Privacy Policy
Last updated: March 12, 2026
1. Introduction
AI SIMP LLC ("Psynopsis," "we," "us," or "our") operates the Psynopsis psychiatric documentation platform, including the web application at app.psynopsis.ai, the marketing website at psynopsis.ai, and the Psynopsis AI Chrome Extension (collectively, "the Service").
This Privacy Policy explains how we collect, use, store, share, and safeguard your information when you use any part of the Service. By using the Service, you consent to the data practices described in this policy.
2. Chrome Extension Privacy Disclosures
Chrome Web Store Compliance
To comply with Chrome Web Store User Data Privacy policies, this section explicitly details the data lifecycle strictly for the Psynopsis AI Chrome Extension.
The Psynopsis AI Chrome Extension communicates exclusively with our secure backend (api.psynopsis.ai). It does not contain third-party SDKs, analytics libraries, or tracking scripts.
2.1 Data Collection
- Audio Data: The extension collects the audio stream from your active browser tab only when you explicitly initiate a recording session. It does not capture audio passively or in the background.
- Authentication Data (Cookies): The extension reads session cookies exclusively from our own domains (psynopsis.ai and app.psynopsis.ai) to verify your active login status.
- No Web Browsing Collection: The extension does not read, collect, or track visual webpage content, text, DOM elements, images, or your browsing history on any third-party sites or telehealth platforms.
2.2 Data Handling and Use
- Audio Handling: Captured audio is streamed securely via encrypted WebSocket (WSS) connections to generate real-time clinical transcripts. It is used strictly for the core function of clinical documentation.
- Authentication Handling: Session cookies and tokens are used strictly to authorize API requests between the extension and our backend.
- No Unrelated Use: Extension data is never used for advertising, building user profiles, or training AI models.
2.3 Data Storage
- Audio Storage: Audio is never stored. It is processed in real time by our secure transcription partner and immediately discarded.
- Local Extension Storage: The extension locally stores your authentication token, user UI preferences, and temporary transcript caches (chrome.storage.local and chrome.storage.session). Transcript caches are automatically purged after 15 minutes or when the browser closes.
2.4 Data Sharing and Third Parties
- Authorized Third-Party Sharing: Audio streams are securely routed through our backend to Deepgram (bound by a HIPAA Business Associate Agreement) for real-time speech-to-text processing. Transcript text is processed by Azure OpenAI (also bound by a HIPAA BAA) for clinical note generation.
- Prohibited Sharing: Data collected by the Chrome Extension is never sold, rented, or shared with third-party advertisers, data brokers, or information resellers.
2.5 Chrome Extension Permissions Justification
| Permission | Justification |
|---|---|
| tabCapture | Required to capture the audio stream from the active tab for transcription. Hardcoded to ignore all visual/textual page content. |
| activeTab | Accesses the currently active tab solely to initiate the authorized audio capture session. |
| storage | Stores authentication tokens and temporary, ephemeral transcript caches locally. |
| offscreen | Required by Chrome's Manifest V3 to process audio capture in the background without interrupting the user's active window. |
| contentSettings | Manages microphone access specifically for the extension's transcription functionality. |
| host_permissions | Scoped to api.psynopsis.ai and app.psynopsis.ai only. Used for API communication and reading the CSRF authentication cookie. Audio capture from telehealth tabs is handled by the tabCapture permission and does not require host access. |
| cookies | Required to read session cookies exclusively from psynopsis.ai domains to authenticate secure API requests. |
3. Web Platform & General Information Collection
Beyond the Chrome Extension, when you use the Psynopsis web platform, we collect:
- Account Information: Name, email, professional credentials, National Provider Identifier (NPI), and practice details.
- Clinical Documentation: Encrypted clinical notes and generated documentation.
- Usage Data: Standard log data, device/browser information, and anonymized analytics via Umami (no cross-site tracking).
- Billing Information: Processed securely by Stripe. We do not store credit card numbers.
- Platform Cookies: We use strictly necessary first-party cookies (session, refresh_token, csrf_token) to authenticate web app users. We do not use advertising or tracking cookies.
4. Data Sharing for the General Platform
To operate the broader platform, we utilize the following secure infrastructure partners. All partners handling Protected Health Information (PHI) are bound by strict HIPAA Business Associate Agreements (BAA):
| Service | Role | BAA |
|---|---|---|
| Deepgram | Real-time audio processing (no storage) | Yes |
| Azure OpenAI (Microsoft) | AI clinical note generation (no model training) | Yes |
| Aidbox (Health Samurai) | FHIR R4 clinical data storage | Yes |
| Azure Blob Storage (Microsoft) | Secure file storage (no PHI) | Yes |
| Azure Communication Services | Transactional email delivery | Yes |
| Stripe | Payment processing | N/A |
| RevenueCat | Subscription management and sync | N/A |
| Umami | Privacy-focused analytics (no PII) | N/A |
| Netlify | Web application and marketing site CDN | N/A |
We do not share your data with any parties other than those listed above, except as required by law (e.g., in response to a valid subpoena, court order, or government investigation).
We do not sell, rent, or trade your personal information or clinical data. We never use your data to serve personalized advertisements, build advertising profiles, or transfer data to data brokers or information resellers. Your clinical data, audio, and transcripts are never used to train AI models.
