Privacy Policy
Privacy at a Glance
- Audio is encrypted and securely transmitted to OpenAI for transcription, then immediately discarded — no recordings are ever stored
- All data is encrypted at rest using AWS KMS envelope encryption and transmitted over TLS
- Clinical content is processed under signed Business Associate Agreements with HIPAA-covered services
- OpenAI operates under a Business Associate Agreement (BAA) with Shepard and does not retain, store, or train on your data
- We never sell your data to third parties or share it with advertisers
- You control your data and can delete it at any time
1. Introduction
Shepard Health ("we," "our," or "us") is committed to protecting your privacy and the privacy of your patients. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the Shepard mobile application and related services ("the App").
Shepard serves both clinicians (medical students, residents, attending physicians, nurses, and other healthcare professionals) and patients. As a clinical documentation tool, we understand the critical importance of protecting Protected Health Information (PHI) and maintaining the highest privacy standards. This policy reflects our commitment to privacy by design.
2. Information We Collect
2.1 Information You Provide
- Account Information: Email address, name, professional credentials, specialty, practitioner role (e.g., student, resident, attending), and account type (clinician or patient)
- Patient Profile (Patient Users): Optional personal profile information (education level, occupation, hobbies) used to tailor AI explanations with relatable analogies. This data is stored as part of your user profile and is never shared externally
- Health Data (Patient Users): Health concerns, medications, and visit recordings you choose to enter or record
- Subscription Information: Payment is processed exclusively through Apple's App Store; we receive subscription status and tier but never payment card details
- Preferences: App settings, specialty preferences, theme, and documentation preferences
- Support Messages: Communications sent through in-app support chat
2.2 Information Transmitted for Processing
The following data is transmitted from your device to Shepard's servers and/or OpenAI for processing:
- Audio Recordings: Encounter audio is encrypted (TLS 1.3) and sent to Shepard's server, which forwards it to OpenAI for speech-to-text transcription. OpenAI processes the audio ephemerally and discards it immediately after transcription. No audio is ever stored by Shepard or OpenAI
- Encrypted Encounter Text: After transcription, encounter text is processed securely under our BAA with OpenAI for note generation. All data is encrypted at rest and in transit. See Section 6 for full details
- Questions to Ask Shepard: Patient questions submitted to our AI Q&A feature are sent to OpenAI for answers
2.3 Information Collected Automatically
- Device Information: Device type, operating system version, unique device identifiers
- Usage Data: Features used, session duration, crash reports (no clinical content is included)
- Log Data: IP address, access times, app version (used for troubleshooting and security only)
3. How We Protect Patient Information
3.1 Secure Audio Transmission & Transcription
Audio recordings are encrypted using TLS 1.3 and transmitted to Shepard's server, which forwards them to OpenAI's transcription API. OpenAI converts speech to text in real-time and immediately discards the audio — no recordings are stored by either Shepard or OpenAI. The complete data flow is: your device sends encrypted audio to Shepard's server, Shepard's server sends it to OpenAI for transcription, OpenAI returns the text and deletes the audio.
3.2 PHI Protection
All Protected Health Information is safeguarded through HIPAA-compliant encryption and BAA-covered processing. Shepard processes clinical data securely under signed Business Associate Agreements. The following categories of PHI are protected:
- Patient names and identifiers
- Dates of birth and specific ages
- Addresses, phone numbers, and email addresses
- Medical record numbers (MRNs)
- Social Security numbers
- Insurance and account identifiers
- Other identifying information as defined by HIPAA's 18 Safe Harbor identifiers
All PHI categories are protected through encryption and access controls. Data is encrypted at rest using AWS KMS envelope encryption and transmitted exclusively over TLS 1.3.
3.3 Secure Server Processing
Our server processes clinical data securely under HIPAA-compliant infrastructure. Transcripts are processed in real-time for note generation. Cloud-saved notes are encrypted at rest using AWS KMS envelope encryption (AES-256-GCM). Generated notes are returned to your device immediately after creation.
