Privacy Policy
Effective March 10, 2026 · Last updated June 16, 2026
1. Introduction
AmpShift.ai ("AmpShift," "we," "us," or "our") provides a mobile application (the "App") that enables healthcare providers to record, transcribe, and document patient encounters using artificial intelligence. This Privacy Policy describes how we collect, use, store, and protect information when you use the AmpShift mobile application and related services (collectively, the "Services").
By using the Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Services.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address — used for authentication (magic link login) and delivery of clinical documents
- Name (first and last) — used to identify you within the App and on generated documents
- Phone number (optional) — stored as part of your professional profile
- Medical specialty — used to configure AI output formatting for your clinical context
2.2 Clinical Data
When you use the App to record and document patient encounters, we collect:
- Audio recordings — voice recordings of physician-patient conversations captured through your device's microphone
- Transcriptions — text generated from audio recordings by our speech-to-text system
- Clinical documentation — SOAP notes, progress notes, and other structured clinical documents generated by our AI system
- Patient information — patient name, medical record number (MRN), date of birth, and gender, as entered by you or extracted from the audio recording by AI
- Billing codes — CPT, ICD-10, E/M, and RxNorm medication codes extracted from clinical documentation
2.3 Device and Technical Information
We may collect:
- Device identifiers — for biometric authentication (Face ID, Touch ID, fingerprint) if you enable this feature
- App version — to ensure you are running a supported version of the App
- Crash logs and diagnostics — to identify and fix technical issues
3. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Data Used |
|---|---|
| Authentication and account management | Email address, name, device identifiers |
| Real-time transcription | Audio recordings |
| Clinical document generation | Transcriptions, patient information |
| Billing and medication code extraction | Clinical documentation, transcriptions |
| Document delivery | Email address, clinical documentation, billing codes |
| Archival and record retention | All clinical data (7-year retention for regulatory compliance) |
| App functionality and improvement | Crash logs, diagnostics, app version |
| Security and fraud prevention | Account information, device identifiers |
We do not use your data or patient data for:
- Advertising or marketing to third parties
- Selling to data brokers
- Training general-purpose AI models outside of your account
- Any purpose unrelated to providing the Services
4. How We Store and Protect Your Information
4.1 Infrastructure
All data processing occurs on infrastructure hosted within Amazon Web Services (AWS) in the United States (us-east-1 region). Clinical document generation runs on AWS Bedrock within our private Virtual Private Cloud (VPC). Speech-to-text transcription is processed by Groq Cloud, a third-party service provider with whom we maintain a signed Business Associate Agreement (BAA) ensuring HIPAA-compliant handling of protected health information. Audio transmitted to Groq is encrypted in transit via TLS 1.3 and is not retained by Groq beyond the duration of the transcription request. All other data processing — including storage, document generation, and billing code extraction — occurs within AmpShift's private AWS VPC.
4.2 Encryption
- In transit: All data transmitted between the App and our servers is encrypted using TLS 1.3, including both REST API and WebSocket connections.
- At rest: All stored data is encrypted using AES-256 encryption, including database records (DynamoDB), object storage (S3), and local device storage.
4.3 Access Controls
- Authentication is required for all access to clinical data.
- Session ownership validation ensures that only the physician who created a session can access its data.
- Administrative access to infrastructure is restricted and logged.
4.4 Local Device Security
- Clinical data stored locally on your device (for offline functionality) is encrypted using AES-256 encryption.
- Biometric authentication (Face ID, Touch ID, fingerprint) is available as an additional layer of device-level security.
- No patient data is stored in plaintext on the device.
5. Data Retention
| Data Type | Retention Period | Storage | Action at Expiry |
|---|---|---|---|
| Raw audio recordings | 24 hours | AWS S3 | Permanent deletion |
| Processing segments (transcripts, merged audio) | 30 days | AWS S3, AWS DynamoDB | Permanent deletion |
| Session metadata (clinical notes, billing codes, patient demographics) | 7 years | AWS DynamoDB, AWS S3 (Glacier) | Permanent deletion |
| Account information | Duration of account, plus 30 days after account closure | AWS DynamoDB | Permanent deletion |
| Crash logs and diagnostics | 90 days | AWS CloudWatch, AWS DynamoDB | Permanent deletion |
The 7-year retention period for clinical data aligns with HIPAA record retention requirements.
All data deletions at the end of their retention period are permanent and irreversible. Once the retention window expires, the data is automatically and completely removed from all storage systems, including backup tiers. There are no soft deletes, recycle bins, or recovery mechanisms after the stated retention period.
6. Data Sharing and Third Parties
6.1 We Do Not Sell Your Data
We do not sell, rent, or trade any personal information or patient data to third parties.
