Privacy Policy | Cheryl AI

                THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
            

                Plain-language summary: Cheryl reads your EHR screen in Chrome to help you chart and bill. Patient data is sent to OpenAI for AI processing (covered by a signed BAA with zero data retention). We do not store patient data on our servers. We collect your email and usage metrics to improve the product.
            

1. Who We Are

Cheryl AI ("Cheryl," "we," "us," or "our") is a clinical documentation and billing optimization Chrome extension for healthcare providers. Our product is operated by Cheryl AI, based in Toronto, Canada.

Privacy Officer: Kathy Feng
Email: privacy@cherylmd.com
Phone: Available upon request via email

2. Information We Collect

2.1 Information You Provide

Account information: Email address, name, clinic name, EHR system used
Payment information: Processed by our payment provider (Stripe). We do not store credit card numbers.
Support communications: Messages you send to our support team

2.2 Clinical Data Processed by the Extension

Screen content: When you click "Read Page," the extension reads the visible content of your EHR screen (patient demographics, chart notes, intake forms, etc.)
Your clinical input: Shorthand notes, voice transcriptions, or natural language instructions you provide
Generated outputs: SOAP notes, billing suggestions, and compliance checks produced by the AI

                Important: Clinical data is processed in real-time and is NOT stored on Cheryl's servers. It is transmitted directly to OpenAI's API for processing, then returned to your browser. After your session ends, no patient data remains in our systems.
            

2.3 Usage Data

Feature usage patterns (which tools you use, frequency)
Error logs and performance metrics
Browser type and extension version

Usage data is anonymized and does not contain patient information.

3. How We Use Your Information

To provide the service: Generate SOAP notes, run billing analysis, display compliance checks
To improve the product: Analyze anonymized usage patterns to improve features
To communicate: Send product updates, billing receipts, and support responses
To comply with law: Respond to legal requests and enforce our terms

We do not sell your personal information or clinical data to third parties. We do not use patient data to train AI models.

4. HIPAA Compliance

4.1 Business Associate Agreement (BAA)

Cheryl enters into a Business Associate Agreement (BAA) with each healthcare provider or covered entity that uses our service. The BAA governs our obligations under the HIPAA Privacy Rule and Security Rule regarding any Protected Health Information (PHI) we process on your behalf.

4.2 OpenAI Sub-Business Associate

We use OpenAI's API (GPT-4o) for AI processing. We have a signed BAA with OpenAI covering their handling of PHI as a sub-business associate. OpenAI processes data in accordance with their Enterprise Privacy commitments:

Data sent via the API is not used to train OpenAI's models
Zero data retention: Under our BAA, API request data is deleted immediately after the response is returned — PHI is not stored on OpenAI's servers
Data is encrypted in transit (TLS 1.2+) and at rest (AES-256)

Data flow: EHR screen content → Cheryl extension → encrypted transmission (HTTPS/TLS) → OpenAI API (zero retention) → AI output returned to extension → displayed to you. No PHI remains in any system after your session.

4.3 Technical Safeguards

Encryption: All data transmitted between the extension, our servers, and OpenAI is encrypted via TLS 1.2+
No persistent PHI storage: Patient data is not stored on Cheryl's servers. It exists only in your browser session and during API transit.
Access controls: Only you (the provider) can initiate screen reading. The extension does not read your screen automatically.
Minimum necessary: The extension reads only the visible page content — not browser history, other tabs, or stored passwords.

5. Data Sharing

We share data only with:

OpenAI — For AI processing (covered by BAA)
Stripe — For payment processing
Analytics providers — Anonymized usage data only (no PHI)
Legal authorities — When required by law or to protect rights

We do not sell, rent, or share patient data with advertisers, data brokers, or any other third parties.

6. Data Retention

Patient/clinical data: Not retained. Processed in real-time, not stored.
Account data: Retained while your account is active. Deleted within 30 days of account closure upon request.
Usage analytics: Retained in anonymized form for up to 24 months.
Support communications: Retained for up to 3 years for quality and legal purposes.

7. Your Rights

HIPAA Rights

If we process PHI on your behalf, your patients have the right to:

Access their PHI that we process
Request amendment of their PHI
Receive an accounting of disclosures of their PHI
Request restrictions on uses and disclosures of their PHI
Receive confidential communications
Be notified of a breach of unsecured PHI

These rights are exercised through you, the covered entity. We will assist you in fulfilling these obligations as required by our BAA.

Your Rights as a User

Access the personal information we hold about you
Correct inaccurate information
Delete your account and associated data
Export your data in a portable format
Opt out of marketing communications

To exercise any of these rights, contact us at privacy@cherylmd.com.

California Residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act. We do not sell personal information. You may request disclosure of the categories and specific pieces of personal information we collect. Note: PHI governed by HIPAA is exempt from CCPA, but account data (email, subscription) is not. Contact us to make a request.

California AB 489 (Effective January 1, 2026)

In compliance with California AB 489, we disclose that: Cheryl uses artificial intelligence to generate clinical documentation and billing suggestions. Cheryl does not hold a healthcare license and does not provide medical advice. All AI-generated outputs must be reviewed by a licensed healthcare provider before use. For clinical questions, consult your healthcare provider directly.

Washington Residents (My Health My Data Act)

Washington residents have rights under RCW 19.373, including the right to have health data deleted and the right to withdraw consent for the collection of health data. We do not sell health data. To exercise your rights, contact us at privacy@cherylmd.com.

Canadian Residents (PIPEDA)

We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). You may access, correct, or withdraw consent for the use of your personal information by contacting us.

8. Chrome Extension Permissions

The Cheryl Chrome extension requests the following permissions:

activeTab: To read the content of the current tab when you click "Read Page"
sidePanel: To display the Cheryl sidebar alongside your EHR
storage: To save your preferences and session state locally in your browser

The extension does not access your browsing history, other tabs, bookmarks, downloads, or any data outside the active tab you explicitly choose to read.

Chrome Web Store Compliance: The use of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.

9. AI-Generated Content Disclosure

Cheryl uses AI (OpenAI GPT-4o) to generate clinical documentation and billing suggestions. In compliance with applicable regulations:

All AI-generated SOAP notes, billing codes, and clinical suggestions are assistive tools only — not clinical determinations
A licensed healthcare professional must review and approve all AI-generated content before incorporating it into patient records
AI-generated content may contain errors. Cheryl does not guarantee the accuracy, completeness, or clinical appropriateness of any output
Cheryl does not hold a healthcare license and does not diagnose, treat, or prescribe

10. Security Incident Response

In the event of a data breach involving PHI, we will:

Notify affected covered entities within 60 days as required by the HIPAA Breach Notification Rule (45 CFR 164.410)
Provide details of the breach, data involved, and steps taken to mitigate harm
Cooperate with HHS investigations as required
Maintain a log of all breaches for at least 6 years

11. Complaints

If you believe your privacy rights have been violated, you may:

Contact our Privacy Officer at privacy@cherylmd.com
File a complaint with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights at hhs.gov/hipaa/filing-a-complaint

We will not retaliate against you for filing a complaint.

12. Children's Privacy

Cheryl is designed for licensed healthcare providers. We do not knowingly collect information from individuals under 18. If you believe a minor has provided us with personal information, contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the extension at least 30 days before they take effect. The effective date is listed at the top of this page. Continued use of Cheryl after changes constitutes acceptance of the updated policy.

14. Contact Us

For privacy-related questions, HIPAA requests, or to request a BAA:

Privacy Officer: Kathy Feng
Email: privacy@cherylmd.com
General: info@cherylmd.com