Ginidok Privacy Policy

Last updated: 2025-10-30

TL;DR (English)
Ginidok processes consultation audio ephemerally to extract structured SOAP summaries. Ginidok does not store audio recordings or raw transcriptions. Only structured SOAP notes are stored if a clinician/clinic chooses to save them. This document explains what we process, what we store, user rights, security practices, and third-party handling.

TL;DR (Bahasa Indonesia)
Ginidok memproses audio konsultasi secara sementara untuk mengekstrak ringkasan SOAP terstruktur. Ginidok tidak menyimpan rekaman audio atau transkrip mentah. Hanya ringkasan SOAP yang disimpan jika klinik atau penyedia layanan memilih untuk menyimpannya. Dokumen ini menjelaskan data apa yang diproses, apa yang disimpan, hak pengguna, praktik keamanan, dan penggunaan pihak ketiga.

Scope & Purpose
Definitions
What we process and what we do not store
Ephemeral processing — technical guarantees
Data we may store (SOAP, metadata, audit logs)
Third parties & Data Processing Agreements (DPAs)
Retention & deletion policy
User rights (access / export / delete / withdraw consent)
Security measures
Logging, debugging, and developer access controls
Legal requests & limitations
Breach notification & incident response
Children & vulnerable populations
Changes to this policy
Contact & Data Subject Requests
Appendices: UI consent copy, DPA clause, Ops checklist

1. Scope & Purpose

EN: This Privacy Policy applies to Ginidok’s services that record and process clinician–patient consultations to generate structured SOAP (Subjective, Objective, Assessment, Plan) summaries. It covers how Ginidok collects, uses, processes, and stores data in connection with those services.

ID: Kebijakan Privasi ini berlaku untuk layanan Ginidok yang merekam dan memproses konsultasi dokter–pasien untuk menghasilkan ringkasan SOAP terstruktur. Kebijakan ini menjelaskan bagaimana Ginidok mengumpulkan, menggunakan, memproses, dan menyimpan data terkait layanan tersebut.

2. Definitions

Audio / Recording: raw audio captured during a consultation session.
Transcription: text produced from audio by automated speech-to-text (STT) processing.
SOAP summary / SOAP note: structured clinical summary extracted from the transcription (Subjective, Objective, Assessment, Plan).
Ephemeral processing: processing that occurs temporarily in memory or transient environments and is not written to persistent storage.
DPA (Data Processing Agreement): contractual agreement with third-party processors governing use, retention, and protections for data.

3. What we process and what we do NOT store

EN:
- We process: consultation audio for the sole purpose of generating an automated transcription and extracting a SOAP summary.
- We do NOT store/persist: raw audio recordings or raw transcriptions (unless explicitly and separately consented to by the clinic and recorded in writing). We do not retain audio/transcriptions in backups, logs, or analytics datasets.

ID:
- Yang kami proses: audio konsultasi untuk tujuan membuat transkripsi otomatis dan mengekstrak ringkasan SOAP.
- Yang TIDAK kami simpan: rekaman audio mentah atau transkrip mentah (kecuali ada persetujuan eksplisit dan terdokumentasi oleh klinik). Kami tidak menyertakan audio/transkrip di backup, log, atau dataset analitik.

Important caveat (EN/ID): The claim “we do not store audio or transcriptions” depends on correct configuration and contractual guarantees from third-party processors (e.g., STT vendors, cloud providers). See sections 4 and 6 for controls and vendor requirements.

4. Ephemeral processing — technical guarantee

EN:
Ginidok implements the following controls to make ephemeral processing verifiable and defensible:

Audio is transmitted to processing endpoints over TLS.
Transcription and SOAP extraction occur in-memory or in write-protected, ephemeral containers. Nothing is written to persistent disk by the processing application.
Temporary processing environments are destroyed immediately after job completion. Temporary storage, swap, and crash dumps are disabled or encrypted and wiped.
We configure any STT or vendor SDKs to operate in ephemeral/in-memory mode; all vendor settings defaulted to no-retention and no-use for training.
We maintain operational logs that record that processing occurred (timestamps, job id, clinic id) but do not contain consultation content.