6.2 No Third-Party AI Processing of Patient Data
Speech-to-text transcription is performed by Groq Cloud, a third-party AI service provider, under a signed Business Associate Agreement (BAA) that requires equal or greater protection of protected health information. Audio recordings are transmitted to Groq encrypted in transit (TLS 1.3) solely for transcription and are not retained by Groq beyond the processing request. All other AI processing — clinical document generation and billing code extraction — occurs within AmpShift's private AWS VPC and is not sent to any third-party AI provider. You are asked to consent to this processing within the App before any audio is transmitted.
6.3 Limited Third-Party Services
We use the following third-party services in the operation of the App:
| Service | Provider | Purpose | Data Involved |
|---|---|---|---|
| Cloud infrastructure | Amazon Web Services (AWS) | Hosting, storage, compute | All data (encrypted, within private VPC) |
| Email delivery | AWS Simple Email Service (SES) | Delivering SOAP notes and billing reports to designated email addresses | Email addresses, clinical document content |
We have a Business Associate Agreement (BAA) with AWS to ensure HIPAA-compliant handling of protected health information.
6.4 Email Distribution
When you choose to distribute clinical documents via email, the SOAP note and/or billing report is sent to the email address(es) you designate (e.g., your own email, a billing department). This transmission occurs through AWS SES and is encrypted in transit.
6.5 Legal Requirements
We may disclose information if required to do so by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
7. HIPAA Compliance
AmpShift is designed and operated in compliance with the Health Insurance Portability and Accountability Act (HIPAA):
- We maintain a signed Business Associate Agreement (BAA) with AWS.
- The majority of PHI processing and storage occurs within our private AWS VPC. Speech-to-text transcription is performed by Groq Cloud under a signed Business Associate Agreement (BAA); audio transmitted to Groq is encrypted in transit (TLS 1.3) and is not retained by Groq beyond the transcription request. All other PHI — including stored clinical documents, session data, and account information — remains within AmpShift's private AWS infrastructure.
- PHI is encrypted both in transit (TLS 1.3) and at rest (AES-256).
- Access to PHI is logged and auditable.
- Data retention policies align with HIPAA requirements (minimum 7-year retention for clinical records).
- We implement the minimum necessary standard — only the data required for each function is accessed.
You, as the healthcare provider, are responsible for ensuring that your use of the App complies with your own organization's HIPAA policies and any applicable state regulations.
8. Your Rights and Choices
8.1 Access and Correction
You can view and edit your account information (name, phone number, specialty, email preferences) directly within the App's Settings screen. You can view and edit transcripts and clinical documents before finalizing them.
8.2 Data Deletion
You may delete your account and associated data directly in the App under Settings → Delete Account. Deletion is immediate, subject to the following regulatory retention requirements:
- Your account information will be deleted within 30 days.
- Active clinical session data will be deleted, subject to any applicable legal or regulatory retention requirements.
- Archived clinical data subject to HIPAA retention requirements may be retained for up to 7 years from the date of creation, after which it will be permanently deleted.
8.3 Biometric Authentication
Biometric authentication (Face ID, Touch ID, fingerprint) is optional. You can enable or disable it at any time in the App's Settings. Biometric data is processed entirely on your device by the operating system — we do not collect, store, or transmit your biometric data.
8.4 Email Distribution
You choose whether and to whom clinical documents are distributed via email. Email distribution is initiated by you on a per-session basis.
9. Children's Privacy
The AmpShift App is designed for use by licensed healthcare professionals. We do not knowingly collect personal information from anyone under the age of 18. If you believe that a child under 18 has provided us with personal information, please contact us at privacy@ampshift.ai and we will take steps to delete such information.
10. Data Security Incident Response
In the event of a data breach involving protected health information, we will:
- Investigate and contain the incident promptly.
- Notify affected users in accordance with HIPAA Breach Notification Rule requirements (within 60 days of discovery).
- Notify the U.S. Department of Health and Human Services as required.
- Take corrective actions to prevent recurrence.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Notify you through the App or via email.
- If required, obtain your consent before applying material changes to data already collected.
Your continued use of the Services after any changes to this Privacy Policy constitutes your acceptance of the updated policy.
12. California Privacy Rights
If you are a California resident, you have the right under the California Consumer Privacy Act (CCPA) to:
- Request disclosure of the categories and specific pieces of personal information we have collected.
- Request deletion of your personal information, subject to certain exceptions.
- Not be discriminated against for exercising your privacy rights.
Note: HIPAA-covered data is exempt from CCPA. However, we extend these rights to all users as a matter of good practice.
13. International Users
The Services are hosted and operated in the United States. If you access the Services from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Services, you consent to the transfer of your information to the United States.
14. Contact Us
If you have questions or concerns about this Privacy Policy, or wish to exercise any of your rights described above, please contact us:
AmpShift.ai Email: privacy@ampshift.ai Website: https://ampshift.ai
For HIPAA-related inquiries: Email: hipaa@ampshift.ai
This Privacy Policy is provided for informational purposes. AmpShift.ai recommends consulting with a qualified legal professional to ensure compliance with all applicable laws and regulations.