Alcove Last updated: May 21, 2026

Privacy Policy

Effective: May 21, 2026

Introduction

Alcove is a HIPAA-compliant AI medical scribe designed for independent healthcare practices. We operate through the Alcove Chrome extension and web application (app.alcove.health). This Privacy Policy explains how we collect, use, store, disclose, and protect information when you use our services, including audio recordings of clinical encounters, AI-generated clinical notes, and patient encounter data.

By using Alcove, healthcare practices and their staff agree to the collection and use of information as described in this policy. If you have questions or concerns, contact us at privacy@alcove.health.

Limited Use Commitment

Alcove's use of data collected through the Chrome extension and web application — including audio recordings, clinical transcripts, patient identifiers, and AI-generated SOAP notes — is strictly limited to:

Providing the Alcove medical scribe service to your practice
Improving the reliability and accuracy of the Alcove service (e.g., error monitoring, performance diagnostics with PHI redacted)
Supporting technical troubleshooting and security monitoring

This data is not used to develop, train, or improve AI or machine learning models outside the Alcove service pipeline. This data is not used for advertising, behavioral profiling, or any commercial purpose unrelated to medical documentation. This data is not sold, rented, or traded to third parties for any purpose.

This is a Limited Use commitment consistent with Chrome Web Store User Data Policy requirements.

Information We Collect

We collect the following categories of information to provide and improve our services:

Account information: Name, email address, practice name, role (practitioner, medical assistant, or admin), and billing information provided during registration.
Patient encounter data: Audio recordings of clinical sessions, AI-generated SOAP notes, and any clinical content discussed during recorded encounters. This data constitutes Protected Health Information (PHI) under HIPAA and is handled accordingly.
Patient identifiers: Patient names and identifiers associated with encounters, sourced from your EHR system (Practice Fusion) and used solely to associate recordings with the correct encounter in Alcove.
Usage data: Session duration, feature interaction events, and application performance metrics. PHI is automatically redacted from usage data before transmission using our phi_redaction module — no clinical content reaches our analytics pipeline.
Device and browser data: Browser type, extension version, and operating system — collected only to support technical troubleshooting.

Audio Recording & Processing

Audio recording is the core of Alcove's functionality. Here is the complete lifecycle of audio data through our system:

Capture: Audio is captured entirely in browser memory using the Web Audio API and the browser's MediaRecorder interface. It does not touch the local disk at any point during the recording session.
Telehealth tab audio: When the provider selects Telehealth mode, Alcove captures the remote speaker's audio from the active browser-based telehealth tab (e.g., Zoom, Google Meet, Doxy.me). This tab audio is mixed with the provider's microphone audio and follows the identical pipeline described above — TLS transit to S3, transcription, SOAP generation, and automatic deletion. No video or screen content is captured; only the audio stream from the tab.
Transit: When recording stops, the audio is uploaded directly to Amazon S3 over HTTPS (TLS 1.2+) via a pre-signed upload URL. The audio data is never routed through Alcove's own application servers — it travels directly from your browser to S3.
Storage at rest: Audio files are encrypted at rest in Amazon S3 using AES-256 encryption managed by AWS Key Management Service (KMS). Access is restricted to authorized Alcove services only.
Processing: AWS Transcribe Medical converts the audio to text using speaker diarization to distinguish between clinician and patient voices. The resulting transcript is passed to Amazon Bedrock (powered by Anthropic's Claude models) to generate structured SOAP notes.
Deletion: Audio files are automatically deleted from S3 after transcription and AI processing complete — typically within minutes of upload. Audio is not retained for any secondary purpose, model training, analytics, or research. We do not retain audio beyond the processing window under any circumstances.

Healthcare practices using Alcove are responsible for obtaining patient consent for audio recording in accordance with applicable federal and state law. While HIPAA permits recording of clinical encounters for treatment documentation purposes without a separate patient Authorization (45 CFR § 164.506), state wiretapping and electronic surveillance laws may impose additional requirements.

Several U.S. states require the consent of all parties before a conversation may be recorded ("all-party consent" states). These include, but are not limited to: California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, and Washington. If your practice operates in one of these states — or if a patient is located in one of these states at the time of recording — you must obtain explicit patient consent before initiating a recording with Alcove.

We recommend that all practices, regardless of state, inform patients at the start of encounters that the visit may be audio-recorded for clinical documentation purposes. A simple verbal notice (e.g., "I use an AI documentation tool that records our conversation to create your clinical notes — is that okay with you?") is sufficient in most one-party consent jurisdictions and demonstrates good faith in all-party consent states.

Alcove (Alfaaz, LLC) provides the technology to record and transcribe clinical encounters. Compliance with applicable state recording consent laws and patient notification requirements is the responsibility of the healthcare practice using Alcove. Alcove is not responsible for a practice's failure to obtain required patient consent.

When using Alcove's Telehealth mode, an additional consent gate is enforced by the extension: recording does not begin until the provider explicitly acknowledges that the patient has been informed and consents to the visit being recorded. This consent acknowledgment is required at the start of every telehealth recording session. Providers remain responsible for ensuring that patient consent is obtained in accordance with applicable law, including any heightened requirements for recorded telecommunications.

PHI & HIPAA Compliance

Alcove acts as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). We maintain a Business Associate Agreement (BAA) with Amazon Web Services covering all services that process PHI:

Amazon S3 — encrypted audio storage during the processing window
AWS Transcribe Medical — speech-to-text transcription with speaker diarization
Amazon DynamoDB — structured storage for SOAP notes and encounter records
Amazon Bedrock — SOAP note generation via Claude models

PHI is never used for advertising, sold to third parties, or shared outside the scope of the BAA. All PHI access is audit-logged at the application level. Role-based access controls (RBAC) ensure that medical assistants cannot access detailed SOAP notes or complete clinical histories — only practitioners with explicit permission can view full clinical content.

We implement multi-tenant data isolation: each practice's data is segregated using composite partition keys in DynamoDB, ensuring that no practice can access another practice's patient data under any circumstances.

We apply the minimum necessary standard to all PHI uses and disclosures: each component of the Alcove system accesses only the specific fields of PHI required to fulfill its function. Role-based access controls enforce this at the API level — medical assistants cannot access complete SOAP notes or detailed clinical histories; practitioners cannot access other practitioners' patient data; each practice's data is inaccessible to all other practices.

As a Business Associate, Alcove ensures that any subcontractor who creates, receives, maintains, or transmits PHI on our behalf is bound by a Business Associate Agreement as required by 45 CFR § 164.502(e)(1)(ii). Amazon Web Services acts as a downstream Business Associate covering all AWS services used by Alcove, including Amazon Bedrock. Alcove does not engage subcontractors outside of the services listed in this policy who access PHI.

Breach Notification

As a Business Associate under HIPAA, Alcove will notify affected healthcare practices of any breach of unsecured Protected Health Information involving Alcove systems without unreasonable delay and no later than 60 calendar days of discovery, consistent with our obligations under 45 CFR §§ 164.400–414. Our breach notification will include:

A description of the breach, including the date of breach and date of discovery
The categories of PHI involved (e.g., names, clinical notes, audio recordings)
The number of individuals whose PHI was involved, to the extent known
The steps Alcove has taken or is taking to contain and remediate the breach
Steps affected individuals may take to protect themselves, where applicable

Healthcare practices, as Covered Entities under HIPAA, are responsible for notifying affected patients and — where required — the U.S. Department of Health and Human Services, consistent with the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414). Alcove will cooperate fully and provide the information reasonably necessary for practices to fulfill their notification obligations.

To report a suspected security incident or request breach-related information, contact us immediately at security@alcove.health.

Chrome Extension Storage

The Alcove Chrome extension uses browser storage carefully to ensure PHI is never persisted beyond the active session:

chrome.storage.session: All temporary state — current patient context, active recording status, and session-scoped flags — is stored in chrome.storage.session. This storage is automatically cleared when the browser closes. No PHI persists across browser sessions via this mechanism.
chrome.storage.local: Used only for non-PHI data: encrypted authentication tokens and non-sensitive user preferences (e.g., UI settings). PHI is never written to chrome.storage.local.
Browser localStorage: PHI is never written to the browser's native localStorage API, which persists across browser restarts and is accessible to the web application origin. This is a deliberate HIPAA compliance requirement.

Authentication tokens stored in chrome.storage.local are encrypted using AES-GCM-256 with PBKDF2 key derivation (100,000 iterations). No raw tokens or credentials are ever written to browser storage in plaintext.

