Privacy Policy

Welcome to Fayha.ai, operated by Fayha Health Technologies, LLC (“Fayha,” “we,” “us,” or “our”). This Privacy Policy describes how we collect, use, process, and protect information in connection with the Fayha clinical documentation service (the “Service”).

Fayha operates as a managed AI documentation service — not a self-serve software platform. Physicians and healthcare providers (“Clients”) engage Fayha directly under a service agreement. Fayha provides each Client with a recording tool, processes the resulting audio using AI transcription, applies human review by trained Fayha staff, and delivers finalized clinical notes back to the Client.

This Policy applies to all Clients, their authorized staff, and any individuals whose information is processed in connection with the Service. By engaging Fayha's services, you agree to the practices described in this Policy. If you do not agree, please contact us before using the Service.

Client Onboarding Information. When a physician or practice engages Fayha under a service agreement, we collect professional details including name, NPI number, specialty, clinic or practice name, contact information, and billing details. This is collected directly through our onboarding process — not through any online registration form.

Audio Recordings. Clients use the Fayha-provided recording tool to capture patient encounters. Audio files are transmitted securely to Fayha for processing. Audio recordings are used solely to produce the clinical note and are permanently deleted upon completion of transcription. No audio is retained on Fayha systems after this point.

Transcription Data. Voice-to-text transcriptions are generated from the audio recording as an intermediate step in producing the clinical note. Transcriptions are processed and discarded as part of the note generation workflow and are not stored independently.

Clinical Notes. AI-generated draft notes are reviewed by Fayha's clinical team and delivered to the Client. Fayha retains a copy of delivered notes only for the minimum period required to fulfil quality assurance and legal obligations, as described in Section 7.

Communications. If you contact us by email or other means, we collect the content of those communications and any information you choose to share.

We use the information we collect solely to:

• Transcribe and process audio recordings into draft clinical notes;
• Apply human review by Fayha's clinical team to ensure quality and accuracy;
• Deliver finalized clinical notes to the Client;
• Onboard and manage our Client relationships under service agreements;
• Process invoices and manage billing;
• Respond to Client inquiries and provide operational support;
• Comply with applicable legal obligations, including HIPAA; and
• Improve the quality and accuracy of our documentation service on an aggregate, de-identified basis.

We do not use patient encounter content to train general-purpose AI models. We do not use Client or patient data for advertising, marketing profiling, or any secondary commercial purpose.

Business Associate Agreement. Because Fayha receives and processes patient encounter recordings on behalf of healthcare providers, we qualify as a Business Associate under HIPAA. A BAA is executed as part of every Client service agreement prior to any audio or PHI being shared with Fayha. No service begins without a signed BAA in place.

PHI Handling. Patient audio recordings, transcriptions, and clinical notes contain Protected Health Information. Fayha handles all PHI in strict accordance with 45 C.F.R. Parts 160 and 164 (the HIPAA Privacy and Security Rules) and the terms of the applicable BAA.

Human Review Confidentiality. Fayha staff who review AI-generated notes are trained in HIPAA compliance, bound by confidentiality obligations, and access PHI only to the extent necessary to complete quality review of the assigned note. Access is logged and auditable.

Minimum Necessary Standard. We access only the PHI necessary to perform the specific documentation task requested by the Client.

No Secondary Use of PHI. We do not sell, license, or disclose PHI to third parties for any purpose beyond delivering the documentation service described herein.

Breach Notification. In the event of a breach of unsecured PHI, Fayha will notify affected Clients in accordance with the HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400–414) within the timeframes required by law.

Fayha does not sell Client or patient data. We may share information only in the following limited circumstances:

• Delivery to Client. Finalized clinical notes are delivered to the Client who submitted the recording. No note is shared with any third party without explicit Client instruction.
• Service Providers. We engage trusted sub-processors (including cloud infrastructure and speech processing services) who are contractually bound to protect data and may process it only to provide services to Fayha. All sub-processors handling PHI operate under executed BAAs.
• Legal Requirements. We may disclose information if required by law, court order, or governmental authority, or when necessary to protect the rights, property, or safety of Fayha, our Clients, or others.
• Business Transfers. In the event of a merger, acquisition, or sale of assets, Client information may be transferred to the successor entity, which will be required to honor this Privacy Policy and all BAAs in force at the time of transfer.
• With Your Consent. We may share your information for any other purpose with your prior written consent.

Fayha takes the security of patient and Client information seriously and has designed the documentation workflow with data minimization and HIPAA compliance as foundational principles.

No Audio Storage. The recording tool provided to Clients does not store audio on the device or transmit it to Fayha servers for retention. Audio is streamed for transcription purposes only and is not saved at any point in the process. Once transcription is complete, the audio is discarded and cannot be recovered.

