Data Controller & Contact Details
The data controller for Vocadoc is Neolyth, a sole proprietorship (eenmanszaak) under Dutch law. You can contact Neolyth using the following details:
Neolyth (sole proprietorship)
Graafseweg 274, 6532 ZV Nijmegen, Netherlands
Telephone: +31 6 16044578
Email: hello@neolyth.io
Chamber of Commerce (KvK) Number: 95055592
VAT Number: NL005127223B03
Responsible Person: Marwand Ayubi
Neolyth is responsible for operating the Vocadoc platform and for the processing of personal data in Vocadoc. If you have any questions or requests regarding your personal data, you can use the above contact information.
Supervisory Authority
As Neolyth is established in the Netherlands, the lead supervisory authority for data protection is the Dutch Data Protection Authority, Autoriteit Persoonsgegevens. You have the right to lodge a complaint with the Autoriteit Persoonsgegevens if you believe your data is being processed unlawfully or if your data protection rights have been violated. The contact details of the Autoriteit Persoonsgegevens are:
Postal address: Postbus 93374, 2509 AJ Den Haag, Netherlands
Telephone: +31 70 888 8500
Website: autoriteitpersoonsgegevens.nl
Personal Data and Purposes of Processing
Vocadoc is a documentation and transcription service designed exclusively for licensed medical professionals. It allows healthcare providers to upload or record audio (such as patient consultations or clinical notes) and converts this into written documentation. The types of personal data we process in Vocadoc include:
- User Account Data: Information about the medical professional using Vocadoc (e.g. name, contact information, login credentials).
- Access Request Data: When you submit a request for access to Vocadoc through our website, we collect your email address, country, healthcare provider status, profession, organization role, documentation hours, technology comfort level, and technical information (IP address, device details, timestamp). This data is processed solely to evaluate your request for platform access and communicate with you about your application status. This information is never shared with third parties and is used exclusively by our internal team for access evaluation purposes.
- Audio Recordings: Voice recordings uploaded by the user, which may contain personal data about patients (including health information).
- Transcriptions and Documents: The text generated from audio recordings, which can include patient medical information.
- Usage Data: Technical logs and usage information (such as IP addresses, device information, and timestamps) for security and audit purposes.
We process this data solely to provide and improve the Vocadoc service, which includes transcribing medical dictations into documents, enabling users to manage their transcription tasks, and ensuring the service is secure and functional. We do not use personal data for any marketing or advertising purposes.
Legal Bases for Processing
All processing of personal data in Vocadoc is conducted in accordance with the EU General Data Protection Regulation (GDPR) and applicable Dutch laws. The legal bases we rely on include:
- Performance of a Contract (GDPR Art. 6(1)(b)): We process the user account data and audio/transcription data as necessary to provide the Vocadoc service to medical professional users, under our terms of service with them. Access request data is also processed under this basis as part of evaluating potential service agreements.
- Legitimate Interests (GDPR Art. 6(1)(f)): We may process certain data (like usage logs and access request information) to secure our platform, prevent abuse, and manage platform access, which is in our legitimate interest and does not override users' or patients' rights. Access requests are processed to maintain the quality and security of our healthcare platform.
- Legal Obligation (GDPR Art. 6(1)(c)): In some cases, we may need to retain or disclose data to comply with legal obligations or regulatory requirements (for example, responding to lawful requests by authorities).
For special categories of personal data (see below), we rely on a specific GDPR provision that allows processing of health data without explicit consent, under strict conditions.
Special Category Data (Health Information)
Vocadoc facilitates the processing of health-related personal data (which is considered a special category of personal data under GDPR) on behalf of medical professionals. This includes information about patients' health that may be contained in audio recordings and transcripts. We only permit access to Vocadoc for users who are licensed healthcare professionals, and any health data is processed under professional secrecy obligations.
The processing of health data in Vocadoc is carried out under the exemption provided by GDPR Article 9(2)(h), which allows processing necessary for medical purposes (such as healthcare provision or management). In accordance with GDPR Article 9(3), such data is handled only by or under the responsibility of professionals who are subject to an obligation of confidentiality (in this case, the medical practitioners using the platform).
Because we rely on this legal basis, explicit consent from the patient is not required for the processing of their health information via Vocadoc, as long as it is being used for medical documentation purposes and kept confidential. This exception under Article 9(2)(h) and 9(3) GDPR permits health data processing without explicit consent in the context of healthcare, provided appropriate safeguards (like professional secrecy) are in place.
