Privacy Policy

Effective: May 2, 2026
Last updated: May 2, 2026

Plexura AI Scribe (“Plexura,” “we,” “us,” or “our”) operates a clinical-documentation platform for licensed mental and behavioral health professionals. This Privacy Policy describes how we collect, use, disclose, and protect personal information — including Protected Health Information (“PHI”) as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) — when you visit plexura.ai, install our browser extension, or use the Plexura AI Scribe service (collectively, the “Service”).

This Privacy Policy applies in addition to our Terms of Service and HIPAA Compliance Statement. If you are a covered-entity provider (“Covered Entity”) using Plexura to create, receive, maintain, or transmit PHI on behalf of your patients, our handling of PHI is also governed by the Business Associate Agreement (“BAA”) executed between you and Plexura. Where this Privacy Policy and the BAA conflict, the BAA controls with respect to PHI.

1. Scope and Roles

Plexura processes personal information in two distinct capacities:

  • As a Business Associate. When you upload session audio, generate transcripts, or store clinical notes about your patients, you (the clinician or practice) are the Covered Entity and Plexura is your Business Associate under 45 C.F.R. § 160.103. We process PHI only on your documented instructions and for the limited purposes set out in your BAA with us.
  • As a Data Controller. When you visit our marketing site, sign up for an account, request a sales demo, or interact with our customer-support channels, Plexura determines the purposes and means of processing your information. This Privacy Policy describes that processing.

2. Information We Collect

2.1 Information You Provide Directly

  • Account information — full name, email address, hashed password (bcrypt with random per-user salt), professional role, time zone, organization name, NPI number (if submitted), and billing address.
  • Practice and team metadata — practice name, member roster, owner identity, invite tokens, EHR template selections, and EHR-extension custom configurations.
  • Patient records you create — patient identifiers (name, MRN if entered), demographics, session metadata, audio recordings (transient), AI-generated transcripts, clinical notes (SOAP, psychotherapy progress notes, psychiatric evaluations), diagnostic codes (ICD-10, DSM-5), and billing codes (CPT, E/M).
  • Communications — emails, support tickets, feedback you send to us, and free-text messages submitted through “Contact Sales” or other forms.
  • Payment information — payment-card details are submitted directly to Stripe, Inc. We do not store full card numbers on our servers; we receive a tokenized customer ID, the card brand, and the last four digits for display purposes.

2.2 Information Collected Automatically

  • Device and technical data — IP address, browser type and version, operating system, device identifiers, referring URL, pages visited, session duration, click events, and HTTP request headers.
  • Usage telemetry — feature interactions, template selections, EHR-push events (date, time, target EHR, success/failure), audit-log entries, and error reports.
  • Cookies and similar technologies — we use a minimal set of strictly-necessary cookies (session, authentication) and a single first-party analytics cookie. We do not use third-party advertising trackers, fingerprinting libraries, or session-replay tools that capture PHI fields.

2.3 Information Collected by the Browser Extension

Our browser extension, when installed and explicitly invoked by you, reads the DOM of the EHR tab solely to insert the note text into the active note field. It does not transmit EHR DOM content back to Plexura beyond the metadata required to confirm a successful push (target URL host, field selector key, success or error status). The extension never reads, exports, or transmits existing chart contents from the EHR.

3. How We Use Information

We use the information we collect for the following purposes:

  • Service delivery — to authenticate users, process audio into transcripts, generate AI-powered clinical notes, render previews, push notes to EHR systems via your browser extension, and store the resulting records under your account.
  • Account management — to create and maintain your account, deliver password-reset and magic-link emails, manage practice memberships, and process invitations.
  • Billing and subscription management — to create Stripe Checkout Sessions, manage recurring subscriptions, send invoice receipts and renewal confirmations, and handle dunning when payments fail.
  • Customer support — to respond to your support requests, troubleshoot errors, and fulfill individual rights requests.
  • Service improvement — to analyze aggregate, de-identified usage patterns. We do not use PHI to train AI models. Any model fine-tuning we perform uses only synthetic or fully anonymized data per 45 C.F.R. § 164.514(b).
  • Legal compliance and security — to maintain audit logs as required by HIPAA § 164.312(b), detect and investigate fraud or abuse, enforce our Terms of Service, and comply with subpoenas, court orders, and regulatory requests.

4. Legal Bases for Processing (EEA / UK Visitors)

For visitors located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR and UK GDPR:

  • Performance of a contract (Art. 6(1)(b)) for account creation, subscription billing, and core Service delivery.
  • Legitimate interests (Art. 6(1)(f)) for fraud prevention, security, audit logging, and Service analytics, balanced against your interests and rights.
  • Legal obligation (Art. 6(1)(c)) for tax recordkeeping, breach notification, and lawful production requirements.
  • Consent (Art. 6(1)(a)) for non-essential marketing communications, where required.
  • For special-category health data (Art. 9), we rely on Art. 9(2)(h) (provision of health or social care under a professional’s responsibility) as the operative condition, with safeguards described in this policy and the BAA.

5. How We Share Information

We disclose information only as described below. We do not sell, rent, or trade personal information or PHI.

5.1 Sub-processors

We rely on a limited set of trusted sub-processors to deliver the Service. Each sub-processor with PHI access has executed a HIPAA Business Associate Agreement with Plexura.

