Privacy Policy
Privacy at a Glance
- Audio is encrypted and securely transmitted to OpenAI for transcription, then immediately discarded — no recordings are ever stored
- After transcription, Protected Health Information (PHI) is automatically redacted before note generation
- Only de-identified text (with patient names, DOBs, and identifiers removed) is used for AI-powered note generation
- OpenAI operates under a Business Associate Agreement (BAA) with Shepard and does not retain, store, or train on your data
- We never sell your data to third parties or share it with advertisers
- You control your data and can delete it at any time
1. Introduction
Shepard Health ("we," "our," or "us") is committed to protecting your privacy and the privacy of your patients. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the Shepard mobile application and related services ("the App").
Shepard serves both clinicians (medical students, residents, attending physicians, nurses, and other healthcare professionals) and patients. As a clinical documentation tool, we understand the critical importance of protecting Protected Health Information (PHI) and maintaining the highest privacy standards. This policy reflects our commitment to privacy by design.
2. Information We Collect
2.1 Information You Provide
- Account Information: Email address, name, professional credentials, specialty, practitioner role (e.g., student, resident, attending), and account type (clinician or patient)
- Patient Profile (Patient Users): Optional personal profile information (education level, occupation, hobbies) used to tailor AI explanations with relatable analogies. This data is stored as part of your user profile and is never shared externally
- Health Data (Patient Users): Health concerns, medications, and visit recordings you choose to enter or record
- Subscription Information: Payment is processed exclusively through Apple's App Store; we receive subscription status and tier but never payment card details
- Preferences: App settings, specialty preferences, theme, and documentation preferences
- Support Messages: Communications sent through in-app support chat
2.2 Information Transmitted for Processing
The following data is transmitted from your device to Shepard's servers and/or OpenAI for processing:
- Audio Recordings: Encounter audio is encrypted (TLS 1.3) and sent to Shepard's server, which forwards it to OpenAI for speech-to-text transcription. OpenAI processes the audio ephemerally and discards it immediately after transcription. No audio is ever stored by Shepard or OpenAI
- De-identified Encounter Text: After transcription, patient identifiers are redacted on Shepard's server. The redacted text (with identifiers replaced by tokens like [PATIENT_NAME], [DOB]) is then sent to OpenAI for note generation. See Section 6 for full details
- Questions to Ask Shepard: Patient questions submitted to our AI Q&A feature are sent to OpenAI for answers
2.3 Information Collected Automatically
- Device Information: Device type, operating system version, unique device identifiers
- Usage Data: Features used, session duration, crash reports (no clinical content is included)
- Log Data: IP address, access times, app version (used for troubleshooting and security only)
3. How We Protect Patient Information
3.1 Secure Audio Transmission & Transcription
Audio recordings are encrypted using TLS 1.3 and transmitted to Shepard's server, which forwards them to OpenAI's transcription API. OpenAI converts speech to text in real time and immediately discards the audio — no recordings are stored by either Shepard or OpenAI. The complete data flow is: your device sends encrypted audio to Shepard's server, Shepard's server sends it to OpenAI for transcription, and OpenAI returns the text and deletes the audio.
3.2 Automatic PHI Redaction
After transcription, Shepard's server automatically identifies and redacts Protected Health Information from the transcript before it is used for note generation. This includes:
- Patient names and identifiers
- Dates of birth and specific ages
- Addresses, phone numbers, and email addresses
- Medical record numbers (MRNs)
- Social Security numbers
- Insurance and account identifiers
- Other identifying information as defined by HIPAA's 18 Safe Harbor identifiers
Redacted information is replaced with bracketed tokens (e.g., [PATIENT_NAME], [DOB], [PHONE]) that preserve clinical context without exposing identifiable data. These tokens are never reverse-engineered, stored, or transmitted in their original form.
3.3 Ephemeral Server Processing
Our server processes de-identified text in real time and does not permanently store transcripts, clinical notes, or encounter content. Processing is ephemeral and in-memory only. Generated notes are returned to your device immediately after creation.
