Privacy Policy

Last updated: May 24, 2026

Introduction

Wellbyn ("Wellbyn", "we", "us") provides an AI-assisted medical documentation and coding platform that helps healthcare providers record clinical encounters, generate clinical notes, and produce medical billing codes. This Privacy Policy describes how we collect, use, share, and protect information, including protected health information (PHI), and the rights available to individuals.

Wellbyn is operated by Wellbyn, Inc., a Delaware corporation based in the United States.

Our role under HIPAA

When Wellbyn processes patient information on behalf of a healthcare provider or clinic, the provider is the HIPAA Covered Entity and Wellbyn acts as a Business Associate. We process PHI only to provide our services to that provider and as permitted under a Business Associate Agreement (BAA) and applicable law. We do not use or disclose PHI for our own purposes, and we never sell personal information or PHI.

Information we collect

Account and provider information: name, email, role, clinic affiliation, and authentication data for the clinicians and staff who use the platform.

Patient and clinical information (PHI), processed on behalf of providers: patient identifiers (name, date of birth, contact details, and where supplied, insurance information), audio recordings of clinical encounters, transcripts, clinical notes, diagnoses, and medical billing codes (ICD-10 / CPT).

Technical information: IP address, browser and device type, and usage logs, used to operate, secure, and improve the service.

How we use information

  • To transcribe encounters and generate clinical notes and codes.
  • To authenticate users and secure access to the platform.
  • To operate, maintain, troubleshoot, and improve the service.
  • To comply with legal obligations and enforce our agreements.

We do not use PHI to train third-party AI models, and PHI is not used for advertising.

How we share information / subprocessors

We share information only with subprocessors that help us deliver the service, each bound by appropriate confidentiality and, where applicable, HIPAA Business Associate obligations:

  • Amazon Web Services (AWS) — cloud hosting, database, file storage, authentication, and AI model inference (Amazon Bedrock). PHI processed via AWS remains within AWS and is not disclosed to model providers.
  • Deepgram — speech-to-text transcription of encounter audio.

We may also disclose information to comply with the law, respond to lawful requests, enforce our agreements, or protect the rights, safety, and property of Wellbyn, our customers, or others.

Data storage and location

Information is stored and processed in the United States using AWS infrastructure. Data is encrypted in transit and at rest.

Security

We maintain administrative, physical, and technical safeguards designed to protect personal information and PHI, including encryption in transit and at rest, role-based access controls, secrets management, network isolation, and continuous security monitoring. No method of transmission or storage is completely secure, but we work to protect information consistent with HIPAA and industry standards.

Data retention

We retain PHI for as long as needed to provide the service to the relevant provider and as required by the applicable Business Associate Agreement and law. Providers may request return or deletion of their data in accordance with their agreement with us.

Your rights

Patients seeking to access, correct, or delete their health information should contact their healthcare provider, who controls that information as the Covered Entity. For other personal information Wellbyn holds about you, you may contact us using the details below to exercise applicable rights.

Changes to this policy

We review this policy at least annually and update it when our practices change. The "Last updated" date above reflects the most recent revision.

Contact us

Questions, concerns, or privacy requests can be directed to:

Wellbyn, Inc.
Email: security@wellbyn.ai