Privacy Policy for Inscripta Oy

Last updated: 12 May 2026

This Privacy Policy explains the types of personal data collected, recorded, used, and shared, by Inscripta Oy and its subsidiary, Inscripta Transcription Service Oy (together, "Inscripta").

It applies to all individuals whose personal data is processed by Inscripta, except Inscripta employees. Staff are provided with a separate Employee Privacy Policy at onboarding.

At the end of this notice, you find the controller-controller terms for data processing activities, Inscripta is data controller.

Information we collect, legal bases and purposes

Enquiries, questions, and feedback: When you contact us via our website or other channels, we collect the personal information you provide — for example, your name, contact details, and the content of your message — so that we can respond to you. The legal basis for this processing is our legitimate interest, and our purpose is responding to communications directed to us.

User accounts: Based on the contractual obligation we have with our customers, your employer, we collect email and other relevant information to create individual accounts for each user using our tools. In addition, and based on our legitimate interest, we collect personal information related to the sign-up, such as insights related to browser's used in connection with the service, email, IP address, device information, time stamps, with the purpose to gain insights on the usability, security, location, and to verify the individual's relationship with our customer.

Trial and demo: When you use our trial product or demo, we collect your email address in order to provide you with access to the service (Article 6(1)(b) GDPR, performance of a contract or pre-contractual steps at your request, 'exploration or initiation of a contractual relationship'). We also collect information about how the trial or demo is used, on the basis of our legitimate interest in evaluating and improving our service (Article 6(1)(f) GDPR). We may contact you to ask for your feedback on your experience; any response you provide is given voluntarily. Audio and transcription data generated during a trial or demo is deleted as soon as you close the session. Trials and demos are intended for evaluation purposes only and should not be used with real patient data.

Audio and transcriptions: In order to provide our services to our customers, we process personal data contained in audio recordings and transcriptions generated through use of the service. This may include personal data relating to the customer's users (e.g. clinicians) as well as personal data relating to third parties (e.g. patients) that is disclosed during a recording, whether intentionally or not. The legal basis for this processing is the performance of the contract between us and the customer (Article 6(1)(b) GDPR). Where the data relates to individuals other than the customer's users, we act as a data processor on behalf of the customer, who is the controller of that data.

Research and development data: We train and improve our models using audio and transcription data obtained from providers under contractual agreements that permit such use, and publicly available information relating to medical terminology, concepts and clinical language. The legal basis for this processing is our legitimate interest (Article 6(1)(f) GDPR) in developing, improving, and validating speech recognition models suitable for clinical use, and, where applicable and considered special category data (such as health data), processing is carried out based on Article 9(2)(j) GDPR in conjunction with applicable safeguards under Article 89(1) and applicable national law. Read more below on our privacy by design concerning model training.

Public information: Based on our legitimate interest we collect publicly disclosed personal information, for example, via social media, or websites, to understand how our brand is perceived, or known, by the wider audience.

Marketing and sales: We collect, based on legitimate interest personal data via sales calls, events, webinars, and in-person events, to offer and sell you our product and services. We also may collect your business cards, information, or you may appear, or you may appear on pictures we take from our participation at an event. Where we can ask for your consent to be on a picture, we will do so.

Recruitment: We collect recruitment information when you apply for employment, and follow up on the references and information you have provided us, to verify your qualifications and to assess if you are a great fit for our team.

Website insights: We collect, based on our legitimate interest, website network and information security logs via the website log files. These logs visitors when they visit websites. The information collected by log files include, as a side effect, internet protocol (IP) addresses, browser type, Internet Service Provider (ISP), date and time stamp, referring/exit pages, and possibly the number of clicks. We collect this information based on purpose of the information is for analyzing trends, administering the site, tracking users’ movement on the website, and gathering demographic information, including fraud prevention of the website, abuse detection and debugging. In our company we cannot derive any personal information from these logs concerning any individual.

Cookies: We do not collect marketing or tracking cookies on our website. The only cookies collected are necessary cookies to to make sure the website functions and is correctly displayed, and to distinguish between human visitors and bots.

Inscripta as a Data Processor

Where Inscripta acts as a data processor, we process personal data on behalf of our customer and in accordance with a written data processing agreement, as required by Article 28 GDPR. If you use our tools or services under a customer contract, your personal data is processed in line with the scope and terms of the agreement between Inscripta and that customer.

Inscripta as a Data Controller

Where Inscripta act as your data controller, we are responsible for demonstrating that the processing of your personal data complies with the GDPR. This means, among other things, that:

comply with applicable transparency and information obligations,
we have assessed risks, and balanced our processing against your data protection rights in a Data Protection Impact Assessment ("DPIA"), where required,
have implemented adequate technical and organizational security measures to protect the data against unauthorized access, loss, or modification,
specifically select our processors and bind them by written agreements that include confidentiality and data protection obligations, in accordance with Article 28 GDPR;
maintain internal policies and procedures to support compliance with our data protection obligations; and
provide regular data protection awareness training to our staff.

We have appointed a Data Protection Officer responsible for monitoring our compliance, and we keep our compliance framework under ongoing review, including a documented review of all data protection documentation at least once per year.

Privacy by Default and by Design

Specifically to our research and development data, including the training and development of our current and other relevant models, we have designed our activities in line with the principles of data protection by design and by default under Article 25 GDPR. This section describes how those principles are applied in practice.

