Privacy Policy
5 Dec 2025
This Privacy Policy explains how Burna AI, Inc. ("Burna AI," "we," "us," or "our") collects, uses, and protects your information when you use our platform and services.
Your privacy matters to us. As a company serving healthcare professionals, we take our responsibility to protect your information seriously.
What This Policy Covers
This Privacy Policy applies to:
Healthcare professionals using Burna AI's CTCAE AI platform
Visitors to our website (burna.ai)
Anyone interacting with our marketing or support services
Important: This policy does NOT cover patient health information that healthcare customers process through Burna AI ("Customer Data"). That information is governed by:
Our Business Associate Agreements with healthcare providers
Your healthcare provider's own privacy practices
HIPAA regulations
If you're a patient: Please contact your healthcare provider about how they handle your health information.
Information We Collect
Information You Provide
When you create an account:
Name and email address
Professional credentials (specialty, organization)
Role and professional title
When you use our platform:
Audio recordings of clinical encounters (with appropriate consent)
Clinical notes and documentation you create
CTCAE grading data and adverse event documentation
Feedback and support requests
When you visit our website:
Contact information when you request demos or information
Information you provide in forms or surveys
Information We Collect Automatically
When you use Burna AI:
Login times and session duration
Features you use and how often
Device type and operating system
IP address and general location
Performance and error data
When you visit our website:
Pages you view and time spent
Referring website
Browser type
Cookie data (see our Cookie Policy)
Information from Other Sources
We may receive information from:
Healthcare organizations you work for
Professional directories (to verify credentials)
Marketing platforms (HubSpot) when you interact with our content
How We Use Your Information
To Provide Our Service
Process audio recordings into clinical documentation
Generate CTCAE grades and adverse event assessments
Provide AI-assisted clinical decision support
Maintain your account and preferences
Provide customer support
To Improve Burna AI
Analyze usage patterns to enhance features
Fix bugs and improve performance
Develop new capabilities
Note: We only use de-identified, aggregated data for product improvements. Individual patient data is never used for training without explicit authorization.
To Communicate With You
Send service updates and important notices
Provide technical support
Share product updates and new features
Process billing and account matters
For Marketing (With Your Consent)
Send newsletters and product announcements
Invite you to webinars and industry events
Share relevant healthcare industry insights
You can opt out anytime using the unsubscribe link in any email.
Legal and Compliance
Comply with applicable laws and regulations
Respond to legal requests and court orders
Protect our rights and security
Prevent fraud
Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), UK, and Switzerland:
| Purpose | Legal Basis |
|---|---|
| Providing services | Contract performance |
| Security and fraud prevention | Legitimate interest |
| Product improvement (aggregated data) | Legitimate interest |
| Legal compliance | Legal obligation |
| Marketing communications | Consent |
How We Share Your Information
We Share Information When:
You Direct Us To:
EHR integrations you configure
Colleagues you invite to collaborate
Third-party apps you connect
To Provide Our Service:
| Provider | Purpose | Safeguards |
|---|---|---|
| Microsoft Azure | Transcription, cloud infrastructure | BAA in place, HIPAA-eligible |
| Convex | Database infrastructure | SOC 2 Type II certified |
| Cloudflare | Security, performance | SOC 2 Type II certified |
| HubSpot | Marketing, CRM | Data processing agreement |
All providers are bound by confidentiality agreements.
When Required by Law:
Valid court orders or subpoenas
Healthcare regulatory investigations
Public health reporting requirements
Emergency situations to prevent harm
Business Transactions: In the event of a merger, acquisition, or sale, your information may be transferred subject to equivalent privacy protections. We will notify you of any such change.
We Never:
Sell your personal information
Share patient health information without authorization
Use your data for third-party advertising
Provide information to unauthorized parties
HIPAA and Healthcare Data
Our Role as Business Associate
When you use Burna AI for patient care:
We serve as your HIPAA Business Associate
We execute formal Business Associate Agreements (BAAs)
We follow HIPAA security and privacy requirements
We only process patient data as you direct
We maintain administrative, physical, and technical safeguards
We provide breach notification within required timeframes
Clinical Data Protection
Encryption for all data at rest and in transit
Secure API connections with healthcare systems
Audit trails for all data access
Role-based access controls
Automatic session timeouts
Your Responsibilities as a Healthcare Provider
Obtain appropriate patient consent for AI documentation assistance
Ensure Burna AI use complies with your organization's policies
Review and approve all AI-generated clinical content
Report any suspected privacy incidents to us immediately
Patient Rights
If you're a patient whose provider uses Burna AI:
Contact your healthcare provider about your privacy rights
Your provider's privacy notice governs how your information is handled
We process your information only as directed by your provider
Data Security
Technical Safeguards
TLS 1.3 encryption for all data transmission
AES-256 encryption for stored data
Multi-factor authentication available
Regular security testing and monitoring
Operational Security
Employee background checks and privacy training
Strict access controls and audit logging
Role-based access with least privilege principles
Incident response procedures
Physical Security
Our infrastructure providers maintain:
SOC 2 Type II certified data centers
Physical access controls and monitoring
Environmental controls and redundant systems
Security Incidents
If a security incident affects your data:
We will notify affected users within 72 hours (24 hours for HIPAA breaches)
We will conduct a full investigation
We will assist with any required notifications
We will implement enhanced security measures as needed
International Data Transfers
We may transfer your information to countries outside your residence, including the United States. We ensure appropriate safeguards:
Standard Contractual Clauses (SCCs) for EU data transfers
Encryption for all data in transit and at rest
Access controls limiting who can view data
Primary data processing occurs in the United States using HIPAA-compliant infrastructure.
Mobile App (iOS)
Data Collection in Our App
Our iOS app collects:
Account information (email, name)
Audio recordings (when you initiate recording)
Usage analytics (features used, session duration)
Device information (iOS version, device type)
App Tracking Transparency
We respect Apple's App Tracking Transparency framework. Our app does NOT:
Track you across other companies' apps or websites
Use device fingerprinting for advertising
Share data with advertising networks or data brokers
You can verify tracking permissions anytime: Settings → Privacy & Security → Tracking → Burna AI
Permissions We Request
| Permission | Why We Need It | When We Ask |
|---|---|---|
| Microphone | Record clinical encounters for transcription | When you tap Record |
| Speech Recognition | Convert audio to text | When you tap Record |
| Notifications | Alert you when transcription is complete | After first recording |
We only request permissions when contextually relevant, not on app launch.
Your Privacy Rights
All Users
Access: View your account data anytime in Settings
Correction: Update inaccurate information in your account
Deletion: Delete your account and personal data
Portability: Request a copy of your data
GDPR Rights (EEA, UK, Switzerland)
Objection: Object to processing based on legitimate interest
Restriction: Request we limit processing in certain circumstances
Withdrawal: Remove consent for marketing anytime
CCPA Rights (California)
Know: What personal information we collect and why
Delete: Request deletion of personal information
Opt-Out: We do not sell personal information
Non-Discrimination: Equal service regardless of privacy choices
How to Exercise Your Rights
Email: contact@burna.ai
We will respond within 30 days and verify your identity for security.
Account Deletion
You can delete your account at any time:
In the app: Settings → Account → Delete Account
Confirm deletion when prompted
All personal data will be permanently deleted within 30 days
Some information may be retained longer if required by law (e.g., audit logs for HIPAA compliance).
For assistance with account deletion: contact@burna.ai
Cookies and Tracking
We use cookies to operate our website and improve your experience. For full details, see our Cookie Policy.
Summary:
Essential cookies: Required for login and security
Analytics cookies: Help us improve (opt-out available)
Marketing cookies: Measure campaign effectiveness (consent required)
We do not use cookies to track you across other websites for advertising.
Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 30 days after deletion |
| Clinical data | As configured by customer (default: 7 years per healthcare regulations) |
| Audio recordings | Deleted after processing (typically < 24 hours) |
| Audit logs | 3 years (HIPAA requirement) |
| Marketing preferences | Until you opt out |
Children's Privacy
Our services are intended for healthcare professionals and are not directed at individuals under 18 years of age. We do not knowingly collect personal information from children.
Changes to This Policy
When We Update
We may update this policy for:
New features or services
Changes in privacy laws
Improvements to our practices
How We Notify You
Updated effective date posted on this page
Email notification for material changes
30-day notice for significant updates
Contact Us
For privacy questions or to exercise your rights:
Email: contact@burna.ai
Response time: Within 30 days
Regulatory Contacts
If you have concerns about our privacy practices:
EU Users: Your local Data Protection Authority
UK Users: Information Commissioner's Office (ICO)
California Users: California Attorney General's Office
Burna AI, Inc. is committed to protecting your privacy while helping you provide exceptional patient care.
This Privacy Policy was last updated in January 2026.













