Privacy Policy & POPIA Compliance Statement

Effective Date: June 8, 2026

Zero-Trust Client-Side Privacy Sovereignty Guard

DocReport utilizes a client-side zero-trust security framework. Patient names, 13-digit National ID numbers, and contact details are redacted locally in your browser before transmission. Clinical notes saved in our databases are encrypted locally using a unique private key stored only on your local device.

1. Scope and Adherence to POPIA

Be Smart Global, LLC (a Delaware entity) (“we”, “us”, “our”) is dedicated to protecting clinical and health records in accordance with South Africa's Protection of Personal Information Act (POPIA), Act No. 4 of 2013, and the guidelines of the Health Professions Council of South Africa (HPCSA). This Privacy Policy details how we handle information in our operations on our secure server cluster. We act as a “responsible party” (or as an “operator” when processing data on behalf of clinics and healthcare providers) under POPIA.

2. Processing of Personal and Health Data

In providing our ambient AI medical scribe and documentation assistance, our systems temporarily process voice recordings or text dictations to compile clinical draft SOAP notes. This information is processed solely to perform our contractual service of drafting structured records for practitioners.

3. Zero-Trust Local Browser-Side Redaction

To ensure patient personal information does not exit your local workspace or enter international cloud networks in cleartext, DocReport implements a local redaction pass in the practitioner's browser:

  • Patient Names & Dates of Birth: Automatically replaced client-side with secure placeholders (e.g. `[ZA_PATIENT_NAME_1]`).
  • 13-Digit South African ID Numbers: Automatically scrubbed and replaced with secure tokens.
  • Contact Information: Phone numbers, email addresses, and home addresses are stripped out entirely.

Only anonymized clinical narratives are sent to remote AI services (such as Vertex AI) for transcription and structuring. Identifying information is cached only in your local browser memory.

4. Zero-Knowledge Local AES-GCM Encryption

When case records or clinical notes are saved to our cloud database (Firestore), they are encrypted on your local device using a private practice key stored strictly in your browser's local database (`localStorage` namespace `za_practice_key_[userId]`). We do not transmit or store this key on our servers, ensuring your database records remain protected.

5. Cross-Border Data Disclosure

Because our global services run on premium international servers to minimize latency, processing occurs in secure data centers globally. However, because clinical data is redacted and encrypted client-side before leaving your browser, no cleartext personal information is transferred across borders, ensuring full compliance with POPIA requirements.

6. Audio Record Management

Audio recordings of consultations are processed strictly in-memory to generate clinical transcripts. Once the note is drafted, the audio data is destroyed in secure memory nodes. We do not retain, listen to, or compile patient audio logs. Transcripts are never used to train public or private AI models.

7. Information Officer and Inquiries

Inquiries regarding account deletion, correction of records, or general compliance questions can be sent to our Information Officer at privacy@docreport.us.

© 2026 DocReport South Africa. All rights reserved. Be Smart Global, LLC.