3.4 Encryption
- In Transit: All data transmitted between your device and our servers, and between our servers and OpenAI, is encrypted using TLS 1.3
- At Rest: All clinical content and account data are encrypted using AWS KMS envelope encryption (AES-256-GCM) with customer-managed encryption keys
- On Device: Sensitive credentials (authentication tokens) are stored using iOS Secure Enclave / Expo SecureStore
4. Data Storage and Retention
| Data Type | Storage Location | Retention Period |
|---|---|---|
| Audio recordings (local copy) | Your device | Until you delete them |
| Audio sent to OpenAI for transcription | Not stored (ephemeral processing) | Discarded immediately after transcription by OpenAI |
| Local notes (all users) | Your device only | Until you delete them (auto-delete available) |
| Cloud-saved notes (paid tiers) | Encrypted cloud storage (AES-256-GCM) | Until you delete them or close your account |
| Account information | Our secure servers | Until account deletion + 60-day grace period |
| Encrypted text sent to OpenAI under BAA | Not stored (ephemeral processing) | Not retained by OpenAI or by us after response generation |
| Health concerns & medications (patients) | Our secure servers (encrypted) | Until you delete them or close your account |
| Usage analytics | Our secure servers | 24 months |
5. How We Use Information
We use the information we collect to:
- Provide and maintain the App's core functionality (note generation, clinical summaries, patient education)
- Process your subscription and provide customer support
- Generate AI-powered clinical notes, safety suggestions, and educational content using encrypted, BAA-protected data
- Personalize patient explanations using your optional personal profile (occupation, hobbies) to create relatable analogies
- Send important service updates, security alerts, and (for waitlist members) informational emails about Shepard
- Monitor for abuse, security threats, and service integrity
- Comply with legal obligations
We never:
- Sell your personal data, health data, or clinical data to any third party
- Share your data with advertisers or ad networks
- Use your data to build marketing profiles
- Use identifiable patient data for any purpose other than providing you the Shepard service
- Allow OpenAI or any third party to use your data for AI model training
6. Third-Party AI Processing (OpenAI)
Shepard uses OpenAI's API services as our AI processing provider for two distinct purposes:
- Audio Transcription: Using OpenAI's gpt-4o-mini-transcribe model to convert encounter audio into text
- Note Generation & AI Features: Using GPT-4.1-mini to generate clinical notes, summaries, safety suggestions, educational content, and patient Q&A responses under our BAA with OpenAI
6.1 What Data is Sent to OpenAI
- Encrypted audio recordings are sent to OpenAI for speech-to-text transcription. OpenAI processes the audio ephemerally and discards it immediately after returning the transcript
- Encrypted encounter text: after transcription, encounter text is transmitted securely over TLS to OpenAI for note generation under our signed Business Associate Agreement
- Patient questions submitted through the "Ask Shepard" feature
- All data sent to OpenAI is transmitted securely over TLS and processed under our BAA — OpenAI does not retain, store, or train on your data
6.2 How OpenAI Handles Your Data
Business Associate Agreement (BAA): Shepard Health maintains a signed Business Associate Agreement (BAA) with OpenAI. Under this agreement, OpenAI is contractually obligated to handle any data it receives from Shepard in compliance with HIPAA requirements, including maintaining appropriate administrative, physical, and technical safeguards.
Under our agreement with OpenAI:
- No Data Retention: OpenAI processes data ephemerally (in real-time) and does not store input or output data after generating the response. Data is processed and immediately discarded
- No Model Training: Your data is never used to train, improve, or fine-tune OpenAI's models. This is contractually guaranteed under both our BAA and OpenAI's API data usage policy
- No Third-Party Sharing: OpenAI does not share, sell, or distribute your data to any third party
- Encrypted Transmission: All data transmitted between Shepard's servers and OpenAI's API is encrypted using TLS 1.3
- SOC 2 Type II Certified: OpenAI maintains SOC 2 Type II certification, demonstrating adherence to rigorous security, availability, and confidentiality standards
6.3 Why We Use OpenAI
We selected OpenAI as our AI processing provider because of their commitment to enterprise data privacy, their willingness to execute a BAA for healthcare use cases, their zero-data-retention API policy, and the quality of their clinical text processing capabilities. We continuously evaluate our AI provider relationships to ensure they meet the highest standards of data protection.