Vocadoc does not allow any other use of special category data. We do not process health data for marketing, research, or any purpose outside of assisting healthcare providers in treating or documenting care for their patients.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described above, or to meet legal requirements. Specific retention periods for key data types are as follows:
- Access Request Data: Information submitted through access request forms is retained securely in our internal database for the duration necessary to process your application and communicate with you about access to our platform. This data is stored until your request is resolved (approved or denied) and for a reasonable record-keeping period thereafter (typically 12 months), unless you request earlier deletion. Access request data is never shared with third parties and is accessible only to authorized Neolyth team members involved in the evaluation process.
- Audio Recordings: Uploaded audio files are deleted shortly after a successful transcription and document generation. Once Vocadoc has created the text document from your audio, the original audio file is removed from our active systems.
- Temporary Files and Cache: Any temporary data or cached copies created during the transcription process are automatically purged immediately upon completion of processing. This ensures that no residual data lingers on our servers.
- Failed Transcriptions: In case a transcription task fails or is interrupted, Vocadoc will retain the encrypted audio file so that you have the opportunity to retry the transcription. This audio remains stored securely in encrypted form until you either successfully re-run the transcription or manually delete the task. If the task is deleted or completed on retry, the audio file is promptly removed.
- User Account Data: Information like your account details (name, email) is kept for as long as you maintain an account with us. If you delete your account, we will erase or anonymize your personal data within a reasonable period, unless we are required to retain it longer by law.
- Transcriptions/Documents: The written documents generated from audio may be stored in your account until you delete them or as governed by our application's functionality. You have control to delete documents you no longer need. We may also implement routine purges of old data in accordance with our data retention policies (we will inform users of such policies within the application).
- Operational Backups: Encrypted database and file backups are retained for 30 days on a rolling basis. Backups are GPG-encrypted and stored on infrastructure subject to the same security measures as our primary systems.
All deletions of audio and transcripts are done in a secure manner. Please note that removal from our active database may be followed by a brief period in secure backups, but in that case we will continue to protect the data and delete it according to our backup retention schedule (30 days).
Data Security Measures
We take the security of personal data seriously. Vocadoc employs technical and organizational measures to protect data against unauthorized access, disclosure, or loss. These measures include:
- Encryption of data in transit (TLS 1.2 or higher) and at rest. Audio files and backups are stored in encrypted form. Backups are additionally GPG-encrypted to a hardware-token-secured key.
- Access controls to ensure only authorized personnel and the authorized user (medical professional) can access the data. Access to systems is limited to known IP addresses via SSH key authentication only, with no direct exposure of origin servers.
- Monitoring and logging of access to detect any unauthorized activities, including centralized logging of administrative actions and data exports.
- Regular security assessments and updates to our infrastructure, including container image vulnerability scanning and prompt application of security patches.
Any audio content is transmitted securely for processing, and as noted, stored in encrypted form when at rest during processing or in temporary queues. Only the user who uploaded the audio (and any persons they authorize within their medical practice) can access the resulting transcriptions.
International Data Transfers and Hosting
Vocadoc primarily operates on servers located in the European Union. Our main infrastructure is self-managed and hosted in Nijmegen, Netherlands, which means personal data (including audio and documents) is processed and stored on servers in the Netherlands by default. We also use certain reputable third-party service providers to support our service, and we ensure all such providers handle data in compliance with EU data protection standards:
Data Storage and Processing Architecture
All persistent patient data (audio recordings awaiting processing, transcriptions, generated documents, and associated metadata) is stored exclusively on Neolyth's own on-premises servers in Nijmegen, Netherlands, or on Hetzner Online GmbH infrastructure in Germany. Both locations are within the EU, and all data at rest is encrypted.
Amazon Web Services (AWS) is used within the EU solely for transient processing: encryption key management (KMS), temporary object caching (S3), and AI inference (Bedrock). Audio or content may flow through AWS during active processing, but patient data at rest is never stored on AWS. Encrypted audio may be temporarily cached in Amazon S3 (eu-central-1) only until the corresponding document has been finalized, after which it is immediately and irreversibly deleted. All AWS processing is limited to the eu-central-1 (Frankfurt) region and other EU regions.