3.4 Encryption
- In Transit: All data transmitted between your device and our servers, and between our servers and OpenAI, is encrypted using TLS 1.3
- At Rest: Cloud-saved notes (for paid subscribers) and account data are encrypted using AES-256-GCM
- On Device: Sensitive credentials (authentication tokens) are stored using iOS Secure Enclave / Expo SecureStore
4. Data Storage and Retention
| Data Type | Storage Location | Retention Period |
|---|---|---|
| Audio recordings (local copy) | Your device | Until you delete them |
| Audio sent to OpenAI for transcription | Not stored (ephemeral processing) | Discarded immediately after transcription by OpenAI |
| Local notes (all users) | Your device only | Until you delete them (auto-delete available) |
| Cloud-saved notes (paid tiers) | Encrypted cloud storage (AES-256-GCM) | Until you delete them or close your account |
| Account information | Our secure servers | Until account deletion + 60-day grace period |
| De-identified text sent to OpenAI | Not stored (ephemeral processing) | Not retained by OpenAI or by us after response generation |
| Health concerns & medications (patients) | Our secure servers (encrypted) | Until you delete them or close your account |
| Usage analytics | Our secure servers | 24 months |
5. How We Use Information
We use the information we collect to:
- Provide and maintain the App's core functionality (note generation, clinical summaries, patient education)
- Process your subscription and provide customer support
- Generate AI-powered clinical notes, safety suggestions, and educational content using de-identified data only
- Personalize patient explanations using your optional personal profile (occupation, hobbies) to create relatable analogies
- Send important service updates, security alerts, and (for waitlist members) informational emails about Shepard
- Monitor for abuse, security threats, and service integrity
- Comply with legal obligations
We never:
- Sell your personal data, health data, or clinical data to any third party
- Share your data with advertisers or ad networks
- Use your data to build marketing profiles
- Use identifiable patient data for any purpose other than providing you the Shepard service
- Allow OpenAI or any third party to use your data for AI model training
6. Third-Party AI Processing (OpenAI)
Shepard uses OpenAI's API services as our AI processing provider for two distinct purposes:
- Audio Transcription: Using OpenAI's gpt-4o-mini-transcribe model to convert encounter audio into text
- Note Generation & AI Features: Using GPT-4.1-mini to generate clinical notes, summaries, safety suggestions, educational content, and patient Q&A responses from de-identified text
6.1 What Data Is Sent to OpenAI
- Encrypted audio recordings are sent to OpenAI for speech-to-text transcription. OpenAI processes the audio ephemerally and discards it immediately after returning the transcript
- De-identified encounter text — after transcription, all patient names, dates of birth, addresses, phone numbers, and other PHI identifiers are redacted on Shepard's server before the text is sent to OpenAI for note generation
- Patient questions submitted through the "Ask Shepard" feature
- No raw transcripts with identifiable information are ever sent to OpenAI for note generation — PHI is always redacted first
6.2 How OpenAI Handles Your Data
Business Associate Agreement (BAA): Shepard Health maintains a signed Business Associate Agreement (BAA) with OpenAI. Under this agreement, OpenAI is contractually obligated to handle any data it receives from Shepard in compliance with HIPAA requirements, including maintaining appropriate administrative, physical, and technical safeguards.
Under our agreement with OpenAI:
- No Data Retention: OpenAI processes data ephemerally (in real time) and does not store input or output data after generating the response. Data is processed and immediately discarded
- No Model Training: Your data is never used to train, improve, or fine-tune OpenAI's models. This is contractually guaranteed under both our BAA and OpenAI's API data usage policy
- No Third-Party Sharing: OpenAI does not share, sell, or distribute your data to any third party
- Encrypted Transmission: All data transmitted between Shepard's servers and OpenAI's API is encrypted using TLS 1.3
- SOC 2 Type II Certified: OpenAI maintains SOC 2 Type II certification, demonstrating adherence to rigorous security, availability, and confidentiality standards
6.3 Why We Use OpenAI
We selected OpenAI as our AI processing provider because of their commitment to enterprise data privacy, their willingness to execute a BAA for healthcare use cases, their zero-data-retention API policy, and the quality of their clinical text processing capabilities. We continuously evaluate our AI provider relationships to ensure they meet the highest standards of data protection.
7. Other Third-Party Services
In addition to OpenAI, we use the following third-party services:
- Apple App Store: For app distribution and subscription payment processing. Apple processes your payment information directly; we receive only subscription status and tier, never payment card details
- Resend: For transactional email delivery (account confirmations, waitlist communications). We share only your email address and first name for email delivery purposes
- Cloud Infrastructure (Replit/Neon): For secure, encrypted hosting and database storage. All data at rest is encrypted using AES-256-GCM
All third-party service providers are bound by data processing agreements and are required to maintain appropriate security measures consistent with industry standards.
8. Data Sharing Summary
| Recipient | Data Shared | Purpose | Safeguards |
|---|---|---|---|
| OpenAI | Encrypted audio (for transcription) and de-identified text (for note generation). No PHI in text transmissions | Audio transcription, AI note generation, clinical summaries, patient Q&A | BAA, zero retention, no model training, TLS 1.3, SOC 2 Type II |
| Apple | Subscription purchase data | Payment processing | Apple's privacy standards, no clinical data shared |
| Resend | Email address, first name | Transactional email delivery | Data processing agreement, TLS encryption |
| Advertisers | None. We do not share any data with advertisers. Ever. | N/A | N/A |
9. Your Rights and Choices
You have the right to:
- Access: Request a copy of your personal data at any time through the App's Settings screen or by contacting us
- Correction: Update or correct inaccurate information through the App or by contacting us
- Deletion: Delete your account and all associated data. Account deletion includes a 60-day grace period during which you can reactivate by logging in. After 60 days, all data is permanently erased
- Data Export: Export your data in a machine-readable format through the App's privacy settings
- Withdraw Consent: You may withdraw consent for AI processing at any time by discontinuing use of the App. Previously processed data (which was de-identified) cannot be attributed back to you
- Opt Out of Communications: Unsubscribe from non-essential emails at any time
To exercise these rights, contact us at privacy@shepardhealth.ai. We will respond to all requests within 30 days.
10. Security Measures
We implement comprehensive security measures including:
- TLS 1.3 encryption for all data in transit
- AES-256-GCM encryption for all data at rest
- JWT-based authentication with secure token management
- iOS Secure Enclave / Expo SecureStore for on-device credential storage
- Tamper-evident audit logging for security and compliance monitoring
- Role-based access controls
- Automatic session management and token expiration
- HTML injection protection and input sanitization on all endpoints
- Rate limiting on API endpoints to prevent abuse
11. HIPAA Compliance
Shepard is designed with privacy-first principles that minimize PHI exposure. Our architecture ensures that PHI is redacted on-device before any data is transmitted, and our BAA with OpenAI provides contractual HIPAA compliance for the AI processing layer.
Key compliance features:
- Client-side PHI redaction using HIPAA's 18 Safe Harbor identifiers
- Business Associate Agreement (BAA) with OpenAI
- Encryption at rest (AES-256-GCM) and in transit (TLS 1.3)
- Tamper-evident audit logging
- Data retention policies with automatic cleanup
- Account deletion with verified data purge
For organizations requiring additional compliance documentation, please contact us at compliance@shepardhealth.ai.
12. Children's Privacy
The App is intended for use by healthcare professionals (18+) and adult patients. We do not knowingly collect personal information from individuals under 18 years of age. If we discover that we have inadvertently collected data from a minor, we will promptly delete it.
13. International Data Transfers
Your information may be processed in the United States or other countries where our service providers operate. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses where required by applicable law (e.g., GDPR).
14. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes through the App, by email, or by posting a prominent notice on our website. The "Last updated" date at the top of this policy indicates when it was most recently revised. Your continued use of the App after such changes constitutes acceptance of the updated policy.
15. Contact Us
If you have questions about this Privacy Policy, our data practices, or wish to exercise your data rights, please contact us:
Privacy Inquiries: privacy@shepardhealth.ai
Compliance: compliance@shepardhealth.ai
General Support: support@shepardhealth.ai