7. Other Third-Party Services
In addition to OpenAI, we use the following third-party services:
- Apple App Store: For app distribution and subscription payment processing. Apple processes your payment information directly; we receive only subscription status and tier, never payment card details
- Resend: For transactional email delivery (account confirmations, waitlist communications). We share only your email address and first name for email delivery purposes
- Cloud Infrastructure (Replit/Neon): For secure, encrypted hosting and database storage. All data at rest is encrypted using AES-256-GCM
All third-party service providers are bound by data processing agreements and are required to maintain appropriate security measures consistent with industry standards.
8. Data Sharing Summary
| Recipient | Data Shared | Purpose | Safeguards |
|---|---|---|---|
| OpenAI | Encrypted audio (for transcription) and encounter text (for note generation), all under BAA | Audio transcription, AI note generation, clinical summaries, patient Q&A | BAA, zero retention, no model training, TLS 1.3, SOC 2 Type II |
| Apple | Subscription purchase data | Payment processing | Apple's privacy standards, no clinical data shared |
| Resend | Email address, first name | Transactional email delivery | Data processing agreement, TLS encryption |
| Advertisers | None. We do not share any data with advertisers. Ever. | | |
9. Your Rights and Choices
You have the right to:
- Access: Request a copy of your personal data at any time through the App's Settings screen or by contacting us
- Correction: Update or correct inaccurate information through the App or by contacting us
- Deletion: Delete your account and all associated data. Account deletion includes a 60-day grace period during which you can reactivate by logging in. After 60 days, all data is permanently erased
- Data Export: Export your data in a machine-readable format through the App's privacy settings
- Withdraw Consent: You may withdraw consent for AI processing at any time by discontinuing use of the App
- Opt Out of Communications: Unsubscribe from non-essential emails at any time
To exercise these rights, contact us at privacy@shepardhealth.ai. We will respond to all requests within 30 days.
10. Security Measures
We implement comprehensive security measures including:
- TLS 1.3 encryption for all data in transit
- AES-256-GCM encryption for all data at rest
- JWT-based authentication with secure token management
- iOS Secure Enclave / Expo SecureStore for on-device credential storage
- Tamper-evident audit logging for security and compliance monitoring
- Role-based access controls
- Automatic session management and token expiration
- HTML injection protection and input validation on all endpoints
- Rate limiting on API endpoints to prevent abuse
11. HIPAA Compliance
Shepard is designed with privacy-first principles that protect all PHI through encryption and BAA-covered infrastructure. Our architecture ensures that all data is encrypted at rest using AWS KMS and in transit using TLS, with signed Business Associate Agreements across the entire processing pipeline.
Key compliance features:
- AWS KMS envelope encryption (AES-256-GCM) for all clinical content at rest
- Business Associate Agreements (BAAs) with AWS and OpenAI
- Encryption at rest (AES-256-GCM with KMS) and in transit (TLS 1.3)
- Tamper-evident audit logging
- Data retention policies with automatic cleanup
- Account deletion with verified data purge
For organizations requiring additional compliance documentation, please contact us at compliance@shepardhealth.ai.
12. Children's Privacy
The App is intended for use by healthcare professionals (18+) and adult patients. We do not knowingly collect personal information from individuals under 18 years of age. If we discover that we have inadvertently collected data from a minor, we will promptly delete it.
13. International Data Transfers
Your information may be processed in the United States or other countries where our service providers operate. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses where required by applicable law (e.g., GDPR).
14. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes through the App, by email, or by posting a prominent notice on our website. The "Last updated" date at the top of this policy indicates when it was most recently revised. Your continued use of the App after such changes constitutes acceptance of the updated policy.
15. Contact Us
If you have questions about this Privacy Policy, our data practices, or wish to exercise your data rights, please contact us:
Privacy Inquiries: privacy@shepardhealth.ai
Compliance: compliance@shepardhealth.ai
General Support: support@shepardhealth.ai