AmpShift.ai
Try Free
← Back to home

Privacy Policy

Effective March 10, 2026 · Last updated June 16, 2026

1. Introduction

AmpShift.ai ("AmpShift," "we," "us," or "our") provides a mobile application (the "App") that enables healthcare providers to record, transcribe, and document patient encounters using artificial intelligence. This Privacy Policy describes how we collect, use, store, and protect information when you use the AmpShift mobile application and related services (collectively, the "Services").

By using the Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Services.


2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address — used for authentication (magic link login) and delivery of clinical documents
  • Name (first and last) — used to identify you within the App and on generated documents
  • Phone number (optional) — stored as part of your professional profile
  • Medical specialty — used to configure AI output formatting for your clinical context

2.2 Clinical Data

When you use the App to record and document patient encounters, we collect:

  • Audio recordings — voice recordings of physician-patient conversations captured through your device's microphone
  • Transcriptions — text generated from audio recordings by our speech-to-text system
  • Clinical documentation — SOAP notes, progress notes, and other structured clinical documents generated by our AI system
  • Patient information — patient name, medical record number (MRN), date of birth, and gender, as entered by you or extracted from the audio recording by AI
  • Billing codes — CPT, ICD-10, E/M, and RxNorm medication codes extracted from clinical documentation

2.3 Device and Technical Information

We may collect:

  • Device identifiers — for biometric authentication (Face ID, Touch ID, fingerprint) if you enable this feature
  • App version — to ensure you are running a supported version of the App
  • Crash logs and diagnostics — to identify and fix technical issues

3. How We Use Your Information

We use the information we collect for the following purposes:

PurposeData Used
Authentication and account managementEmail address, name, device identifiers
Real-time transcriptionAudio recordings
Clinical document generationTranscriptions, patient information
Billing and medication code extractionClinical documentation, transcriptions
Document deliveryEmail address, clinical documentation, billing codes
Archival and record retentionAll clinical data (7-year retention for regulatory compliance)
App functionality and improvementCrash logs, diagnostics, app version
Security and fraud preventionAccount information, device identifiers

We do not use your data or patient data for:

  • Advertising or marketing to third parties
  • Selling to data brokers
  • Training general-purpose AI models outside of your account
  • Any purpose unrelated to providing the Services

4. How We Store and Protect Your Information

4.1 Infrastructure

All data processing occurs on infrastructure hosted within Amazon Web Services (AWS) in the United States (us-east-1 region). Clinical document generation runs on AWS Bedrock within our private Virtual Private Cloud (VPC). Speech-to-text transcription is processed by Groq Cloud, a third-party service provider with whom we maintain a signed Business Associate Agreement (BAA) ensuring HIPAA-compliant handling of protected health information. Audio transmitted to Groq is encrypted in transit via TLS 1.3 and is not retained by Groq beyond the duration of the transcription request. All other data processing — including storage, document generation, and billing code extraction — occurs within AmpShift's private AWS VPC.

4.2 Encryption

  • In transit: All data transmitted between the App and our servers is encrypted using TLS 1.3, including both REST API and WebSocket connections.
  • At rest: All stored data is encrypted using AES-256 encryption, including database records (DynamoDB), object storage (S3), and local device storage.

4.3 Access Controls

  • Authentication is required for all access to clinical data.
  • Session ownership validation ensures that only the physician who created a session can access its data.
  • Administrative access to infrastructure is restricted and logged.

4.4 Local Device Security

  • Clinical data stored locally on your device (for offline functionality) is encrypted using AES-256 encryption.
  • Biometric authentication (Face ID, Touch ID, fingerprint) is available as an additional layer of device-level security.
  • No patient data is stored in plaintext on the device.

5. Data Retention

Data TypeRetention PeriodStorageAction at Expiry
Raw audio recordings24 hoursAWS S3Permanent deletion
Processing segments (transcripts, merged audio)30 daysAWS S3, AWS DynamoDBPermanent deletion
Session metadata (clinical notes, billing codes, patient demographics)7 yearsAWS DynamoDB, AWS S3 (Glacier)Permanent deletion
Account informationDuration of account, plus 30 days after account closureAWS DynamoDBPermanent deletion
Crash logs and diagnostics90 daysAWS CloudWatch, AWS DynamoDBPermanent deletion

The 7-year retention period for clinical data aligns with HIPAA record retention requirements.

All data deletions at the end of their retention period are permanent and irreversible. Once the retention window expires, the data is automatically and completely removed from all storage systems, including backup tiers. There are no soft deletes, recycle bins, or recovery mechanisms after the stated retention period.


6. Data Sharing and Third Parties

6.1 We Do Not Sell Your Data

We do not sell, rent, or trade any personal information or patient data to third parties.

