Privacy Policy & PDPA Compliance Statement

Effective Date: June 7, 2026

Zero-Trust Client-Side Privacy Sovereignty Guard

DocReport utilizes a client-side zero-trust security framework. Patient names, NRIC/FIN numbers, and personal details are redacted locally in your browser before transmission. Clinical notes saved in our databases are encrypted locally using a unique private key stored only on your local device.

1. Scope and Adherence to PDPA

Be Smart Global, LLC (a Delaware entity) (“we”, “us”, “our”) is dedicated to protecting clinical and health records in accordance with the Personal Data Protection Act (PDPA) of Singapore and Ministry of Health (MOH) security guidelines. This Privacy Policy details how we handle information in our operations on our secure server cluster serving the Singapore market. We act as a data intermediary under the PDPA when processing data on behalf of Singapore clinics and healthcare providers.

2. Processing of Personal and Health Data

In providing our ambient AI medical scribe and documentation assistance, our systems temporarily process voice recordings or text dictations to compile clinical draft SOAP notes. This information is processed solely to perform our contractual service of drafting structured records for practitioners.

3. Zero-Trust Local Browser-Side Redaction

To ensure patient personal data does not exit your local workspace or enter international cloud networks in cleartext, DocReport implements a local redaction pass in the practitioner's browser:

  • Patient Names & Dates of Birth: Automatically replaced client-side with secure placeholders (e.g. `[SG_PATIENT_NAME_1]`).
  • NRIC & FIN Numbers: Automatically scrubbed and replaced with secure tokens.
  • Contact Information: Phone numbers, email addresses, and home addresses are stripped out entirely.

Only anonymized clinical narratives are sent to remote AI services (such as Vertex AI) for transcription and structuring. Identifying information is cached only in your local browser memory.
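The redaction pass described in this section, as an added JavaScript example that is not DocReport's own code: NRIC/FIN numbers become tokens whose originals stay in a local map, contact details are removed outright, and a final check refuses to send text that still contains an identifier shape. The regular expressions, the `[SG_NRIC_n]` token name (modelled on the placeholder above), the function names and the sample note are assumptions; name and date-of-birth detection is out of scope here.

```javascript
// Added example; hypothetical names throughout, not DocReport's implementation.
// NRIC/FIN shape: prefix S, T, F, G or M, seven digits, one check letter.
// The check letter is not validated, so a mistyped identifier is still redacted.
const NRIC_FIN = /\b[STFGM]\d{7}[A-Z]\b/gi;
const EMAIL = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// Singapore numbers: optional +65, then 8 digits starting 3, 6, 8 or 9.
const SG_PHONE = /(?:\+65[\s-]?|\b)[3689]\d{3}[\s-]?\d{4}\b/g;

function redact(text) {
  const vault = new Map(); // token -> original; never leaves browser memory
  const seen = new Map();  // normalised identifier -> token
  let redacted = text.replace(NRIC_FIN, (match) => {
    const id = match.toUpperCase();
    if (!seen.has(id)) {
      const token = `[SG_NRIC_${seen.size + 1}]`;
      seen.set(id, token);
      vault.set(token, id);
    }
    return seen.get(id); // same person, same token, so the note stays coherent
  });
  // Contact details are stripped entirely: no token, nothing to restore.
  redacted = redacted.replace(EMAIL, '').replace(SG_PHONE, '');
  return { redacted, vault };
}

// Put identifiers back into the drafted note after it returns, locally only.
function restore(text, vault) {
  return text.replace(/\[SG_NRIC_\d+\]/g, (token) => vault.get(token) ?? token);
}

// Fail closed: throw instead of transmitting if any identifier shape survives.
function assertClean(text) {
  for (const pattern of [NRIC_FIN, EMAIL, SG_PHONE]) {
    pattern.lastIndex = 0; // global regexes keep state between test() calls
    const leaked = pattern.test(text);
    pattern.lastIndex = 0;
    if (leaked) throw new Error('unredacted identifier in outbound text');
  }
  return true;
}

// Constructed sample dictation (not real patient data).
const SAMPLE = 'Pt NRIC s1234567d, seen again as S1234567D. Spouse FIN G7654321K. ' +
  'Call +65 9123 4567 or mail tan@example.com re: HbA1c 8.1%.';
const { redacted, vault } = redact(SAMPLE);
assertClean(redacted);
console.log(redacted, restore('[SG_NRIC_2] reviewed', vault));
```

Shape-only matching over-redacts some clinical numbers; for an outbound filter that is the safer direction to err.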

4. Zero-Knowledge Local AES-GCM Encryption

When case records or clinical notes are saved to our cloud database (Firestore), they are encrypted on your local device using a private practice key stored strictly in your browser's local database. We do not transmit or store this key on our servers, ensuring your database records remain protected.

5. Cross-Border Data Disclosure

Because our global services run on premium international servers to minimize latency, processing occurs in secure data centers globally. However, because clinical data is redacted and encrypted client-side before leaving your browser, no cleartext personal data is transferred across borders, ensuring full compliance with the PDPA Transfer Limitation Obligation.

6. Audio Record Management

Audio recordings of consultations are processed strictly in-memory to generate clinical transcripts. Once the note is drafted, the audio data is destroyed in secure memory nodes. We do not retain, listen to, or compile patient audio logs. Transcripts are never used to train public or private AI models.

7. Data Protection Officer (DPO) and Inquiries

Inquiries regarding account deletion, correction of records, or general compliance questions can be sent to our Data Protection Officer at dpo@docreport.us.

© 2026 DocReport Singapore. All rights reserved. Be Smart Global, LLC.