Privacy Policy
Last updated: April 18, 2026
CentaurMD ("CentaurMD", "we", "us") provides the CentaurMD website at centaurmd.ca (the "Website") and the clinical software, including transcription, documentation, clinical query, attachment, and workflow tools, made available through CentaurMD (the "Application"). Together, the Website and Application are the "Service."
This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information relating to Website visitors and practitioner users, and how CentaurMD processes patient personal information and personal health information ("PHI") through the Application.
If you are a patient whose healthcare provider uses CentaurMD, your provider or organization generally controls the clinical record and should usually be your first point of contact for questions about your information, recording, consent, or corrections.
Scope and roles
CentaurMD is designed for use by healthcare practitioners and healthcare organizations. This policy applies to Website visitors, practitioner users, and patient information processed through the Application.
CentaurMD handles Website, account, subscription, billing, and support information for its own business and operational purposes. For patient PHI processed through the Application, CentaurMD generally acts on behalf of the practitioner or organization that controls the record.
In Alberta, many physicians and other regulated health service providers are custodians under the Health Information Act ("HIA"). When CentaurMD processes PHI for an Alberta custodian under a service arrangement, CentaurMD is intended to act as an "information manager" within the meaning of the HIA, subject to applicable agreements and law.
Users are responsible for determining their own legal role and responsibilities in their practice setting, including whether they act as a custodian, affiliate, clinic operator, or other organization under applicable law.
Consent and authority
By using the Service to process patient information, healthcare practitioners and organizations represent that they:
- have the legal authority to collect, use, disclose, upload, record, or otherwise direct CentaurMD to process the information;
- have obtained any patient consent or authorization, or provided any notice, required by applicable law, clinic policy, contract, or professional standards, including for recording or AI-supported documentation where required; and
- are complying with applicable professional and regulatory requirements, including any required privacy impact assessments, information-manager agreements, and internal approvals.
Patients should direct questions about consent, recording, access, or correction of clinical information to their healthcare provider or organization.
What information we collect
Website and browser data. We may collect IP address, device identifiers, browser and operating-system information, pages viewed, referral source, and general interaction data. We may also use cookies, analytics tags, session identifiers, local storage, and similar technologies on the Website and public-facing pages.
Account and business data. For practitioner users, we may collect name, email address, clinic or organization details, username or login identifiers, authentication events, subscription and billing status, support history, and communications with us. Payment card details are generally handled by our payment processor rather than stored directly by CentaurMD, although we may receive limited billing metadata such as customer, subscription, and transaction status information.
Application and workflow data. Depending on feature use, the Application may process transcripts, prompts, generated outputs, forms, templates, attachments, referral content, billing content, and related workflow metadata.
Patient information and PHI. The Application processes the information that practitioners or their authorized staff input, upload, paste, dictate, record, or otherwise direct CentaurMD to handle. This may include patient identifiers, demographic information, clinical notes, EMR excerpts, audio recordings, transcripts, attachments, forms, referral content, billing-related content, and other personal information or PHI. If a visit is recorded, the audio may include both the patient's voice and the clinician's voice.
Local device and browser storage. Depending on configuration and feature use, limited workflow data such as settings, drafts, transcript text, EMR background text, crash-recovery data, or other temporary state may be stored locally in the user's browser or device to support continuity and recovery.
Application boundaries. CentaurMD does not automatically pull information from an electronic medical record unless a practitioner expressly initiates or authorizes an integration, paste, upload, or similar workflow.
How we use information
Service delivery. We use information to operate the Service, authenticate users, manage accounts, process transcription and documentation workflows, generate requested outputs, support clinical query and workflow features, and provide customer support.
Operations. We use information for billing, subscription administration, communications, security monitoring, troubleshooting, abuse prevention, incident response, internal recordkeeping, and service administration.
Product improvement. Where permitted by applicable law, our agreements, and the context in which the data was collected, we may analyze service activity, workflow metadata, and error information to improve product quality, performance, reliability, and future features. Wherever feasible, this work should rely on de-identified, aggregated, minimized, redacted, synthetic, or otherwise lawfully permitted information.
We do not sell personal information or PHI.
Artificial intelligence processing
CentaurMD uses internal systems and third-party providers to support features such as speech-to-text transcription, note drafting, clinical query assistance, attachment extraction, and other clinician-support workflows. Those providers process information only as needed to deliver the requested services, subject to contractual, technical, and organizational controls.
CentaurMD does not use PHI to train general-purpose AI models unless that use is lawfully authorized, contractually permitted, and subject to appropriate safeguards.
Who we share information with
We may share information with service providers that help us operate the Website or Application, including providers that support hosting and cloud infrastructure, AI and speech services, identity and authentication, communications, payment processing, analytics where enabled, security monitoring, and similar operational functions.
We may also disclose information where required by law, court order, subpoena, regulatory demand, or where reasonably necessary to investigate misuse, protect rights, prevent harm, preserve system integrity, or complete a merger, financing, reorganization, acquisition, or sale of all or part of our business. In those circumstances, we will use reasonable efforts to ensure the information continues to be protected in a manner consistent with applicable law and this Privacy Policy.
How long we keep information
We retain information only as long as reasonably necessary for service delivery, security, troubleshooting, support, legal compliance, dispute resolution, and other legitimate operational purposes. Retention may vary by information type, feature, customer configuration, and legal context.
PHI retention obligations are primarily determined by the custodian, the healthcare organization, and applicable professional or legal requirements. CentaurMD is not a substitute for the practitioner's own record-retention obligations in their EMR, chart, or local systems.
Temporary operational data, such as active transcription audio, session attachments, cached workflow state, browser-based recovery data, or similar intermediate artifacts, may be retained briefly for processing, continuity, troubleshooting, error recovery, abuse prevention, or support, then deleted or overwritten in the ordinary course based on the relevant workflow and configuration.
Alberta and Canadian privacy context
CentaurMD is designed for healthcare use in Alberta and Canada. If the Service is used to process health information in Alberta, the HIA may govern the collection, use, disclosure, safeguarding, and handling of that information. Outside health-information rules, personal information may also be subject to Alberta's Personal Information Protection Act ("PIPA") and, in some circumstances, federal privacy law such as the Personal Information Protection and Electronic Documents Act ("PIPEDA").
Healthcare practitioners and organizations remain responsible for determining whether and how CentaurMD may be used in their practice setting, including any required patient notices or consents, clinic policies, privacy impact assessments, information-manager agreements, professional-college requirements, and other governance steps. Alberta OIPC guidance states that custodians must submit a privacy impact assessment for the implementation and use of AI scribe tools.
Data residency and cross-border processing
Depending on deployment choices, workflow configuration, and service-provider setup, information processed through CentaurMD may be stored or processed in Canada, the United States, or both. If information is processed outside Canada, it becomes subject to the laws of that jurisdiction, which may permit access by courts, law enforcement, regulators, or other authorities in accordance with local law.
If your organization has Alberta-specific outsourcing, data-residency, or cross-border requirements, you are responsible for confirming that the approved CentaurMD configuration is suitable for your legal and governance obligations before using the Service with that data.
Safeguards and accuracy
We implement administrative, technical, and physical safeguards designed to protect information against unauthorized access, use, disclosure, modification, destruction, or loss. These measures may include encryption in transit, authentication, access controls, vendor due diligence, logging and monitoring, backup protections, and other security practices appropriate to the data and environment.
We rely on users and account holders to provide accurate, current information and to correct errors when identified. Even with reasonable safeguards, no system can guarantee absolute security. Users remain responsible for protecting information they download, export, print, or store locally, including any browser or device-level storage under their control.
If a privacy or security incident occurs, we will respond in accordance with applicable law, our agreements, and our internal procedures. Under the HIA, the custodian remains responsible for risk-of-harm assessments and required breach notifications where that law applies.
Third-party links
The Website or Application may contain links to third-party websites, documents, or services. Those third parties have their own privacy practices, and CentaurMD is not responsible for how they collect, use, disclose, or safeguard information. You should review their privacy terms before providing information to them.
Your rights
Subject to applicable law and appropriate verification, individuals may have the right to request access to personal information we hold about them, request corrections, ask questions about our handling practices, or raise a complaint. The rights available depend on the nature of the information and the law that applies.
If you are a patient seeking access to, correction of, or information about clinical records or PHI, you should generally contact the clinic, physician, or other healthcare organization that controls the record rather than CentaurMD. If you contact us directly, we may refer you back to the relevant healthcare practitioner or organization.
Cookies and marketing
We may use cookies, analytics, local storage, and similar technologies to understand Website usage, improve performance, maintain session continuity, remember settings, and support communications or marketing. When analytics is enabled for public-facing pages, this may include technologies such as Google Tag Manager or Google Analytics 4.
If you choose to receive marketing or promotional communications from CentaurMD, you can opt out at any time by using the unsubscribe feature in the message or by contacting us directly. Our separate Cookies Notice explains browser-based technologies in more detail.
Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we may post a revised version on the Website or Application, update the date above, or provide another form of notice where appropriate.
Contact
Privacy inquiries, access requests, or complaints may be directed to: support@centaurmd.ca
We will respond in accordance with applicable legal timelines. If concerns remain unresolved, you may contact the Office of the Information and Privacy Commissioner of Alberta (OIPC) or another regulator or professional body that applies to your situation.