Edge Routing and Content Delivery
To provide reliable and resilient access, Vocadoc routes traffic through EU-based infrastructure operated by Worldstream B.V. (Netherlands) as the primary gateway and Hetzner Online GmbH (Germany) for geo-redundant failover, secondary application hosting, and internal operational services (including email). During normal operation the primary gateway handles all traffic; during failover or secondary-origin operation, Hetzner-hosted systems may process the same categories of personal data as the primary infrastructure. All systems are located within the EU. No personal data is permanently stored outside the EU.
Payment Processing
Billing and payment processing is handled by Stripe Payments Europe, Ltd. Stripe processes client account and contact data only (such as name, email address, and payment instrument details) for the purposes of billing, identity verification, and fraud prevention. Stripe does not process or have access to any health data or patient data. Stripe is incorporated in the EEA (Ireland), with international transfers governed by Standard Contractual Clauses (SCCs). Stripe's own Data Processing Agreement applies to all data it processes on our behalf. For details, see Stripe's privacy documentation at stripe.com/privacy.
No Storage Outside EU
We do not store personal data on servers outside the European Economic Area (EEA). In cases where we might need to work with a service provider outside the EEA, we will ensure that an adequate transfer mechanism is in place (such as EU Commission-approved Standard Contractual Clauses).
Safeguards for Transfers
All our cloud and service providers have committed to GDPR-compliant data protection terms. We have signed Standard Contractual Clauses (SCCs) with our subprocessors where required, to ensure that any transfer of personal data outside the EU is protected. AWS, for instance, includes SCCs in its data processing addendum. Additionally, many of our providers (like AWS) have adopted supplemental measures and maintain certified compliance with frameworks like ISO 27018 for cloud privacy.
AWS Bedrock (AI Services)
When we use AI services such as AWS Bedrock to assist with transcriptions or document generation, we ensure that no personal data is retained by those AI systems beyond the immediate processing. According to AWS, Amazon Bedrock does not store or log the content of your requests or outputs, and does not use them to train models or share them with third parties. This means any audio or text we send to such AI services is transiently processed and not kept by AWS.
By keeping our hosting and services within the EU and using strong contractual protections, we maintain control over your data and safeguard it under European data protection standards.
Cookie Policy
Vocadoc uses cookies to ensure the correct functioning of the service and, with your consent, to measure the effectiveness of our marketing campaigns. Below we explain which cookies we use, their purposes, and how you can manage your preferences.
Necessary cookies
- Authentication cookies: to keep you securely logged in to your account as you navigate through the platform.
- Preference cookies: to remember your selected language (English, Dutch, or German) and other interface preferences, so that you have a consistent user experience.
- Cookie consent cookie (vocadoc_cookie_consent): to remember your cookie preferences so we do not ask you again on every visit.
Analytics and marketing cookies
With your explicit consent, we use Google Ads conversion tracking cookies to measure the effectiveness of our advertising campaigns. These cookies are only set after you accept analytics cookies via our cookie banner. The following cookies may be set:
- _ga: a Google Analytics cookie used to distinguish users. Duration: up to 2 years.
- _gid: a Google Analytics cookie used to distinguish users. Duration: 24 hours.
- _gac_*: Google Ads conversion tracking cookies used to attribute website visits to advertising campaigns. Duration: 90 days.
These cookies are set by Google LLC. Google may process this data in accordance with its own privacy policy. No personal medical data, patient information, or health records are ever shared with Google or any advertising service.
Your cookie choices
When you first visit Vocadoc, a cookie banner allows you to accept all cookies or only necessary cookies. You can change your preferences at any time by clicking "Manage preferences" in the cookie banner or via your account settings. If you reject analytics cookies, no Google tracking scripts are loaded and no analytics cookies are set.
The legal basis for placing analytics and marketing cookies is your consent (Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy Directive). Necessary cookies are placed based on our legitimate interest in providing a functional service and are exempt from the consent requirement.
To opt out of analytics cookies, use the cookie preferences manager accessible via the banner or contact us at vocadoc@neolyth.io. When you reject analytics cookies, all previously set Google cookies are automatically cleared from your browser.
Session Recording & Platform Analytics
To improve the Vocadoc platform and user experience, we use self-hosted session recording technology (OpenReplay). This tool records interactions with the Vocadoc interface (such as clicks, scrolls, and page navigation) to help us identify and fix usability issues.
OpenReplay is self-hosted on our own infrastructure in Nijmegen, Netherlands. No session recording data is shared with third parties or transferred outside our EU infrastructure.
