Privacy Policy

Effective Date: March 1, 2025 | Version 3.0 — Revised March 2026

NarrateEMS Inc. is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and how we protect it when you use our Service.

Our Service is architected to minimize server-side data exposure. We do not store patient care records or narrative content on our servers.

1. What We Collect — and What We Don't

What We DO Collect (Stored Server-Side)

  • Account information: name, email address, professional credentials.
  • Agency information: agency name, agency code, admin user ID.
  • Subscription and billing metadata: subscription status, Stripe customer ID. Stripe processes payment card details directly — we do not store card numbers.
  • Basic technical logs for service stability. In production, no patient data or transcript content is included in logs.

What We Do NOT Store Server-Side

  • Raw audio recordings: Voice input is transcribed locally within your browser. Raw audio is never captured or transmitted by NarrateEMS.
  • Text transcripts and session data: Narrative transcripts and extracted clinical data (including chief complaints, diagnoses, vital signs, and patient care narratives) are stored temporarily in the browser's local extension storage (chrome.storage.local) on the user's device during session processing. This data is stored locally on the device only — it is never transmitted to or written to NarrateEMS servers or databases. It persists on the device until the user manually resets their session using the Reset function in the extension. NarrateEMS cannot access, retrieve, or delete this locally stored data remotely.
  • Patient records: No patient identifiers, clinical information, or ePCR content is stored in NarrateEMS databases.

In plain terms: patient information processed through NarrateEMS lives temporarily on the provider's device only. NarrateEMS does not build or maintain a database of patient records.

2. How We Use the Information We Collect

  • Provision and manage your access to the Service.
  • Process payments and manage subscriptions via Stripe.
  • Communicate with you about your account, updates, and support.
  • Comply with legal obligations.

We do NOT use patient data or transcript content for AI model training. We do NOT sell any data to third parties.

3. How Transcript Content Is Processed

  • Your browser's Speech API converts audio to text locally on the device.
  • The text transcript is stored in the browser's local extension storage on your device and transmitted through our backend infrastructure (Supabase Edge Functions), which forwards it to our AI providers for documentation generation.
  • The AI providers return structured documentation fields — including chief complaints, clinical assessments, vital signs, and narrative content — which are stored in chrome.storage.local on your device and used to populate the ePCR form.
  • None of this data is written to NarrateEMS servers or databases at any point. It resides on the local device only and persists until the user manually resets their session.

4. Data Storage and Security

  • Storage infrastructure: Supabase (PostgreSQL).
  • Encryption at rest: AES-256 encryption at the infrastructure level via Supabase platform defaults.
  • Encryption in transit: All data is encrypted using TLS/SSL.
  • Access controls: Database access is restricted to authorized NarrateEMS personnel. Data is isolated by agency.
  • Logging: NarrateEMS does not currently log patient data or transcript content. Any future logging of such data will be conducted exclusively through HIPAA-compliant services with appropriate safeguards.

5. Third-Party Subprocessors

ProviderPurposeData ReceivedPHI Exposure
Microsoft Azure OpenAIField extraction and documentation generationText transcript + system promptYes — HIPAA DPA executed.
GroqPage relevance classificationText transcript + system promptYes — BAA in Groq ToS (eff. Oct 15, 2025).
SupabaseDatabase, auth, API proxyAccount/subscription data; transcript in-memory transit onlyTransit only — not persisted.
StripeBilling and payment processingUser ID, email, subscription metadata onlyNo — no clinical data.

NarrateEMS does not permit subprocessors to use your data for their own purposes or for AI model training.

6. Data Retention

Account and subscription records are retained for the duration of your active account and for a reasonable period thereafter. Transcript content and extracted clinical session data are stored locally on the user's device only and are not held on NarrateEMS servers. Deletion of your NarrateEMS account affects only account and subscription records.

To request deletion of your account and associated records, contact narrateems@gmail.com. Requests are processed within thirty (30) days.

7. HIPAA

  • We implement safeguards to protect PHI during transit, including TLS encryption.
  • We do not persist PHI in our databases.
  • Covered Entities must execute a Business Associate Agreement (BAA) with NarrateEMS before using the Service with any PHI.
  • We will notify you of any confirmed breach of unsecured PHI in accordance with the HIPAA Breach Notification Rule.

8. Your Rights

You may request access to, correction of, or deletion of personal information we hold (account and subscription data). Contact narrateems@gmail.com. We respond within thirty (30) days.

9. Changes to This Policy

Material changes will be communicated by email or a Service notice at least 14 days before taking effect.

10. Contact

NarrateEMS

Email: narrateems@gmail.com

Website: www.narrateems.com

© 2025 NarrateEMS Inc. All rights reserved.