  • MongoDB, Inc. — managed Atlas database (United States). All collections are encrypted at rest with AES-256 and in transit with TLS 1.2+. BAA executed.
  • Stripe, Inc. — payment processing, subscription management, Billing Portal, invoicing, and PCI-DSS scope handling. We share customer email and billing address. We do not share PHI with Stripe. BAA on file.
  • OpenAI, L.L.C. — speech-to-text (Whisper) and large-language-model inference for AI-generated clinical notes. PHI is transmitted in encrypted transit only for the purpose of generating your note and is not used to train OpenAI’s public models per Plexura’s API agreement and zero-retention BAA terms.
  • Resend, Inc. — transactional email (welcome, dunning, password-reset, invoice-receipt). We share recipient email, display name, and email body. We do not embed PHI in marketing or transactional emails. BAA on file.
  • Emergent Cloud / Kubernetes infrastructure provider — container hosting, ingress load-balancing, and TLS termination. BAA on file.
  • Google Cloud Platform (where used by our underlying infrastructure provider) — storage and compute. BAA in place via the host provider’s contractual chain.

A current and complete sub-processor list is available upon request to info@plexura.ai. We will provide reasonable advance notice before adding a new sub-processor that handles PHI.

5.2 Within Your Practice

If you are a member of a practice on the Enterprise plan, information you create within that practice (patient records, sessions, notes, EHR templates) is visible to other members of the same practice in accordance with the role-based permissions your practice owner configures. Inviting a clinician adds them to the practice’s member roster and grants them visibility to patient records assigned to them.

5.3 Legal Disclosures

We may disclose information when required by law — for example, in response to a subpoena, court order, or other compulsory legal process, or where we have a good-faith belief that disclosure is necessary to (a) comply with a legal obligation, (b) protect the rights, property, or safety of Plexura, our users, patients, or the public, or (c) detect, prevent, or address fraud, security, or technical issues. Where the disclosure is of PHI, we will follow the minimum-necessary rule and notify the affected Covered Entity unless prohibited from doing so.

5.4 Business Transfers

In the event of a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information may be transferred to the acquirer subject to the same protections described in this Privacy Policy and the BAA. We will notify you of any such change and your options.

6. Data Retention

We retain different categories of data for different periods:

  • Audio recordings — processed in memory for transcription and deleted from disk within minutes of upload completion. We do not persist audio beyond the time required to produce the transcript.
  • Transcripts and clinical notes — retained for the life of your account and for the minimum-necessary period required by your applicable state-law medical-records retention rule (commonly 6–10 years for adults, longer for minors). At account closure, you may request export and we will then delete records per your written instructions, subject to any legal-hold or regulatory-retention obligations.
  • Account and billing records — retained for the duration of the contractual relationship plus up to seven (7) years for tax and audit purposes.
  • Audit logs — retained for at least six (6) years per HIPAA § 164.316(b)(2)(i).
  • Marketing-form submissions — retained for up to twenty-four (24) months and then purged unless you become a paying customer.

7. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information and PHI consistent with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) and commercially reasonable industry practice. These include:

  • TLS 1.2+ encryption for all data in transit.
  • AES-256 encryption at rest in MongoDB Atlas.
  • Bcrypt hashing of all user passwords with a per-user random salt; passwords are never stored or logged in plaintext.
  • A HIPAA-aligned password policy: minimum 12 characters, at least three of four character classes, blocked common-breach stems, and rejected sequential or repeated character runs.
  • JSON Web Tokens (JWT) signed with a 64-character random secret; token expiration set to 120 minutes by default.
  • Strict-Transport-Security (HSTS), X-Frame-Options: DENY, X-Content-Type-Options: nosniff, and Referrer-Policy headers on all responses.
  • A least-privilege CORS allowlist (no wildcard credentialed-origin combinations).
  • Role-based access controls (RBAC) at the practice and organization level.
  • Rate-limiting and brute-force protection on authentication endpoints.
  • Comprehensive audit logging of every PHI access, modification, deletion, and export event.
  • Secure software-development lifecycle: dependency-scanning, secret-scanning, code review, and pull-request approvals before merging any change touching PHI paths.

No system is perfectly secure. If you believe your account has been compromised, contact us immediately at info@plexura.ai.

8. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access — request a copy of the personal information we hold about you.
  • Correction — ask us to correct inaccurate or incomplete information.
  • Deletion — request deletion of your personal information, subject to legal-retention obligations. Deletion of PHI is governed by the BAA and applicable state law, which may require us to return PHI to the Covered Entity rather than delete it.
  • Portability — receive a copy of your personal data in a structured, commonly used, machine-readable format.
  • Restriction or objection — request that we limit or stop certain processing.
  • Withdraw consent — where processing relies on your consent, withdraw consent at any time without affecting the lawfulness of prior processing.
  • Lodge a complaint — with your local data protection authority or the U.S. Department of Health & Human Services Office for Civil Rights.

California residents have additional rights under the CCPA/CPRA, including the right to know what categories of personal information we collect and the right to direct us not to sell or share it. We do not sell or share personal information as those terms are defined under the CCPA/CPRA.

To exercise any of these rights, email info@plexura.ai. We will verify your identity before responding and will respond within thirty (30) days, or such other period required by law.

9. Children’s Privacy

The Service is intended for use by licensed clinicians who are at least eighteen (18) years old. We do not knowingly collect personal information directly from children under thirteen (13). Clinical records about minor patients may be created by the clinician on the minor’s behalf in the course of treatment; such records are PHI handled under the BAA, not direct collection from children.

10. International Transfers

Plexura’s primary infrastructure is located in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses approved by the European Commission and (for UK transfers) the UK Information Commissioner’s addendum.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) and post a banner on the Service at least thirty (30) days before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.

12. Contact Us

Plexura AI Scribe
Attn: Privacy Officer
Email: info@plexura.ai

Use the same address for legal, privacy, individual-rights, HIPAA, and security matters. For data-protection matters under EU/UK law, our representative contact is the same email address above.

© 2026 Plexura AI Scribe. All rights reserved.