Patient data is automatically masked in session recordings. Medical content, patient information, and sensitive data appear as asterisks or are completely removed from recordings. Network requests to sensitive endpoints (authentication, patient data, medical records, payments) have their payloads stripped from recordings.
Session recordings may capture: page navigation patterns, click and scroll behavior, form field interactions (input content is masked by default), browser and device information, and session duration. Session recordings do not capture: patient medical data (masked), authentication credentials (stripped), payment information (stripped), or any content marked as sensitive.
We process this data based on our legitimate interest (GDPR Art. 6(1)(f)) in maintaining and improving the quality, security, and usability of our platform. This processing does not override users' rights, as the data collected is limited to interface interactions with sensitive content masked.
Session recording data is retained on our self-hosted infrastructure for a limited period necessary to analyze and improve the platform. Recordings are automatically purged after this period.
Users who wish to opt out of session recording can contact us at hello@neolyth.io. We are developing an in-app opt-out mechanism for a future release.
Data Protection Officer
Currently, Neolyth is not legally required to appoint a Data Protection Officer (DPO). Under GDPR Article 37, a DPO is mandatory if an organization's core activities involve large-scale processing of sensitive data or systematic monitoring of individuals on a large scale.
Neolyth's processing operations (through Vocadoc) do not meet these thresholds. For example, we facilitate processing of health data, but not on a scale that is considered "large-scale" in the context of a single medical practice, and we do not engage in large-scale profiling or monitoring of individuals.
We continually monitor our data processing volume and practices. If our business or the scope of processing changes such that appointing a DPO becomes required by law, we will promptly do so and update this Privacy Policy with the DPO's contact information.
In the meantime, our internal team handles data protection inquiries, and you can reach out to us via the contact details above for any privacy-related questions.
Your Data Protection Rights
As an individual whose personal data may be processed through Vocadoc (for instance, as a patient whose information is being transcribed, or as a user of the service), you have certain rights under the GDPR. These include:
- Right of Access: You can request confirmation of whether we are processing your personal data, and if so, request a copy of that data.
- Right to Rectification: You have the right to ask us to correct any inaccurate or incomplete personal data that we hold about you.
- Right to Erasure: You can request that we delete your personal data when it is no longer necessary for the purposes for which it was collected, or if you believe it is being processed unlawfully. (For example, a patient can request their data be removed from Vocadoc records if applicable, recognizing that the data is typically under the control of the medical professional using Vocadoc.)
- Right to Restriction of Processing: You can ask us to restrict (temporarily halt) the processing of your personal data in certain circumstances, for instance, if you contest the accuracy of the data or have objected to processing (pending a decision on that objection).
- Right to Data Portability: For data you have provided directly to us and which we process by automated means based on consent or contract, you can request to receive that data in a structured, commonly used, machine-readable format, or ask us to transfer it to another data controller where technically feasible. Vocadoc provides a self-service data export via the platform interface, delivered in structured plaintext (JSON) over an encrypted connection. Upon written request, we can also provide an additionally encrypted export file.
- Right to Object: You have the right to object to certain processing activities we undertake based on legitimate interests. If such a request is received, we will consider your objection and will no longer process the data unless we have compelling legitimate grounds to continue or if it is needed for legal claims.
- Right not to be subject to automated decisions: Vocadoc does not use your personal data for any decision which produces legal or similarly significant effects solely based on automated processing (no automated decision-making or profiling is performed).
- Right to Withdraw Consent: In general, we do not rely on consent for processing in Vocadoc (except possibly for setting up an account or receiving communications). However, if at any point you have given consent for a particular processing activity, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
To exercise any of your rights, you may contact us at hello@neolyth.io or use the other contact details provided above. We may need to verify your identity and, if you are a patient whose data was entered by a medical professional, we might need to coordinate with that professional to fulfill your request (since Vocadoc acts as a processor for the medical professional in those cases).
We will respond to all legitimate requests and provide information or action free of charge within one month, as required by GDPR, unless requests are complex or numerous, in which case we may inform you of an extension.
Finally, as noted, you also have the right to lodge a complaint with the supervisory authority (Autoriteit Persoonsgegevens in the Netherlands) if you believe we have infringed your privacy rights.
Updates to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make changes, we will revise the "last updated" date at the top of the policy.
If any material changes are made, we will provide a prominent notice (such as on our website or via email notification to account holders) and obtain consent if required by law.
We encourage you to review this Policy periodically to stay informed about how we are protecting your personal data.