NovateScribe ("we", "our" or "the Company") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use the NovateScribe platform.
This Privacy Policy, together with the Terms and Conditions and Refund Policy, forms part of the Agreement. Updates will be posted on our website, and continued use constitutes acceptance.
NovateScribe is a semi-autonomous AI platform that transcribes voice into structured medical notes, applies ICD-11 coding via a large language model (LLM), and provides analytics and labeled medical image generation. Users include healthcare professionals (such as doctors, nurses, and other licensed practitioners), patients, and medical students.
Healthcare Professional Verification:
For healthcare professionals such as doctors, we require a valid practicing certificate or license to verify that the user is certified to practice medicine. This verification is compulsory. If such documentation is not provided, the account may still be created, but it will be restricted, and all medical notes generated under that account will contain a visible watermark indicating the user has not been verified.
We operate in multiple jurisdictions, including Malaysia, the European Union (with a focus on Germany), and the United Arab Emirates. We comply with all applicable data protection laws, including Malaysia's Personal Data Protection Act 2010 (PDPA), the EU General Data Protection Regulation (GDPR), and the UAE Federal Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, PDPL).
By using NovateScribe, you agree to the practices described in this Policy. If you do not agree, please do not use the platform.
Personal Data We Collect
We collect the following categories of personal data:
Identity and Contact Information: Name, email, phone number, role (doctor, patient, student), organization/clinic (if applicable).
Account and Subscription Data: Login credentials, subscription plan, billing info, transaction history.
Professional Information: Medical specialization, license/practicing certificate details, hospital or clinic affiliation. Healthcare professionals must provide a valid practicing certificate or license for verification. Non-verified accounts will be marked with a watermark on all medical notes.
Audio Recordings: Voice input provided for transcription (e.g., doctor-patient consultations). These may include sensitive health data.
Transcribed Medical Notes and Content: Text transcripts, ICD-11 codes, labeled images, and related metadata.
Medical Student Version: All patient-identifying data is automatically anonymized, regardless of patient age. Students only access anonymized notes for educational use and are prohibited from re-identification attempts.
Usage Data and Analytics: Device/browser info, IP address, log data, location (city/country), error reports.
Cookies and Tracking Technologies: Authentication, functional, and analytics cookies.
Support and Communication Data: Messages sent to our support or administrative team.
Children and Patient Accounts:
We do not knowingly collect data from children under 13, unless a parent/legal guardian provides verified informed consent. If local law requires a higher consent age (e.g., up to 16 in the EU), that higher threshold applies. Without parental consent, accounts for children under the relevant age will not be permitted.
Cookies and Tracking
We use cookies to:
Authenticate users,
Remember preferences,
Analyze usage (e.g., via Google Analytics or equivalent).
You may disable non-essential cookies in your browser. Essential cookies are required for core functionality (e.g., login).
Educational Use (Medical Student Accounts): All data is anonymized before students access it. Identifiers are stripped automatically, ensuring compliance and confidentiality.
AI Transparency:
AI-generated notes, codes, images, and analytics are created automatically by large language models and automated speech recognition systems. These processes are probabilistic and may generate errors or omissions. Users should not rely on AI outputs without verification by a qualified professional.
We do not sell personal data.
Legal Bases for Processing
We rely on:
Consent (required in Malaysia & UAE for most processing, and for sensitive health data).
Contractual necessity (to deliver the subscribed service).
Legal obligation (e.g., financial records, responding to regulators).
Vital interests (rare, life-critical cases).
Public/medical interest (where allowed by GDPR/PDPA/PDPL for healthcare purposes).
Legitimate interests (EU only, for service improvement and fraud prevention, when not overridden by user rights).
Disclosure of Personal Data
We share personal data only with:
Service providers (processors): Cloud hosting, AI engines (ASR/LLM), analytics, support platforms — under strict contracts.
Corporate affiliates: Within NovateScribe group companies.
Business transfers: In case of mergers, acquisitions, or restructuring.
Legal compliance: When required by law or to protect rights/safety.
Integrations (future): Only if explicitly authorized by the user (e.g., syncing with a clinic's EMR).
We never sell personal data to third parties.
International Data Transfers
Malaysia (PDPA): Transfers permitted if adequate protections or consent are in place.
EU/Germany (GDPR): Safeguards include Standard Contractual Clauses (SCCs).
UAE (PDPL): Transfers only to adequate jurisdictions or with contractual/consent safeguards.
Nothing in this Policy limits your rights to exercise consumer or data protection claims under mandatory local laws in your place of residence.
Data Retention
Accounts: Retained while active; deleted/anonymized after closure unless legally required.
Transcriptions/Notes: Retained until deleted by user; anonymized versions may be retained for research/training.
Audio: Typically deleted after transcription or within a short default period (e.g., 30 days), unless user requests retention.
Analytics: Retained up to 24 months.
Support records: Retained as needed for service quality and compliance.
Children & Minors (Parental Informed Consent)
Under 13 (or higher local consent age): Parental/legal guardian informed consent is required for patient accounts.
Verification: We may use signed consent forms, ID checks, or in-clinic verification.
Parent rights: Parents/guardians may access, correct, delete, or withdraw consent for their child's data.
Medical student anonymization: Even if children's data is transcribed, it is automatically anonymized before being available to medical student accounts.
Non-compliance: Accounts discovered without valid parental consent will be suspended and deleted (subject to clinical/legal obligations).
Data Security
We implement:
Encryption (in transit and at rest),
Role-based access controls,
Regular audits and vulnerability checks,
Backup and disaster recovery plans.
Despite safeguards, no system is 100% secure. Users must protect their account credentials. We notify users and authorities of breaches as required by law.
Your Privacy Rights
Depending on jurisdiction, you may exercise rights to:
Access your data,
Rectify inaccuracies,
Erase data,
Restrict processing,
Data portability,
Object to certain processing (e.g., marketing),
Withdraw consent at any time.
Parents/Guardians: May exercise these rights on behalf of minors with verified consent.
To exercise rights, contact us (see below).
Contact Us
For privacy-related questions or to exercise your rights: