Privacy Policy
Last Updated: February 2026
1. Introduction
Grounded Scribe Pty Ltd (ABN 69 695 177 818) ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered clinical documentation platform ("Service").
This policy applies to all users of Grounded Scribe, including individual practitioners, organisational accounts, and any person whose information may be incidentally included in clinical documentation created using our Service.
By using our Service, you consent to the collection, use, and disclosure of your information in accordance with this Privacy Policy.
1.1 About Us
Grounded Scribe is an AI-powered clinical documentation platform designed for health professionals and educators. Our AI Scribe feature enables practitioners to record clinical sessions and automatically generate professional clinical notes.
1.2 Applicable Laws
We comply with:
- Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
- Privacy and Data Protection Act 2014 (Vic)
- Health Records Act 2001 (Vic)
- Notifiable Data Breaches scheme
2. Definitions
- Practitioner: A registered health professional or educator who subscribes to and uses Grounded Scribe.
- Client: An individual whose session is recorded and transcribed using Grounded Scribe (e.g., patient, student, supervisee).
- Session Data: Audio recordings, transcripts, and clinical notes generated through our service.
- Personal Information: Information or an opinion about an identified individual, or an individual who is reasonably identifiable.
3. Information We Collect
3.1 Account Information
When you create an account, we collect:
- Full name
- Email address
- Password (stored in encrypted form only)
- Profession/role
- Organisation name (if applicable)
3.2 Clinical Documentation
When you use our Service to create clinical documentation, we process:
- Audio recordings of sessions (temporarily, for transcription purposes only)
- Transcripts generated from audio recordings
- Clinical notes generated by our AI system
- Client/patient information you choose to record
- Session metadata (date, type, duration)
Audio recordings are deleted immediately upon successful transcription and are never permanently stored.
3.3 Technical Information
We automatically collect certain technical information:
- IP address
- Browser type and version
- Device information
- Usage patterns
- Session timestamps
3.4 Payment Information
For paid subscriptions, payment processing is handled by a PCI DSS compliant third-party payment processor. We do not store complete credit card details.
3.5 Information We Do NOT Collect
We do not collect:
- Biometric data (facial recognition, fingerprints, voice biometrics)
- Location data (GPS tracking, geolocation)
- Student information directly (we are a tool for practitioners)
4. How We Use Your Information
4.1 Service Delivery
- Process audio recordings to generate transcriptions
- Generate AI-powered clinical notes from transcripts
- Store and retrieve your clinical documentation
- Provide access to assessment tools and templates
4.2 Account Management
- Create and manage your user account
- Authenticate your identity when you log in
- Process subscription payments
- Provide customer support
4.3 Service Improvement
- Analyse aggregate usage patterns to improve our Service
- Identify and fix technical issues
- Develop new features and functionality
4.4 Communication
- Send essential service notifications
- Respond to your enquiries and support requests
- Provide important updates about our Service
4.5 What We Do NOT Use Your Information For
We do not:
- Sell your personal information to third parties
- Use your data for marketing purposes without consent
- Create user profiles for advertising
- Train AI models on your clinical data
- Share your data with third parties for their own purposes
- Engage in behavioural profiling or tracking for advertising or third-party data sharing (see Section 11 for the aggregate engagement metrics we collect on our public marketing pages only)
4.6 Marketing Communications
As an account holder, you may occasionally receive emails about new features, product updates, and special offers relating to the Service. We rely on your existing relationship with us as the basis for these messages (consistent with the Spam Act 2003 (Cth)), and every such email includes a one-click unsubscribe link. You can opt out at any time from that link or from Settings → Notifications → Product News & Offers. Opting out never affects essential account emails (billing, security, trial status), which are not marketing and cannot be disabled while your account is active. We never sell your information or share it with third parties for their own marketing.
5. Data Storage and Processing
5.1 Australian Data Storage
All personal information, including clinical notes, transcripts, and user data, is stored in Australia on servers located in Australian data centres. Your data remains under Australian jurisdiction and is protected by Australian privacy laws.
5.2 AI Processing
Audio recordings are briefly processed overseas for transcription by a specialist provider with zero data retention. Clinical note generation, note modification, and AI-assisted documentation are then processed in Australian data centres (Sydney). Transcription data is processed in real-time and not retained.
AI phone reception calls are handled the same way: call audio is processed in real-time and is not retained, and any call recording is transcribed and then immediately and permanently deleted. Only the resulting text transcript and call summary are stored — encrypted, in Australia.
Safeguards we maintain:
- All AI providers that process your data hold SOC 2 Type II certification
- Providers operate under zero-retention policies — no audio or data is stored after processing
- Your data is never used to train, fine-tune, or improve AI models
- All data is encrypted in transit using TLS 1.3
- Providers operate under contractual terms (including data processing agreements) that include purpose limitation, security obligations, and breach notification requirements
No audio or clinical data is stored overseas. Note generation is performed in Australia, and clinical notes are stored on encrypted Australian servers.
5.3 Data Location Summary
| Component | Location |
|---|---|
| Database (accounts, notes, transcripts) | Australia (Sydney region) |
| Application hosting | Australia (Sydney region) |
| Audio processing (transcription) | United States (real-time, not stored) |
| Phone reception audio (AI receptionist) | United States (real-time; any recording deleted after transcription) |
| Call transcripts & summaries | Australia (Sydney region) |
| AI note generation | Australia (Sydney, real-time, not stored) |
5.4 Encryption
- In Transit: TLS 1.3 encryption for all data transmission
- At Rest: AES-256 encryption for all stored data
- Passwords: bcrypt hashing with salt (never stored in plain text)
5.5 Service Provider Certifications
Our service providers maintain independently audited security certifications appropriate to their service. Depending on the provider, these may include:
- SOC 2 Type II (independently audited security controls)
- ISO 27001 and IRAP (our Australian cloud infrastructure)
- PCI DSS Level 1 (payment card security, our payment processor)
Not every provider holds every certification, and these certifications are held by the providers — they do not mean Grounded Scribe itself is independently certified.
6. Disclosure of Personal Information
6.1 Third-Party Service Providers
We may disclose personal information to third-party service providers for the purposes of:
- Speech-to-text transcription services
- AI-powered note generation services
- Email delivery services
- Payment processing services
These providers process data for the specified purpose only and maintain appropriate security certifications. Audio and transcript data is processed in real-time and not retained by these providers. No clinical data is stored by any third-party service provider.
6.2 Legal Requirements
We may disclose your information if required by law or in response to valid requests by public authorities.
6.3 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership.
6.4 No Sale of Data
We will not sell, rent, or trade your personal information to third parties for their marketing purposes.
6.5 Service Provider Safeguards
All service providers are bound by data processing agreements that include purpose limitation, security obligations, breach notification requirements, and restrictions on further sub-processing. Audio and transcript data processed by AI and transcription providers is handled in real-time and is not retained after processing. No service provider uses clinical data for model training. Further details about our service providers are available to customers on request.
7. Data Security
We implement appropriate technical and organisational measures to protect personal information against unauthorised access, disclosure, or loss. These measures include:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Role-based access controls
- Strong password requirements with complexity enforcement
- Session timeout after periods of inactivity
- Failed login attempt monitoring
- Audit logging of all data access
- Regular security assessments
- Incident response procedures
Our cloud infrastructure provider maintains comprehensive security certifications including ISO 27001, SOC 2, and relevant government compliance certifications.
8. Data Retention
8.1 Retention Periods
| Data Type | Retention Period |
|---|---|
| Audio recordings (clinical sessions and phone reception calls) | Deleted immediately after successful transcription |
| Transcripts, clinical notes, and call summaries | Duration of subscription (user-controlled deletion available) |
| Account information | While account is active |
| Audit logs | 7 years (legal compliance requirement) |
8.2 Subscription Cancellation
If you cancel your paid subscription or choose not to renew, your account reverts to the free plan. All your data (client records, session notes, transcripts, assessments) is retained and accessible within free plan limits. No data is deleted as a result of subscription cancellation.
8.3 Account Deletion
We do not automatically delete accounts or clinical data. Account deletion only occurs when you explicitly request it by emailing us. There are no automated deletion workflows.
When you request permanent account deletion:
- We confirm your request and provide a 30-day export window
- You export your own data directly from within the application using self-service export tools (JSON, CSV, PDF formats) — we do not access or handle your clinical data during this process
- After the 30-day window, we manually and permanently delete all account data
- We send you written confirmation by email that deletion has been completed
- Audit logs may be retained for legal compliance purposes
For inactive accounts (12 months with no activity), we may contact you by email to confirm you wish to keep your account active. No data is deleted without your explicit written confirmation. See our Terms of Service for full details.
8.4 User-Controlled Deletion
Users can delete individual sessions, clients, and notes directly within the application at any time. Individual record deletions are processed immediately.
9. Your Rights
Under the Australian Privacy Principles, you have the right to:
9.1 Access
You can request access to the personal information we hold about you. You can view and download your data through the web interface in PDF, JSON, or CSV formats.
9.2 Correction
You can request correction of any inaccurate or incomplete information. You can edit and update information at any time through your account.
9.3 Deletion
You can request deletion of your personal information, subject to legal requirements.
9.4 Data Portability
You can request a copy of your data in commonly used formats.
9.5 Withdrawal of Consent
You can withdraw your consent at any time by closing your account.
9.6 Complaint
You can lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC).
10. Practitioner Obligations
Practitioners using Grounded Scribe are responsible for:
- Obtaining valid informed consent from clients before recording sessions
- Complying with their own professional and legal obligations regarding health records and privacy
- Ensuring appropriate use of AI-generated clinical notes in accordance with professional standards
- Maintaining the confidentiality of login credentials and account access
We provide consent form templates to assist Practitioners in meeting their obligations, but Practitioners remain responsible for ensuring consent is appropriately obtained.
11. Cookies and Analytics
11.1 Essential Cookies
We use essential cookies for authentication, security, and preferences. These are necessary for the Service to function properly.