HIPAA-Compliant Processing Pipeline. Each step of the workflow — from audio capture through transcription and note generation — is handled by services that operate under HIPAA-compliant frameworks and have executed Business Associate Agreements with Fayha. This means the obligations and protections required under HIPAA apply across the entire processing chain, not just to Fayha directly.

Data Transmitted Securely. Data passed between components of the workflow is transmitted over encrypted connections. We do not transmit patient information over unsecured channels.

Access Limited to Authorized Staff. Access to patient encounter content during the human review step is restricted to Fayha team members who are trained in HIPAA requirements and bound by confidentiality obligations. PHI is accessed only to the extent necessary to complete quality review of the specific note.

Organizational Measures. Fayha applies reasonable administrative and operational controls to protect against unauthorized access to or disclosure of patient information, including limiting the personnel who handle PHI and maintaining clear internal protocols for how encounter data is processed and delivered.

No method of data transmission or processing is completely without risk. While we have designed this service to minimize the handling of patient data at every step, we cannot guarantee absolute security. If you become aware of any potential security concern related to Fayha's service, please contact us at support@fayha.ai.

Audio Recordings: Never retained after transcription is complete. Audio files are permanently deleted from Fayha systems upon completion of the transcription step.

Transcription Data: Intermediate transcripts are generated as part of the note production workflow and are discarded upon generation of the draft clinical note. They are not stored independently.

Clinical Notes: A copy of delivered notes is retained by Fayha for a maximum of 90 days following delivery, solely for quality assurance, dispute resolution, and legal compliance purposes. After this period, notes are permanently deleted from Fayha systems.

Client Information: Onboarding and billing information is retained for the duration of the service relationship and for up to 3 years following termination of the service agreement, to comply with applicable legal, tax, and contractual obligations.

Communications: Records of Client communications are retained for up to 12 months.

To request earlier deletion of your information, please contact support@fayha.ai. Deletion requests will be completed within 30 days, subject to any legal hold requirements.

Depending on your location, you may have the following rights regarding your personal information:

• Access: The right to request a copy of the personal information we hold about you.
• Correction: The right to request correction of inaccurate or incomplete personal information.
• Deletion: The right to request deletion of your personal information, subject to legal exceptions.
• Portability: The right to receive your personal information in a structured, machine-readable format.
• Objection: The right to object to certain types of processing, including marketing communications.
• Restriction: The right to request restriction of processing in certain circumstances.

To exercise any of these rights, please contact us at support@fayha.ai. We will respond within 30 days. Note that some rights may be limited by applicable law or by our obligations as a HIPAA Business Associate.

The Fayha website (fayha.ai) uses cookies and similar technologies to operate the site and understand how visitors interact with it. As Fayha is a managed service rather than a self-serve platform, cookies are used on our marketing website only — not within any clinical workflow.

• Essential Cookies: Required for basic website functionality and security.
• Analytics Cookies: Help us understand how visitors find and use our website so we can improve it. You may opt out via your browser settings or our cookie preference tool.

We do not use advertising or tracking cookies. You can control cookie settings through your browser preferences at any time.

Fayha uses the following categories of third-party services to deliver the documentation workflow:

• Cloud Infrastructure: Secure, HIPAA-eligible cloud services are used for audio file transmission, processing, and temporary storage. All cloud providers operate under executed BAAs.
• Speech-to-Text Processing: Audio transcription is performed using medical-grade speech recognition services. These providers operate under strict data processing agreements and BAAs, and do not retain audio beyond the transcription request.
• AI Note Generation: AI language models are used to convert transcriptions into structured clinical notes. Patient data processed through these models is handled under data processing agreements that prohibit retention or secondary use.
• Payment Processing: Billing is handled by PCI-DSS compliant payment processors. Fayha does not store full payment card details on its own systems.

A complete list of sub-processors who may access PHI is available upon request by contacting support@fayha.ai.

Fayha's documentation service is intended exclusively for licensed healthcare providers and is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors for the purpose of engaging the Service.

Clinical encounters involving pediatric patients are a normal part of medical practice. Such encounters are handled in strict accordance with applicable HIPAA provisions, and the privacy rights of the minor are protected under the terms of the applicable BAA and service agreement.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the nature of the Service. When we make material changes, we will:

• Update the “Last Updated” date at the top of this page;
• Notify active Clients by email at least 14 days before the changes take effect.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy. If you do not agree with the changes, you may terminate the service agreement in accordance with its terms.

If you have questions about this Privacy Policy or how we handle your data, please contact our Privacy Team: