Privacy Policy

Last updated: December 16, 2025

At shiftlog ("we", "us", or "our"), we take your privacy and the security of your patients' Protected Health Information (PHI) seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our medical transcription platform and related services.

1. Healthcare Compliance

shiftlog is designed to be fully compliant with major healthcare data protection regulations, including:

  • HIPAA (United States): We implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic Protected Health Information (ePHI).
  • PIPEDA (Canada): We adhere to the Personal Information Protection and Electronic Documents Act for the collection, use, and disclosure of personal information in the course of commercial activities.
  • Law 25 (Quebec): We comply with the Act to modernize legislative provisions as regards the protection of personal information, including mandatory breach reporting and governance policies.

2. Data Residency and Sovereignty

All data is stored and processed exclusively in Canada.

We utilize Amazon Web Services (AWS) data centers located in the Canada (Central) Region in Montreal, Quebec. Your data, including all PHI and audio recordings, never leaves Canadian jurisdiction.

3. Information We Collect

a. Account Information

We collect your name, email address, professional credentials, and hospital affiliation when you register for an account.

b. Audio Recordings and Transcripts

When you use our services, we process audio recordings of patient encounters and generate text transcripts. These recordings and transcripts constitute PHI/PII and are treated with the highest level of security.

c. Usage Data

We collect anonymized technical data about your device, browser, and how you interact with our application to improve system performance and reliability.

4. How We Use Your Information

We use the collected information for the following purposes:

  • Providing medical transcription services.
  • Authenticating your identity and preventing unauthorized access.
  • Generating billing reports for RAMQ or other insurance providers (where applicable).
  • Improving the accuracy of our AI models (only using de-identified data).

5. Data Security

We employ industry-leading security measures to protect your data:

  • Encryption at Rest: All data stored in our databases and object storage is encrypted using AES-256 standards.
  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3.
  • Access Controls: We use strict Role-Based Access Control (RBAC) to limit access to data on a "need-to-know" basis.
  • Audit Logs: We maintain detailed logs of all access and modifications to PHI.

6. Data Retention

a. Audio Recordings

Zero retention. Audio is processed transiently in memory and immediately discarded after transcription. We do not store audio recordings—ever. Our speech-to-text provider also maintains a zero data retention policy.

b. Notes and Transcripts

Configurable short-term retention. You control how long notes remain on our servers before automatic permanent deletion. Default retention periods range from 48 hours to 7 days.

c. Account Data

Retained while your account is active. You may request deletion of your account and all associated data at any time.

7. Business Associate Agreements

We maintain signed Business Associate Agreements (BAAs) with all vendors in our technology stack who may process PHI. This ensures HIPAA-compliant handling from end to end—cloud infrastructure, speech-to-text, and AI services.

8. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact our Privacy Officer at:

privacy@shiftlog.io