Privacy Policy
Last updated: April 16, 2026
Effective Date: April 16, 2026
Behavioral health clinicians hold some of the most sensitive information a person can share. This Privacy Policy explains what Aimé does, and does not do, with that information.
This Privacy Policy describes how AidMi Health, Inc. (the “Company”, “we”, “us”, or “our”) collects, uses, stores, discloses, and protects information when you use Aimé, including the public website at aime.med, the web application at app.aime.med, Ask Aimé surfaces available through ask.aime.med or app.aime.med/ask-aime, the Aimé Chrome Extension, application programming interfaces, and related services that link to this Privacy Policy (collectively, the “Service”).
If you use the Service as a covered entity or business associate under HIPAA, our Business Associate Agreement (“BAA”) may also apply to PHI. You may request a copy of the BAA, including an executed or countersigned version where required for your records or procurement process. If there is a conflict regarding PHI, the BAA controls.
Behavioral Health Privacy Commitments
Aimé is built for clinicians who handle deeply sensitive behavioral health information. Our commitments include:
- we do not sell personal information;
- we do not share personal information for cross-context behavioral advertising;
- we do not use Customer Content, PHI, raw audio, transcripts, clinical notes, Ask Aimé prompts, chat messages, patient context, or clinical narratives to train first-party or third-party AI models without explicit, opt-in written consent;
- we delete or discard raw audio after transcription or note generation unless you explicitly enable or request an audio-storage feature or retention is required for legal hold, security investigation, support troubleshooting with appropriate permission, or similar compliance need;
- we do not have humans review session content for product improvement. Human review of session content may occur only with customer permission, for support or security needs, to comply with law, or to investigate safety, privacy, security, compliance, or service-integrity issues;
- if we receive a legal demand for Customer Content or PHI, we will make reasonable efforts to notify the relevant customer first so the customer may seek a protective order, move to quash, or pursue another available remedy, unless notice is legally prohibited, immediate disclosure is required, or notice would create a risk of harm, fraud, security compromise, or legal violation.
Notice at Collection for California Residents
California residents: this Privacy Policy, including Section 10, is our notice at collection. Section 10 describes the categories of personal information we collect, the sources, purposes, disclosures, and California privacy rights. We do not sell personal information or share personal information for cross-context behavioral advertising as those terms are defined under California privacy law.
1. Information We Collect
1.1 Account, Profile, and Organization Information
When you create an account, sign in, join an organization, request access, start a trial, subscribe to a plan, or communicate with us, we may collect:
- name;
- email address;
- phone number;
- professional role, specialty, credentials, clinical persona, practice size, organization, and workplace details;
- country, timezone, and preferences;
- authentication credentials, password hashes, OAuth identifiers, two-factor settings, session data, account status, and terms-acceptance records;
- billing email, plan, subscription status, payment metadata, and purchase records;
- support messages, demo requests, feedback, and administrative communications.
1.2 Clinical and Customer Content
When you use Aimé for clinical documentation, evidence support, transcription, Ask Aimé, EHR workflows, or related features, we may process Customer Content such as:
- audio recordings or audio chunks that you initiate for recording, dictation, or transcription;
- transcripts, transcript chunks, speaker labels, timestamps, confidence data, and transcription metadata;
- generated notes, draft notes, edited notes, note templates, citations, and note metadata;
- patient identifiers and context you enter, select, upload, query, or import, such as names, MRNs, dates of birth, demographics, diagnoses, medications, allergies, conditions, assessments, clinical documents, goals, treatment plans, risk assessments, session summaries, and other health-related information;
- Ask Aimé prompts, chat messages, evidence queries, retrieved sources, answers, citations, safety information, reasoning/provenance traces, and related interaction history;
- billing optimization, audit-defensibility, CPT/ICD, payer, or documentation-support information where features are available;
- files, documents, imported content, EHR snippets, or other materials you provide.
Customer Content may include PHI when the Service is used in a clinical context.