ID:
Ginidok menerapkan kontrol berikut untuk memastikan pemrosesan sementara yang dapat diverifikasi:

Audio dikirim melalui TLS.
Transkripsi dan ekstraksi SOAP diproses di memori atau container sementara yang write-protected. Aplikasi tidak menulis ke penyimpanan persisten.
Lingkungan pemrosesan dihancurkan sesaat setelah pekerjaan selesai. Swap/crash dump dinonaktifkan atau dienkripsi dan dihapus.
SDK/layanan STT dikonfigurasi untuk mode in-memory; setelan vendor disetel ke no-retention dan tidak digunakan untuk training.
Log operasi mencatat bahwa pemrosesan terjadi (timestamp, job id, clinic id) tanpa menyertakan isi konsultasi.

5. Data we may store

Only if explicitly enabled by the clinician/clinic.

EN:
- Structured SOAP summaries: Subject to clinic choice; stored in the clinic’s account. The clinic controls whether SOAP notes are persisted and for how long.
- Non-content metadata: timestamps, duration, clinician/clinic identifier, job identifiers, and processing status.
- Audit logs: immutable records of actions (who exported, who deleted, who viewed) that do not include consultation content.

ID:
- Ringkasan SOAP terstruktur: Disimpan hanya jika klinik memilih. Klinik menentukan apakah ringkasan SOAP dipertahankan dan periode retensinya.
- Metadata non-konten: timestamp, durasi, ID klinik/dokter, job id, status pemrosesan.
- Audit log: catatan tindakan (siapa mengekspor, menghapus, melihat) yang tidak berisi isi konsultasi.

6. Third parties & Data Processing Agreements (DPA)

EN:
Ginidok may employ third-party processors (cloud infrastructure, STT services, monitoring). We adhere to the following rules:

Vendors must sign a DPA that forbids persistent storage, indexing, use for model training, or secondary use of audio/transcriptions.
Vendors must allow audits and provide attestation of compliance upon request.
We list vendor categories in our public FAQ and will provide vendor names and signed DPA confirmations to clinics on request.

ID:
Ginidok dapat menggunakan pihak ketiga (cloud, STT, monitoring). Aturan kami:

Vendor harus menandatangani DPA yang melarang retensi persisten, indexing, penggunaan untuk training model, atau penggunaan sekunder atas audio/transkrip.
Vendor harus mengizinkan audit dan menyiapkan attestation atas kepatuhan bila diminta.
Kami akan mencantumkan kategori vendor di FAQ publik dan menyediakan nama vendor serta konfirmasi DPA untuk klinik bila diminta.

7. Retention & deletion

EN:
- Audio & raw transcriptions: not retained. Any temporary copies are wiped immediately after processing.
- SOAP summaries (if stored): retention period is configurable by the clinic. Default retention period: 25 years. Clinics must select retention policies during onboarding.
- Deletion requests: We will remove SOAP data from active storage within 7 days after a verified deletion request. We will purge from backups within 14 days, subject to legal hold obligations.

ID:
- Audio & transkrip mentah: tidak disimpan. Salinan sementara dihapus setelah pemrosesan.
- Ringkasan SOAP (jika disimpan): periode retensi dapat dikonfigurasi oleh klinik. Default: 25 tahun. Klinik memilih kebijakan retensi saat onboarding.
- Permintaan penghapusan: Kami akan menghapus data SOAP dari penyimpanan aktif dalam 7 hari setelah permintaan terverifikasi. Purge dari backup dalam 14 hari, kecuali ada kewajiban hukum.

8. User rights

EN: Clinics, clinicians, and patients may exercise the following rights (subject to identity verification and legal constraints):

Access & export: Clinics and patients may request access to and export of any stored SOAP summaries in machine-readable JSON/CSV.
Correction: Request correction of SOAP summary information. Corrections will be logged and the original retained in audit with a change record.
Deletion: Request deletion of stored SOAP summaries. Deletion will follow the schedule in Section 7.
Withdraw consent: Clinicians or patients can withdraw consent for future recordings; withdrawal will not retroactively delete data already processed but will block future recording sessions until re-consent.
Opt-out of model training: If you opt out, your data will not be used to train Ginidok models or shared in any de-identified/training dataset.

ID: Klinik, dokter, dan pasien dapat meminta hal berikut (dengan verifikasi identitas):

Akses & ekspor: Meminta akses dan ekspor ringkasan SOAP dalam JSON/CSV.
Koreksi: Meminta koreksi item pada ringkasan SOAP. Perubahan dicatat di audit log.
Penghapusan: Meminta penghapusan ringkasan SOAP sesuai jadwal di Bagian 7.
Penarikan persetujuan: Menarik persetujuan untuk perekaman di masa depan; tidak menghapus data yang telah diproses.
Opt-out training: Jika memilih opt-out, data Anda tidak akan digunakan untuk melatih model Ginidok.

