Back to Home

Privacy Policy

Last Updated: February 2026

1. Introduction

Grounded Scribe Pty Ltd (ABN 69 695 177 818) ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered clinical documentation platform ("Service").

This policy applies to all users of Grounded Scribe, including individual practitioners, organisational accounts, and any person whose information may be incidentally included in clinical documentation created using our Service.

By using our Service, you consent to the collection, use, and disclosure of your information in accordance with this Privacy Policy.

1.1 About Us

Grounded Scribe is an AI-powered clinical documentation platform designed for health professionals and educators. Our AI Scribe feature enables practitioners to record clinical sessions and automatically generate professional clinical notes.

1.2 Applicable Laws

We comply with:

  • Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
  • Privacy and Data Protection Act 2014 (Vic)
  • Health Records Act 2001 (Vic)
  • Notifiable Data Breaches scheme

2. Definitions

  • Practitioner: A registered health professional or educator who subscribes to and uses Grounded Scribe.
  • Client: An individual whose session is recorded and transcribed using Grounded Scribe (e.g., patient, student, supervisee).
  • Session Data: Audio recordings, transcripts, and clinical notes generated through our service.
  • Personal Information: Information or an opinion about an identified individual, or an individual who is reasonably identifiable.

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

  • Full name
  • Email address
  • Password (stored in encrypted form only)
  • Profession/role
  • Organisation name (if applicable)

3.2 Clinical Documentation

When you use our Service to create clinical documentation, we process:

  • Audio recordings of sessions (temporarily, for transcription purposes only)
  • Transcripts generated from audio recordings
  • Clinical notes generated by our AI system
  • Client/patient information you choose to record
  • Session metadata (date, type, duration)

Audio recordings are deleted immediately upon successful transcription and are never permanently stored.

3.3 Technical Information

We automatically collect certain technical information:

  • IP address
  • Browser type and version
  • Device information
  • Usage patterns
  • Session timestamps

3.4 Payment Information

For paid subscriptions, payment processing is handled by a PCI DSS compliant third-party payment processor. We do not store complete credit card details.

3.5 Information We Do NOT Collect

We do not collect:

  • Biometric data (facial recognition, fingerprints, voice biometrics)
  • Location data (GPS tracking, geolocation)
  • Student information directly (we are a tool for practitioners)

4. How We Use Your Information

4.1 Service Delivery

  • Process audio recordings to generate transcriptions
  • Generate AI-powered clinical notes from transcripts
  • Store and retrieve your clinical documentation
  • Provide access to assessment tools and templates

4.2 Account Management

  • Create and manage your user account
  • Authenticate your identity when you log in
  • Process subscription payments
  • Provide customer support

4.3 Service Improvement

  • Analyse aggregate usage patterns to improve our Service
  • Identify and fix technical issues
  • Develop new features and functionality

4.4 Communication

  • Send essential service notifications
  • Respond to your enquiries and support requests
  • Provide important updates about our Service

4.5 What We Do NOT Use Your Information For

We do not:

  • Sell your personal information to third parties
  • Use your data for marketing purposes without consent
  • Create user profiles for advertising
  • Train AI models on your clinical data
  • Share your data with third parties for their own purposes
  • Engage in behavioural profiling or tracking for advertising or third-party data sharing (see Section 11 for the aggregate engagement metrics we collect on our public marketing pages only)

4.6 Marketing Communications

As an account holder, you may occasionally receive emails about new features, product updates, and special offers relating to the Service. We rely on your existing relationship with us as the basis for these messages (consistent with the Spam Act 2003 (Cth)), and every such email includes a one-click unsubscribe link. You can opt out at any time from that link or from Settings → Notifications → Product News & Offers. Opting out never affects essential account emails (billing, security, trial status), which are not marketing and cannot be disabled while your account is active. We never sell your information or share it with third parties for their own marketing.

5. Data Storage and Processing

5.1 Australian Data Storage

All personal information, including clinical notes, transcripts, and user data, is stored in Australia on servers located in Australian data centres. Your data remains under Australian jurisdiction and is protected by Australian privacy laws.

5.2 AI Processing

Audio recordings are briefly processed overseas for transcription by a specialist provider with zero data retention. Clinical note generation, note modification, and AI-assisted documentation are then processed in Australian data centres (Sydney). Transcription data is processed in real-time and not retained.

AI phone reception calls are handled the same way: call audio is processed in real-time and is not retained, and any call recording is transcribed and then immediately and permanently deleted. Only the resulting text transcript and call summary are stored — encrypted, in Australia.

Safeguards we maintain:

  • All AI providers that process your data hold SOC 2 Type II certification
  • Providers operate under zero-retention policies — no audio or data is stored after processing
  • Your data is never used to train, fine-tune, or improve AI models
  • All data is encrypted in transit using TLS 1.3
  • Providers operate under contractual terms (including data processing agreements) that include purpose limitation, security obligations, and breach notification requirements

No audio or clinical data is stored overseas. Note generation is performed in Australia, and clinical notes are stored on encrypted Australian servers.

5.3 Data Location Summary

ComponentLocation
Database (accounts, notes, transcripts)Australia (Sydney region)
Application hostingAustralia (Sydney region)
Audio processing (transcription)United States (real-time, not stored)
Phone reception audio (AI receptionist)United States (real-time; any recording deleted after transcription)
Call transcripts & summariesAustralia (Sydney region)
AI note generationAustralia (Sydney, real-time, not stored)

5.4 Encryption

  • In Transit: TLS 1.3 encryption for all data transmission
  • At Rest: AES-256 encryption for all stored data
  • Passwords: bcrypt hashing with salt (never stored in plain text)

5.5 Service Provider Certifications

Our service providers maintain independently audited security certifications appropriate to their service. Depending on the provider, these may include:

  • SOC 2 Type II (independently audited security controls)
  • ISO 27001 and IRAP (our Australian cloud infrastructure)
  • PCI DSS Level 1 (payment card security, our payment processor)

Not every provider holds every certification, and these certifications are held by the providers — they do not mean Grounded Scribe itself is independently certified.

6. Disclosure of Personal Information

6.1 Third-Party Service Providers

We may disclose personal information to third-party service providers for the purposes of:

  • Speech-to-text transcription services
  • AI-powered note generation services
  • Email delivery services
  • Payment processing services

These providers process data for the specified purpose only and maintain appropriate security certifications. Audio and transcript data is processed in real-time and not retained by these providers. No clinical data is stored by any third-party service provider.

6.2 Legal Requirements

We may disclose your information if required by law or in response to valid requests by public authorities.

6.3 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership.

6.4 No Sale of Data

We will not sell, rent, or trade your personal information to third parties for their marketing purposes.

6.5 Service Provider Safeguards

All service providers are bound by data processing agreements that include purpose limitation, security obligations, breach notification requirements, and restrictions on further sub-processing. Audio and transcript data processed by AI and transcription providers is handled in real-time and is not retained after processing. No service provider uses clinical data for model training. Further details about our service providers are available to customers on request.

7. Data Security

We implement appropriate technical and organisational measures to protect personal information against unauthorised access, disclosure, or loss. These measures include:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Role-based access controls
  • Strong password requirements with complexity enforcement
  • Session timeout after periods of inactivity
  • Failed login attempt monitoring
  • Audit logging of all data access
  • Regular security assessments
  • Incident response procedures

Our cloud infrastructure provider maintains comprehensive security certifications including ISO 27001, SOC 2, and relevant government compliance certifications.

8. Data Retention

8.1 Retention Periods

Data TypeRetention Period
Audio recordings (clinical sessions and phone reception calls)Deleted immediately after successful transcription
Transcripts, clinical notes, and call summariesDuration of subscription (user-controlled deletion available)
Account informationWhile account is active
Audit logs7 years (legal compliance requirement)

8.2 Subscription Cancellation

If you cancel your paid subscription or choose not to renew, your account reverts to the free plan. All your data (client records, session notes, transcripts, assessments) is retained and accessible within free plan limits. No data is deleted as a result of subscription cancellation.

8.3 Account Deletion

We do not automatically delete accounts or clinical data. Account deletion only occurs when you explicitly request it by emailing us. There are no automated deletion workflows.

When you request permanent account deletion:

  • We confirm your request and provide a 30-day export window
  • You export your own data directly from within the application using self-service export tools (JSON, CSV, PDF formats) — we do not access or handle your clinical data during this process
  • After the 30-day window, we manually and permanently delete all account data
  • We send you written confirmation by email that deletion has been completed
  • Audit logs may be retained for legal compliance purposes

For inactive accounts (12 months with no activity), we may contact you by email to confirm you wish to keep your account active. No data is deleted without your explicit written confirmation. See our Terms of Service for full details.

8.4 User-Controlled Deletion

Users can delete individual sessions, clients, and notes directly within the application at any time. Individual record deletions are processed immediately.

9. Your Rights

Under the Australian Privacy Principles, you have the right to:

9.1 Access

You can request access to the personal information we hold about you. You can view and download your data through the web interface in PDF, JSON, or CSV formats.

9.2 Correction

You can request correction of any inaccurate or incomplete information. You can edit and update information at any time through your account.

9.3 Deletion

You can request deletion of your personal information, subject to legal requirements.

9.4 Data Portability

You can request a copy of your data in commonly used formats.

9.5 Withdrawal of Consent

You can withdraw your consent at any time by closing your account.

9.6 Complaint

You can lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC).

10. Practitioner Obligations

Practitioners using Grounded Scribe are responsible for:

  • Obtaining valid informed consent from clients before recording sessions
  • Complying with their own professional and legal obligations regarding health records and privacy
  • Ensuring appropriate use of AI-generated clinical notes in accordance with professional standards
  • Maintaining the confidentiality of login credentials and account access

We provide consent form templates to assist Practitioners in meeting their obligations, but Practitioners remain responsible for ensuring consent is appropriately obtained.

11. Cookies and Analytics

11.1 Essential Cookies

We use essential cookies for authentication, security, and preferences. These are necessary for the Service to function properly.