1.3 Chrome Extension and Browser Information
The Aimé Chrome Extension may collect or process information needed to provide extension features, including:
- authentication tokens and configuration stored locally in your browser;
- UI preferences, sidebar state, enabled domains, and extension settings;
- selected patient, session, template, or workflow context;
- active-tab information when you invoke extension features;
- supported EHR domain, hostname, URL pattern or path, page type, page title, structural information, headings, landmarks, form-field labels, selectors, and other limited page-structure metadata used to detect EHR surfaces and support note filling;
- the text you direct the extension to insert into EHR fields;
- microphone, tab-audio, or recording state when you initiate recording or dictation;
- local queue data for first-party analytics events.
The extension may request broad browser permissions so it can work across different EHRs and clinical workflows. We design extension features to operate for user-directed Service functions, such as showing the sidebar, detecting supported clinical surfaces, generating notes, capturing context you choose to use with Aimé, and filling notes at your direction. We do not use extension permissions for advertising or general browsing-history tracking.
1.4 Usage, Analytics, Device, and Log Data
We may collect information about how the Service is used, such as:
- event names and limited event parameters, such as recording started or stopped, note generated, template changed, field fill attempted, or chat response completed;
- anonymous or pseudonymous client identifiers;
- user ID and organization ID associated with authenticated events;
- device type, browser, operating system, IP address, approximate location derived from IP, user agent, timestamps, request IDs, route paths, status codes, performance metrics, errors, and diagnostic logs;
- security, audit, compliance, access, and administrative logs.
We maintain controls designed to prevent PHI from being included in analytics event names or analytics payloads. Some operational, security, or audit logs may include personal information or PHI where necessary for security, compliance, or service operation.
1.5 Website, Cookies, and Similar Technologies
We and our service providers may use cookies, local storage, pixels, analytics tools, and similar technologies on our websites and within the Service to:
- operate the Service;
- keep you signed in;
- remember settings and preferences;
- secure accounts and sessions;
- measure performance and usage;
- troubleshoot issues;
- improve our products and communications.
You can control cookies through browser settings. Disabling cookies or local storage may limit functionality.
1.6 Information We Do Not Collect for Advertising
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use PHI for advertising. We do not use the Chrome Extension to collect general browsing history for advertising or tracking.
2. How We Use Information
We use information to:
- provide, operate, maintain, secure, and support the Service;
- authenticate users and administer accounts, organizations, roles, permissions, sessions, and subscriptions;
- record, transcribe, diarize, process, and generate documentation when you initiate or direct those features;
- generate, edit, store, retrieve, export, and fill clinical notes, templates, summaries, and related documentation;
- provide Ask Aimé answers, evidence retrieval, citations, source summaries, safety/provenance signals, and related clinical evidence workflows;
- provide EHR detection, EHR workflow support, note filling, field mapping, and extension functionality at your direction;
- provide dashboards, session history, patient context, transcript views, compliance tools, and organization administration;
- process payments, trials, invoices, subscriptions, and billing records;
- communicate with you about the Service, support, security, billing, updates, and policy changes;
- monitor, debug, improve, and develop the Service, subject to the privacy commitments and AI-training limits in this Privacy Policy;
- detect, prevent, investigate, and respond to fraud, abuse, security incidents, privacy incidents, service misuse, and legal claims;
- comply with legal, regulatory, contractual, and professional obligations.
3. AI, Transcription, and Model Processing
The Service may use AI models, transcription systems, retrieval systems, embeddings, rerankers, caches, and related infrastructure to provide features. Depending on configuration, Customer Content may be processed by our systems and by service providers or Subcontractors that help us provide hosting, storage, transcription, AI/model, retrieval, analytics, security, support, or other services.
When PHI is processed in production, we use provider configurations and contractual safeguards intended for healthcare use where applicable. We do not use Customer Content, PHI, raw audio, transcripts, clinical notes, Ask Aimé prompts, chat messages, patient context, or clinical narratives to train first-party or third-party AI models without explicit, opt-in written consent. We do not permit subprocessors to use PHI or Customer Content to train their general-purpose models for their own purposes.
We may use de-identified or aggregated information, where permitted by law and the BAA, for internal analytics, security, operations, quality improvement, product improvement, research, and development. Where Customer Content includes PHI, de-identification will be performed in accordance with 45 C.F.R. Section 164.514(a)-(c), using a permitted method such as Safe Harbor or Expert Determination. Routine product-improvement uses are focused on operational telemetry, performance data, error data, security signals, usage patterns, and aggregate workflow information rather than reading therapy narratives or clinical transcripts. De-identification rights do not override our no-clinical-data-model-training commitment.
We do not sell, license, publish, or externally share de-identified therapy narratives, clinical transcripts, clinical notes, Ask Aimé prompts, patient context, or patient-level clinical insights as clinical research or commercial data products without explicit, separate written authorization. This does not prevent us from using operational telemetry, performance data, error data, security signals, usage patterns, or aggregate workflow information for internal Service improvement, security, reliability, and compliance purposes.
4. Audio and Recording Data
Recording, dictation, transcription, and audio capture begin only when you initiate or direct them. Audio may be transmitted over encrypted connections in chunks or streams to provide transcription, diarization, or related Service features.
Unless you explicitly enable or request an audio-storage feature, provide an instruction that requires retention, or retention is required for legal hold, security investigation, support troubleshooting with appropriate permission, or similar compliance need, raw audio is processed temporarily and deleted or discarded after transcription or note generation. Transcripts, notes, session metadata, and related Customer Content may be retained as described in this Privacy Policy, the Terms of Service, the BAA, your settings, and applicable agreements.
You are responsible for obtaining all required patient consents, authorizations, and notices before recording or processing patient information through the Service.
5. How We Share Information
We do not sell personal information. We do not rent personal information. We may disclose information as follows:
- Service providers and Subcontractors. We use providers for hosting, storage, databases, AI/model processing, transcription, authentication, security, monitoring, analytics, payment processing, email, support, and operations. They are required to protect information and use it only to provide services to us, subject to applicable agreements.
- Customer-directed disclosures. We disclose information when you direct us to do so, including when you fill notes into an EHR, export content, connect integrations, invite users, or share information through the Service.
- Within your organization. Organization administrators and authorized users may access information according to your organization’s settings, roles, and permissions.
- Legal and safety. We may disclose information to comply with law, regulation, subpoena, court order, legal process, professional obligation, or governmental request, or to protect rights, safety, security, and the integrity of the Service.
- Business transfers. We may disclose information in connection with a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, or similar transaction, subject to appropriate protections.
- Professional advisors. We may disclose information to lawyers, auditors, insurers, accountants, and advisors under confidentiality obligations.
- De-identified or aggregated information. We may disclose de-identified or aggregated information where permitted by law and applicable agreements.
If we receive a subpoena, court order, warrant, or other legal process seeking Customer Content or PHI, and where legally permitted and reasonably practicable, we will make reasonable efforts to notify the relevant customer before disclosing the requested information so the customer may seek a protective order, move to quash, or pursue another available remedy. We may disclose information without prior notice if notice is legally prohibited, if the legal process requires immediate disclosure, or if we reasonably believe notice would create a risk of harm, fraud, security compromise, or legal violation.
You may request a current list of applicable subprocessors by emailing team@aime.med with the subject line “Subprocessor List Request”.
6. Security
We implement administrative, physical, and technical safeguards designed to protect information, including PHI where applicable. Safeguards may include:
- encryption in transit and encryption at rest for production storage systems where applicable;
- access controls, role-based permissions, unique user IDs, least-privilege policies, and session controls;
- OAuth-based authentication flows and support for additional authentication controls where available;
- audit logging for access to and actions involving sensitive resources;
- tenant and organization separation controls;
- logging and error-handling controls designed to reduce PHI exposure;
- analytics controls designed to prevent PHI in event payloads;
- monitoring, vulnerability management, backup, disaster recovery, and incident response procedures.
No system is completely secure. You are responsible for maintaining the security of your devices, browsers, accounts, credentials, EHR sessions, and local exports.
7. Chrome Extension Permissions
The Aimé Chrome Extension may request permissions to operate. Common permissions include:
| Permission | Purpose |
|---|---|
| storage | Store authentication tokens, settings, queued analytics events, recording state, and UI preferences locally in your browser. |
| activeTab | Detect or interact with the active tab when you invoke extension features. |
| scripting | Inject the Aimé sidebar and related scripts into pages when needed for extension features. |
| tabs | Support sidebar toggling, keyboard shortcuts, tab-aware workflows, and recording transfer or state handling. |
| identity | Enable browser-based sign-in flows such as Google Sign-In. |
| contextMenus | Support user-directed context-menu workflows, such as storing or inserting selected notes or snippets. |
| host_permissions and content scripts | Allow the sidebar overlay, EHR detection, field mapping, and note filling to work across supported EHR domains and other domains you configure or choose to use. |
When you invoke, configure, or enable extension features, the extension may access the active tab, supported clinical surfaces, or pages you choose to use with Aimé solely to provide Service functionality, such as displaying the sidebar, detecting fields, capturing user-directed context, or inserting text you choose to fill. We do not use extension permissions for advertising or general browsing-history tracking.
8. Data Retention
We retain information for as long as reasonably necessary to provide the Service, maintain accounts, comply with legal obligations, resolve disputes, enforce agreements, and support security and audit requirements.
Retention periods may include:
- Account and organization data: retained while your account or organization remains active and for up to seven years thereafter as needed for legal, billing, tax, audit, security, and operational purposes, unless a longer period is required by law, contract, dispute, or security need.
- Clinical Customer Content: transcripts, notes, patient context, documents, Ask Aimé messages, and related metadata are retained while your account or organization is active unless deleted through available controls, requested for deletion, or otherwise governed by an agreement. After account or organization closure, we will delete or de-identify available Clinical Customer Content from active systems within ninety (90) days of closure or verified deletion request, subject to legal obligations, backup retention, audit logs, the BAA, security needs, and technical limitations. For PHI governed by the BAA, return or destruction after termination follows the BAA’s ninety (90) day return-or-destruction framework after written election, subject to the BAA’s exceptions.
- Raw audio: processed temporarily for transcription and related features and deleted or discarded after transcription or note generation unless you explicitly enable or request an audio-storage feature, provide an instruction that requires retention, or retention is required for legal hold, security investigation, support troubleshooting with appropriate permission, or similar compliance need.
- Analytics events: first-party analytics events are designed to exclude PHI and may be retained for up to 90 days, unless otherwise needed for security or legal purposes.
- Audit and security logs: audit logs and security records may be retained for longer periods, including up to six years where needed for HIPAA, security, legal, or compliance purposes.
- Backups and residual copies: deleted information may remain in encrypted backups, logs, archives, caches, or disaster-recovery systems for up to 90 days until overwritten or deleted according to our retention practices, unless longer retention is required by law, contract, legal hold, security investigation, backup integrity, audit logs, security logs, dispute resolution, or compliance obligations.
When you request deletion of your account or Customer Content, we will delete or de-identify available Customer Content from active systems within ninety (90) days of a verified request, subject to legal obligations, backup retention, audit logs, the BAA, security needs, and technical limitations.
9. Your Choices and Rights
Depending on your location, role, and applicable law, you may have rights to:
- access information;
- correct inaccurate information;
- delete information;
- export information;
- object to or restrict certain processing;
- opt out of certain communications;
- appeal certain privacy decisions where applicable.
The table below summarizes common requests and where to start. These options are subject to identity and authority verification, applicable law, the BAA, technical limits, legal obligations, and any controls available in the Service.
| You can | How |
|---|---|
| Export available transcripts, notes, and related Customer Content | Use available in-product controls, or email team@aime.med. |
| Request deletion of your account or available clinical Customer Content | Use available in-product controls, or email team@aime.med with the subject line “Account Deletion”. |
| Request a copy of the BAA or an executed/countersigned version | Email team@aime.med with the subject line “BAA Copy or Countersignature Request”. |
| Ask which subprocessors handle information for the Service | Email team@aime.med with the subject line “Subprocessor List Request”. |
| Opt out of arbitration and the class action waiver | Email team@aime.med within 30 days of first accepting the Terms, as described in the Terms of Service. |
| Request a California privacy rights action | Email team@aime.med with the subject line “California Privacy Request”. |
To exercise rights, contact team@aime.med. We may need to verify your identity and authority before responding.
