Omi Scribe Cloud — Privacy Notice

Version: 1.5

Effective: 11 March 2026

Provider: Omi Health B.V., Eindhoven, Netherlands

Contact: [email protected]

This Privacy Notice applies to Omi Scribe Cloud (the “Service”) and related support services. It does not apply to Omi Scribe for Mac (Offline), which has a separate privacy policy at /legal/mac-privacy.

This Notice is written for:

• Customers (clinics, hospitals, practices) evaluating or using the Service; and
• End users (clinicians and staff) using the Service under a Customer account.

> Important: For patient-related content, the Customer is typically the data controller. Omi Health typically acts as a processor for that content.

1. Summary

Omi Scribe Cloud is built to be privacy‑first:

• We process audio, transcripts, and clinical drafts only to provide the Service.
• No training on your content. We do not use Customer Content to train, fine‑tune, or evaluate machine learning models.
• Review‑first. Outputs are AI‑generated drafts. The clinician reviews and finalises as the sole author of the clinical record.
• EU-first residency today. The Service is currently hosted in Azure Sweden Central and uses Azure AI Foundry (Data Zone Standard) to keep AI processing within the EU data zone.
• You control retention and deletion of Customer Content through tenant settings.
• Enterprise security pack available under NDA (DPA, DPIA, ROPA, incident response, and security policies).

2. Roles and responsibilities

2.1 Customer Content (patient-related)

If you use the Service through a clinic, hospital, or other organisation (the “Customer”), that Customer is typically the Controller for patient-related content (“Customer Content”). Omi Health B.V. acts as a Processor and processes Customer Content only on the Customer’s documented instructions, as set out in the service agreement and Data Processing Addendum (DPA).

2.2 Service Data (account and operational)

Omi Health B.V. is the Controller for “Service Data” used to operate the Service (for example: account details, authentication logs, security logs, billing and usage data, and service communications). This Privacy Notice covers Service Data.

3. What we process

3.1 Customer Content (processed on the Customer’s behalf)

Depending on the Customer’s configuration and use, Customer Content may include:

• Audio recordings or uploaded audio files
• Speaker‑labelled transcripts (diarisation)
• AI‑generated draft notes (e.g., SOAP), letters, and summaries
• Structured clinical extraction outputs (e.g., problem list, medications, assessment/plan fields)
• Session metadata (timestamps, language, session identifiers)

Customer Content may contain special category data (health data) and sensitive information.

3.2 Service Data (processed by Omi Health as Controller)

Service Data may include:

• Account and profile: name, work email, organisation/tenant, role
• Authentication and access: login timestamps, IP address, device/browser metadata, token/session identifiers
• Audit and security logs: user actions (e.g., create session, delete session, export), admin actions, and security events
• Usage and billing metrics (more granular than “feature usage”):

STT and LLM provider and model identifiers, audio duration, token counts (input/output), estimated cost, template identifiers, locale, and operation types (e.g., STT, finalise note, extract, regenerate)

• Support communications: emails or tickets you send to us (and our responses)

We design logs and telemetry to avoid storing clinical content, and we do not intentionally log Customer Content.

3.3 Cookies and similar technologies

The web app uses essential cookies to provide secure authentication and session management.

• We use an HTTP‑only refresh token cookie (typically named `refresh_token`) with a maximum lifetime of 30 days to keep users signed in.
• We do not use cookies for behavioural advertising.

If we add non-essential analytics cookies in the future, we will provide appropriate notice and consent controls where required.

4. Why we process information (purposes and legal bases)

4.1 Customer Content (processor purposes)

We process Customer Content solely to provide the Service under the Customer’s instructions, including:

• transcription and diarisation
• drafting notes and structured extraction
• displaying and storing sessions as configured
• enabling exports and integrations initiated by users/admins
• security and abuse prevention

4.2 Service Data (controller purposes)

We process Service Data for:

• Providing and operating the Service (GDPR Art. 6(1)(b) — contract)
• Security, abuse prevention, and reliability (GDPR Art. 6(1)(f) — legitimate interests; and Art. 6(1)(c) — legal obligations where applicable)
• Billing and subscription management (contractual necessity; legal obligations)
• Customer support (contractual necessity; legitimate interests)
• Product improvement using aggregated and/or de‑identified telemetry (legitimate interests)

We do not use Customer Content to train models.

5. How the Service uses AI models

The Service processes Customer Content using speech-to-text and language models to provide transcription and draft generation. Depending on Customer configuration, models may be:

1) Azure AI Foundry (EU Data Zone Standard)

• STT: audio → transcript (+ diarisation)
• LLM: transcript → draft note / extraction

These services operate under Microsoft enterprise terms and do not use customer data for model training.

2) Self-hosted STT within our Azure network (optional mode)

Some deployments use a dedicated GPU VM in the same Azure virtual network to run speech recognition and diarisation. In this mode, audio is not sent to external STT endpoints.

Real‑time streaming transcription

The Service may support real-time streaming transcription. Streaming audio is processed incrementally and held in memory during the session by the STT component. Customer Content retention is governed by the Customer’s configuration and storage settings for the session.

6. Sharing and disclosures

We do not sell Customer Content or Service Data.

We may share information in these limited cases:

A) Sub‑processors

We use vetted service providers (“sub‑processors”) to host and operate the Service (for example, Microsoft Azure and Azure AI services). Sub‑processors are contractually bound to process data only to provide services to us and to protect it.

A current list of sub‑processors is available at /legal/sub-processors.

