Privacy Policy
5 Dec 2025
We've updated our Privacy Policy to provide greater clarity on how we protect your information and your privacy rights. This policy explains how we collect, use, and safeguard your data while helping you provide better patient care.
Your privacy matters to us. As healthcare professionals, you trust us with sensitive information, and we take that responsibility seriously.
What This Policy Covers
This Privacy Policy applies to:
Healthcare professionals using BurnaAI's platform
Visitors to our website (burnaai.com)
Anyone interacting with our marketing or support services
Important: This policy does NOT cover patient health information that our healthcare customers store in BurnaAI ("Customer Data"). That information is governed by:
Our Business Associate Agreements with healthcare providers
Your healthcare provider's own privacy practices
HIPAA regulations
If you're a patient: Please check with your healthcare provider about how they handle your health information when using BurnaAI.
Information We Collect
Information You Give Us
When you create an account:
Your name, email, and phone number
Professional credentials (NPI number, specialty, employer)
Billing information for subscriptions
Professional title, organization, and work-related contact details
When you use our platform:
Audio recordings of clinical encounters (with appropriate consent)
Clinical notes and documentation you create
Patient encounter summaries (de-identified when possible)
Medical terminology and clinical workflow data
EHR integration data and system interactions
Feedback and support requests you send us
When you visit our website:
Contact information when you request demos or information
Survey responses and event registration details
Information We Automatically Collect
When you use BurnaAI:
Login times and session duration
Features you use and how often
Device and browser information
IP address and general location
Performance data to improve our service
API calls and integration performance data
Security monitoring and audit trail information
When you visit our website:
Pages you view and links you click
Time spent on different pages
Referring website information
Cookie and similar technology data
Information from Other Sources
We may receive information about you from:
Healthcare organizations you work for
Professional directories and databases
Marketing partners for industry events
Social media platforms (when you interact with our content)
Trusted third-party service providers
How We Use Your Information
To Provide Our Service
Process your audio recordings into clinical notes
Provide, operate, and maintain our AI-powered healthcare solutions
Integrate with your EHR systems
Generate ICD and CPT codes for billing
Facilitate workflow optimization
Provide customer support and technical assistance
To Improve BurnaAI
Analyze usage patterns to enhance features
Develop new AI models and capabilities
Test platform performance and reliability
Conduct research and development for new features
Note: We only use de-identified, aggregated data for improvements
To Communicate With You
Send service updates and important notices
Provide technical support
Share new features and product updates
Process billing and account matters
Send administrative messages and security alerts
For Marketing (With Your Consent)
Send newsletters and product announcements
Invite you to webinars and industry events
Share relevant healthcare industry insights
Provide information about industry events and educational content
Conduct market research and customer satisfaction surveys
You can opt out anytime using links in emails
Legal and Compliance
Comply with applicable laws, regulations, and industry standards
Respond to legal requests, court orders, and regulatory inquiries
Protect our rights, property, and security
Prevent fraud and ensure platform security
Legal Basis for Processing
For users in the European Economic Area (EEA), UK, and Switzerland, our legal basis for processing personal information includes:
Contract Performance: Processing necessary to perform our services
Legitimate Interest: Improving our services, security, and business operations
Legal Compliance: Meeting regulatory requirements and legal obligations
Consent: For marketing communications and optional features
How We Share Your Information
We Share Information When:
You Direct Us To:
EHR integrations you set up
Colleagues you invite to use BurnaAI
Third-party apps you connect
To Provide Our Service:
Cloud infrastructure providers (SOC 2 Type II certified providers)
Payment processors for billing
Customer support tools
Security monitoring and compliance auditing
All bound by strict confidentiality agreements
When Required by Law:
Valid court orders or subpoenas
Healthcare regulatory investigations
Public health reporting requirements
Emergency situations to prevent harm
Compliance with regulatory investigations
Prevention of fraud or security threats
Business Associates (HIPAA):
For healthcare data, we enter into Business Associate Agreements (BAAs) with covered entities
All data sharing complies with HIPAA requirements
Business Transactions:
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction, subject to equivalent privacy protections
We Never:
Sell your personal information for profit
Share patient health information without authorization
Use your data for advertising by other companies
Provide information to unauthorized third parties
Your Privacy Choices
Marketing Communications
Opt out easily:
Click "unsubscribe" in any marketing email
Email us at hello@burna.ai
Update preferences in your account settings
You'll still receive:
Important service updates
Billing and account notifications
Security alerts
Session Recording
We use tools like FullStory to understand how you use our platform and identify areas for improvement.
Opt out at: https://www.fullstory.com/optout/
HIPAA and Healthcare Data
Our Role as Business Associate
When you use BurnaAI for patient care:
We serve as your HIPAA Business Associate
We execute formal Business Associate Agreements
We follow strict HIPAA security and privacy rules
We only process patient data as you direct
We maintain appropriate administrative, physical, and technical safeguards
We limit access to the minimum necessary for service provision
We provide breach notification within required timeframes
Clinical Data Protection
De-identification of patient data where possible
Secure API connections with healthcare systems
Audit trails for all data access and modifications
Clinical safety monitoring and adverse event reporting
Your Responsibilities
Obtain appropriate patient consent for AI documentation assistance
Ensure BurnaAI use complies with your organization's policies
Review and approve all AI-generated clinical content
Report any suspected privacy incidents immediately
Patient Rights
If you're a patient whose provider uses BurnaAI:
Contact your healthcare provider about your privacy rights
Your provider's privacy notice governs how your information is handled
We process your information only as directed by your provider
Data Security
How We Protect Your Information
Technical Safeguards:
End-to-end encryption for all data transmission
AES-256 encryption for stored data
Multi-factor authentication required
Regular security testing and monitoring
Regular security audits and penetration testing
Operational Security:
SOC 2 Type II certified processes
Employee background checks and training
Employee privacy training and confidentiality agreements
Strict access controls and audit logging
Role-based access controls and least privilege principles
24/7 security monitoring
Incident response and breach notification procedures
Physical Security:
Tier III/IV data centers with biometric access
Redundant systems across multiple locations
Secure destruction of decommissioned equipment
Controlled access to physical infrastructure
Environmental controls and redundant systems
If a Security Incident Occurs
We'll notify affected users within 24 hours
Full investigation and remediation
Assistance with any required notifications
Enhanced security measures as needed
International Data Transfers
We may transfer your information to countries outside your country of residence, including the United States. We ensure appropriate safeguards are in place:
EU-US Data Privacy Framework compliance for EU data transfers
Standard Contractual Clauses for international business relationships
Adequacy Decisions where recognized by relevant authorities
Additional Safeguards such as encryption and access controls
Your Rights
Depending on where you live, you may have these rights regarding your personal information:
Access and Correction
View your information: Access your account data anytime
Update information: Correct inaccurate details in your account
Request data copy: Get a copy of your personal information
Deletion and Control
Delete your account: Remove your personal information (subject to legal requirements)
Opt out of sales: We don't sell data, but you can opt out of sharing for advertising
Limit automated processing: Opt out of automated decision-making
GDPR Rights (EEA, UK, Switzerland)
Objection: Object to processing based on legitimate interest
Restriction: Request restriction of processing under certain circumstances
Automated Decision-Making: Opt out of automated decision-making processes
CCPA Rights (California Residents)
Know: Know what personal information is collected and how it's used
Delete: Request deletion of personal information
Opt-Out: Opt out of the sale of personal information (we do not sell data)
Non-Discrimination: Equal service regardless of privacy choices
How to Exercise Your Rights
Contact us at:
Email: hello@burna.ai
Online: Contact request form (website)
We'll respond within 30 days and verify your identity for security.
Cookies and Tracking
Types of Cookies We Use
Essential Cookies: Required for platform functionality (login, security)
Analytics Cookies: Help us understand usage patterns (Google Analytics)
Preference Cookies: Remember your settings and preferences
Advertising Cookies: Show relevant ads about BurnaAI on other sites
Third-Party Services
We work with trusted partners:
Google Analytics (with IP anonymization)
HubSpot for customer relationship management
Zendesk for customer support
Stripe for payment processing
Managing Cookies
Use our Cookie Preference Center (website footer)
Adjust browser settings to block cookies
Enable "Do Not Track" or Global Privacy Control
Use privacy-focused browsers or ad blockers
You can control cookie preferences through your browser settings. Some features may not function properly if cookies are disabled.
Data Retention
We retain your information for as long as necessary to:
Provide our Services and support your account
Comply with legal and regulatory requirements
Resolve disputes and enforce our agreements
Support business continuity and disaster recovery
Specific Retention Periods:
Account information: For the duration of your account plus 7 years
Clinical data: In accordance with healthcare regulations and customer agreements
System logs: Up to 13 months for security monitoring
Marketing communications: Until you opt out or as required by law
Children's Privacy
Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will take steps to delete it promptly.
Changes to This Policy
When We Update This Policy
We may update this policy to reflect:
New features or services
Changes in privacy laws
Improvements to our privacy practices
How We'll Notify You
30-day advance notice for material changes
Email notification to all registered users
Website banner highlighting key updates
Version history available upon request
Post the updated policy on our website with a new effective date
Provide a summary of significant changes when possible
Compliance and Certifications
BurnaAI Inc maintains the following compliance standards and certifications:
HIPAA Business Associate Agreement capability
SOC 2 Type II certification
GDPR compliance framework
Healthcare data security standards
FDA regulatory pathway understanding
Thank you for trusting BurnaAI with your information. We're committed to protecting your privacy while helping you provide exceptional patient care.
Questions about this policy? We're here to help. Contact our privacy team anytime at hello@burna.ai













