Data Retention Practices
At Scope Health, we believe you should have full control over your data. This guide outlines our data retention practices and how we help you comply with healthcare regulations including HIPAA and PIPEDA.
Our Commitment to Data Security
Scope Health is SOC 2 certified and maintains the highest standards of data security. We are fully compliant with both HIPAA (for US healthcare providers) and PIPEDA (for Canadian healthcare providers). All data is encrypted in transit and at rest, and we enforce strict access controls across our systems.
For more details, see our Business Associate Agreement and PIPEDA Compliance pages.
What Data We Process
- Audio recordings - Voice recordings of patient encounters captured during visits
- Transcripts - Text transcriptions generated from audio recordings
- Clinical notes - AI-generated documentation (SOAP notes, H&P, etc.)
- Visit metadata - Visit titles, timestamps, and organizational information
Default Retention Periods
| Data Type | Retention | Notes |
|---|---|---|
| Audio recordings | Deleted after processing | Automatically deleted once transcription is complete |
| Transcripts | Indefinite | Retained with visit notes until you delete them |
| Clinical notes | Indefinite | Retained until you delete them |
| Visit metadata | Matches note retention | Deleted when associated note is deleted |
Audio Recording Handling
We take extra precautions with audio recordings because they contain the most sensitive information:
- Encryption: All audio is encrypted immediately upon capture
- Secure processing: Audio is processed in secure, isolated environments
- Automatic deletion: Recordings are automatically deleted after transcription is complete
- No AI training: Your audio is never used for model training
When explaining Scope to patients, you can assure them that audio is encrypted, used only for generating notes, and automatically deleted afterward.
Data Deletion
Automatic Deletion
- Audio recordings are automatically deleted after processing
- Expired data is permanently removed from our systems
Manual Deletion
You can manually delete individual visits, notes, and associated data at any time:
- Deleted data is permanently removed within 24 hours
- Deletion is irreversible—ensure you have any necessary copies before deleting
Account Deletion
If you close your account:
- All associated data is permanently deleted
- Deletion is completed within 30 days of account closure
- We retain only what is legally required for compliance purposes
HIPAA Compliance
For US healthcare providers, our data retention practices comply with HIPAA requirements:
- Minimum necessary standard: We only collect and retain data necessary for providing our services
- Access controls: Data access is limited to authorized personnel on a need-to-know basis
- Audit trails: We maintain comprehensive logs of data access and modifications
- Breach notification: We notify affected parties within required timeframes if a breach occurs
- Business Associate Agreement: We execute BAAs with all covered entities
See our full Business Associate Agreement for complete details.
PIPEDA Compliance
For Canadian healthcare providers, we comply with PIPEDA and provincial privacy laws:
- Retention limitation: We keep personal information only as long as necessary
- User-controlled retention: You decide when to delete your data based on your practice requirements
- Data residency: While data may be stored outside Canada, it is protected to SOC 2 and HIPAA standards
- Access and correction: Patients can request access to and correction of their records through their clinician
See our full PIPEDA Compliance documentation for complete details.
Your Rights and Controls
As a Scope Health user, you have the right to:
- Access your data at any time through your account
- Export your notes and transcripts in standard formats
- Delete any or all of your data at any time
- Request information about how your data is handled
If you have questions about our data retention practices, please contact support@scopehealth.com.