The extension requests the microphone permission as an optional permission, prompted at runtime only when the clinician initiates their first recording. Microphone access is used solely to capture audio during active clinical encounters and is not accessed at any other time. The tabs permission is used to identify which browser tab is displaying a Practice Fusion patient chart, enabling the extension to route completed SOAP drafts to the correct tab — tab content is never read or transmitted.

EHR Integration & Content Injection

The Alcove Chrome extension integrates with Practice Fusion (practicefusion.com) to support in-EHR recording and SOAP note review. Here is exactly what the extension does and does not do within Practice Fusion:

Patient name detection: The extension reads the patient name displayed in the currently open Practice Fusion chart. This is done for the sole purpose of associating the recording with the correct encounter in Alcove. This name is not transmitted to any external service by the content script — it is used only within the local extension context.
SOAP note injection: AI-generated SOAP notes from Alcove are injected into Practice Fusion's native clinical note editors. All DOM operations use sanitized insertion methods (never innerHTML with raw content) to prevent cross-site scripting (XSS) vulnerabilities.
No data extraction: The extension does not extract, copy, scrape, or transmit any clinical data from Practice Fusion to third parties. It only writes content into EHR fields — it does not read clinical content out of them.
Widget UI: The extension injects a floating Alcove widget into the Practice Fusion interface to surface recording controls and encounter status. This widget is visually isolated using Shadow DOM to prevent CSS conflicts with the EHR interface.

Third-Party Service Providers

We work with the following third-party service providers. The table below describes each provider's role, PHI access, and the safeguards in place:

Provider	Purpose	PHI Access	Safeguard
Amazon Web Services (AWS)	Cloud infrastructure: S3 audio storage, Transcribe Medical (speech-to-text), DynamoDB (encounter data), and Bedrock (AI note generation)	Yes — processes audio recordings and transcript data	HIPAA Business Associate Agreement (BAA) in place; AES-256 encryption at rest via AWS KMS; TLS 1.2+ in transit
Amazon Bedrock / Anthropic Claude	AI-powered SOAP note generation: transcribed text is processed by Claude models to generate structured clinical documentation	Yes — transcribed text (derived from audio PHI) is processed to generate clinical notes	Amazon Bedrock is a HIPAA-eligible service fully covered under Alcove's Business Associate Agreement with AWS. Alcove does not have a direct data-processing relationship with Anthropic — Claude models are operated by AWS within their infrastructure. AWS contractually prohibits the use of customer data for model training under Bedrock service terms.
Stripe	Payment processing and subscription management for Alcove plans	No — Stripe receives only billing information (payment card details, billing address). Clinical data is never transmitted to Stripe.	Stripe is PCI DSS Level 1 certified; payment data is governed by Stripe's Privacy Policy
Sentry	Application error monitoring and crash reporting to support reliability and debugging	No — PHI is programmatically scrubbed by Alcove's `phi_redaction` module before any error payload is transmitted to Sentry	PHI redaction is enforced at the application layer; Sentry receives only sanitized stack traces and event metadata — never raw clinical content
Amazon Cognito	User authentication and identity management — issues practice-scoped JWT tokens containing role and practice identifiers	No — Cognito stores authentication data (email, role, practice identifier) but not clinical PHI	Covered under Alcove's BAA with AWS; practice-scoped custom attributes enforce multi-tenant isolation at the identity layer
Amazon SES	Transactional email delivery — team invitations and payment notifications	No — SES emails contain only administrative notices (invitations, billing); no clinical data is included in email content	Covered under Alcove's BAA with AWS; email content is limited to non-PHI administrative notifications

Data Security

We implement multiple layers of technical and organizational safeguards to protect your data:

Encryption at rest: AES-256 encryption for all S3 objects and DynamoDB tables, managed by AWS KMS
Encryption in transit: TLS 1.2+ for all data transmissions between browsers, Lambda functions, and AWS services
Role-based access control: RBAC enforced at every API endpoint via middleware decorators, ensuring practitioners, medical assistants, and admins can only access data appropriate to their role
Multi-tenant isolation: Each practice's data is strictly segregated using composite DynamoDB partition keys — cross-practice data access is architecturally impossible
PHI audit logging: All access to PHI triggers an immutable audit log entry recording the accessor, timestamp, and data accessed
Sanitized DOM operations: Content injected into Practice Fusion uses sanitized DOM insertion methods — never raw HTML injection — to prevent XSS attacks
PHI-free application logs: Application logs automatically redact PHI before writing to CloudWatch; PHI never appears in log output
Authentication: AWS Cognito with practice-scoped custom attributes, enforcing practice isolation at the identity layer

Data Retention & Deletion

We retain different categories of data according to the following schedules:

Audio recordings: Deleted automatically from Amazon S3 after transcription and AI processing complete — typically within minutes of upload. Audio is not retained beyond the processing window for any purpose.
Transcripts: Stored temporarily in Amazon S3 as intermediate processing artifacts and deleted automatically upon successful SOAP note generation — typically within minutes of transcription completion. In error or retry states, transcripts are retained only until the processing pipeline resolves, and are purged within 24 hours regardless of processing outcome. Transcripts are never retained beyond this window for any purpose.
SOAP notes and encounter records: Retained for the life of your Alcove account to support encounter history, retrieval, and clinical continuity.
Account information: Retained for the duration of your active account plus any legally required retention period.
PHI access audit logs: Retained for 7 years from the date of the logged event, consistent with HIPAA documentation retention requirements (45 CFR § 164.530(j)). Audit logs record accessor identity, timestamp, and data accessed — they do not contain clinical note content.

To request deletion of your data or your practice's data, email privacy@alcove.health with "Privacy Request" in the subject line. We will acknowledge your request within 30 days and complete deletion within 60 days, except where retention is required by law or for legitimate business purposes.

Upon account deletion, all SOAP notes, encounter records, and patient data associated with your practice will be deleted within 60 days, consistent with our data deletion policy above. PHI access audit logs are retained for the legally required 7-year period even after account deletion.

Your Rights

Depending on your location and applicable law, you may have the following rights with respect to your data:

Right to access: Request a copy of the personal information and PHI we hold about your practice and its encounters
Right to correction: Request correction of inaccurate or incomplete information
Right to deletion: Request deletion of your data, subject to legal retention requirements
Right to data portability: Request an export of your encounter data in a machine-readable format
Right to restrict processing: Request that we limit how we process your data in specific circumstances

California residents have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know specific categories of data collected and the right to opt out of data sharing.

Under CPRA, health data collected by Alcove — including audio recordings of clinical encounters, clinical notes, and health conditions discussed during recorded visits — constitutes Sensitive Personal Information as defined by Cal. Civ. Code § 1798.140. California residents have the right to direct Alcove to limit the use of their Sensitive Personal Information to that which is necessary to provide the services requested. To exercise this right, contact us at privacy@alcove.health.

Alcove does not sell personal information and does not share personal information for cross-context behavioral advertising purposes. No "Do Not Sell or Share My Personal Information" opt-out mechanism is required, as this practice does not occur. California residents may contact us to confirm this in writing.

The categories of personal information collected by Alcove include: identifiers (name, email, practice name); professional or employment-related information (clinical role); audio recordings and their derived transcripts; health information (AI-generated SOAP notes); and internet or network activity (session metadata, with PHI redacted). These categories are collected and used solely for the purposes described in this policy.

To exercise any of these rights, contact us at privacy@alcove.health. We will respond within 30 days.

No Sale of Data

We do not sell your data. Alcove does not sell, trade, rent, or otherwise transfer personal information or Protected Health Information to third parties for commercial purposes. We do not engage in data brokering. We do not share your clinical data with advertisers, data aggregators, or any party whose primary purpose is the commercial use of that data.

This commitment applies to all data collected through the Alcove Chrome extension and web application, without exception. The only third parties who receive any Alcove data are our service providers (listed above in the Third-Party Services section), who process data solely on our behalf and under contract.

Changes to This Policy

We may update this Privacy Policy from time to time as our services evolve or legal requirements change. Material changes will be reflected in the "Last updated" date at the top of this page. We will notify active users of material changes via email to the address associated with their Alcove account.

Continued use of Alcove after a policy update constitutes acceptance of the revised policy. If you do not agree with a change, you may discontinue use and request data deletion by contacting privacy@alcove.health.

Contact Us

For privacy questions, data deletion requests, or HIPAA inquiries, email us at privacy@alcove.health. Include "Privacy Request" in the subject line for data rights requests.

Alcove (Alfaaz, LLC)
Privacy Contact: privacy@alcove.health