Privacy Policy

Last updated 11/14/2025


1. Information We Collect

When you use Joyera's AI-powered healthcare services ("Services"), we collect information that you provide directly to us, including:

  • Account Information: Name, email address, phone number, professional credentials, and NPI number
  • Protected Health Information (PHI): Patient data you input into our Services for clinical documentation, including clinical notes, diagnoses, treatment plans, and billing codes
  • Usage Data: Features accessed, time spent, interaction patterns, and error logs
  • Device Information: IP address, browser type, operating system, device identifiers, and session data
  • Communications: Support requests, feedback, and correspondence with Joyera


2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our AI-powered clinical documentation Services
  • Process your clinical documentation requests through AI models
  • Send administrative information, service updates, and security alerts
  • Respond to your support requests and questions
  • Comply with federal, state, and local legal obligations, including HIPAA, HITECH, FERPA (where applicable), SOC 2-aligned security practices, NIST Cybersecurity Framework-aligned controls, state privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, MHMDA), and applicable state, county, and city privacy ordinances where required
  • Detect, prevent, and respond to fraud, abuse, security incidents, and technical issues
  • Perform aggregated analytics on de-identified data to improve Services (never using identifiable PHI)


3. AI Processing and Third-Party Providers

Critical Disclosure: Our Services use third-party AI providers to process your clinical documentation. By using our Services, you acknowledge and consent to the following:

  • PHI you submit is processed by HIPAA-compliant AI providers including OpenAI, Anthropic, and Google (each bound by Business Associate Agreements)
  • AI providers process PHI solely to provide Services and are prohibited from using it for their own purposes, including model training
  • We do NOT use your PHI to train or improve AI models without explicit written authorization for private cloud deployment
  • AI processing occurs on servers located in the United States
  • We maintain a current list of all subprocessors handling PHI, available upon request via our privacy contact form
  • We will notify you at least 30 days before adding new AI subprocessors that handle PHI


4. HIPAA Privacy Protections

As a HIPAA Business Associate, we implement comprehensive safeguards:

  • Administrative, physical, and technical safeguards compliant with HIPAA Security Rule
  • We do NOT use PHI for marketing, advertising, or commercial purposes
  • We do NOT sell PHI to third parties under any circumstances
  • We do NOT use PHI to train AI models without explicit written authorization
  • We maintain comprehensive audit logs of all PHI access for 7 years
  • We encrypt PHI using 256-bit AES at rest and TLS 1.3 in transit
  • Employee access to PHI is role-based and logged
  • All employees undergo HIPAA training and background checks


5. Information Sharing and Disclosure

We may share your information only in these limited circumstances:

  • With Your Consent: When you explicitly authorize disclosure
  • Service Providers: With HIPAA-compliant vendors (cloud hosting, AI providers, payment processors) all bound by BAAs and prohibited from using PHI for their own purposes
  • Legal Requirements: When required by valid subpoena, court order, or law (we will notify you unless prohibited)
  • Law Enforcement: Only when legally required with valid legal process; we will challenge overly broad requests
  • Business Transfers: In connection with merger, acquisition, or sale (with 30 days' notice and continued privacy protections; you may delete your data before transfer)
  • To Prevent Harm: When necessary to prevent imminent harm or serious threat to health/safety

We do NOT sell, rent, or share PHI with third parties for marketing or advertising purposes.


6. Data Security

We implement industry-leading security measures:

  • 256-bit AES encryption for data at rest
  • TLS 1.3 encryption for all data in transit
  • Multi-factor authentication (MFA) required for all accounts
  • Annual third-party security audits and penetration testing
  • Employee security training, background checks, and HIPAA certification
  • 24/7 intrusion detection and prevention systems
  • Automatic session timeouts and password requirements
  • Role-based access controls with least-privilege principles
  • Regular vulnerability scanning and patch management


7. Data Breach Notification

In the event of a data breach involving PHI:

  • We will notify affected users within 60 days of discovery as required by HIPAA
  • Notice will include: description of breach, types of information involved, steps we're taking, steps you should take, and contact information
  • If breach affects 500+ individuals, we will notify HHS and prominent media outlets
  • We maintain cyber liability insurance and incident response procedures
  • You may request information about any breach affecting your data by submitting a request via our privacy contact form


8. Data Retention and Deletion

Important: We Are NOT a Designated Record Set

Joyera is an AI-powered clinical documentation assistance tool, not a Designated Record Set or legal health record system as defined by HIPAA. While we save your AI chat conversations and documentation as a convenience and backup feature, we are NOT your official Electronic Health Record (EHR) or student information system. Healthcare providers and educational professionals remain solely responsible for maintaining their own legal health records and student education records in their designated record systems. Any clinical notes, documentation, or outputs generated through our Services must be reviewed, approved, and transferred to your official record system by you to become part of the patient's or student's legal record.