11.2 Analytics

We use Google Analytics 4 (GA4) on our public marketing pages (groundedscribe.com homepage, blog, pricing, tools, resources, vertical landing pages, and similar). GA4 collects standard web analytics signals — page views, traffic source, country, device category — plus a small set of engagement events we instrument ourselves: scroll depth, outbound link clicks, blog read progress, and conversion CTA clicks. None of this data is linked to an individual user's identity.

We do not run GA4 on authenticated pages or any page displaying client information. Pages under our application surface (dashboard, clients, sessions, admin, portal, settings, supervision, and other authenticated areas) are excluded from public-site analytics by a route guard in our application code.

We also collect Core Web Vitals (LCP, INP, CLS, FCP, TTFB) on all pages to monitor performance. These are anonymous performance measurements and do not identify users.

11.3 No Third-Party Advertising

We do not use third-party advertising cookies or any advertising tracking technology.

12. Children's Privacy

Grounded Scribe is designed for use by adult professionals and is not intended for use by children under 18 years of age.

Practitioners using our Service to document sessions involving minors are responsible for ensuring appropriate consent has been obtained in accordance with their professional obligations and applicable legislation.

13. Third-Party Service Providers (APP 8)

Clinical note generation is performed in Australian data centres. Audio is briefly sent overseas for transcription only (with zero data retention) and is then deleted — no audio or clinical records are stored overseas. Some non-clinical services — email delivery and payment processing — are provided by sub-processors based in the United States, so limited personal information (such as your email address and billing details) may be disclosed to recipients in the United States.

We take reasonable steps to ensure all service providers handle personal information in accordance with the Australian Privacy Principles. These steps include:

  • Selecting providers with independently audited security controls (SOC 2 Type II)
  • Ensuring contractual protections are in place, including data processing agreements with purpose limitation, zero-retention, and breach notification obligations
  • Verifying that no clinical data is retained by providers after processing
  • Conducting due diligence on provider security practices and certifications
  • Ensuring no clinical data is used for AI model training by any provider

A complete list of our sub-processors and their data handling practices is available to customers on request by contacting privacy@groundedscribe.com.

14. Data Breach Notification

In the event of a data breach that is likely to result in serious harm, we will:

  • Notify affected users within 24 hours of becoming aware of the breach
  • Provide a detailed assessment report within 72 hours
  • Notify the Office of the Australian Information Commissioner as soon as practicable, and complete assessment within 30 days of becoming aware (as required under the Notifiable Data Breaches scheme)
  • Take immediate steps to contain and remediate the breach

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through our service. The updated policy will be effective from the date stated at the top of the policy.

16. Complaints

If you believe we have breached the Australian Privacy Principles or have a complaint about our handling of your personal information, please contact us using the details below. We will investigate your complaint and respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.

17. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us:

Grounded Scribe Pty Ltd

ABN: 69 695 177 818

Privacy Enquiries: privacy@groundedscribe.com

General Enquiries: support@groundedscribe.com

Phone: (03) 4422 2255

Website: www.groundedscribe.com

Appendix A: Client Consent Form Template

The following template is provided to assist Practitioners in obtaining informed consent from clients. Practitioners should adapt this template to suit their specific practice requirements and professional obligations.

AI RECORDING & DOCUMENTATION CONSENT

This practice uses an AI tool called Grounded Scribe to help write clinical notes. Please read the points below before signing.

With your consent

  • Your session will be audio recorded.
  • The recording is sent securely to an AI service for transcription, then deleted within minutes — the audio is not kept.
  • The AI helps your practitioner draft your clinical notes from the transcript.
  • Your practitioner reviews every note before it goes into your record.
  • Your practitioner may also ask the AI questions about your care — for example, to summarise progress or draft a letter. The AI reads only notes your practitioner has already finalised.
  • Your data is never used to train AI models.
  • All clinical decisions stay with your practitioner.

Where your information is stored

Transcription happens overseas with a trusted provider, and the audio is deleted straight after. Your clinical notes and records are stored only on Australian servers.

Your Rights

  • Withdraw consent at any time. Your care will not be affected.
  • Request alternative recording or note-keeping methods.
  • Request access to your information under the Australian Privacy Principles.

I consent to audio recording and AI-assisted documentation as described above

I do not consent

Client Name:

Signature:

Date:

Version 3.0

Appendix B: Data Flow Summary

This appendix provides a visual summary of how data flows through Grounded Scribe.

StageLocationDurationData Retained
1. RecordingPractitioner deviceDuring sessionTemporary
2. UploadAustralia (encrypted)SecondsNo
3. TranscriptionUnited StatesMinutesNo (zero retention)
4. Note GenerationAustralia (Sydney)SecondsNo (zero retention)
5. StorageAustraliaPersistentYes (encrypted)

Key Points

  • All persistent data storage is in Australia
  • Overseas processing is transient only (zero retention)
  • All transfers encrypted with TLS 1.3
  • Service providers are SOC 2 Type II certified with zero data retention
Privacy Policy — Data Protection & Compliance | Grounded Scribe