11.2 Analytics
We use Google Analytics 4 (GA4) on our public marketing pages (groundedscribe.com homepage, blog, pricing, tools, resources, vertical landing pages, and similar). GA4 collects standard web analytics signals — page views, traffic source, country, device category — plus a small set of engagement events we instrument ourselves: scroll depth, outbound link clicks, blog read progress, and conversion CTA clicks. None of this data is linked to an individual user's identity.
We do not run GA4 on authenticated pages or any page displaying client information. Pages under our application surface (dashboard, clients, sessions, admin, portal, settings, supervision, and other authenticated areas) are excluded from public-site analytics by a route guard in our application code.
We also collect Core Web Vitals (LCP, INP, CLS, FCP, TTFB) on all pages to monitor performance. These are anonymous performance measurements and do not identify users.
11.3 No Third-Party Advertising
We do not use third-party advertising cookies or any advertising tracking technology.
12. Children's Privacy
Grounded Scribe is designed for use by adult professionals and is not intended for use by children under 18 years of age.
Practitioners using our Service to document sessions involving minors are responsible for ensuring appropriate consent has been obtained in accordance with their professional obligations and applicable legislation.
13. Third-Party Service Providers (APP 8)
Clinical note generation is performed in Australian data centres. Audio is briefly sent overseas for transcription only (with zero data retention) and is then deleted — no audio or clinical records are stored overseas. Some non-clinical services — email delivery and payment processing — are provided by sub-processors based in the United States, so limited personal information (such as your email address and billing details) may be disclosed to recipients in the United States.
We take reasonable steps to ensure all service providers handle personal information in accordance with the Australian Privacy Principles. These steps include:
- Selecting providers with independently audited security controls (SOC 2 Type II)
- Ensuring contractual protections are in place, including data processing agreements with purpose limitation, zero-retention, and breach notification obligations
- Verifying that no clinical data is retained by providers after processing
- Conducting due diligence on provider security practices and certifications
- Ensuring no clinical data is used for AI model training by any provider
A complete list of our sub-processors and their data handling practices is available to customers on request by contacting privacy@groundedscribe.com.
14. Data Breach Notification
In the event of a data breach that is likely to result in serious harm, we will:
- Notify affected users within 24 hours of becoming aware of the breach
- Provide a detailed assessment report within 72 hours
- Notify the Office of the Australian Information Commissioner as soon as practicable, and complete assessment within 30 days of becoming aware (as required under the Notifiable Data Breaches scheme)
- Take immediate steps to contain and remediate the breach
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through our service. The updated policy will be effective from the date stated at the top of the policy.
16. Complaints
If you believe we have breached the Australian Privacy Principles or have a complaint about our handling of your personal information, please contact us using the details below. We will investigate your complaint and respond within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.
17. Contact Us
If you have any questions about this Privacy Policy or our privacy practices, please contact us:
Grounded Scribe Pty Ltd
ABN: 69 695 177 818
Privacy Enquiries: privacy@groundedscribe.com
General Enquiries: support@groundedscribe.com
Phone: (03) 4422 2255
Website: www.groundedscribe.com
Appendix A: Client Consent Form Template
The following template is provided to assist Practitioners in obtaining informed consent from clients. Practitioners should adapt this template to suit their specific practice requirements and professional obligations.
AI RECORDING & DOCUMENTATION CONSENT
This practice uses an AI tool called Grounded Scribe to help write clinical notes. Please read the points below before signing.
With your consent
- Your session will be audio recorded.
- The recording is sent securely to an AI service for transcription, then deleted within minutes — the audio is not kept.
- The AI helps your practitioner draft your clinical notes from the transcript.
- Your practitioner reviews every note before it goes into your record.
- Your practitioner may also ask the AI questions about your care — for example, to summarise progress or draft a letter. The AI reads only notes your practitioner has already finalised.
- Your data is never used to train AI models.
- All clinical decisions stay with your practitioner.
Where your information is stored
Transcription happens overseas with a trusted provider, and the audio is deleted straight after. Your clinical notes and records are stored only on Australian servers.
Your Rights
- Withdraw consent at any time. Your care will not be affected.
- Request alternative recording or note-keeping methods.
- Request access to your information under the Australian Privacy Principles.
I consent to audio recording and AI-assisted documentation as described above
I do not consent
Client Name:
Signature:
Date:
Version 3.0
Appendix B: Data Flow Summary
This appendix provides a visual summary of how data flows through Grounded Scribe.
| Stage | Location | Duration | Data Retained |
|---|---|---|---|
| 1. Recording | Practitioner device | During session | Temporary |
| 2. Upload | Australia (encrypted) | Seconds | No |
| 3. Transcription | United States | Minutes | No (zero retention) |
| 4. Note Generation | Australia (Sydney) | Seconds | No (zero retention) |
| 5. Storage | Australia | Persistent | Yes (encrypted) |
Key Points
- All persistent data storage is in Australia
- Overseas processing is transient only (zero retention)
- All transfers encrypted with TLS 1.3
- Service providers are SOC 2 Type II certified with zero data retention