Privacy Policy

Dawn Health Intelligence, Inc.

1. Who we are

This Privacy Policy describes how Dawn Health Intelligence, Inc. (“Dawn,” “we,” or “us”) processes Personal Data in connection with the Dawn mobile and web applications and related services (the “Service”). Dawn is the controller of the Personal Data described below. Contact: support@dawnhealth.ai.

When physicians and clinics use the Service to document patient care, Dawn processes Protected Health Information (PHI) on their behalf as a service provider. Physicians and clinics are the covered entities or equivalent data controllers responsible for the PHI they submit to the Service.

2. Categories of data we process

  • Account data: Full name, email address, hashed password (when applicable), phone number, specialty, practice name, OAuth identifiers (Google ID, Apple ID), role, preferences.
  • Authentication data: Hashed refresh tokens, one-time passcodes, device identifiers, IP address, session metadata.
  • Clinical content (PHI): Audio recordings you capture, transcripts derived from those recordings, clinical notes (structured and free-text), visit summaries, encounter analyses (differential diagnoses, ICD-10 code suggestions, E&M billing code suggestions, red flags, research paper references), note revision history, and patient records you enter (name, date of birth, sex, contact details, allergies, conditions, medications, medical history, insurance, clinical attachments).
  • Billing data: Subscription plan, Stripe customer and subscription identifiers, invoice and payment identifiers, and metered usage. Dawn does not receive or store payment card details; those are handled directly by Stripe.
  • Technical and audit data: Device type and operating system, application version, IP address, user-agent, screen views, feature events, crash reports (with PHI redacted before transmission), and tamper-evident audit logs of access to PHI.

3. How we use data

We do not sell Personal Data. We do not use PHI for marketing or for training third-party AI models.

  • Provide and secure the Service, including authentication, recording, transcription, AI-assisted note generation, encounter analysis, and subscription management.
  • Send transactional communications, including one-time passcodes and account notices.
  • Prevent fraud, abuse, and security incidents, and enforce our Terms.
  • Comply with legal obligations, including retention of audit logs for healthcare recordkeeping.

4. Third-party processors

We engage the following sub-processors to provide the Service. Each is bound by a written data-processing agreement. Each receives only the data necessary for its function.

  • Soniox, Inc. (United States): Receives audio recordings and returns transcripts. Used solely for speech-to-text processing.
  • Microsoft Corporation (United States and European Union): Provides Azure OpenAI Service (generation of clinical notes, summaries, encounter analyses, and coding suggestions from transcripts and clinical content); Azure Blob Storage (storage of recordings and attachments); Azure Database for PostgreSQL (primary data store); Azure Cache for Redis (session and rate-limit state); and Azure Communication Services (delivery of one-time passcode emails). Under Microsoft's Product Terms, prompts and completions processed through Azure OpenAI are not used to train Microsoft or third-party foundation models.
  • Stripe, Inc. (United States): Processes subscription payments and stores payment instruments. Dawn shares only the information necessary to bill your subscription.
  • Google LLC and Apple Inc. (United States): Provide sign-in when you choose Google or Apple authentication. Dawn receives the identifiers and verified email addresses necessary to create or link your account.
  • Google LLC – Firebase (United States): Provides product analytics and crash reporting for the mobile application. Analytics events contain no patient identifiers, and crash reports are redacted to remove emails, tokens, file paths, and other sensitive values before transmission.
  • U.S. National Library of Medicine (United States): Receives de-identified medical concept queries (for example, ICD-10 codes and symptom terms) to retrieve ICD-10, UMLS, and PubMed reference data. No PHI is sent.

5. International transfers

The Service is operated from infrastructure located in the United States and the European Union. If you access the Service from another jurisdiction, Personal Data will be transferred to those locations. Where required by applicable law, we rely on Standard Contractual Clauses or equivalent safeguards.

6. Retention

  • Clinical content (recordings, transcripts, notes, analyses, attachments, patient records) is retained until you or your clinic delete it, and is then purged from our systems and from Azure Blob Storage within seven years of deletion, consistent with medical recordkeeping obligations.
  • Audit logs are retained for six years in accordance with 45 C.F.R. § 164.530(j).
  • Authentication data is retained only as long as needed for the session or token (one-time passcodes expire in ten minutes; refresh tokens expire within seven days by default).
  • Billing records are retained for the period required by tax and commercial law.

7. Security

We protect data with TLS in transit, encryption at rest provided by our cloud infrastructure, access controls, audit logging with a tamper-evident hash chain, short-lived access tokens tied to your account with server-side session revocation on logout, password change, or administrative action, and device-level screen lock (handled by your iOS or Android device) to protect your app session when the device is unattended. Mobile clients detect rooted or jailbroken devices and redact sensitive values from logs. No system is perfectly secure; you are responsible for safeguarding your credentials and devices.

8. Your rights

Subject to applicable law, you may request access to, correction of, or deletion of your Personal Data, and you may withdraw consent where processing is based on consent. You can initiate account deletion from within the application; deletion requires verification by one-time passcode and cascades to your clinical content. Patients whose PHI is submitted by a physician or clinic should direct rights requests to that physician or clinic.

You may contact us at support@dawnhealth.ai to exercise any of these rights. If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right to lodge a complaint with your local supervisory authority.

9. AI processing consent

Before we send audio or clinical content to Soniox or Azure OpenAI, the application presents an in-product disclosure and requests your consent. You can withdraw that consent at any time in the application's settings. Withdrawal takes effect prospectively and does not affect data already processed.

10. Children

The Service is intended for licensed physicians, clinics, and the adult members of their workforce. It is not directed to children, and we do not knowingly collect Personal Data from children. PHI about pediatric patients may be submitted by physicians in the ordinary course of care; that processing is governed by the physician's or clinic's privacy notice.

11. Changes

We may update this Privacy Policy from time to time. Material changes will be notified through the Service or by email. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

12. Contact

Dawn Health Intelligence, Inc.

Email: support@dawnhealth.ai