Privacy Policy

This policy applies to the Dorothy web application and all features accessed through it, including voice-based incident capture, AI-generated documentation, and integrations with Electronic Health Record (EHR) systems. If your organization has executed a Business Associate Agreement (BAA) with Dorothy, the terms of that BAA govern our obligations regarding Protected Health Information (PHI) and take precedence over this policy to the extent of any conflict.

Dorothy may process Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA) when used in connection with EHR integrations or when staff include resident details in voice recordings.

We act as a Business Associate under HIPAA when processing PHI on behalf of a Covered Entity (your organization). We enter into Business Associate Agreements with each customer organization before PHI is transmitted through our Service. Our obligations regarding PHI are governed by HIPAA, the HITECH Act, and the applicable BAA.

Account Information. When your organization provisions access or you create an account, we collect your name, email address, and organizational affiliation.

Voice Recordings and Transcripts. When you use Dorothy's voice capture feature, we temporarily process audio recordings to generate transcripts. Audio is processed in real time and is not stored after transcription is complete unless your organization's configuration requires it.

Incident Documentation. Dorothy generates structured incident reports, follow-up recommendations, and communication templates based on your voice input. These documents may contain PHI if resident-identifying information is included in the recording.

EHR Integration Data. When your organization enables an EHR integration (currently PointClickCare; additional systems planned), Dorothy exchanges data with the EHR to sync incident documentation. The categories of data transmitted depend on the integration and your organization's configuration. Data exchanged with EHR systems is governed by your organization's BAA with Dorothy and the applicable EHR vendor's terms.

Usage Data. We collect technical information such as browser type, device type, pages visited, feature usage, and error logs to maintain and improve the Service.

Cookies. We use essential cookies to maintain your session and authentication state. We use analytics cookies to understand how the Service is used. See Section 9 for details.

We use collected information to:

• Provide the Service, including voice transcription, AI-generated incident documentation, and EHR synchronization
• Maintain, monitor, and improve the Service's performance and reliability
• Respond to support requests and communicate service updates
• Comply with legal and regulatory obligations, including HIPAA
• Detect and prevent fraud, abuse, or security incidents

We do not use PHI for marketing, advertising, product development unrelated to the Service, or any purpose not permitted by the applicable BAA and HIPAA.

Dorothy uses artificial intelligence (including third-party large language model APIs) to transcribe voice recordings and generate structured documentation. When PHI is processed by AI systems:

• Data is transmitted via encrypted connections
• Third-party AI providers are bound by data processing agreements that prohibit them from retaining, training on, or using your data beyond the scope of providing the service
• We select AI providers whose data handling practices align with HIPAA requirements

We do not sell, rent, or trade personal information or PHI. We share information only in the following circumstances:

EHR Systems. When your organization enables an integration, we transmit documentation to the connected EHR in accordance with your organization's configuration and the applicable BAA.

Service Providers. We use third-party providers for infrastructure, AI processing, authentication, and payment processing (Stripe). Each provider is bound by contractual obligations to protect data, and where PHI is involved, by a Business Associate Agreement or equivalent data protection agreement.

Legal Requirements. We may disclose information when required by law, regulation, legal process, or enforceable governmental request.

With Your Organization. If your account is provisioned by an organization, that organization may have administrative access to usage information and documentation generated through the Service.

We implement administrative, technical, and physical safeguards to protect information, including:

• Encryption of data in transit (TLS) and at rest
• Role-based access controls
• Logging and monitoring of access to systems containing PHI
• Regular review of security practices
• Incident response procedures

No system is completely secure. If we become aware of a security breach involving PHI, we will notify affected parties in accordance with HIPAA Breach Notification requirements and applicable law.

We retain information as follows:

• Voice recordings: Processed in real time and deleted after transcription unless your organization's configuration requires retention
• Incident documentation: Retained for the duration of your organization's account, or as required by the applicable BAA
• Account information: Retained while your account is active and for a reasonable period afterward for legal and operational purposes
• Usage data: Retained in aggregated or de-identified form for analytics

Upon termination of a BAA or an organization's account, we will delete or return PHI as specified in the BAA, typically within 30 days unless retention is required by law.

We use the following categories of cookies:

Essential cookies are required for the Service to function (authentication, session management). These cannot be disabled.

Analytics cookies help us understand usage patterns to improve the Service. You may opt out of analytics cookies through your browser settings. Disabling them will not affect the functionality of the Service.

We do not use advertising or tracking cookies.

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold about you
• Correct inaccurate information
• Delete your account and associated data
• Export your data in a portable format
• Restrict or object to certain processing

For PHI-related requests, contact your organization's privacy officer, as your organization is the Covered Entity responsible for PHI access and amendment requests under HIPAA.

For account-related requests, contact us at contact@dorothy.app.

The Service is not intended for use by individuals under 18. We do not knowingly collect personal information from minors.

Dorothy is operated from the United States. If you access the Service from outside the US, your information may be transferred to and processed in the US or other jurisdictions where our service providers operate. We ensure appropriate safeguards are in place for cross-border data transfers.

We may update this Privacy Policy from time to time. We will notify users of material changes by posting the updated policy with a new “Last updated” date. For changes affecting PHI handling, we will provide notice to customer organizations as specified in the applicable BAA.

If you have questions about this Privacy Policy or our privacy practices: