Privacy Policy

Last updated March 29, 2026

What Eval Fill Does

Eval Fill is a Chrome extension that helps physical therapists generate clinical documentation (SOAP notes) using AI. It accepts session input from the therapist and produces structured clinical notes.

Data We Collect

Account Information

• Email address and name (for authentication)
• Clinic name (optional)

Session Data

• The voice transcript captured during your session (audio is streamed to Deepgram for transcription; we do not store the audio itself)
• Clinical session input you enter (patient identifiers, symptoms, treatments, assessments)
• Generated SOAP notes
• Note edit history

EMR Form Data (only when you click Auto-Fill)

• The labels, types, and currently-filled values of the visible form fields on your active EMR tab. We send this to our AI service so it can map your clinical narrative to the correct fields. We do not store this form data after the request completes — it is used solely for that single mapping operation.

Usage Data

• Number of notes generated
• Timestamps of activity

Data We Do Not Collect

• Social Security numbers, insurance IDs, or any other government identifiers
• Browsing history, page contents, or activity from any tab other than the EMR tab you explicitly choose to fill
• Data from any web page when you are not actively recording or filling — the extension is inert until you click Start Session or Auto-Fill

Note: when you dictate a session, the AI extracts whatever clinical narrative you spoke, which may include the patient's name if you said it. The transcript and resulting note are stored under your account. We recommend using clinic-internal identifiers rather than full names while we are pre-launch and before BAAs with downstream providers are in place.

How Data Is Processed

Session input is sent to the Anthropic Claude API to generate SOAP notes. Anthropic does not use API data to train their models (per their commercial API terms). Generated notes are stored in our database.

Data Storage

Data is stored in AWS RDS (PostgreSQL) hosted in the United States with:

• AES-256 encryption at rest (RDS-managed)
• TLS 1.2+ in transit, with server certificate validation against the AWS RDS root chain
• User-scoped access enforced at the application layer (every database query filters by the authenticated user's identity)
• Daily automated backups with point-in-time recovery

Microphone Access

Eval Fill requests microphone access only when you start a recording session. Audio is streamed in real time to Deepgram (a HIPAA-eligible speech-to-text provider) for transcription over a TLS WebSocket. We do not store the audio itself; only the resulting text transcript is persisted under your account so it can be processed into a SOAP note. Note: until our Business Associate Agreement with Deepgram is fully executed (in progress as of this release), pilot users should dictate de-identified sessions only — use clinic-internal identifiers rather than full patient names.

Data Sharing

We do not sell, rent, or share your data with third parties except:

• Anthropic (AI processing) receives session input to generate notes
• AWS (database hosting) stores your account, sessions, and notes
• Railway (API hosting) runs the API server that your extension talks to
• Deepgram (speech recognition) receives streamed audio for real-time transcription; HIPAA-eligible provider, BAA in progress

Your Rights

• You can view all your stored notes in the History tab
• You can delete individual notes or request full account deletion
• You can copy any note to your clipboard

Security

• API keys and secrets are stored server-side only, never in the extension
• All communication uses HTTPS / TLS
• Authentication uses opaque bearer session tokens issued by our identity layer; tokens are validated server-side on every request and expire after 7 days of inactivity
• Database queries are scoped at the application layer to the authenticated user
• Database connections to AWS RDS use TLS with full server-certificate validation

HIPAA Notice

Eval Fill is designed with healthcare data privacy in mind. For the pilot and testing phase, we recommend using de-identified patient data. Before processing real Protected Health Information (PHI), we will execute Business Associate Agreements with each infrastructure provider in the data path — AWS, Anthropic, Deepgram, and Railway. Agreements with AWS and Railway are signed; Anthropic and Deepgram are in progress as of this release.

Changes to This Policy

We may update this policy as Eval Fill develops. Significant changes will be communicated through the extension.

Contact

For privacy questions or data deletion requests: info@virdar.co