top of page

Privacy Policy

Effective Date: March 10, 2026 Last Updated: March 10, 2026

1. Introduction

AmpShift.ai ("AmpShift," "we," "us," or "our") provides a mobile application (the "App") that enables healthcare providers to record, transcribe, and document patient encounters using artificial intelligence. This Privacy Policy describes how we collect, use, store, and protect information when you use the AmpShift mobile application and related services (collectively, the "Services").

By using the Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Services.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address — used for authentication (magic link login) and delivery of clinical documents

  • Name (first and last) — used to identify you within the App and on generated documents

  • Phone number (optional) — stored as part of your professional profile

  • Medical specialty — used to configure AI output formatting for your clinical context

2.2 Clinical Data

When you use the App to record and document patient encounters, we collect:

  • Audio recordings — voice recordings of physician-patient conversations captured through your device's microphone

  • Transcriptions — text generated from audio recordings by our speech-to-text system

  • Clinical documentation — SOAP notes, progress notes, and other structured clinical documents generated by our AI system

  • Patient information — patient name, medical record number (MRN), date of birth, and gender, as entered by you or extracted from the audio recording by AI

  • Billing codes — CPT, ICD-10, and E/M codes extracted from clinical documentation

2.3 Device and Technical Information

We may collect:

  • Device identifiers — for biometric authentication (Face ID, Touch ID, fingerprint) if you enable this feature

  • App version — to ensure you are running a supported version of the App

  • Crash logs and diagnostics — to identify and fix technical issues

3. How We Use Your Information

We use the information we collect for the following purposes:

PurposeData Used

Authentication and account managementEmail address, name, device identifiers

Real-time transcriptionAudio recordings

Clinical document generationTranscriptions, patient information

Billing code extractionClinical documentation, transcriptions

Document deliveryEmail address, clinical documentation, billing codes

Archival and record retentionAll clinical data (7-year retention for regulatory compliance)

App functionality and improvementCrash logs, diagnostics, app version

Security and fraud preventionAccount information, device identifiers

We do not use your data or patient data for:

  • Advertising or marketing to third parties

  • Selling to data brokers

  • Training general-purpose AI models outside of your account

  • Any purpose unrelated to providing the Services

4. How We Store and Protect Your Information

4.1 Infrastructure

All data processing occurs on infrastructure hosted within Amazon Web Services (AWS) in the United States (us-east-1 region). Clinical document generation runs on AWS Bedrock within our private Virtual Private Cloud (VPC). Speech-to-text transcription is processed by Groq Cloud, a third-party service provider with whom we maintain a signed Business Associate Agreement (BAA) ensuring HIPAA-compliant handling of protected health information. Audio transmitted to Groq is encrypted in transit via TLS 1.3 and is not retained by Groq beyond the duration of the transcription request. All other data processing — including storage, document generation, and billing code extraction — occurs within AmpShift's private AWS VPC.

4.2 Encryption

  • In transit: All data transmitted between the App and our servers is encrypted using TLS 1.3, including both REST API and WebSocket connections.

  • At rest: All stored data is encrypted using AES-256 encryption, including database records (DynamoDB), object storage (S3), and local device storage.

4.3 Access Controls

  • Authentication is required for all access to clinical data.

  • Session ownership validation ensures that only the physician who created a session can access its data.

  • Administrative access to infrastructure is restricted and logged.

4.4 Local Device Security

  • Clinical data stored locally on your device (for offline functionality) is encrypted using AES-256 encryption.

  • Biometric authentication (Face ID, Touch ID, fingerprint) is available as an additional layer of device-level security.

  • No patient data is stored in plaintext on the device.

4.5 Audio Data Lifecycle

  • Raw audio recordings captured during clinical encounters are permanently deleted from all systems within 24 hours of capture. Encrypted processing segments — intermediate files generated during transcription and AI processing — are retained for up to 30 days for quality assurance and technical dispute resolution purposes, after which they are permanently and irreversibly deleted. The final clinical documentation generated from these recordings (SOAP notes, progress notes, billing reports, and other structured outputs) constitutes the official clinical record and is subject to the 7-year retention policy described in Section 5.

5. Data Retention

Raw Audio Recordings

  • Retention: 24 hours — permanently and automatically deleted

  • Storage: AWS S3 (Standard) with automated deletion policy

Encrypted Processing Segments

  • Retention: 30 days — permanently and automatically deleted

  • Storage: AWS S3 (Standard) with automated deletion policy

Clinical Documents (SOAP Notes, Progress Notes, Billing Reports)

  • Retention: 7 years minimum, then permanently deleted

  • Storage: AWS S3 (active), then AWS S3 Glacier (archive)

Session Metadata

  • Retention: 7 years minimum

  • Storage: AWS DynamoDB

Account Information

  • Retention: Duration of active account, plus 30 days following account deletion

  • Storage: AWS DynamoDB

Crash Logs and Diagnostics

  • Retention: 90 days

  • Storage: AWS CloudWatch (within AmpShift's private infrastructure). Crash logs are stripped of any patient identifiers before storage.

6. Data Sharing and Third Parties

6.1 We Do Not Sell Your Data

We do not sell, rent, or trade any personal information or patient data to third parties.

