Shifaa AI
Legal

Privacy Policy

This policy explains what data Shifaa AI handles, how we use and protect it, and the choices you have. We aim to describe this in plain language.

Last updated: June 12, 2026

Template notice. This page is a clear, good-faith starting point describing how Shifaa AI works. It is not legal advice and should be reviewed by qualified counsel before launch. Some specifics (entity name, jurisdiction, contact details) are marked for completion.

1. Who we are

Shifaa AI (“Shifaa”, “we”, “us”) provides a mobile AI clinical assistant for doctors and clinic teams. The data controller is {{LEGAL_ENTITY_NAME}}, {{REGISTERED_ADDRESS}}. For privacy questions, contact {{PRIVACY_CONTACT_EMAIL}}.

2. Data we handle

  • Account data — name, email, role and clinic association for the people who use the app.
  • Clinic and patient data — patient records, vitals, notes, prescriptions and related clinical information that clinicians enter or generate in the app. The clinic is the controller of this patient data; Shifaa processes it on the clinic’s behalf.
  • Voice and AI inputs — audio you record for the scribe and the context sent to AI features.
  • Usage and device data — app interactions, AI usage and basic device information needed to operate and secure the service.

3. How we use data

We use data to provide the app’s features (documentation, queue, decision support, prescriptions and records), to keep the service secure, to support you, and to improve reliability. We do not sell personal or patient data.

4. AI sub-processors

AI features are delivered using third-party model providers as sub-processors, disclosed openly:

  • OpenAI — speech-to-text transcription (Whisper) for the voice-to-SOAP scribe.
  • Anthropic — drafting and clinical decision-support generation (Claude).

These providers process the relevant inputs only to deliver the feature you invoke. {{Confirm sub-processor data-retention and training terms before launch.}}

5. How we protect data

  • Sensitive on-device data is encrypted at rest with AES-256.
  • Every action, including PHI access and export, is recorded in an append-only audit log designed around HIPAA §164.312(b) principles.
  • Each clinic is strictly isolated; one workspace cannot access another’s data.
  • Accounts are hardened with hashed credentials, rotating SHA-256-stored refresh tokens, rate-limiting and OTP verification.

We describe our posture as “built around HIPAA security principles.” We do not claim a certification we do not hold.

6. Data retention

We retain data for as long as an account or clinic is active and as needed to provide the service, then delete or anonymise it within a reasonable period. {{Specify retention periods per data category.}}

7. Your rights and choices

Depending on your jurisdiction, you may have rights to access, correct, export or delete personal data, and to object to or restrict certain processing. The AI features can be disabled entirely with the in-app AI kill-switch. To exercise rights, contact {{PRIVACY_CONTACT_EMAIL}}.

8. International processing

Shifaa serves clinics worldwide, and data may be processed in countries other than your own, including by our sub-processors. {{Confirm processing locations and transfer safeguards.}}

9. Changes to this policy

We may update this policy as the product evolves. Material changes will be reflected here with an updated date.

10. Contact

Questions about privacy? Email {{PRIVACY_CONTACT_EMAIL}} or use our contact page.