We use only the data necessary to achieve our purpose, which is to train and refine existing models and to develop new models and tools intended to support accurate, reliable, and clinically suitable speech recognition tools for healthcare providers. Our mission is to accelerate the creation of patient visit notes and reports, contributing to greater efficiency and cost-effectiveness of healthcare delivery. Therefore, we do not collect or retain identifiers beyond what is needed, or use the research and development data for any other purpose.
All research and development data is kept separately from operational service data. Prior to using data for research and development and model training, pursuant to a robust internal data annotation policy, direct and indirect identifiers are irreversibly removed. Re-identification of any individual is then only possible by combining the dataset with additional information that is not in Inscripta's possession and is generally not publicly available. To the extent the dataset is nevertheless lawfully considered as personal data, Inscripta protects the data as data controller, and has implemented appropriate and adequate technical and organizational security measures and risk mitigation safeguards.
We opt only for high quality research and development data for model training to maintain a high level of model accuracy, usability and overall experience of the tools at use by our customers. Related risks to data subjects associated with model training have been assessed and documented in a Data Protection Impact Assessment (DPIA), which is reviewed regularly and updated when required.

With whom is your data shared

Your personal data is shared with the following processors and sub-processors. Where sharing involves an internal data transfer, such transfer shall be based on the obligations and safeguard from Chapter V of the GDPR.

For reasons of clarity, research and development data is, and remains, stored in the European Economic Area.

Name	Type of data	Location of processing
Google Cloud Platform	Storage of user data	Europe
OVHCloud	Storage of user data, customer audio and transcription	Europe
Freshdesk	Support messages	Europe
Inscripta Transcription Services	Customer audio and transcription	Europe

How long do we store your information

We have established internally a thorough data retention policy.

Audio and transcription data related to the services we provide to our customers is stored for a maximum of 90 days, after which it is irreversibly deleted.

Research and development data is retained for as long as necessary for our research and development purposes, or for the period agreed under the applicable license terms, where relevant.

User accounts created in connection with our product are retained for the duration set out in the relevant data processing agreement, or for a maximum of one year after termination of the service.

Customer questions, inquiries, feedback, and customer service records are retained for a maximum of three years, to enable us to respond to and defend against potential claims.

Marketing prospects and non-customer inquiries, questions, or feedback are retained for a maximum of one year following the last point of engagement or activity.

Applicant and recruitment data is retained for a maximum of two years following an unsuccessful application. Data relating to successful applicants is transferred to the employee file and retained in accordance with our employee data policy.

Your Data Protection Rights

We want to make sure you are fully aware of your data protection rights. Every data subject is entitled to the following:

The right to access – You have the right to request copies of your personal data. We may charge a reasonable fee where requests are manifestly unfounded, excessive, or repetitive.

The right to rectification – You have the right to request that we correct any information you believe is inaccurate, or complete any information you believe is incomplete.

The right to erasure – You have the right to request that we erase your personal data. We will comply where the conditions set out in Article 17 GDPR apply.

The right to restrict processing – You have the right to request that we restrict the processing of your personal data, under the conditions set out in Article 18 GDPR.

The right to object to processing – You have the right to object to our processing of your personal data, under the conditions set out in Article 21 GDPR.

The right to data portability – You have the right to request that we transfer the personal data you have provided to us to another organization, or directly to you, where the conditions in Article 20 GDPR are met.

The right to withdraw consent – Where our processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

The right to not be subject to automated decision-making – You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects concerning you. Where applicable, we will provide human review and assistance, for example with account creation or system troubleshooting.

Where Inscripta acts as a data processor, we will refer your request to the relevant data controller and assist them in responding, using reasonable efforts.

Where Inscripta is data controller, acts as a data controller, we will respond to your request within one month, in line with Article 12(3) GDPR. With respect to our research and development data, Inscripta is unable to re-identify individuals from the dataset due to the security measures in place; re-identification would only be possible by linking this data with additional information that is not in our possession (see Article 11 GDPR). We will nevertheless respond to your request and explain the extent to which we are able to execute your request.

Complaints

If you would like to exercise any of these rights, please contact us using the contact information provided at the top of this notice.

You have the right to lodge a complaint with the Data Protection Authorities in Finland, or with the supervisory authority in your country of residence, at any time.

Keep this privacy notice under review as it may be updated from time to time.

Controller-Controller Terms

If you are a Customer, Inscripta may become Data Controller of de-identified personal data, where agreed. In such event, Inscripta will comply with all statutory requirements, and overall data compliance with the GDPR and applicable Data Protection Laws as Data Controller.

Inscripta will adhere, in principle, to the GDPR regulation, and with data protection laws where applicable, concerning, but not limited to, data collection and processing of personal data, respecting data subject rights and providing adequate transparency notices, establishing and documenting appropriate legal bases for specified purposes, ensuring compliant sharing and transfers where applicable, assess risks in data protection impact assessments, and secure the data against unauthorized loss, modification or access with adequate technical and organizational security measures.

Inscripta will keep personal data secured, confidential, and permissible only on a need-to-know access level. Only qualified personnel, under contractual confidentiality obligations, will process personal data, and always in accordance with applicable data protection laws.

Concerning anonymous, or de-identified personal data, Inscripta will perform the de-identification process in such a way that re-identification of data subjects is no longer feasible without the use of additional information, not in Inscripta's possession. In addition, Inscripta has implemented strict technical and organizational security controls preventing re-identification.

Inscripta will notify the Customer without undue delay but within no more than 48 hours after it becomes aware of any personal data breach affecting any personal data which may cause a high risk to the rights and freedoms of data subjects. The Customer remains responsible for any notification to Customers or Authorities because it is practically impossible for Inscripta to match and verify a data subject with a de-identified record in Inscripta's database.

For the same reason as previously stated, Incripta will inform and refer any received data subject right request to the Customer and assist the Customer with the best of its efforts.

Any legal claim or procedure will first attempted to be resolved amicably. Disputes may be brought forth in the court in Helsinki, Finland.