Our Retention Schedule:

  • Saved Chat Conversations & Clinical Documentation (per plan tier):
  • Solo Trial Plan: Session-only storage (chat history and data deleted when session ends or after 24 hours of inactivity, whichever comes first)
  • Solo/Solo Max/Team/Team Max Plans: Chat conversations and saved documentation retained for 7 years from date of creation, or until user-requested deletion, whichever comes first
  • User Control: You may delete saved chats and documentation at any time through the chat history interface, account settings, or by submitting a deletion request
  • Audit Logs: All access to PHI and student education records is logged and retained for 7 years for HIPAA/FERPA compliance, security purposes, and breach investigation. Audit logs contain metadata (who accessed what, when, from what IP address) but not the PHI content itself.
  • Account Information: Name, email, phone number, professional credentials, and NPI numbers retained while your account is active, plus 7 years after account closure for compliance and billing purposes
  • Billing Records: Subscription history, payment methods, and transaction records retained for 7 years after final transaction for tax and accounting compliance
  • Support Communications: Email correspondence, support tickets, and feedback retained for 3 years (PHI should never be included in support requests)
  • Security Incident Logs: Breach investigations, security events, and incident response documentation retained for 7 years for compliance and investigation purposes


Your Responsibilities as a Healthcare Provider or Educational Professional:

  • You are solely responsible for determining what constitutes your official legal health record or educational record
  • You must transfer any AI-generated documentation to your official EHR or student information system for it to become part of the legal record
  • You must review and approve all AI-generated content before it becomes part of a patient's or student's legal record
  • You are responsible for maintaining compliance with applicable medical record and educational record retention laws (typically 7+ years depending on state, specialty, and record type)
  • Our retention of chat conversations is provided as a convenience, backup, and collaboration tool, but does NOT constitute or satisfy your legal record retention requirements
  • You are responsible for responding to patient/student requests for access, amendment, or accounting of disclosures from your designated record set


After retention periods expire, we securely delete data using industry-standard deletion methods (cryptographic erasure, secure wiping). You may request early deletion of saved documentation at any time through your account settings, subject to legal audit log retention requirements.


9. Your Privacy Rights


HIPAA Rights:

  • Right to Access: Request copies of your PHI (we respond within 30 days)
  • Right to Amend: Request corrections to inaccurate PHI
  • Right to Accounting of Disclosures: Request list of PHI disclosures for past 6 years
  • Right to Restriction: Request restrictions on certain uses/disclosures of PHI
  • Right to Confidential Communications: Request PHI communications by alternative means
  • Right to Copy: Receive electronic or paper copies of your PHI


State Privacy Rights (California, Virginia, Colorado, etc.):

  • Right to Know: What personal information we collect and how we use it
  • Right to Delete: Request deletion of personal information (subject to legal retention)
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt out of sale of personal information (we do not sell PHI)
  • Right to Data Portability: Receive your data in portable format (JSON, CSV, or PDF)
  • Right to Non-Discrimination: Exercise rights without penalty


To exercise these rights, submit a request via our privacy contact form. We respond within 30 days for HIPAA requests and 45 days for state privacy law requests.


10. Cookies and Tracking Technologies

We use the following cookies and tracking technologies:

  • Essential Cookies: Required for authentication, session management, and security (cannot be disabled)
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Understand usage patterns to improve Services (we do not track PHI)
  • Marketing Cookies: Track conversions, measure campaign effectiveness, and understand user journeys for our own marketing purposes (we do not share with third-party advertisers)
  • Security Cookies: Detect fraud and prevent unauthorized access


We do NOT use third-party advertising cookies or ad networks. You can control non-essential cookies through your browser settings, but disabling essential cookies will prevent you from using the Services.


11. Children's Privacy and FERPA Compliance


General Privacy for Minors:

Our Services are intended for licensed healthcare providers and educational professionals 18 years or older. We do not knowingly collect personal information directly from individuals under 18. If we discover we have collected information from a minor without proper authorization, we will delete it immediately.