6.2 No Third-Party AI Processing of Patient Data

Speech-to-text transcription is performed by Groq Cloud, a third-party AI service provider, under a signed Business Associate Agreement (BAA) that requires equal or greater protection of protected health information. Audio recordings are transmitted to Groq encrypted in transit (TLS 1.3) solely for transcription and are not retained by Groq beyond the processing request. All other AI processing — clinical document generation and billing code extraction — occurs within AmpShift's private AWS VPC and is not sent to any third-party AI provider. You are asked to consent to this processing within the App before any audio is transmitted.

6.3 Limited Third-Party Services

We use the following third-party services in the operation of the App:

ServiceProviderPurposeData Involved
Cloud infrastructureAmazon Web Services (AWS)Hosting, storage, computeAll data (encrypted, within private VPC)
Email deliveryAWS Simple Email Service (SES)Delivering SOAP notes and billing reports to designated email addressesEmail addresses, clinical document content

We have a Business Associate Agreement (BAA) with AWS to ensure HIPAA-compliant handling of protected health information.

6.4 Email Distribution

When you choose to distribute clinical documents via email, the SOAP note and/or billing report is sent to the email address(es) you designate (e.g., your own email, a billing department). This transmission occurs through AWS SES and is encrypted in transit.

6.5 Legal Requirements

We may disclose information if required to do so by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.


7. HIPAA Compliance

AmpShift is designed and operated in compliance with the Health Insurance Portability and Accountability Act (HIPAA):

  • We maintain a signed Business Associate Agreement (BAA) with AWS.
  • The majority of PHI processing and storage occurs within our private AWS VPC. Speech-to-text transcription is performed by Groq Cloud under a signed Business Associate Agreement (BAA); audio transmitted to Groq is encrypted in transit (TLS 1.3) and is not retained by Groq beyond the transcription request. All other PHI — including stored clinical documents, session data, and account information — remains within AmpShift's private AWS infrastructure.
  • PHI is encrypted both in transit (TLS 1.3) and at rest (AES-256).
  • Access to PHI is logged and auditable.
  • Data retention policies align with HIPAA requirements (minimum 7-year retention for clinical records).
  • We implement the minimum necessary standard — only the data required for each function is accessed.

You, as the healthcare provider, are responsible for ensuring that your use of the App complies with your own organization's HIPAA policies and any applicable state regulations.


8. Your Rights and Choices

8.1 Access and Correction

You can view and edit your account information (name, phone number, specialty, email preferences) directly within the App's Settings screen. You can view and edit transcripts and clinical documents before finalizing them.

8.2 Data Deletion

You may delete your account and associated data directly in the App under Settings → Delete Account. Deletion is immediate, subject to the following regulatory retention requirements:

  • Your account information will be deleted within 30 days.
  • Active clinical session data will be deleted, subject to any applicable legal or regulatory retention requirements.
  • Archived clinical data subject to HIPAA retention requirements may be retained for up to 7 years from the date of creation, after which it will be permanently deleted.

8.3 Biometric Authentication

Biometric authentication (Face ID, Touch ID, fingerprint) is optional. You can enable or disable it at any time in the App's Settings. Biometric data is processed entirely on your device by the operating system — we do not collect, store, or transmit your biometric data.

8.4 Email Distribution

You choose whether and to whom clinical documents are distributed via email. Email distribution is initiated by you on a per-session basis.


9. Children's Privacy

The AmpShift App is designed for use by licensed healthcare professionals. We do not knowingly collect personal information from anyone under the age of 18. If you believe that a child under 18 has provided us with personal information, please contact us at privacy@ampshift.ai and we will take steps to delete such information.


10. Data Security Incident Response

In the event of a data breach involving protected health information, we will:

  • Investigate and contain the incident promptly.
  • Notify affected users in accordance with HIPAA Breach Notification Rule requirements (within 60 days of discovery).
  • Notify the U.S. Department of Health and Human Services as required.
  • Take corrective actions to prevent recurrence.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page.
  • Notify you through the App or via email.
  • If required, obtain your consent before applying material changes to data already collected.

Your continued use of the Services after any changes to this Privacy Policy constitutes your acceptance of the updated policy.


12. California Privacy Rights

If you are a California resident, you have the right under the California Consumer Privacy Act (CCPA) to:

  • Request disclosure of the categories and specific pieces of personal information we have collected.
  • Request deletion of your personal information, subject to certain exceptions.
  • Not be discriminated against for exercising your privacy rights.

Note: HIPAA-covered data is exempt from CCPA. However, we extend these rights to all users as a matter of good practice.


13. International Users

The Services are hosted and operated in the United States. If you access the Services from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Services, you consent to the transfer of your information to the United States.


14. Contact Us

If you have questions or concerns about this Privacy Policy, or wish to exercise any of your rights described above, please contact us:

AmpShift.ai Email: privacy@ampshift.ai Website: https://ampshift.ai

For HIPAA-related inquiries: Email: hipaa@ampshift.ai


This Privacy Policy is provided for informational purposes. AmpShift.ai recommends consulting with a qualified legal professional to ensure compliance with all applicable laws and regulations.

© 2026 AmpShift.ai. All rights reserved. Patents pending at USPTO. Privacy · Terms · info@ampshift.ai