How to submit requests: Contact admin@ginidok.com (or your clinic admin). Include account, clinic id, and request type. We will acknowledge within [Z] business days.

9. Security measures

EN: Ginidok implements administrative, technical, and physical measures designed to protect data:

Encryption in transit (TLS 1.2+) and encryption at rest for persisted SOAP summaries.
Ephemeral keys for processing jobs and frequent key rotation.
Least privilege and role-based access control (RBAC). MFA for clinician/admin accounts.
Regular security assessments, vulnerability scans, and penetration testing.
Production monitoring/alerting without content logging; sensitive fields redacted from logs.

ID: Ginidok menerapkan kontrol administratif, teknis, dan fisik:

Enkripsi saat transit (TLS 1.2+) dan enkripsi saat istirahat untuk SOAP yang disimpan.
Kunci ephemeris untuk job pemrosesan dan rotasi kunci berkala.
Prinsip least privilege dan RBAC. MFA untuk akun klinik/admin.
Penilaian keamanan reguler, vulnerability scan, dan penetration test.
Monitoring produksi tanpa log konten; bidang sensitif direduksi.

10. Logging, debugging, and developer access

EN:
- Application logs will not contain consultation audio or raw transcriptions.
- Access to stored SOAP notes by engineering is restricted, must be justified, explicitly authorized, and is fully logged.
- For debugging, we will prefer synthetic or scrubbed production-like data; any access to live SOAP data requires documented approval and a recorded justification.

ID:
- Log aplikasi tidak berisi audio atau transkrip mentah.
- Akses engineering ke SOAP dibatasi, harus beralasan, mendapat otorisasi, dan dicatat.
- Untuk debugging, gunakan data sintetis atau yang sudah disamarkan; akses ke data live membutuhkan persetujuan tertulis.

11. Legal requests & limitations

EN: We may disclose data when compelled by law (e.g., subpoenas). Because Ginidok does not retain audio or raw transcriptions, only stored SOAP summaries (or vendor-held copies, if any) can be produced. We will notify affected users unless legally prohibited.

ID: Kami dapat mengungkap data jika diwajibkan oleh hukum. Karena Ginidok tidak menyimpan audio/transkrip, hanya ringkasan SOAP yang dapat diserahkan. Kami akan memberitahukan pengguna kecuali dilarang hukum.

12. Breach notification & incident response

EN: In the event of a security incident affecting stored data, Ginidok will:

Contain and mitigate the incident.
Notify affected parties and applicable supervisory authorities within 48 hours as required by law.
Provide a summary of the incident, data types affected, remediation steps, and contact for follow-up.

ID: Jika terjadi insiden yang mempengaruhi data yang disimpan, Ginidok akan:

Mengendalikan dan mengurangi dampak.
Memberitahu pihak terkait dan otoritas dalam 48 jam seperti yang diwajibkan oleh hukum.
Menyediakan ringkasan insiden, tipe data yang terpengaruh, langkah remidiasi, dan kontak.

13. Children & vulnerable populations

EN: Ginidok is not intended for use by minors without parental/guardian consent. Clinics must ensure applicable parental consents are obtained for patients under local age thresholds.

ID: Ginidok tidak ditujukan untuk penggunaan anak-anak tanpa izin orang tua/wali. Klinik harus memastikan persetujuan orang tua untuk pasien di bawah usia yang berlaku.

14. Changes to this policy

EN: We may update this policy to reflect changes in our practices or legal requirements. We will post changes on our website and highlight material changes in the app. The “Last updated” date at the top will reflect the revision date.

ID: Kami mungkin memperbarui kebijakan ini untuk menyesuaikan praktik atau kewajiban hukum. Perubahan akan dipublikasikan dan perubahan material akan diinformasikan di aplikasi. Tanggal “Terakhir diperbarui” akan menunjukkan revisi.

15. Contact & Data Subject Requests

EN: For questions, DSARs (data subject access requests), or DPA inquiries, contact:
admin@ginidok.com (replace with real email).
Provide account/clinic id and your request. We will acknowledge within 3 business days.

ID: Untuk pertanyaan, permintaan akses data, atau pertanyaan DPA, hubungi:
admin@ginidok.com (ganti dengan email nyata). Sertakan account/clinic id dan jenis permintaan. Kami akan mengakui dalam 3 hari kerja.