Privacy Policy for Speech Metrics

This means:

• All data, including client information, audio recordings of therapy sessions and metadata (collectively "Session Data") are encrypted directly on the Provider's device before they are transmitted or stored.
• The cryptographic keys required to decrypt this Session Data are held exclusively by the authorized users (the Provider and, if applicable, the Client) and are never shared with or accessible by Speech Metrics.
• As a result, we cannot listen to, view, or otherwise access the content of any therapy session. We process your Session Data as an opaque, unreadable, and securely sealed container of information.

When a Provider registers for and uses the Service, we collect information necessary to establish and maintain a professional account. This includes:

• Account Information: Your full name, email address, and a secure password.
• Professional Verification Information: Your professional license number or other credentials, which we use solely to verify your status as a qualified healthcare provider.
• Payment Information: Your billing address and payment card details. This information is processed directly by our secure third-party payment processor (e.g., Stripe) and is not stored on our servers.
• Communications: If you contact us for customer support or other inquiries, we will collect the content of those communications, including your name, email address, and any other information you choose to provide.

When a Provider uses the Service to record a therapy session, the primary data generated is the Encrypted Session Data. This category includes:

• Encrypted Audio Recording: The audio file of the therapy session, which is immediately encrypted on the recording device.
• Encrypted Metadata: Associated information such as the date, time, and duration of the session, which is also encrypted alongside the audio.

To reinforce our "Zero-Knowledge" promise, we explicitly state that we do not engage in the following activities:

• We do not listen to, transcribe, or analyze the content of your audio recordings.
• We do not access or process any Client health information contained within Session Data.
• We do not share the content of your sessions with any third parties.
• We do not use the content of your sessions for advertising, marketing, or any other purpose.

To ensure the proper functioning, security, and improvement of our Service, we automatically collect a limited amount of technical information. This data is essential for troubleshooting, preventing fraudulent activity, and understanding how our Service is used to enhance user experience. This category includes:

• Device Information: The type of device you are using, its operating system version, and unique device identifiers.
• Usage Analytics: Information about how you interact with the Service, such as the features you use, session start and end times (but not the content), button clicks, and performance metrics.
• Log Data: When you use our Service, our servers automatically record information, which may include your Internet Protocol (IP) address, the date and time of your requests, and data related to application crashes or errors.

For individuals in the European Economic Area (EEA), the United Kingdom (UK), and Switzerland, we process personal data based on the following lawful bases as defined under the General Data Protection Regulation (GDPR):

• Performance of a Contract: We process Provider Account Information, Payment Information, and Encrypted Session Data because it is necessary to perform the service contract we have with our Providers. This includes creating their account and providing the core recording, storage, and transmission features they have subscribed to.
• Legitimate Interests: We process Usage and Device Data and Log Data based on our legitimate interest in maintaining a secure, functional, and reliable Service. We also rely on legitimate interests to communicate with Providers about important service updates. We have balanced these interests against your data protection rights and have concluded that our processing is necessary and does not override your fundamental rights and freedoms.
• Consent: For any processing activities that are not essential for service delivery, such as non-essential analytics cookies or marketing communications, we will rely on your explicit consent.
• Processing on Behalf of a Controller: For the Encrypted Session Data, which contains "special categories of personal data" (i.e., data concerning health) under Article 9 of the GDPR, we act as a Data Processor. The Provider is the Data Controller. The Provider is responsible for establishing a lawful basis for processing this sensitive data, which will typically be the explicit consent of the Client. Our policy requires Providers to certify that they have obtained all necessary consents from their Clients before using our Service to record sessions.

We do not sell your personal information. We limit the sharing of your information to the specific circumstances described below:

• Third-Party Service Providers (Sub-processors): We engage a limited number of third-party companies to perform functions on our behalf. These include:
  • Cloud Hosting Providers (e.g., Amazon Web Services, Microsoft Azure): These providers store the Encrypted Session Data. They are contractually and technically prevented from accessing the content of this data.
  • Payment Processors (e.g., Stripe): These providers handle payment card information to process subscriptions.
  • Analytics Services (e.g., Google Analytics): These services help us understand service usage.
• Legal Requirements: We may disclose your information if we are required to do so by law, or if we believe in good faith that such disclosure is necessary to comply with a legal obligation, such as a court order or subpoena. In such a scenario, it is important to note that for Encrypted Session Data, we can only provide the encrypted, unreadable data file, as we do not possess the keys to decrypt it.
• Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.

We have vetted these providers and have data processing agreements in place that require them to maintain the confidentiality and security of the data they process on our behalf. They are only permitted to process data for the specific purposes for which we engage them.

1. Encryption: When a session is recorded, the audio data is immediately scrambled on the Provider's device into an unreadable format called ciphertext, using a strong encryption algorithm like AES-256.
2. Transmission: This encrypted ciphertext is transmitted to our servers for storage. At no point during this transmission can anyone—including us, our hosting provider, or any third party—read the data.
3. Decryption: The data remains encrypted while stored on our servers. It can only be decrypted and turned back into readable audio on a device that possesses the correct decryption key—namely, the Provider's authorized device(s).

We retain different categories of data for different periods, guided by the principle of storing data only for as long as is necessary.

• Provider Account Data: We retain this information for as long as the Provider's account remains active. After an account is closed, we may retain some information for a limited period to comply with legal, financial, and tax obligations.
• Encrypted Session Data: As the Data Controller and Covered Entity, the Provider is responsible for determining the retention period for this data. Healthcare record retention requirements vary by jurisdiction and professional guidelines (e.g., HIPAA requires records to be kept for a minimum of six years). Our Service provides Providers with the tools to manage and delete their Encrypted Session Data in accordance with their own legal and professional obligations. We retain this data solely at the direction of the Provider.
• Usage and Device Data: We retain this data for a limited period, typically 18-24 months, as needed for security, analytics, and service improvement purposes. After this period, the data is either deleted or anonymized.

The privacy of individuals in Australia is protected by the federal Privacy Act 1988 and the Australian Privacy Principles (APPs) contained within it.

• Applicability: The Privacy Act applies to Australian Government agencies, private sector organizations with an annual turnover of more than AUD 3 million, and all health service providers.
• Personal and Sensitive Information: The Act defines "personal information" as information or an opinion about an identifiable individual. It provides special protection for "sensitive information," which includes health information, genetic data, and racial or ethnic origin.

The 13 APPs set out the standards for the handling of personal information. Our practices are aligned with these principles.

• APP 1 - Open and Transparent Management: We are committed to managing your personal information transparently. This Privacy Policy is designed to be clear and up-to-date, explaining the kinds of information we collect, how we handle it, and for what purposes. It also details how you can access your data, make corrections, or file a complaint.
• APP 2 - Anonymity and Pseudonymity: You have the right to deal with us anonymously or by using a pseudonym where it is lawful and practicable to do so.
• APP 3 - Collection of Solicited Personal Information: We only collect personal information that is reasonably necessary for our functions. We will not collect sensitive information (including health information) about you without your consent, unless an exception applies.
• APP 5 - Notification of Collection: At or before the time we collect your personal information, we will notify you of the purposes of collection, who we might disclose it to, and other relevant details as outlined in this policy.
• APP 6 - Use or Disclosure: We will only use or disclose your personal information for the primary purpose for which it was collected, unless you have consented to a secondary use or disclosure, or another exception applies.
• APP 7 - Direct Marketing: We will not use your sensitive information for direct marketing without your explicit consent. For all direct marketing, we will provide a simple way for you to opt out.
• APP 12 & 13 - Access and Correction: You have the right to request access to the personal information we hold about you and to request that we correct any information that is inaccurate, out-of-date, or incomplete.

Under the Privacy Act, you have the right to:

• Know why your personal information is being collected and how it will be used.
• Access and correct your personal information.
• Remain anonymous or use a pseudonym in certain situations.
• Opt out of receiving direct marketing communications.

Several Canadian provinces have their own private-sector privacy laws that have been deemed "substantially similar" to PIPEDA. For activities conducted wholly within these provinces, the provincial law applies.

• Quebec: An Act to modernize legislative provisions as regards the protection of personal information (Law 25, formerly Bill 64) Law 25 significantly modernizes Quebec's privacy framework, introducing stricter requirements. Key provisions include:
  • Enhanced Consent: Consent must be clear, granular, and requested separately for each specific purpose. Express consent is required for sensitive personal information, and parental consent is needed for minors under 14.
  • Privacy Impact Assessments (PIAs): We are required to conduct PIAs for certain activities, including before transferring personal information outside of Quebec, to ensure the data receives adequate protection.
  • Expanded User Rights: Law 25 grants you rights similar to the GDPR, including the right to data portability (effective September 2024) and the right to request the de-indexation of your information (a "right to be forgotten").
  • Privacy by Default: Technological products and services must be configured to provide the highest level of privacy by default.
  • Breach Reporting: We must report any confidentiality incident that presents a "risk of serious injury" to the Commission d'accès à l'information (CAI) and affected individuals.
• Alberta: Personal Information Protection Act (PIPA) Alberta's PIPA governs how private sector organizations in the province handle personal information.
  • Applicability: PIPA applies to provincially regulated organizations in Alberta. Personal health information is primarily protected under a separate law, the Health Information Act.
  • Your Rights: You have the right to know why your data is being collected, expect it to be handled reasonably, and to access and request corrections to your personal information.
  • Consent: Organizations must obtain your explicit consent before collecting, using, or disclosing your personal information.
• British Columbia: Personal Information Protection Act (PIPA) BC's PIPA sets the rules for how private sector and non-profit organizations in the province manage personal data.
  • Applicability: PIPA applies to most private organizations in BC. Health-specific records are also covered by the E-Health (Personal Health Information Access and Protection of Privacy) Act.
  • Personal Information: The law defines personal information broadly to include name, address, medical information, and employment history.
  • Your Rights: You have the right to know why your information is being collected, expect it to be used reasonably, access it, and request corrections.
• Ontario: Personal Health Information Protection Act (PHIPA) For users in Ontario, the collection, use, and disclosure of personal health information is specifically governed by PHIPA. This law applies to "health information custodians," such as healthcare providers, and is considered substantially similar to PIPEDA for health data.

You have the following rights with respect to your personal data:

• The Right of Access: You have the right to request a copy of the personal data we hold about you.
• The Right to Rectification: You have the right to request that we correct any inaccurate or incomplete personal data.
• The Right to Erasure ('Right to be Forgotten'): You have the right to request the deletion of your personal data where there is no compelling reason for its continued processing.
• The Right to Restrict Processing: You have the right to request that we suspend the processing of your personal data in certain circumstances.
• The Right to Data Portability: You have the right to receive your personal data in a structured, machine-readable format and to have it transmitted to another controller.
• The Right to Object: You have the right to object to our processing of your personal data where we are relying on a legitimate interest as our legal basis.
• Rights in Relation to Automated Decision-Making and Profiling: You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you. We do not engage in such processing.

You have the following rights concerning your PHI. To exercise these rights, you must contact your Provider directly.

• Right to Inspect and Copy: You have the right to inspect and obtain a copy of your PHI.
• Right to Amend: If you believe that PHI your Provider has about you is incorrect or incomplete, you may ask them to amend the information.
• Right to an Accounting of Disclosures: You have the right to request a list of the disclosures your Provider has made of your PHI for purposes other than treatment, payment, and healthcare operations.
• Right to Request Restrictions: You have the right to request a restriction or limitation on the PHI your Provider uses or discloses about you.
• Right to Request Confidential Communications: You have the right to request that your Provider communicate with you about medical matters in a certain way or at a certain location.