Privacy Policy

Sylora, Inc. (“Sylora,” “we,” “us,” or “our”) is committed to protecting the privacy of our customers and their patients. This Privacy Policy describes how Sylora collects, uses, and discloses information through our voice-first, real-time AI scribing platform for musculoskeletal specialists (the “Service”).

We may collect various types of personal information when you interact with Sylora, including:

• Account and Contact Information: When clinic personnel register or contact us, we collect identifiers such as names, job titles, business contact information (email address, phone number), and login credentials.
• Patient Data (Protected Health Information): In providing our scribing Service to healthcare providers, we receive and process patients' health information (e.g. medical history, diagnoses, treatment notes) that may identify a patient. This information, when provided to us by a healthcare provider customer, is Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (“HIPAA”).
• Usage Data: We collect data about how users access and use our Service or website, such as device information, IP address, and actions taken in the application (e.g. voice recordings or transcripts created).
• Cookies and Website Data: Our public website may use cookies or similar technologies to enhance user experience. We do not use cookies to collect PHI.

Sylora uses the collected information for the following purposes:

• Providing and Improving the Service: We use personal information and PHI to operate the AI scribing platform, transcribe and document patient encounters as requested by our customers, and improve the accuracy and features of our Service.
• Compliance with Instructions and Law: When we handle PHI as a Business Associate to our healthcare provider customers, we use and disclose PHI only as permitted by our agreements or as required by law.
• Service Communications: We use contact information to send administrative communications, such as updates about our terms or privacy practices, security or support notices, and information about new features.
• Analytics and Product Development: We may use usage data and de-identified information to analyze trends and to develop and improve our products.
• Legal and Security: We may use information as necessary to enforce our Terms of Service, to prevent fraud or malicious activity, and to comply with applicable law or regulatory requirements.

Sylora only discloses personal information (including PHI) to third parties in the ways described below, and we limit such disclosures to what is necessary:

• Service Providers (Subprocessors): We use trusted third-party companies to support our Service – for example, cloud infrastructure providers, data center hosts, speech-to-text processing services, and other IT tools.
• Affiliates: We may share information with our corporate affiliates for purposes consistent with this Privacy Policy, such as internal administration.
• Authorized Disclosures to Healthcare Partners: We may disclose information at the direction of the customer, such as transmitting transcribed notes into a clinic's electronic health record system.
• Legal Compliance and Protection: We may disclose information if required to do so by law or legal process.
• Business Transfers: If Sylora is involved in a merger, acquisition, or similar transaction, your information may be transferred as part of such a transaction as permitted by law.

We retain personal information, including PHI, for as long as necessary to fulfill the purposes for which we collected it or as required by our customer agreements or by law. In general:

• Patient Health Records (PHI): We retain transcribed notes and related PHI on our system for the duration of our contract with the healthcare provider, unless instructed otherwise by that customer.
• Account and Business Information: We retain account registration information and business contact details of our customers for the duration of the contract and for an appropriate period thereafter.
• Website and Analytics Data: We retain usage analytics and website visitor data in aggregated or de-identified form indefinitely for research and improvement purposes.

After the applicable retention period, or upon verified request, we will delete or anonymize personal information in a secure manner using industry-standard techniques.

Sylora employs administrative, physical, and technical safeguards to protect the security and confidentiality of personal information and PHI, as required by HIPAA and other applicable laws:

• Administrative Safeguards: We have internal policies and procedures to manage security measures, designate a Security and Privacy Officer, and train staff regularly on data privacy and security.
• Technical Safeguards: We protect electronic data through encryption (both in transit and at rest), role-based access controls, unique user authentication, and comprehensive audit logging.
• Physical Safeguards: Sylora uses secure, SOC 2-compliant data centers with strict physical access controls and surveillance.
• Monitoring and Testing: We continuously monitor our infrastructure and conduct regular audits, vulnerability scanning, and penetration testing.
• Incident Response: We have a defined incident response protocol and will notify affected parties and regulators as required by law.

Because Sylora provides services exclusively to healthcare provider organizations, much of the personal data we process is on behalf of those organizations:

• For Patients: If you are a patient of one of our customer clinics, please direct any requests regarding your health information directly to your healthcare provider.
• For Users and Website Visitors: You may have certain rights regarding your personal information under applicable U.S. state laws, including access, correction, deletion, and opt-out rights.

To exercise any applicable rights or ask questions about your data, please contact us using the information in the “Contact Us” section below.

Sylora's privacy practices aim to comply with applicable U.S. privacy laws. We focus on healthcare data, which is often exempt from certain state privacy laws due to HIPAA's governance:

• California: Sylora treats relevant personal information in accordance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
• Other States: We also endeavor to honor the spirit of privacy laws in other states such as Colorado, Virginia, Connecticut, and Utah to the extent applicable.

Our Service is intended for use by healthcare professionals and is not directed to children under the age of 13. We do not knowingly collect personal information directly from children. Patient health information we process may include information about minors as provided by our healthcare provider customers, and such information is handled with all the protections described in this Policy.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. If we make material changes, we will provide notice to our customers and indicate the date of the latest revision at the top of the policy. Your continued use of the Service after any update means you acknowledge and agree to the revised Privacy Policy.