6.2 No Third-Party AI Processing of Patient Data

Speech-to-text transcription is performed by Groq Cloud under a signed Business Associate Agreement (BAA). All other AI processing — including clinical document generation and billing code extraction — is performed on AmpShift's private AWS infrastructure. No PHI is transmitted to any third-party service without a valid BAA in place.

6.3 Limited Third-Party Services

We use the following third-party services in the operation of the App:

Cloud Infrastructure

  • Provider: Amazon Web Services (AWS)

  • Purpose: Hosting, storage, and compute

  • Data Involved: All data, encrypted, processed entirely within our private VPC

Speech Recognition

  • Provider: Groq Cloud (OpenAI Whisper STT)

  • Purpose: Real-time medical speech-to-text transcription

  • Data Involved: Audio recordings transmitted to Groq Cloud servers for processing. Audio is not retained by Groq beyond the processing request. A Business Associate Agreement (BAA) is in place with Groq.

  • Data Residency: Processed on Groq Cloud infrastructure. Audio is transmitted securely via TLS 1.3 and is not stored by Groq after transcription is complete.

AI Document Generation

  • Provider: AWS Bedrock (private)

  • Purpose: Clinical note and billing code generation

  • Data Involved: Transcriptions, processed within our private VPC only — data does not leave AmpShift's AWS infrastructure

Email Delivery

  • Provider: AWS Simple Email Service (SES)

  • Purpose: Delivering SOAP notes and billing reports to designated recipients

  • Data Involved: Email addresses and clinical document content

6.4 Email Distribution

When you choose to distribute clinical documents via email, the SOAP note and/or billing report is sent to the email address(es) you designate (e.g., your own email, a billing department). This transmission occurs through AWS SES and is encrypted in transit.

6.5 Legal Requirements

We may disclose information if required to do so by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

7. HIPAA Compliance

AmpShift is designed and operated in compliance with the Health Insurance Portability and Accountability Act (HIPAA):

  • We maintain a signed Business Associate Agreement (BAA) with AWS.

  • The majority of PHI processing and storage occurs within our private AWS VPC. Speech-to-text transcription is performed by Groq Cloud under a signed Business Associate Agreement (BAA). Audio transmitted to Groq is encrypted in transit (TLS 1.3) and is not retained by Groq beyond the transcription request. All other PHI — including stored clinical documents, session data, and account information — remains within AmpShift's private AWS infrastructure.

  • PHI is encrypted both in transit (TLS 1.3) and at rest (AES-256).

  • Access to PHI is logged and auditable.

  • Data retention policies align with HIPAA requirements (minimum 7-year retention for clinical records).

  • We implement the minimum necessary standard — only the data required for each function is accessed.

You, as the healthcare provider, are responsible for ensuring that your use of the App complies with your own organization's HIPAA policies and any applicable state regulations.

8. Your Rights and Choices

8.1 Access and Correction

You can view and edit your account information (name, phone number, specialty, email preferences) directly within the App's Settings screen. You can view and edit transcripts and clinical documents before finalizing them.

8.2 Data Deletion

You may request deletion of your account and associated data by contacting us at privacy@ampshift.ai. Upon receiving a verified deletion request:

  • Your account information will be deleted within 30 days.

  • Active clinical session data will be deleted, subject to any applicable legal or regulatory retention requirements.

  • Archived clinical data subject to HIPAA retention requirements may be retained for up to 7 years from the date of creation, after which it will be permanently deleted.

8.3 Biometric Authentication

Biometric authentication (Face ID, Touch ID, fingerprint) is optional. You can enable or disable it at any time in the App's Settings. Biometric data is processed entirely on your device by the operating system — we do not collect, store, or transmit your biometric data.

8.4 Email Distribution

You choose whether and to whom clinical documents are distributed via email. Email distribution is initiated by you on a per-session basis.

9. Children's Privacy

The AmpShift App is designed for use by licensed healthcare professionals. We do not knowingly collect personal information from anyone under the age of 18. If you believe that a child under 18 has provided us with personal information, please contact us at privacy@ampshift.ai and we will take steps to delete such information.

10. Data Security Incident Response

In the event of a data breach involving protected health information, we will:

  • Investigate and contain the incident promptly.

  • Notify affected users in accordance with HIPAA Breach Notification Rule requirements (within 60 days of discovery).

  • Notify the U.S. Department of Health and Human Services as required.

  • Take corrective actions to prevent recurrence.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page.

  • Notify you through the App or via email.

  • If required, obtain your consent before applying material changes to data already collected.

Your continued use of the Services after any changes to this Privacy Policy constitutes your acceptance of the updated policy.

12. California Privacy Rights

If you are a California resident, you have the right under the California Consumer Privacy Act (CCPA) to:

  • Request disclosure of the categories and specific pieces of personal information we have collected.

  • Request deletion of your personal information, subject to certain exceptions.

  • Not be discriminated against for exercising your privacy rights.

Note: HIPAA-covered data is exempt from CCPA. However, we extend these rights to all users as a matter of good practice.

13. International Users

The Services are hosted and operated in the United States. If you access the Services from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Services, you consent to the transfer of your information to the United States.

14. Contact Us

If you have questions or concerns about this Privacy Policy, or wish to exercise any of your rights described above, please contact us:

AmpShift.ai Email: privacy@ampshift.ai Website: https://ampshift.ai

For HIPAA-related inquiries: Email: hipaa@ampshift.ai

bottom of page