subQdocs Privacy Notice
Last Updated: May 23, 2026
subQdocs Co. (“subQdocs,” “we,” “us,” or “our”) is committed to protecting the privacy of both our users and the patients whose personal data we process while providing our Services. When we use terms like “you” and “your,” we’re referring to you as a user of our Services. This Privacy Notice explains how we collect, use, disclose, and handle personal data while providing the Services. Such personal data includes information about you while you use the Services and the Protected Health Information (PHI) of the patients processed on your behalf through the Services.
“Services” means our proprietary software as a service platform, including electronic medical records management, patient scheduling, billing and revenue cycle management, electronic prescribing, labs and pathology integration, insurance verification and payer interactions, patient engagement features (including SMS and email communications), photo and document management, the recording and transcription of patient interactions, AI-assisted clinical documentation, and such other features as we may make available from time to time.
By downloading, accessing and/or using the Services, you agree to the terms of this Privacy Notice and the accompanying User Agreement, which incorporates our Business Associate Agreement (BAA) governing our handling of PHI.
1. Scope & Applicability
This Notice applies to all personal data collected through your use of the Services, including through our web and mobile applications.
2. HIPAA Compliance & Legal Basis
subQdocs operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations. We process Protected Health Information (PHI) solely on behalf of, and under the instruction of, Covered Entities pursuant to a signed BAA, incorporated within our User Agreement. Our collection, use, and disclosure of PHI are limited to those activities permitted or required by the BAA and applicable law. You are responsible for obtaining valid patient consent for audio recording and AI-based documentation processing and creation.
3. Personal Data We Collect
While providing the Services, we may collect the following types of information.
- User Information including name, email address, role, and contact information, medical license numbers and credentials, and login credentials and activity logs
- Patient PHI that is processed on your behalf including patient demographics, visit details, medical history, audio recordings, transcriptions, and documentation, images captured during visits, and provider-generated content including personal and visit notes
- Integration Data including data pulled from electronic medical records (EMRs) or office systems during integration, and data pushed back to EMRs, billing, prescription, and lab systems
- System Usage Data including IP address, browser type, device identifiers, session logs, and app interaction data
4. How We Use and Disclose Personal Data
We may use and share the personal data we collect from you as follows.
- Provide the Services to you including delivering AI-enabled documentation and visit previews, assisting with documentation during live encounters, routing information to integrated systems (EMR, lab, Rx, etc.), providing analytics, summaries, and quality assurance support, monitoring, supporting, analyzing, and improving your customer experience, and creating de-identified data in accordance with HIPAA de-identification standards (which is no longer PHI) to improve the Services
- Support our day-to-day business operations including maintaining internal business records and reporting, performing accounting, auditing, and payment collection functions, engaging in business planning, internal reporting, customer relationship management, communicating with you about your account, Services updates, and our products or services that may be relevant to your professional practice, administering our systems and networks, and executing corporate transactions, such as mergers and acquisitions
- Manage legal and operational risks including conducting troubleshooting, audits, billing, and fraud and security monitoring, and meeting our legal obligations
- Market our products and services including those that may be of interest to you, as permitted by applicable law, and evaluating the efficacy of our marketing efforts. We do not use PHI for marketing purposes.
- Disclose your personal data to third-party contractors, service providers, and Business Associates (as permitted by the BAA) that assist us in providing the Services and conducting our business operations (e.g., cloud hosting, data analytics, AI service providers) subject to contractual safeguards, to subsidiaries, affiliates or other companies under common control with us, in the context of an actual or prospective business transaction, and as required by law or legal process (e.g., subpoena, court order) or to protect the rights, property, or safety of subQdocs, our users, patients, or others. The sharing of PHI with any third party will strictly adhere to the terms of our BAA with you and applicable law.
5. Text Messaging and SMS Communications
As part of the patient engagement features of the Services, subQdocs may send text (e.g., SMS) messages to patients on behalf of our customers, Covered Entities. These messages are limited to non-marketing, transactional communications that support the care relationship between the patient and the provider, including: (a) appointment reminders, confirmations, and rescheduling notifications; (b) account and patient portal notifications, such as new messages, test results availability, and document requests; (c) care-related instructions, such as pre-visit preparation, post-visit follow-up, and prescription pickup reminders; and (d) security notifications, including one-time passcodes and login alerts. We do not send promotional or marketing text messages, and patient mobile numbers and consent information are not shared with third parties for marketing purposes.
Patient consent to receive text messages is collected by our customers, the Covered Entities, at the time of patient intake, registration, or onboarding to the patient portal, in accordance with the Telephone Consumer Protection Act (TCPA) and applicable state law. The consent language clearly identifies subQdocs and the customer practice as the senders, describes the categories of messages the patient may receive, and discloses that message and data rates may apply and that message frequency varies. Consent to receive text messages is not a condition of receiving care or of using any product or service.
Patients may opt out of text messages at any time by replying STOP to any message received. Opting out of text messages will not affect the patient’s ability to receive care or to use other features of the Services. Patients may reply HELP for assistance.
6. Data Security
We have a robust data security program that uses appropriate technical, administrative, and physical controls to protect your personal data against accidental or unlawful destruction, loss, disclosure, alteration or use. This includes measures such as encryption, access controls, and regular security assessments.
7. Retention & Deletion of Personal Data
We retain personal data for as long as necessary to fulfill the purposes outlined in this Notice, provide the Services to you under the User Agreement and BAA, and comply with legal obligations. While you may have tools to manually delete patient records or configure automatic deletion within the Services (e.g., 30-day retention), ultimate retention periods for PHI are subject to the requirements of the BAA, your instructions as the Covered Entity, and applicable legal or professional record-keeping obligations. Audio recordings are temporarily stored to generate visit notes and are deleted once the documentation process is completed.
8. Subprocessors & Third Parties
We use third-party vendors and subprocessors to help provide the Services, such as cloud infrastructure providers, AI model providers, and customer support tools. We take reasonable measures (including contractual agreements like BAAs where required) to ensure these third parties adhere to the privacy and security standards established in this Notice, our User Agreement, and applicable law.
9. AI Model Use & Improvement
- You maintain full responsibility for clinical decisions made using AI outputs.
- We do not use PHI to train AI models. We may use data that has been deidentified in accordance with HIPAA’s deidentification standard (45 CFR 164.514(b)) to improve, develop, adapt, modify, train, or enhance the Services and other products or services. Such deidentified data is no longer PHI.
10. Responsibilities of Our Customers
You are responsible for using the Services in compliance with this Notice, our User Agreement, and applicable law.
11. International Use
The Services are operated in the US and are intended for use in accordance with US law, including HIPAA. If accessed internationally, you acknowledge that your data will be processed and stored in the US. We may access or transfer personal data outside of the US in compliance with this Notice, our User Agreement, and applicable law.
12. Your Rights
Depending on your role and jurisdiction, you may have rights in your own personal data to:
- View or correct your personal data
- Request deletion of certain records
- Object to processing (in limited circumstances)
If you wish to exercise privacy rights under applicable law, please contact us using the details in the Contact Us section below. We will respond to your request in the manner prescribed by law, including your right not to be discriminated against for exercising these rights. Please note, rights concerning Patient PHI (such as access, amendment, and accounting of disclosures) are governed by HIPAA and must be exercised directly by the patient through you, the Covered Entity who controls the patient’s medical record.
13. Children’s Privacy
The Services are intended for use by licensed healthcare professionals and are not directed at children under 18. Any personal data, including PHI, collected through the Services pertaining to minor patients must be collected only after you have obtained legally valid consent or authorization from the minor’s parent or legal guardian, as required by applicable law (including state-specific minor consent laws).
14. Changes to this Notice
We may update this Notice. You will be notified through the Services or by email if material changes are made.
15. Contact Us
You may contact us with questions about this Notice or our use of personal data related to the Services by mail or email at:
subQdocs Co.
207 24th Ave N
Nashville, TN 37203
Attn: Chief Privacy Officer
privacy@subqdocs.ai