Effective date: 2026-05-18
Last substantive revision: 2026-05-18 (initial version 2026-05-07)
Controller: Sapience Systems LLP, a limited liability partnership formed in England and Wales (LLP No. OC454938), registered office at Stoney Works, 8 Stoney Lane, London SE19 3BD, United Kingdom
Product: Sapience Med — desktop voice-dictation application for healthcare clinicians
Privacy contact: team@sapience.systems (subject line "Privacy")
This Privacy Policy explains how Sapience Systems LLP ("Sapience", "we", "us", "our") handles personal information in connection with the Sapience Med application (the "Software") and our website at https://sapience.systems (the "Site"). It is written to give clinicians, clinic compliance officers, procurement reviewers, and regulators a complete and accurate description of our data practices.
Sapience Med is architected so that patient audio, transcripts, and other clinical content remain on the clinician's own device and are never transmitted to us. Most of this policy describes the narrow categories of personal information that do reach us (license email, payment metadata, license-validation pings) and the rights you have with respect to them. We have written this policy in definite, non-hedging language because the U.S. Federal Trade Commission, state attorneys general, and private litigants will hold us to what we say here.
This policy is provided for transparency. It is not legal advice, and it does not create a Business Associate relationship under HIPAA. See §13 HIPAA position and the HIPAA Architecture Brief for our HIPAA classification.
At-a-glance summary
| Question | Answer |
|---|---|
| Do you transmit patient audio, transcripts, or clinical notes to your servers? | No. Never. |
| Do you use customer data to train artificial-intelligence models? | No. Never. |
| Do you sell personal information? | No. |
| Do you "share" personal information for cross-context behavioral advertising (as defined by the CCPA)? | No. |
| Do you use third-party analytics, advertising, or tracking tools in the Software or on the Site? | No. |
| Do you create voiceprints or biometric identifiers from user voice? | No. |
| Are you a HIPAA Business Associate? | No. See HIPAA Architecture Brief. |
| Where is the data you do collect (email, billing, license metadata) stored? | With our payment processor (Stripe, U.S.), our infrastructure provider (Cloudflare, U.S.), and our transactional email provider (Postmark, U.S.). Full sub-processor table in §7. |
| What rights do I have? | All rights under your applicable state, UK, or EU law. See §22 California rights, §23 Other U.S. state rights, and §24 UK / EU rights. |
| How do I exercise a right or make a complaint? | Email team@sapience.systems with subject line "Privacy". |
Table of contents
- Scope and audience
- Definitions
- On-device architecture: the foundation of this policy
- Personal information we collect and receive
- Personal information we do not collect or receive
- How we use personal information
- Disclosures to sub-processors
- We do not sell or share personal information
- We do not use customer data to train AI models
- Biometric data and voiceprints
- Profiling and automated decision-making
- International transfers
- HIPAA position
- 42 CFR Part 2 (substance-use-disorder records)
- FTC Health Breach Notification Rule
- Washington My Health My Data Act and analogous consumer-health-data laws
- Retention
- Security
- Our Site (sapience.systems): cookies, analytics, and tracking
- Marketing communications
- Children
- California rights (CCPA / CPRA)
- Other U.S. state privacy rights
- UK / EU rights
- How to exercise your rights
- Breach notification
- Privacy contact
- Changes to this policy and change log
1. Scope and audience
This policy applies to:
- Clinicians and other healthcare professionals who download, install, trial, or license the Software for use on their own devices;
- Visitors to the Site at https://sapience.systems and its subdomains we operate (including downloads.sapience.systems, license.sapience.systems, and any subdomain hosting product documentation);
- Persons who contact us by email regarding the Software, including for support, sales, or vendor-security review.
We market and sell the Software primarily to clinicians located in the United States. We also accept users located in the United Kingdom and the European Union. Where U.S. and U.K./E.U. obligations differ, this policy describes both. If you live in a U.S. state or another jurisdiction with its own privacy law, §22, §23, and §24 describe your rights and how to exercise them.
This policy does not apply to:
- The clinical content (audio, transcripts, notes) that the Software processes on the clinician's device. That content is not transmitted to us, is not in our possession, and is governed by the clinician's and clinic's own HIPAA, state, and other obligations.
- Third-party websites or services we link to (for example, our payment processor's checkout page). Those services have their own privacy policies, which we link to in §7.
2. Definitions
For clarity, the following terms have the meanings set out below in this policy. Defined terms in U.S. or U.K. statute control over these definitions where applicable law requires.
- Personal information (or personal data) means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, consistent with the definitions used in the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act ("CCPA/CPRA") and the UK General Data Protection Regulation ("UK GDPR").
- Protected Health Information (or PHI) has the meaning given in 45 CFR § 160.103.
- Consumer health data has the meaning given in Washington's My Health My Data Act (RCW 19.373) and analogous statutes in Nevada (SB 370), Connecticut (Public Act 23-56), and other states as they take effect.
- Sensitive personal information has the meaning given in CCPA/CPRA § 1798.140(ae).
- Selling and sharing have the meanings given in CCPA/CPRA § 1798.140(ad) and (ah). "Sharing" specifically includes transferring personal information to a third party for cross-context behavioral advertising.
- Processing has the meaning given in the UK GDPR Article 4(2).
- Sub-processor means a third party that processes personal information on our behalf under a written processing agreement.
- Software means the Sapience Med desktop application (Mac and Windows builds), including its installer, bundled assets, and the local data files described in §3.2.
- Site means the websites we operate at sapience.systems and its subdomains.
3. On-device architecture: the foundation of this policy
Sapience Med is a desktop application that performs automatic speech recognition entirely on the user's own device, using a locally-loaded neural network model (Whisper-large-v3-turbo, executed via the Metal GPU framework on macOS and the Vulkan GPU framework on Windows). The recognition pipeline does not open a network socket. The application contains no third-party analytics, error-reporting, or telemetry library. These facts are verified by a code-level security audit, published as CODE_AUDIT_REPORT.md, and underpin every other claim in this policy.
The practical consequence is that the categories of personal information we describe in §4 — chiefly your account email, payment metadata, and a license-key identifier transmitted during license validation — are the only categories that reach us. We do not receive an audio recording, a transcript, a learned-correction record, or any usage telemetry tied to clinical content, because no part of the Software is designed to transmit those.
3.1 What runs in the Software
The dictation pipeline operates entirely on the clinician's device:
[ Hotkey held ]
↓
[ Audio captured to RAM via cpal (macOS) / WASAPI (Windows) ]
↓
[ Voice-activity detection trims silence ]
↓
[ Audio resampled (rubato library) and passed to whisper.cpp (GGUF model bundled in installer) ]
↓
[ Output text passes through deterministic post-processing
(filler removal, punctuation cleanup, drug-name spell correction
against a local 21,000-term RxNorm/ICD-10 dictionary,
and user-defined corrections — all in process memory) ]
↓
[ Text written to OS clipboard ]
↓
[ Synthetic Cmd-V / Ctrl-V keystroke pastes into the active application ]
↓
[ Audio buffer and transcript string fall out of scope ]
No file is written to disk during dictation. No network request is made. The Software depends only on the operating system's audio API, clipboard, and keystroke-injection facilities.
3.2 Files the Software stores on your device
The Software stores a small number of JSON files in the operating system's application-data directory:
| File | Contents | Origin |
|---|---|---|
| dictionary.json | Words the user has explicitly added to their custom dictionary | User action |
| corrections.json | User-confirmed corrections of misheard words | User action ("Learn correction") |
| snippets.json | User-defined text-expansion templates | User action |
| presets.json | Per-application preferences | User action |
| usage.json | Daily word-count counter (number of words dictated each day) | App state |
| settings.json | Hotkey bindings, audio device selection, UI preferences | User action |
| license.json | Trial start date, license key, device-binding token | License flow |
These files reside on the clinician's device. They are not transmitted to us. They are under the clinician's exclusive control. The Software provides a "Delete all local data" function in Settings for clinicians who wish to wipe these files (for example, before transferring the device).
These files may contain fragments incidentally derived from clinical work (a learned correction may include a patient name's spelling, for example). Such fragments remain on the clinician's device and are subject to the clinician's and the clinic's own HIPAA Security Rule obligations. They are not in our possession.
3.3 Files we do not write
The following are never written to disk by the Software in release builds:
- Audio files (no `.wav`, no other audio format)
- Full transcripts or transcript history
- Logs containing transcript content (content-revealing log statements are gated behind `#[cfg(debug_assertions)]` and excluded from release binaries by the Rust compiler)
- Crash dumps containing user content
This is verified by the code audit in CODE_AUDIT_REPORT.md, §5 ("Unintended file writes / log content leakage").
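The compile-time gating described above, shown as an added illustration (this is not Sapience's own code; the function name, log format, and the constructed sample transcript are assumptions): the content-revealing variant of the log-line builder exists only when `debug_assertions` is enabled, so a release build compiled with `cargo build --release` contains no code path that can place transcript text in a log.

```rust
// Added example, not code from Sapience Med. Demonstrates how a log statement
// that would reveal dictated text is compiled out of release builds using
// `#[cfg(debug_assertions)]`, leaving only a byte count in the release binary.

/// True when the content-revealing variant below was compiled in.
/// `cfg!(debug_assertions)` is on for the default dev profile and off for
/// `--release`, so callers can tell which build they are running.
pub const CONTENT_LOGGING_COMPILED_IN: bool = cfg!(debug_assertions);

/// Debug builds only: include the transcript text so developers can inspect
/// recognition output. This function does not exist in a release binary.
#[cfg(debug_assertions)]
pub fn dictation_log_line(transcript: &str) -> String {
    format!(
        "dictation finished ({} bytes): {}",
        transcript.len(),
        transcript
    )
}

/// Release builds only: log metadata about the dictation, never its content.
#[cfg(not(debug_assertions))]
pub fn dictation_log_line(transcript: &str) -> String {
    format!("dictation finished ({} bytes)", transcript.len())
}

fn main() {
    // Constructed sample transcript; any string would do for the demonstration.
    let transcript = "patient reports chest pain";
    println!("{}", dictation_log_line(transcript));
    println!(
        "content logging compiled in: {}",
        CONTENT_LOGGING_COMPILED_IN
    );
}
```

Because the selection happens at compile time, the release artifact can be checked by inspection (for example, by searching the binary for the debug format string) rather than by trusting a runtime flag that could be misconfigured.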
4. Personal information we collect and receive
We collect and receive the categories of personal information listed below. None of them is PHI. Each category is matched to the CCPA/CPRA category framework in brackets to support California rights requests.
4.1 Account information [CCPA category A: identifiers; category B: customer records]
When you sign up for a trial or purchase a license, you provide:
- Email address;
- Name (if you choose to provide it);
- Clinic or practice name (if you choose to provide it);
- Country and time zone of use (we derive this from your IP address at signup; we do not store the IP address beyond a 24-hour transient log window enforced by our infrastructure provider).
Source: directly from you. Legal basis (UK GDPR): Article 6(1)(b) performance of a contract.
4.2 Payment information [CCPA category I: commercial information]
When you purchase a license, our payment processor (Stripe, Inc.) collects your billing details and card number. We do not see or store full card numbers. We do receive from Stripe:
- Card brand (e.g., "Visa");
- Last four digits of the card;
- Billing address;
- Stripe customer ID and subscription ID;
- A Stripe Checkout Session ID at the moment of successful payment (used to issue your license key — see §4.4).
Source: Stripe. Legal basis (UK GDPR): Article 6(1)(b) performance of a contract; Article 6(1)(c) compliance with legal accounting obligations.
4.3 License-validation metadata [CCPA category A: identifiers; category K: inferences — none]
The Software's license validation is active in the current version. When the Software starts, and periodically while it runs, it makes an HTTPS request to our license-validation endpoint (license.sapience.systems). The request transmits:
- The license-key identifier (a UUID issued by us; not your email);
- A salted one-way hash (HMAC) of a stable device identifier;
- The Software's version string (e.g., `0.1.0`);
- The operating-system family and architecture string (e.g., `darwin-arm64`, `windows-x64`).
The response carries only the license status (active, expired, revoked) and a short-lived signed token used to authenticate subsequent requests. The hashed device identifier is not reversible to the device hardware ID; it exists only to enforce per-seat licensing and is not used for any analytics or marketing purpose.
The validation request transmits none of the following: audio data, transcript text, dictionary contents, correction history, snippet contents, usage counters, the names of applications you dictate into, the time, frequency, or duration of dictations, or anything derived from clinical content.
Source: the Software running on your device. Legal basis (UK GDPR): Article 6(1)(b) performance of a contract; Article 6(1)(f) legitimate interests in license enforcement.
4.4 License-key issuance information
When Stripe confirms a successful purchase, Stripe sends our license server a webhook containing the Checkout Session ID and your email address. We use those two pieces of information to mint a license key, bind it to a license record, and email you the key. We do not retain the Checkout Session ID after license issuance is complete (the Session ID is stored at most 30 days for reconciliation, then deleted).
4.5 Update-check metadata
When the Software's auto-update feature is enabled in a future release (not active in v0.1), the Software will fetch a static update manifest from our update endpoint. The fetch will transmit only the Software version, the operating-system architecture, and standard HTTP headers (User-Agent and Accept-Language). The update endpoint will not log IP addresses beyond a 24-hour transient window enforced by our infrastructure provider. Until that feature ships, the Software does not check for updates and contains no network code paths that would.
4.6 Support correspondence
When you email us for support, we receive the content of your email. Our written policy, codified in the EULA §4.4, is that you must not send PHI in support correspondence. If you nevertheless send PHI, we will delete it on recognition, document the deletion internally, and notify you. We will not retain, store, transmit, or analyze it.
4.7 Information collected through our Site
When you visit sapience.systems, our Cloudflare-fronted hosting infrastructure briefly receives your IP address and standard HTTP request metadata in order to deliver the page. We do not run third-party analytics, advertising, or tracking scripts on the Site. We do not set persistent cookies. We do not currently operate any forms on the Site that collect personal information from visitors; all sales inquiries arrive by email at team@sapience.systems. See §19 for the full Site privacy description.
5. Personal information we do not collect or receive
The categories of information listed in this section are never transmitted to us. We affirmatively commit that we will not begin collecting any of them without first publishing a revised version of this policy and notifying active customers under contract at least 30 days in advance.
- Patient audio recordings;
- Patient transcripts (in whole or in fragment);
- The contents of your local dictionary, correction history, snippet templates, presets, settings, or license file;
- The names, identifiers, or window titles of the applications you dictate into;
- Per-user dictation timestamps, frequency, duration, or word counts at any granularity that ties to clinical content;
- Crash dumps containing memory state, or any crash-reporting telemetry;
- Telemetry, analytics, or product-usage data of any kind;
- Voiceprints, voice biometric templates, or speaker-identification features derived from audio (see §10);
- Inferred profiles, preferences, behavioral attributes, or any data we would resell or use for advertising;
- Children's data, except incidentally if a clinician under 18 contacts us (we expect all licensees to be adult professionals; see §21).
This list is not narrowing — it is a complete commitment that the Software's data-handling boundary lies at the categories disclosed in §4.
6. How we use personal information
We use the categories of personal information listed in §4 only for the following purposes:
| Category | Purpose | Legal basis (UK GDPR) |
|---|---|---|
| Account information | Create and maintain your license record; deliver transactional email (license key, renewal reminders, security notices); respond to support requests | Article 6(1)(b) contract performance |
| Payment information | Process subscription payments, handle refunds and chargebacks, maintain accounting records as required by U.K. tax law | Article 6(1)(b) contract; Article 6(1)(c) legal obligation |
| License-validation metadata | Determine whether your license is active before allowing the Software to continue functioning; enforce per-seat licensing | Article 6(1)(b) contract; Article 6(1)(f) legitimate interests |
| License-key issuance information | Issue your license key on payment | Article 6(1)(b) contract |
| Update-check metadata (when active) | Determine whether your installed version is current; deliver signed update manifest | Article 6(1)(b) contract |
| Support correspondence | Respond to your inquiry; resolve issues | Article 6(1)(b) contract; Article 6(1)(a) consent for non-essential inquiries |
| Site information | Operate the website; respond to form submissions | Article 6(1)(f) legitimate interests (minimum necessary to deliver content) |
We do not use personal information for any purpose other than those listed above. In particular, we do not:
- Sell personal information to any third party (see §8);
- Share personal information for cross-context behavioral advertising (see §8);
- Use personal information to train, fine-tune, or evaluate artificial-intelligence or machine-learning models (see §9);
- Use personal information to build behavioral, marketing, or risk profiles about you;
- Use personal information for any "secondary" purpose materially different from the primary purpose disclosed at collection without first obtaining your additional consent.
7. Disclosures to sub-processors
We disclose limited categories of personal information to the third-party processors listed below, each of which acts on our behalf under a written data-processing agreement (a Data Processing Addendum or equivalent) and uses the disclosed information only for the purpose described. None of these sub-processors receives clinical content, audio, transcripts, or PHI, because no such information is in our possession.
| Sub-processor | Role | Headquartered | Data shared | Privacy policy |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing, subscription billing, tax calculation | United States | Email, billing address, card metadata, IP at checkout | https://stripe.com/privacy |
| Cloudflare, Inc. | DNS, CDN, hosting of the license-validation endpoint, hosting of sapience.systems (Cloudflare Pages), hosting of installer downloads (Cloudflare R2), Web Application Firewall | United States | IP address (transient), HTTP request metadata, license-validation request payload (license key ID, hashed device ID, Software version, OS arch) | https://www.cloudflare.com/privacypolicy/ |
| Postmark (ActiveCampaign LLC) | Transactional email delivery (license key delivery, billing receipts, security notices) | United States | Email address, email content (license keys and receipts) | https://postmarkapp.com/eu-privacy |
| GitHub, Inc. (a subsidiary of Microsoft Corporation) | Source-code hosting and CI/CD | United States | None directly related to end users; GitHub holds our source code and build outputs | https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement |
We will update this table when we add or change a sub-processor. We treat the addition of a new sub-processor that receives any new category of personal information as a material change subject to advance notice under §28.
We do not disclose personal information to any other third party except: (a) where required by valid legal process (subpoena, court order, lawful regulatory inquiry); (b) where reasonably necessary to protect our rights, our property, or the safety of any person; (c) in connection with a merger, acquisition, or sale of all or substantially all of our assets, in which case we will give 30 days' advance notice and will require the acquirer to honor the commitments in this policy. We have never received a National Security Letter or analogous classified government data-disclosure demand. We will update this representation if that ever changes (consistent with applicable law).
8. We do not sell or share personal information
We do not sell personal information for monetary or other valuable consideration. We do not share personal information with any third party for cross-context behavioral advertising. These terms have the meanings given in CCPA/CPRA § 1798.140(ad) and (ah).
We have not sold or shared personal information in the preceding twelve months and do not have any current plan to do so.
If you are a California resident, you do not need to opt out of selling or sharing because we do not engage in either. If our practices ever change, we will update this section before that change takes effect and will provide a clear "Do Not Sell or Share My Personal Information" link as required by California law.
9. We do not use customer data to train AI models
We do not use any personal information — and we do not use any clinical content, because we never receive any — to train, fine-tune, evaluate, develop, or improve any artificial-intelligence or machine-learning model. This includes:
- The speech-recognition model bundled in the Software (Whisper-large-v3-turbo). It is shipped as a fixed weights file. We do not collect data to retrain or further fine-tune it on the back of customer use.
- The post-processing drug dictionary and correction logic in the Software. These are deterministic rules and a fixed RxNorm/ICD-10 lookup table. They are improved by us in our internal development environment using publicly licensed reference data — never by reading customer files.
- Any third-party model. We do not pipe personal information into any third-party AI service (OpenAI, Anthropic, Google, Amazon Bedrock, or otherwise).
We treat this commitment as material. If we ever intend to use customer data in any AI training, fine-tuning, or evaluation pipeline — including for our own benefit or under a contract with a customer who wants to provide training data — we will publish a revised policy and seek express opt-in consent before doing so. We will not bury such a change in an updated policy or claim "improved services" as a basis under the UK GDPR for that processing.
This commitment is reinforced contractually in the EULA and architecturally by the no-PHI-in-transit design.
10. Biometric data and voiceprints
A voice recording is not, by itself, a biometric identifier. A biometric identifier is created when an algorithm produces a template that uniquely identifies a specific speaker (a "voiceprint"). Sapience Med does not generate, store, or transmit such a template. The Software performs speech-to-text transcription; it does not perform speaker identification, speaker verification, voice authentication, voice cloning, or any other operation that depends on speaker biometrics. The Whisper model bundled in the Software is speaker-agnostic by construction.
We make this commitment explicitly for the purpose of compliance with:
- The Illinois Biometric Information Privacy Act, 740 ILCS 14 ("BIPA"), including its requirements of informed consent, written disclosure, and limits on storage and disclosure of "biometric identifiers" (including "voiceprints");
- The Texas Capture or Use of Biometric Identifier Act, Tex. Bus. & Com. Code § 503.001 ("CUBI");
- Washington Biometric Identifier law (RCW 19.375);
- Analogous state biometric laws as they are enacted.
Because we do not collect or create biometric identifiers, the substantive consent and retention obligations of these statutes do not attach to us. If we ever introduce a feature that depends on speaker biometrics, we will: (a) publish a revised policy disclosing the feature and its data flows; (b) obtain prior written consent in the form required by BIPA from each affected user before activation; and (c) commit in writing to a retention schedule that complies with BIPA § 15(a). Until then, our position is that the speech-to-text pipeline in Sapience Med is not subject to BIPA, CUBI, or the analogous state statutes because no biometric identifier is created.
11. Profiling and automated decision-making
We do not engage in profiling or automated decision-making within the meaning of the UK GDPR Article 22 or CCPA/CPRA. Specifically:
- We do not make decisions about you that produce legal or similarly significant effects on you using solely automated means.
- The license-validation system makes a single deterministic check (is this license key currently marked active?) and is not a profile in any meaningful sense.
- Speech-to-text transcription on your device is fully under your control and supervision; you review and edit the output before relying on it (see EULA §8).
You therefore do not need to invoke the right to opt out of automated decision-making under U.S. state law or the right against solely automated decisions under UK GDPR Article 22 — neither applies to our operations.
12. International transfers
Sapience Systems LLP is established in the United Kingdom. Our sub-processors listed in §7 operate primarily in the United States. When personal information is transferred from the United Kingdom or the European Economic Area to a sub-processor located in the United States, we rely on the following safeguards:
- The UK-U.S. Data Bridge (the U.K. extension to the EU-U.S. Data Privacy Framework), where the receiving sub-processor self-certifies under the framework and the categories of data are within scope;
- The EU Standard Contractual Clauses (Module 2: controller-to-processor) as incorporated by reference into our Data Processing Addendum with each sub-processor, with the UK Addendum (the International Data Transfer Addendum, IDTA) attached for U.K. data subjects;
- Documented transfer-risk assessments (TRAs) for each material sub-processor on file with us, made available to data-protection regulators on request.
If you are located in the United States, transfers between U.S. sub-processors are not "international transfers" within the meaning of the UK GDPR. They remain subject to applicable U.S. federal and state law as described in this policy.
13. HIPAA position
Sapience Systems LLP is not a Business Associate of any clinic, hospital, or other Covered Entity that uses the Software. This determination is grounded in the plain text of 45 CFR § 160.103 and HHS guidance, and is verified by an architectural review and code audit. The full reasoning is in our HIPAA Architecture Brief.
A short summary: HIPAA defines a Business Associate as a person who, on behalf of a Covered Entity, "creates, receives, maintains, or transmits" PHI. The Software's architecture is such that we — Sapience Systems LLP — do none of the four with respect to PHI generated on a clinician's device. The reference comparators are Microsoft Word and Apple Notes: a clinician dictates or types clinical content into either, and neither Microsoft nor Apple is the clinician's Business Associate, because the software runs locally and the vendor never accesses the content. Sapience Med occupies the same legal lane.
We do not sign Business Associate Agreements, because doing so would misrepresent the relationship and would not benefit your patients' privacy. We offer a Limited-Scope Vendor Agreement that contractually codifies the no-PHI architecture for procurement reviewers who require a written contract. Contact us to request the template.
You — the clinician or the clinic — remain a Covered Entity (or Business Associate of one) with all of your own HIPAA Privacy Rule, Security Rule, and Breach Notification Rule obligations. Those obligations include workforce training, device-level security controls (FileVault / BitLocker disk encryption, OS-level password screen lock, auto-lock after inactivity), patient consent, and clinic-level incident response. The Software is one tool on the device the clinic governs.
14. 42 CFR Part 2 (substance-use-disorder records)
A subset of our clinician users may operate "federally assisted programs" subject to the Confidentiality of Substance Use Disorder Patient Records regulations at 42 CFR Part 2. Part 2 imposes stricter consent and disclosure requirements than HIPAA for records identifying a patient as having received treatment for substance use disorder.
Because the Software does not transmit clinical content to us, we do not "receive" or "maintain" Part 2 records on behalf of any program. We are not a "qualified service organization" of any Part 2 program for purposes of 42 CFR § 2.11. If your Part 2 program nevertheless requires a Qualified Service Organization Agreement ("QSOA") as a matter of internal policy, contact us; our Limited-Scope Vendor Agreement can be adapted to acknowledge Part 2's confidentiality posture without misrepresenting our actual role.
15. FTC Health Breach Notification Rule
The Federal Trade Commission has revised the Health Breach Notification Rule, 16 CFR Part 318, to clarify that it applies to vendors of "personal health records" and to certain "PHR related entities" that handle "PHR identifiable health information." The Rule applies to vendors that are not HIPAA-covered Business Associates.
We have evaluated the Software and our operations against the Rule and conclude:
- We do not maintain a "personal health record" within the meaning of the Rule, because the Software does not maintain identifiable health information drawn from multiple sources for an individual consumer's use. Audio, transcripts, and clinical content remain entirely on the clinician's device.
- We do not function as a "PHR related entity," because we do not offer services to vendors of personal health records or interact with PHRs of others.
- The categories of personal information we do collect (email, billing, license metadata) are not "PHR identifiable health information," because they do not relate to the past, present, or future physical or mental health of an individual.
We therefore conclude that the Rule does not impose a separate breach-notification obligation on us in addition to U.K. data-protection law and U.S. state breach-notification statutes. We will reassess this analysis annually and on any material change to our data-handling practices. If we determine that we have become subject to the Rule, we will update this policy and comply with the Rule's notification timelines.
16. Washington My Health My Data Act and analogous consumer-health-data laws
Washington's My Health My Data Act ("MHMD", RCW 19.373), Nevada SB 370 (Chapter 603A.300–.360), and the consumer-health-data provisions of the Connecticut Data Privacy Act (Public Act 23-56) impose specific consent, disclosure, and authorization requirements on entities that collect "consumer health data" about residents of those states.
Our position with respect to those statutes is as follows:
- Consumer-health-data collection. The Software is architected so that we do not collect "consumer health data" as defined in MHMD § 19.373.020(8). We do not receive audio, transcripts, treatment information, prescription information, biometric data, location-of-care information, or any information that identifies a consumer's past, present, or future physical or mental health status.
- The categories we do receive — account email, payment metadata, license-validation metadata — are not "consumer health data" because they do not identify any consumer's health status. A purchase of a software license is a commercial transaction; the existence of that transaction does not by itself reveal that the buyer or anyone else has sought, received, or is contemplating health services.
- Geofencing. We do not engage in geofencing of any kind, and specifically do not use geofencing to identify or track consumers near healthcare facilities, in violation of MHMD § 19.373.045.
- Sale of consumer health data. We do not sell consumer health data, because we do not collect it. MHMD's separate written-authorization requirement for sale of consumer health data therefore does not apply to us.
- Consumer rights. If you are a Washington, Nevada, or Connecticut resident and believe we have collected "consumer health data" about you (we do not believe we have), you may invoke your statutory rights of confirmation, access, deletion, and (in Washington) private right of action via the Washington Consumer Protection Act. Contact us at team@sapience.systems with subject line "MHMD" (or analogous, for other states).
If we ever begin processing "consumer health data," we will publish a revised policy disclosing the collection, obtain affirmative consent in the statutorily required form, and provide the statutorily required mechanism for revocation.
17. Retention
We retain personal information only as long as necessary for the purpose for which it was collected, subject to legal retention obligations:
| Category | Retention period | Reason |
|---|---|---|
| Account email and name | Duration of the customer relationship + 7 years after the last transaction | U.K. accounting and tax record-keeping (Companies Act 2006; HMRC requirements) |
| Billing and payment records (in our systems) | Duration of the customer relationship + 7 years after the last transaction | Same as above |
| License-validation logs | No more than 30 days | Operational troubleshooting; license abuse detection |
| Stripe Checkout Session IDs (used to issue a license key) | No more than 30 days after license issuance | Reconciliation in case of disputed issuance |
| Update-check logs (when feature active) | No more than 30 days | Operational; never longer than necessary |
| Support correspondence | Until the support matter is resolved + 90 days | Customer service quality |
| Marketing list (if you opted in) | Until you unsubscribe | Express consent |
| Site visitor logs (Cloudflare-side) | Per Cloudflare retention defaults — typically up to 24 hours for transient request logs | Operational; we do not maintain a separate copy |
After the retention period, we delete or de-identify personal information. De-identified data (statistical aggregates with no link to individuals) may be retained without time limit for operational planning.
You may at any time request earlier deletion under the rights described in §22, §23, and §24. We will honor the request unless we are required by law to retain the information for the periods stated above; in such cases we will tell you which records we have retained and on what legal basis, and will delete the rest.
18. Security
We maintain administrative, technical, and physical safeguards reasonably designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Specific controls include:
- Encryption in transit: all communication between the Software, the Site, the license endpoint, and our sub-processors uses TLS 1.2 or higher with certificates managed by Cloudflare.
- Encryption at rest: account and billing data are encrypted at rest in Stripe's and Cloudflare's infrastructure under their respective certifications (Stripe: PCI-DSS Level 1, SOC 2 Type II; Cloudflare: SOC 2 Type II, ISO 27001).
- Access control: multi-factor authentication is required for all administrative access to GitHub, Cloudflare, Stripe, Postmark, and our domain registrar. Access is granted on a least-privilege basis and is reviewed quarterly.
- Code-level safeguards: the Software's source code is reviewed by our engineering team, scanned for vulnerable dependencies (`cargo audit`, `npm audit`) on every CI build, and was subjected to a code audit on 2026-05-07 published as CODE_AUDIT_REPORT.md.
- No customer-data warehouse: there is no central database of clinical content, transcripts, or usage, because no such data is in our possession.
- Operational separation: production and development environments are isolated (separate Stripe accounts, separate Cloudflare Worker environments).
- Backups: company billing and source-code records are backed up; backups are tested quarterly. There are no clinical-content backups because there is no clinical content to back up.
We do not claim that any security control is impenetrable. We acknowledge that the FTC and state attorneys general have brought enforcement actions against companies that made unqualified security guarantees in the past (for example, the FTC's actions against Equifax, Drizly, GoodRx, and Cerebral). We make only the specific, verifiable representations above.
Independent third-party penetration testing and SOC 2 Type II audit are scheduled for v1.5 of the Software (target Q4 2026). We will publish the resulting attestation summaries when they are available.
19. Our Site (sapience.systems): cookies, analytics, and tracking
The Site at sapience.systems is a statically rendered website hosted on Cloudflare Pages. It does not load third-party advertising, analytics, or tracking scripts. It does not set persistent cookies. It does not embed social-media pixels (no Facebook Pixel, no LinkedIn Insight Tag, no X/Twitter Pixel). It does not embed marketing-automation scripts (no HubSpot tracking, no Marketo Munchkin, no Segment).
The Site is delivered through Cloudflare's CDN, which by virtue of operating the CDN sees the IP address of each visitor and standard HTTP request metadata. Cloudflare may set short-lived cookies (e.g., __cf_bm) for bot management; we have not enabled Cloudflare Web Analytics or Cloudflare Bot Management at a level that creates persistent fingerprints. We do not have access to a per-visitor analytics dashboard.
We comply with the California Online Privacy Protection Act, Bus. & Prof. Code § 22575 et seq. ("CalOPPA"), by publishing this policy and honoring "Do Not Track" signals to the extent we collect data subject to such signals (we do not, because we do not maintain a per-visitor tracking surface). We comply with the analogous Delaware Online Privacy and Protection Act and Nevada SB 220 by the same approach.
We do not engage in "tracking technologies" within the meaning of HHS Office for Civil Rights' guidance on Tracking Technology (Dec 2022, updated 2024). The Site does not log information that, in combination with any other information, would link a visitor's identity to any specific PHI.
20. Marketing communications
We send transactional email — license-key delivery, billing receipts, renewal reminders, security notices — to all licensees. These are necessary to the operation of the Software and the service; you cannot unsubscribe from them while your license is active. They are not subject to the CAN-SPAM Act's commercial-message provisions because their primary purpose is transactional within the meaning of 15 U.S.C. § 7702(2).
We may send commercial email — product news, feature announcements, or industry updates — only to recipients who have expressly opted in through a form on the Site or by replying to a confirmation prompt. Each such message contains a working unsubscribe link and our postal address as required by the CAN-SPAM Act, 15 U.S.C. § 7704, and the relevant U.K. PECR rules. You may unsubscribe at any time; we will honor the unsubscribe within 10 business days, as required by CAN-SPAM. We do not engage in pretextual or deceptive subject lines.
We do not send SMS messages and do not contact licensees by automated dialing system. The U.S. Telephone Consumer Protection Act, 47 U.S.C. § 227 ("TCPA"), does not apply to our outreach as a result.
21. Children
The Software and the Site are not directed to children. We do not knowingly collect personal information from children under the age of 16. Sapience Med is a professional clinical tool intended for licensed adult healthcare practitioners. If you are a parent or guardian and believe that a child has nevertheless provided personal information to us, contact us at team@sapience.systems and we will delete it.
We do not knowingly collect personal information that would be subject to the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506 ("COPPA"), because we do not target users under 13. We do not engage in marketing to minors.
22. California rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives you the following rights regarding personal information about you that we hold. This section is structured to satisfy the disclosure requirements of CCPA/CPRA § 1798.100, § 1798.105, § 1798.106, § 1798.110, § 1798.115, § 1798.120, § 1798.121, § 1798.125, and § 1798.130.
22.1 Categories of personal information we collect
In the preceding twelve months, we have collected the following CCPA categories of personal information about California residents:
| CCPA category | Examples we collect |
|---|---|
| (A) Identifiers | Email address; name; license key ID; salted hash of device identifier |
| (B) Customer records (Cal. Civ. Code § 1798.80(e)) | Email; name; clinic name |
| (D) Commercial information | Stripe customer/subscription IDs; purchase history; card brand; last-4 digits |
| (F) Internet or other electronic network activity information | Transient IP at signup; Software version and OS architecture sent during license validation; HTTP request metadata in support correspondence |
| (G) Geolocation data | Country and time zone derived at signup (coarse) |
| (I) Professional or employment-related information | Clinic or practice name if you provide it |
| Sensitive personal information (CCPA § 1798.140(ae)) | None routinely collected. We do not collect government IDs, financial-account numbers, precise geolocation, racial or ethnic origin, religion, union membership, mail or message contents, biometric identifiers, "consumer health data," sex-life or sexual-orientation information, citizenship or immigration status, genetic data, or precise mental-health information from you. |
The full purposes for which we use each category are described in §6.
22.2 Categories sold or shared in the preceding twelve months
We have not sold or shared any personal information in the preceding twelve months. We do not sell. We do not share for cross-context behavioral advertising. We do not have a "Do Not Sell or Share" link because there is nothing to opt out of. If our practices change, we will update this section and provide the required link before the change takes effect.
22.3 Categories disclosed for a business purpose
In the preceding twelve months, we have disclosed personal information to the sub-processors listed in §7 for the operational purposes listed in that table. We have not disclosed personal information to any third party that is not a service provider or contractor acting on our behalf, except where required by law.
22.4 Your rights under California law
You have the following rights:
- Right to know. Confirm whether we process personal information about you; obtain a copy in a portable format covering the preceding twelve months (or longer, on request) of the specific pieces of personal information we hold, the categories collected, the sources, the categories of recipients, and the purposes.
- Right to delete. Request deletion of personal information we have collected from you, subject to statutory exceptions (e.g., transactional records required for tax compliance).
- Right to correct. Request correction of inaccurate personal information.
- Right to opt out of sale or sharing. Not currently exercisable because we do not sell or share. If this changes, we will provide the required mechanism.
- Right to limit use of sensitive personal information. Not currently exercisable because we do not collect sensitive personal information beyond what is necessary to perform the service requested.
- Right to non-discrimination. We will not deny goods or services, charge different prices, or provide a different level or quality of goods or services to a California resident because the resident exercised any CCPA right. We do not offer financial incentives in exchange for personal information.
- Right to designate an authorized agent. You may designate an authorized agent to make a request on your behalf. We will verify the agent's authority and your identity (see §25).
To exercise any right, email team@sapience.systems with subject line "California Privacy". We will acknowledge receipt within 10 business days and respond substantively within 45 days, extendable once by an additional 45 days where reasonably necessary (as permitted by CCPA § 1798.130(a)(2)).
22.5 California Shine the Light
California Civil Code § 1798.83 ("Shine the Light") gives California residents the right to request information about the categories of personal information we have disclosed to third parties for those third parties' direct-marketing purposes in the preceding calendar year. We have not disclosed personal information to any third party for that third party's direct-marketing purposes, and we do not anticipate doing so.
22.6 Notice at Collection
This policy serves as the "Notice at Collection" required by CCPA/CPRA § 1798.100(b) at or before the point we collect personal information. The categories of personal information we collect, the purposes for which we use each category, the categories of recipients, and the retention periods are described in §4, §6, §7, and §17.
23. Other U.S. state privacy rights
The following states have enacted comprehensive privacy statutes that grant some or all of the rights below to their residents: Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Florida (FDBR), Oregon (OCPA), Montana (MCPA), Tennessee (TIPA), Iowa (ICDPA), Delaware (DPDPA), New Hampshire (NHPA), New Jersey (NJDPA), Indiana (ICDPA), Kentucky (KCDPA), Maryland (MODPA), Minnesota (MCDPA), Nebraska (NDPA), Rhode Island (RIPA), and others that have taken effect since this policy was last revised. The specific applicability threshold differs by state.
Residents of those states have, at minimum, the following rights with respect to personal information we hold about them:
- Right to confirm processing and to access the personal information we hold;
- Right to correct inaccurate personal information;
- Right to delete personal information;
- Right to data portability (a copy in a portable, structured format);
- Right to opt out of sale of personal data (not exercisable because we do not sell);
- Right to opt out of targeted advertising (not exercisable because we do not engage in targeted advertising);
- Right to opt out of profiling in furtherance of solely automated decisions (not exercisable because we do not profile — see §11);
- Right to appeal a denial of a privacy request (where the applicable state law requires an appeal mechanism, such as Virginia, Colorado, Connecticut, and others).
To exercise any right, email team@sapience.systems with subject line "Privacy Request" naming your state. We will acknowledge receipt within 10 business days and respond substantively within the state-specific statutory window (typically 45 days, extendable once by 45 days). If we deny a request, we will notify you of the basis and inform you of the appeal mechanism where one exists.
Sensitive data. Several state statutes (e.g., VCDPA, CPA, CTDPA, MODPA) require affirmative opt-in consent before processing certain categories of "sensitive data," including data revealing physical or mental health diagnosis. We do not process such data in the categories we collect (see §4 and §22.1); the opt-in obligation therefore does not attach to our current operations.
24. UK / EU rights
If you are located in the United Kingdom or the European Economic Area, the UK General Data Protection Regulation and the EU General Data Protection Regulation (collectively, "GDPR") give you the following rights with respect to personal data we process about you:
- Right of access (GDPR Article 15) — to obtain confirmation that we process your personal data and a copy of that data;
- Right to rectification (Article 16) — to correct inaccurate personal data;
- Right to erasure (Article 17, "right to be forgotten") — to delete personal data, subject to legal-obligation exceptions;
- Right to restriction of processing (Article 18);
- Right to data portability (Article 20) — to receive your data in a structured, commonly used, machine-readable format;
- Right to object (Article 21) — to object to processing carried out on the basis of legitimate interests;
- Right not to be subject to a decision based solely on automated processing (Article 22) — see §11; we do not engage in such processing;
- Right to withdraw consent at any time where processing is based on consent (Article 7(3));
- Right to lodge a complaint with the U.K. Information Commissioner's Office (ICO) at https://ico.org.uk/make-a-complaint/, or, for E.E.A. residents, with the data-protection authority of your country.
The legal basis for each category of processing is described in §6.
We will respond to GDPR rights requests within one month of receipt, extendable by two further months for complex or numerous requests (Article 12(3)). We will inform you of any extension within the first month.
25. How to exercise your rights
To exercise any right described in §22, §23, or §24:
- Email team@sapience.systems with the subject line "Privacy Request".
- Tell us which right you wish to exercise and which jurisdiction's law you are invoking (this helps us apply the correct statutory timeline).
- Provide enough information to allow us to verify your identity. Typically, this is the email address on your license record. We may ask for one additional piece of information to corroborate (e.g., the date of your most recent payment). We will not request more identifying information than is necessary, consistent with CCPA § 1798.130(a)(7).
If you are using an authorized agent, the agent must provide either: (a) a power-of-attorney pursuant to Cal. Prob. Code §§ 4000–4465, or (b) signed written permission from you naming the agent and the specific request. We will additionally verify your identity directly to confirm that the request was authorized.
We do not charge a fee for processing the first request you make in any 12-month period. We may charge a reasonable fee or refuse a request if it is manifestly unfounded or excessive, consistent with applicable law.
If we cannot verify your identity to a degree of certainty sufficient to comply with the request, we will tell you and explain what additional information would resolve the issue. We will not disclose personal information to a person we cannot verify is the subject.
26. Breach notification
If we discover a personal-data breach, we will respond as follows:
- UK GDPR / EU GDPR: We will notify the U.K. ICO (or the relevant E.E.A. data-protection authority) within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to the rights and freedoms of natural persons (Article 33(1)). Where the breach is likely to result in a high risk, we will notify affected individuals without undue delay (Article 34(1)).
- U.S. state breach-notification laws: We will notify affected individuals and, where required, state attorneys general and credit-reporting agencies, in compliance with each applicable state's breach-notification statute (including without limitation Cal. Civ. Code § 1798.82, N.Y. Gen. Bus. Law § 899-aa, Tex. Bus. & Com. Code § 521.053, and analogous statutes in the other 47 states and the District of Columbia). We will use the most generous of (a) the statutory window in the affected state, (b) "without unreasonable delay," or (c) 30 days from confirmation, whichever results in faster notification.
- HIPAA Breach Notification Rule (45 CFR § 164.400 et seq.): not applicable to us, because we are not a Business Associate and do not hold PHI. If our position changes, this section will be updated.
- FTC Health Breach Notification Rule (16 CFR Part 318): we have evaluated our applicability and concluded the Rule does not apply (see §15). If our position changes, we will notify affected individuals within the Rule's required timelines (no later than 60 calendar days from the date of discovery).
Notifications will include, at minimum: (a) a description of what happened, (b) the categories of personal information involved, (c) the steps we are taking to mitigate, (d) the steps you can take to protect yourself, and (e) contact information for further inquiries.
27. Privacy contact
For any question about this policy, to exercise a right, to file a complaint, or to request the Limited-Scope Vendor Agreement template:
- Email: team@sapience.systems (subject line "Privacy")
- Postal address: Sapience Systems LLP, Stoney Works, 8 Stoney Lane, London SE19 3BD, United Kingdom (Limited Liability Partnership No. OC454938)
- Designated privacy contact (CCPA § 1798.130(a)(1)): Mikhail Mogulkin, Designated Member
- Security officer: Mikhail Mogulkin, Designated Member
Because Sapience Systems LLP does not process personal data at a scale that triggers the mandatory Data Protection Officer requirement under UK GDPR Article 37(1), we have not appointed a Data Protection Officer. The Managing Partner serves as the responsible privacy contact and answers privacy correspondence personally.
If you have raised a concern with us and are not satisfied with our response, you may lodge a complaint with the U.K. Information Commissioner's Office (https://ico.org.uk/make-a-complaint/), your local data-protection authority, or the appropriate U.S. state attorney general's office.
28. Changes to this policy and change log
We will revise this policy when our practices materially change. We will not retroactively apply a less-protective version of this policy to personal information previously collected without your express consent.
For material changes — meaning any change to the categories of personal information we collect or receive, the categories of recipients, the purposes of processing, or our position under HIPAA or the AI-training commitment in §9 — we will: (a) post the revised policy with an updated "Last substantive revision" date; (b) email active licensees at the email address on their license record at least 30 days before the change takes effect; and (c) record the change in the change log below. For non-material changes (typographical corrections, minor clarifications, sub-processor table updates that do not introduce a new category of data), we will update the "Last substantive revision" date but will not necessarily notify by email.
Change log
| Date | Version | Summary of change |
|---|---|---|
| 2026-05-07 | 1.0 | Initial publication. Short-form policy describing on-device architecture and minimal vendor-side data. |
| 2026-05-17 | 2.0 | Comprehensive rewrite. Corrects factual inaccuracies (license validation is active, not "planned"; ASR engine is Whisper-large-v3-turbo, not MedASR). Adds: California CCPA/CPRA rights matrix; multi-state privacy rights (§23); Washington My Health My Data Act analysis (§16); FTC Health Breach Notification Rule analysis (§15); BIPA / CUBI voiceprint disclaimer (§10); 42 CFR Part 2 stance (§14); explicit AI-training prohibition (§9); "no sale, no sharing" statement (§8); sub-processor table with links (§7); breach-notification commitment timelines (§26). |
| 2026-05-18 | 2.1 | Address fields filled with Companies House record (LLP No. OC454938, registered office Stoney Works, 8 Stoney Lane, London SE19 3BD). Removed Formspree from sub-processor table (§7) — no forms are currently operated on the Site. |
This policy is published under the principle that a privacy policy should accurately describe what a company does. The architecture described in §3 is verified by CODE_AUDIT_REPORT.md. The HIPAA position in §13 is reasoned in HIPAA_ARCHITECTURE_BRIEF.md. The contractual reflection of this policy is in EULA.md. If you find an inconsistency between these documents, please tell us; consistency across documents is part of how we earn customer trust.