Privacy Policy & HIPC Compliance Statement
Effective Date: June 8, 2026
Zero-Trust Client-Side Privacy Sovereignty Guard
DocReport utilizes a client-side zero-trust security framework. Patient names, National Health Index (NHI) numbers, and contact details are redacted locally in your browser before transmission. Clinical notes saved in our databases are encrypted locally using a unique private key stored only on your local device.
1. Scope and Adherence to New Zealand Legislation
Be Smart Global, LLC (a Delaware entity) (“we”, “us”, “our”) is dedicated to protecting clinical and health records in accordance with the Privacy Act 2020 and the Health Information Privacy Code 2020 (HIPC) of New Zealand. This Privacy Policy details how we handle information in our operations on our secure server cluster. We act as a “health agency” (or “agent” when processing data on behalf of clinics and healthcare providers) under the HIPC.
2. Processing of Personal and Health Data
In providing our ambient AI medical scribe and documentation assistance, our systems temporarily process voice recordings or text dictations to compile clinical draft SOAP notes. This information is processed solely to perform our contractual service of drafting structured records for practitioners.
3. Zero-Trust Local Browser-Side Redaction
To ensure patient personal information does not exit your local workspace or enter international cloud networks in cleartext, DocReport implements a local redaction pass in the practitioner's browser:
- Patient Names & Dates of Birth: Automatically replaced client-side with secure placeholders (e.g. `[NZ_PATIENT_NAME_1]`).
- National Health Index (NHI) Numbers: Automatically scrubbed and replaced with secure tokens (e.g. `[NZ_NHI_ID_1]`).
- Contact Information: Phone numbers, email addresses, and home addresses are stripped out entirely.
Only anonymized clinical narratives are sent to remote AI services for transcription and structuring. Identifying information is cached only in your local browser memory.
4. Zero-Knowledge Local AES-GCM Encryption
When case records or clinical notes are saved to our cloud database (Firestore), they are encrypted on your local device using a private practice key stored strictly in your browser's local database (`localStorage` namespace `nz_practice_key_[userId]`). We do not transmit or store this key on our servers, ensuring your database records remain protected.
5. Cross-Border Data Disclosure & Stripe Processing
Because our global services run on premium international servers to minimize latency, processing occurs in secure data centers globally. However, because patient-identifiable clinical data is redacted and encrypted client-side before leaving your browser, no cleartext patient health information is transferred across borders.
For practitioner account registration and billing purposes, certain personal information (e.g., clinician name, clinic email, phone, and credit card details) is collected and processed in the United States by our billing partner, Stripe, Inc. In compliance with Information Privacy Principle 12 of the NZ Privacy Act 2020, we ensure that our third-party service providers are contractually obligated to protect personal information with safeguards comparable to those under New Zealand law.
6. Audio Record Management
Audio recordings of consultations are processed strictly in-memory to generate clinical transcripts. Once the note is drafted, the audio data is destroyed in secure memory nodes. We do not retain, listen to, or compile patient audio logs. Transcripts are never used to train public or private AI models.
7. Access and Correction Rights (IPP 6 & 7)
Under the Privacy Act 2020, practitioners have the right to access and request the correction of any personal account or billing information we hold about them. Requests to access, correct, or delete your account information can be made by contacting our Privacy Officer. Note that because patient health information is encrypted client-side using a key we do not possess, we are unable to retrieve, access, or decrypt patient records on behalf of patients or clinics. Any patient requests for clinical record access must be handled directly by the medical practitioner/clinic as the health agency in possession of the local encryption key.
8. Privacy Officer and Inquiries
Inquiries regarding compliance, account details, or exercising your rights under the Privacy Act 2020 can be sent to our Privacy Officer at privacy@docreport.us.
© 2026 Be Smart Global, LLC. All rights reserved. be.smart business solutions.