If information is PHI processed on behalf of a covered entity, HIPAA rights requests may need to be directed to the covered entity. We will reasonably cooperate with covered entities as required by the BAA and applicable law.
10. California Privacy Notice
This section applies to California residents and describes how we collect, use, and disclose “personal information” as defined by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CPRA”). To the extent information is PHI governed by HIPAA and a BAA, HIPAA may govern that information and some CPRA provisions may not apply.
This section also provides additional notice-at-collection details for California residents.
10.1 Categories of Personal Information We Collect
Depending on how you use the Service, we may collect:
- Identifiers: name, email address, phone number, account IDs, user IDs, organization IDs, IP address, client IDs, and similar identifiers.
- Customer records information: contact information, billing information, professional information, and support communications.
- Protected classification characteristics: information you provide or that appears in Customer Content, such as age, sex, gender, or other demographic information.
- Commercial information: plan, subscription, trial, payment, invoice, transaction, and product-use records.
- Internet or electronic network activity: browser, device, log, cookie, usage, event, EHR-page metadata, extension interactions, and diagnostic data.
- Geolocation data: approximate location derived from IP address.
- Audio and electronic information: audio you initiate, transcripts, notes, chat messages, and related electronic content.
- Professional or employment-related information: clinical role, specialty, credentials, organization, practice size, and EHR information.
- Sensitive personal information: account credentials, authentication data, precise health information contained in Customer Content, and other information that may be sensitive under applicable law.
- Inferences: preferences, workflow settings, and product-use inferences used to provide and improve the Service.
10.2 Sources
We collect personal information from you, your organization, your authorized users, your browser or device, the Service, integrations you configure, service providers, and third-party systems you direct us to interact with.
10.3 Purposes
We collect, use, and disclose personal information for the purposes described in Sections 2 through 6, including providing the Service, security, support, billing, compliance, analytics, debugging, and product improvement.
10.4 Disclosures
We may disclose personal information to service providers, Subcontractors, professional advisors, legal authorities, corporate transaction counterparties, your organization, and others as described in Section 5.
10.5 Sale or Sharing
We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
10.6 Sensitive Personal Information
We use sensitive personal information only as reasonably necessary to provide the Service, ensure security and integrity, prevent fraud, comply with law, manage accounts, and as otherwise permitted by applicable law.
10.7 California Privacy Rights
Subject to exceptions, California residents may have rights to know/access, delete, correct, opt out of sale or sharing, limit certain uses of sensitive personal information, and not be discriminated against for exercising privacy rights.
To submit a request, email team@aime.med with the subject line “California Privacy Request”. Authorized agents may submit requests where permitted by law, subject to verification.
11. Children’s Privacy
The Service is intended for adult professional users and is not directed to minors. We do not knowingly permit individuals under 18 to create accounts or use the Service as users. If we learn that a user is under 18, we will take steps to terminate the account and delete the user’s personal information, subject to legal obligations.
Professional Users may use the Service to process patient information, including information about minors, as Customer Content on behalf of their organizations and under applicable agreements, including the BAA where applicable.
12. International Transfers
The Service is operated from the United States. Information may be processed and stored in the United States and other jurisdictions where we or our service providers operate. If you access the Service from outside the United States, you understand that information may be transferred to and processed in jurisdictions whose laws may differ from those in your location.
13. Do Not Track
Some browsers offer a “Do Not Track” signal. Our websites and Service do not currently respond to Do Not Track signals.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If changes are material, we will provide notice through the Service, by email, by website notice, or by other reasonable means. Continued use after the effective date of an updated Privacy Policy constitutes acceptance where permitted by law.
15. Contact
Questions or requests:
- Email: team@aime.med
- Legal/privacy requests: team@aime.med
- Company: AidMi Health, Inc.
- Mail: 320 High St, Palo Alto, CA 94301