Privacy Policy
VeloMD Enterprise — Clinical Documentation Platform
1. Introduction
TAMDB SOFT PLLC ("Company," "we," "our," or "us") operates the VeloMD Enterprise platform ("VeloMD," "Service,"
or "Platform"), a cloud-based clinical documentation tool designed for licensed healthcare providers. This
Privacy Policy describes how we collect, use, store, and protect information — including Protected Health
Information (PHI) — when you use our Service.
By accessing or using VeloMD, you agree to the terms of this Privacy Policy. If you do not agree, please do not
use the Service.
2. Information We Collect
2.1 Account Information
- Email address — provided via Google Sign-In authentication
- Display name and profile photo — from your Google account
- Unique user identifier (UID) — assigned by Firebase Authentication
2.2 Clinical Data (PHI)
- Audio recordings — captured during clinical encounter dictation
- Transcribed text — generated from audio recordings via AI processing
- Clinical notes — AI-generated structured notes (SOAP, H&P, procedure notes)
- Patient identifiers — patient names, phone numbers, locations, or other identifiers that
providers enter or capture for documentation and review request workflows
- Additional text — provider-authored notes, edits, and amendments
- Uploaded clinical content — images, documents, and reference materials uploaded by the
provider for AI-assisted documentation
- Custom protocols — user-defined scribe templates and preferences
2.3 Technical and Usage Data
- Device information — browser type, operating system (collected for audit logging; truncated
to 120 characters)
- Usage events — login, logout, note creation/viewing/editing/deletion timestamps (audit log
purposes only)
- Error logs — application errors for debugging (PHI is stripped from production logs)
2.4 Information We Do NOT Collect
- Advertising identifiers or data used for third-party advertising
- IP addresses (not stored or logged)
- Location data or cookies used for tracking
3. How We Use Your Information
| Purpose | Data Used | Legal Basis |
| --- | --- | --- |
| Authenticate your identity and manage your account | Email, UID, display name | Contractual necessity |
| Transcribe audio and generate clinical notes | Audio recordings, transcribed text | Contractual necessity; HIPAA Treatment exception |
| Store and retrieve your clinical notes | Clinical notes, custom protocols | Contractual necessity |
| Maintain HIPAA-required audit trail | Usage events, device info | Legal obligation (45 CFR § 164.312(b)) |
| Debug and improve the Service | Error logs (PHI-stripped) | Legitimate interest |
4. How We Process and Protect PHI
4.1 AI Processing
Audio recordings, transcripts, uploaded clinical content, prompts, and generated note text are processed through
Google Cloud Vertex AI / Gemini under a signed Business Associate Agreement (BAA) with Google Cloud. Under this
agreement:
- Your data is not used to train, improve, or develop Google's AI models
- Audio data is processed transiently — it is not permanently stored by the AI provider
- All data transmission occurs over TLS 1.2+ encrypted channels
4.2 Data Storage
- Cloud storage: Clinical notes and audit logs are stored in Google Cloud Firestore, which
provides encryption at rest (AES-256) and in transit (TLS 1.2+)
- Local storage: Audio recordings are temporarily cached in your browser's IndexedDB during
active recording sessions. This data is automatically purged after 7 days or upon logout.
- Session recovery: Temporary session data (raw transcript) is stored in browser
sessionStorage and automatically cleared when the browser tab is closed or after 2 hours, whichever comes
first.
4.3 Data Retention
| Data Type | Retention Period | Purge Method |
| --- | --- | --- |
| Audio drafts (IndexedDB) | 7 days | Automatic purge on app startup |
| Session recovery data | 2 hours or tab close | Automatic purge |
| Clinical notes (Firestore) | 30 days | Automatic purge on app startup |
| Audit logs | 6 years | Per HIPAA retention requirements |
| Account information | Duration of account | Upon account deletion request |
4.4 Access Controls
- Firebase Security Rules enforce strict user-scoped access — each user can only read and write their own data
- No cross-user data access is possible at the database level
- Automatic session logoff after 45 minutes of inactivity
- Authentication required for all data access
5. Third-Party Service Providers
| Provider | Service | BAA in Place | Data Accessed |
| --- | --- | --- | --- |
| Google Cloud Platform (Firebase) | Authentication, database, cloud functions | Yes | All application data |
| Google Cloud Vertex AI / Gemini | AI transcription and note generation | Yes (same GCP BAA) | Audio, transcripts, uploaded clinical content, prompts, and generated clinical text for processing |

We do not share, sell, rent, or trade your personal information or PHI with any third parties for marketing,
advertising, or any purpose not described in this policy.
6. Your Rights
As a user and healthcare provider, you have the following rights:
- Access: You can view and download all your clinical notes through the application at any
time
- Correction: You can edit or amend any clinical notes within the application
- Deletion: You can delete individual notes. You may also request complete account deletion
by contacting us.
- Data Portability: You can copy and export your clinical notes from the application
- Breach Notification: In the event of a data breach affecting your PHI, we will notify you
in accordance with the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414) within 60 days of discovery
7. Children's Privacy
VeloMD is not intended for use by individuals under the age of 18. We do not knowingly collect personal
information from children. The Service is restricted to licensed healthcare professionals.
8. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by updating the
"Last Updated" date at the top of this policy and, where appropriate, providing additional notification within
the application.
9. Contact Information
If you have questions about this Privacy Policy, wish to exercise your rights, or need to report a privacy
concern, please contact:
TAMDB SOFT PLLC
HIPAA Privacy Officer
Email: privacy@tamdbsoft.com
© 2026 TAMDB SOFT PLLC. All rights reserved.
This Privacy Policy is effective as of February 25, 2026.