FERPA (Family Educational Rights and Privacy Act) Compliance:

For educational professionals who work with students (including school psychologists, speech therapists, special education providers, and school-based clinicians), we comply with FERPA requirements for protecting student education records:

  • Educational Records Protection: Student education records, including IEPs, academic records, and school-based therapy notes, are protected under FERPA with the same security controls as PHI
  • Consent Management: We support proper consent mechanisms for accessing and sharing student educational records in accordance with FERPA requirements
  • Student Privacy Rights: Parents and eligible students have rights to inspect, amend, and control disclosure of educational records
  • Audit Logging: All access to student education records is logged and retained for 7 years for compliance and accountability
  • Institutional Responsibilities: Educational institutions maintain control over their student data and can request access logs, amendments, or deletion subject to legal retention requirements
  • Directory Information Controls: We support appropriate controls for directory information vs. non-directory educational records
  • NYC-Specific: For school-based services in NYC, we comply with Chancellor's Regulation A-820 for student data privacy


Data Classification: Student educational records are classified as Tier 1 (Highly Sensitive) and receive the same protections as PHI, including AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, and comprehensive audit logging.


If you believe we have information from a minor without proper authorization, or if you have questions about FERPA compliance, please submit a request via our privacy contact form.


12. International Data Transfers

Your information is processed and stored on servers located in the United States. If you access our Services from outside the U.S., your information will be transferred to, stored, and processed in the U.S. where our servers are located and our central database operates. By using the Services, you consent to this transfer. We implement appropriate safeguards for international transfers, including Standard Contractual Clauses where required.


13. Automated Decision-Making and AI

Our Services use AI to assist with clinical documentation. You acknowledge that:

  • AI-generated content is assistive only and requires human review before clinical use
  • You retain full control over all clinical decisions and documentation
  • You may reject, modify, or override any AI suggestions
  • We do not make automated decisions about patient care without human oversight
  • You bear sole responsibility for verifying accuracy of AI outputs


14. Marketing Communications

We may send you:

  • Transactional Emails: Service updates, security alerts, billing notices (you cannot opt out)
  • Marketing Emails: Product updates, feature announcements, educational content (you can opt out anytime)


Opt out of marketing emails by clicking "unsubscribe" in any marketing email or by submitting a request via our privacy contact form.

We will honor opt-out requests within 10 business days.


15. California Privacy Rights

California residents have additional rights under CCPA/CPRA:

  • Right to Know: Categories of personal information collected, sources, business purposes, and third parties we share with
  • Right to Delete: Request deletion of personal information (subject to legal exceptions)
  • Right to Correct: Request correction of inaccurate information
  • Right to Opt-Out of Sale: We do NOT sell personal information or PHI
  • Right to Limit Sensitive Personal Information: You may limit use of sensitive data (we only use for essential Services)
  • Right to Non-Discrimination: We will not discriminate for exercising privacy rights


Do Not Sell My Personal Information: We do not and will not sell your personal information. To exercise your California privacy rights, submit a request via our privacy contact form.


16. Data Portability and Export

You may export your data at any time:

  • Available formats: JSON, CSV, PDF
  • Includes: All clinical notes, patient data, account information, and usage history
  • Export initiated through account settings or by submitting a request via our privacy contact form
  • Exports provided within 30 days of request
  • You may request exports up to once per month without charge


17. Third-Party Services and Links

Our Services may contain links to third-party websites or integrate with third-party services (e.g., EHR systems, billing platforms). We are not responsible for the privacy practices of these third parties. We recommend reviewing their privacy policies before providing information. Third-party services that access PHI are required to sign BAAs with us.


18. Business Transfers and Corporate Changes

If Joyera is involved in a merger, acquisition, bankruptcy, or sale of assets:

  • We will notify you at least 30 days before your information is transferred
  • The acquiring entity must maintain the same privacy protections
  • You will have the option to delete your data before transfer
  • HIPAA protections will continue to apply to PHI
  • You may terminate your account if you object to the transfer


19. Changes to Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or Services. Material changes will be communicated via:

  • Email notification at least 30 days before effective date
  • Prominent notice in the Services
  • Updated "Last Updated" date at top of this page

Continued use after changes constitute acceptance. If you do not agree to changes, you must stop using the Services and may request deletion of your data.


20. Contact Us and Privacy Officer

For questions, concerns, or to exercise your privacy rights, contact our Privacy Officer:

Submit a Privacy Request


Response Time: Within 30 days for HIPAA requests; within 45 days for state privacy law requests


You also have the right to file a complaint with:

  • HHS Office for Civil Rights: For HIPAA violations (www.hhs.gov/ocr/privacy/hipaa/complaints)
  • State Attorney General: For state privacy law violations
  • California Attorney General: For CCPA violations (oag.ca.gov)


We will not retaliate against you for filing a complaint.