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you via email or prominent notice on the Service before any such transfer occurs.
5. Google API Limited Use Disclosure
Psynopsis AI's use of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.
Specifically, data obtained through Chrome APIs (including tab audio capture, storage, and active tab access) is:
- Not used for advertising — we do not use Chrome API data to serve ads, build advertising profiles, or target advertisements of any kind.
- Not transferred for advertising purposes — we do not transfer Chrome API data to any advertising platform, data broker, or information reseller.
- Not read by humans — except with your explicit consent, for security/fraud investigation, to comply with applicable law, or when aggregated and anonymized so that it cannot identify any individual.
- Used only for the extension's core purpose — real-time clinical transcription and documentation generation for licensed healthcare providers.
6. HIPAA Compliance and Business Associate Agreements
Psynopsis is designed to comply with the Health Insurance Portability and Accountability Act (HIPAA). We implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of protected health information (PHI).
- We offer Business Associate Agreements (BAA) to covered entities
- PHI is encrypted at rest (AES-256) and in transit (TLS 1.3)
- Access to PHI is logged and auditable
- We conduct regular security assessments
- Patient data is never used to train AI models
Clinical Data Governance
Clinical session data — including audio streams, transcripts, generated notes, and encounter records — is governed primarily by your Business Associate Agreement (BAA) with AI SIMP LLC, not solely by this Privacy Policy. The BAA defines data handling obligations, breach notification timelines, and security requirements for all PHI. If there is any conflict between this Privacy Policy and your BAA, the BAA controls for protected health information.
7. 42 CFR Part 2 Compliance
Psynopsis complies with 42 CFR Part 2, the federal regulation governing the confidentiality of substance use disorder patient records. Our platform maintains strict separation between psychotherapy notes and progress notes, with consent-based disclosure controls and a complete audit trail for all access to protected records.
8. Data Storage
This section describes where and how your data is stored across all parts of the Service.
8.1 Server-Side Storage
| Data Type | Where It Is Stored | Location |
|---|---|---|
| Clinical records (patients, encounters, notes, diagnoses) | Aidbox — a FHIR R4-compliant clinical data store | United States |
| Uploaded files (practice logos) | Azure Blob Storage | United States |
| Billing and payment information | Stripe (PCI-DSS compliant; we never store card numbers) | United States |
| Audio data | Not stored — processed in real time and immediately discarded | N/A |
All server-side data is stored on HIPAA-compliant cloud infrastructure within the United States. Data containing protected health information (PHI) is encrypted at rest using AES-256 and in transit using TLS 1.3.
8.2 Chrome Extension Local Storage
The Chrome extension stores limited, temporary data locally on your device using Chrome's built-in storage APIs (chrome.storage.local and chrome.storage.session). This data never leaves your browser except when transmitted to Psynopsis servers at api.psynopsis.ai. See Section 2.3 for full details.
8.3 Web Application Local Storage
The web application stores your subscription status in browser localStorage for performance. Authentication is handled via httpOnly cookies (described in Section 3). No clinical data is stored in the browser.
9. Data Security
| | |
|---|---|
| Encryption at rest | AES-256 |
| Encryption in transit | TLS 1.3 (HTTPS for REST APIs, WSS for WebSocket audio streaming) |
| Audio storage | None — processed in real-time, never stored |
| Data residency | United States (HIPAA-compliant cloud infrastructure) |
| Access controls | Role-based with complete audit trail |
| AI training | Patient data is never used to train AI models |
| Incident response | Documented breach notification process per HIPAA requirements |
10. Data Retention and Deletion
We retain your data only for as long as necessary to provide the Service or as required by law. You may request deletion of your data at any time.
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Account information | Duration of account + 30 days after deletion request | Permanent deletion from all systems |
| Clinical notes and transcripts | Duration of account (or as required by state medical records law) | Permanent deletion or anonymization on request |
| Audio data | Zero — never stored | N/A (discarded immediately after transcription) |
| Chrome extension cache (transcripts, decision support) | 15 minutes (automatic TTL expiry) | Automatic purge; also cleared on new recording start |
| Chrome extension session storage | Until browser close | Automatic browser session expiry |
| Session cookies | Until logout or browser close | Cleared on logout event |
| Billing records | 7 years (legal requirement) | Retained per legal obligation; not associated with PHI |
| Audit logs | 6 years (HIPAA requirement) | Retained per regulatory requirement |
| Analytics data | 90 days (anonymized) | Rolling deletion — no personal identifiers involved |
11. Your Rights
You have the right to:
- Access your personal data and clinical documentation
- Correct inaccurate information in your account
- Delete your account and all associated data
- Export your clinical documentation in standard formats
- Opt out of marketing communications
- Withdraw consent for data processing at any time
To exercise any of these rights, contact us at privacy@psynopsis.ai.
12. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect and how it is used, the right to request deletion, and the right to non-discrimination for exercising your privacy rights. We do not sell personal information to third parties.
13. Children's Privacy
The Service is intended for use by licensed healthcare providers and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last updated" date at the top of this page indicates the most recent revision. Continued use of the Service after changes constitutes acceptance of the revised policy.
15. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
AI SIMP LLC
Chandler, AZ
Privacy inquiries: privacy@psynopsis.ai
Compliance inquiries: compliance@psynopsis.ai
General support: support@psynopsis.ai