B) Customer-controlled integrations

If the Customer enables integrations (e.g., EHR export, storage export, identity provider, or other internal tools), Customer Content may be transmitted to those systems under the Customer’s control and terms.

C) Identity providers (SSO)

If a user logs in via a third-party identity provider (e.g., Microsoft or Google), the login flow is handled by that provider under its own privacy policy. We receive only the profile information necessary for authentication (typically name and email). No Customer Content is shared with identity providers.

D) Support and troubleshooting

Authorized Omi Health personnel may access Service Data and (where necessary and permitted) limited Customer Content to provide support, resolve incidents, or investigate misuse. Access is restricted by role, logged, and limited to what is necessary.

E) Legal and safety

We may disclose information where required by law or valid legal process, or to protect the rights, safety, and security of the Service, our Customers, users, and the public.

7. Data residency and international transfers

7.1 Current hosting region (today)

Omi Scribe Cloud is currently deployed in Azure Sweden Central. Customer Content and Service Data are stored in Sweden Central.

AI processing uses Azure AI Foundry (Data Zone Standard) to keep model processing within the EU data zone.

7.2 Additional regions (future)

Additional regions (e.g., Australia or the United States) may be offered in the future. If offered, the applicable region will be specified in the Customer’s order form and sub‑processor list.

7.3 Remote access and transfers

Authorized remote access (for example, support or incident response) may occur from other locations. Where such access constitutes an international transfer, we rely on appropriate safeguards (such as Standard Contractual Clauses) and technical measures (encryption, access controls, audit logs).

8. Retention and deletion

8.1 Customer Content

Customer Content retention is controlled by the Customer’s tenant settings. The Service applies the following default retention periods (configurable per tenant):

• Audio recordings: 7 days
• Transcripts, notes, and structured extraction: 90 days
• Audit logs: 6 years (not configurable; required for compliance)
• Usage metrics: 2 years

Customers may shorten defaults (including immediate deletion of audio after transcription) or extend them as needed for their regulatory and clinical requirements. Manual deletion of individual sessions is available at any time.

Audio files are stored in Azure Blob Storage and subject to lifecycle management (tiered to cool and archive storage before deletion). An automated purge process runs daily to enforce configured retention policies.

8.2 Backups

Encrypted backups may retain deleted data for a limited period for disaster recovery. Current PostgreSQL backup retention is up to 35 days. Backup retention may change as the Service hardens, but is not intended for “archival use.”

8.3 Service Data

Service Data is retained as needed to provide the Service and comply with legal obligations (for example, accounting and tax retention). We minimise retention where possible.

9. Security measures

We implement technical and organisational measures designed to protect Customer Content and Service Data, including:

• Encryption: TLS in transit; encryption at rest (Azure-managed encryption for infrastructure, plus application-layer AES-256-GCM encryption for clinical content fields)
• Access controls: role‑based access, least privilege, strong authentication via OIDC/SSO
• Tenant and user isolation: tenant-scoped queries and user-scoped access for clinician sessions
• Logging and monitoring: audit logs and operational telemetry designed not to contain Customer Content
• Secrets management: Azure Key Vault and managed identities for service-to-service access

We maintain documented internal security policies (information security, access control, data classification) and an incident response plan. These are available to enterprise Customers under NDA.

Network isolation features (such as private endpoints and additional network segmentation controls) are supported by the architecture and are implemented progressively as part of security hardening.

No system is perfectly secure, but we design the Service to reduce exposure and access to sensitive data.

10. HIPAA (United States)

If the Service is used by a HIPAA Covered Entity (or its Business Associate) to process Protected Health Information (PHI), a Business Associate Agreement (BAA) must be executed.

• If a BAA is in place, Omi Health B.V. will act as a Business Associate and process PHI under the terms of the BAA.
• If no BAA is in place, the Customer must not submit PHI to the Service.

BAA inquiries: [email protected].

11. Your rights and choices

11.1 If you are a patient

For patient-related Customer Content, the Customer (e.g., your clinic) is typically the Controller. Please contact your clinic to exercise rights. Omi Health can act only on the Customer’s instructions.

11.2 If you are an end user or business contact

You may have rights to access, correct, or delete your Service Data. To request this, contact [email protected].

We may need to verify identity and authority before fulfilling requests.

12. Regional disclosures

12.1 EEA/UK (GDPR)

Where Omi Health is Controller for Service Data, legal bases include contract performance, legitimate interests, and legal obligations. You may have rights under GDPR (access, rectification, deletion, restriction, objection, portability). You may lodge a complaint with your supervisory authority (for the Netherlands: Autoriteit Persoonsgegevens).

Where Omi Health is Processor for Customer Content, we process that data only on the Customer’s documented instructions under the DPA.

12.2 California (CCPA/CPRA)

We do not sell personal information and do not share it for cross‑context behavioural advertising. California residents may have rights to know/access, delete, correct, and limit use of sensitive personal information where applicable. To exercise rights: [email protected].

12.3 Australia (Privacy Act and APPs)

We handle personal information in accordance with applicable Australian privacy requirements. You may request access or correction by contacting [email protected]. You may also contact the Office of the Australian Information Commissioner (OAIC).

13. Children

The Service is not intended for children under 16 and should be used only by authorised healthcare professionals in lawful workflows. Customers are responsible for obtaining any required consents for recordings and processing in their care setting.

14. Changes

We may update this Privacy Notice from time to time. We will publish updates at /legal/cloud-privacy and update the effective date. Material changes may be communicated through the Service or to account administrators.

15. Contact

Omi Health B.V. — Eindhoven, Netherlands

Email: [email protected]