do not transfer PHI or personal data outside of the United States. If you access the Services from outside the United States, you understand that your data will be transferred to and processed in the United States.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the “Last Updated” date at the top of this policy
- Notify active providers via email or in-app notification
- Where changes affect PHI handling, provide at least 30 days’ notice before the changes take effect
Continued use of the Services after the effective date of a revised Privacy Policy constitutes acceptance of the changes. If you do not agree with any changes, you may terminate your account.
14. Contact Information
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
| Role | Contact | Details |
|---|---|---|
| Privacy Officer / General Inquiries | Merza Medical, LLC | admin@merzamedical.com |
| California Privacy Rights (CCPA) | Merza Medical, LLC | privacy@merzamedical.com |
| Phone | Merza Medical, LLC | 971-712-4907 |
If you believe your privacy rights have been violated, you may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, at https://www.hhs.gov/ocr/complaints/.
15. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of the State of Oregon and applicable federal law, including HIPAA. Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of the state and federal courts located in Oregon.
© 2026 Merza Medical, LLC. All rights reserved.