Privacy Policy
This Privacy Policy describes how Aduvera collects, uses, stores, discloses, and deletes personal data when clinicians, staff members, and customers use Aduvera's website and documentation workspace.
Last updated March 13, 2026 | Applies inside and outside the US
Scope and roles
This Privacy Policy applies to Aduvera's public website, authenticated workspace, support interactions, and related APIs. In most customer deployments, the customer decides what patient, employee, or business information is submitted to the service. In those cases, the customer is the controller or business, and Aduvera acts as a processor or service provider on the customer's behalf.
Aduvera acts as a business associate only where required by law and only after Aduvera and the customer execute a separate business associate addendum for HIPAA-governed workflows. Aduvera's Google Cloud HIPAA BAA is now in place, but HIPAA compliance still depends on the actual workflow, configuration, access controls, and customer practices.
Information we collect
- Account and identity data: name, email address, Firebase or Google account identifiers, profile image URL, and authentication state.
- Workspace and consultation data: patient names, transcripts, manual notes, generated notes, citation mappings, patient summaries, encounter titles, and related clinical workflow content submitted by the customer.
- Audio and transcription inputs: live microphone recordings and temporary uploaded audio objects used to obtain transcription results.
- Security and usage data: request IDs, timestamps, API action metadata, browser/device details, rate-limit events, and hashed IP values in audit records.
- Support and contracting data: information customers provide in security, procurement, or legal communications.
How we collect information
- Directly from users and customers when they sign in, record, type, or upload data.
- Automatically from service use, security monitoring, and authentication events.
- From customer administrators, referral sources, or support contacts acting on behalf of a customer.
How we use information
- To authenticate users and provide access to the workspace.
- To transcribe visits and generate requested draft documentation and summaries.
- To store, retrieve, update, export, and delete consultation records.
- To secure the service, prevent abuse, investigate incidents, and maintain audit trails.
- To comply with legal obligations and enforce our contracts.
- To communicate with customers about support, privacy, security, and contract matters.
Legal bases for EEA, UK, and Swiss data
Where GDPR, UK GDPR, or similar laws apply, Aduvera relies on the following legal bases as relevant to the processing activity:
- Performance of a contract with the customer or the user.
- Legitimate interests in securing, administering, and improving the service.
- Compliance with legal obligations, including incident handling and recordkeeping.
- Consent where a specific processing activity legally requires consent.
AI processing and model-use statement
Aduvera uses Google Vertex AI to process submitted prompts, consultation text, and temporary audio in order to provide transcription, note generation, citation retrieval, and patient-summary features. Aduvera does not sell this data, does not use it for targeted advertising, and does not use customer data to train a proprietary Aduvera model.
Aduvera uses customer data only to provide and secure the requested service. Google documents that customer data sent to Vertex AI is not used to train or fine-tune Google foundation models without customer permission or instruction. Customers remain responsible for deciding whether their own use case requires additional restrictions before uploading regulated data.
Disclosure of information
Aduvera discloses information to subprocessors and service providers that support hosting, storage, identity, AI processing, logging, and monitoring, as described on the Subprocessors page. Aduvera may also disclose information:
- To comply with law, regulation, court order, or lawful government request.
- To protect rights, safety, or security, or to prevent fraud or abuse.
- In connection with a merger, financing, acquisition, or other corporate transaction.
- To professional advisers under duties of confidentiality.
Aduvera does not sell personal information and does not share personal information for cross-context behavioral advertising.
Retention and deletion
Temporary uploaded audio is deleted after successful transcription by default. Persisted consultation records are subject to a documented lifecycle:
- Active consultation records are retained for up to 30 days after the most recent update.
- Records are then soft-deleted and queued for permanent purge.
- Permanent purge occurs after an additional 7-day grace period, unless a legal hold prevents deletion.
- Some residual copies may persist in encrypted backups or disaster-recovery media until those systems rotate out under infrastructure retention rules.
Cookies, local storage, and similar technologies
Aduvera does not use advertising cookies. Aduvera uses limited essential browser storage and cookies to support authentication handoff and sign-in continuity, including an auth hint cookie and local-storage values for Firebase sign-in state, pending magic-link email address, and onboarding-dismissal state.
International transfers
Aduvera is operated from the United States and uses processors that may process data in the United States and other countries where those providers operate. Where required, Aduvera's DPA is designed to incorporate appropriate transfer safeguards, including SCC-based controller-to-processor and processor-to-processor language and UK transfer addendum terms where applicable.
Your rights
Depending on where you are located and the role Aduvera plays in the processing, you may have rights to access, correct, delete, restrict, object to, or export personal data, and to appeal certain decisions. Customers should submit rights requests involving customer workspace data through their own account administrator first, because Aduvera usually acts as processor for that data.
California and other US state privacy laws may grant rights to know, access, correct, delete, and appeal. EEA, UK, and Swiss laws may grant rights of access, rectification, erasure, restriction, objection, portability, and the right to complain to a supervisory authority.
Children and medical responsibility
Aduvera is intended for professional and business use, not for direct use by children. Aduvera does not provide medical advice and does not replace clinician review, patient consent processes, or professional judgment. Customers are responsible for determining whether they have an appropriate legal basis and all necessary notices or consents before recording or uploading information about patients or staff.
Contact us
Privacy requests and legal notices may be sent to [email protected] or [email protected]. Security reports may be sent to [email protected].