Privacy Policy

Last updated: May 12, 2026

AuraLync ("we", "us", "our") provides cloud-based practice management software for audiology and ENT clinics at auralync.com. This Privacy Policy explains what information we collect, how we use it, and the choices you have. It applies to our website, the AuraLync application, and the Service generally.

1. Two kinds of users

AuraLync's customers are clinics and providers ("Practices"). Practices use our software to deliver care to their patients ("Patients"). This Policy describes our practices in both relationships. Where we process Patient information on behalf of a Practice, the Practice is the data controller and we are a service provider or business associate acting under the Practice's instructions.

2. Information we collect from Practices

  • Account information. Practice name, billing address, NPI, contact information for owners and staff, and login credentials.
  • Payment information. Processed by Stripe; we do not store full card numbers on our servers.
  • Customer Data. Everything the Practice uploads into the Service, including patient records, audiograms, appointments, fittings, devices, communications, invoices, and clinical notes. Customer Data may include Protected Health Information ("PHI") as defined under HIPAA.
  • Usage data. Pages viewed, features used, errors encountered, and similar product analytics, captured to operate, secure, and improve the Service.
  • Device and connection data. IP address, browser type, operating system, time zone, and approximate location derived from IP address.
  • Communications with us. Support tickets, emails, and feedback you send.

3. Information we collect from Patients

When Practices use AuraLync, we may process Patient information on the Practice's behalf, including:

  • Demographic and contact information (name, date of birth, gender, address, phone, email).
  • Insurance information (carrier, member ID, plan).
  • Clinical information (audiograms, hearing loss history, devices fitted, clinical notes, recordings authorized for AI scribe).
  • Communications history (SMS, email, calls).
  • Documents uploaded by or on behalf of the Patient.

Patient information is processed under the direction of the Practice. Questions or requests from Patients about their information should be directed to the Practice that provided their care.

4. How we use information

  • To provide, maintain, secure, and improve the Service.
  • To authenticate users and protect against unauthorized access, fraud, and abuse.
  • To process payments and send billing communications.
  • To communicate with you about your account, product updates, security advisories, and service announcements.
  • To respond to support requests.
  • To comply with legal obligations and enforce our Terms.

We do not sell personal information. We do not use Customer Data or PHI for advertising or to train general-purpose machine learning models.

5. AI features and how data is used

Some Service features use third-party large language models and speech-to-text providers to generate drafts, summaries, transcripts, and clinical notes (collectively, "AI Outputs"). When a Practice uses these features, the inputs (such as recorded audio, audiogram images, or chart text) are transmitted to the AI provider for processing, and the result is returned as output. We use providers that contractually commit not to retain inputs for training their general-purpose models. The AI providers currently used are Anthropic (Claude) for text and vision, and Deepgram (Nova-3 Medical) for speech-to-text in the scribe feature only. Both providers offer HIPAA Business Associate Agreements that AuraLync executes prior to processing PHI in production.

6. Sub-processors

We rely on the following service providers to operate AuraLync:

  • Supabase — hosted Postgres database, authentication, and object storage
  • Vercel — application hosting and content delivery
  • Anthropic — large language model (Claude) and vision for clinical drafting, audiogram interpretation, audiogram image parsing, and communication drafts
  • Deepgram — clinical speech-to-text (Nova-3 Medical model) for the AI scribe feature only
  • Twilio — SMS and voice messaging
  • Resend — transactional and campaign email
  • Stripe — payment processing
  • Intuit (QuickBooks Online) — optional accounting sync
  • Daily.co — optional telehealth video

The current list of sub-processors is also available on request. We provide reasonable notice before adding new sub-processors that process PHI.

7. HIPAA

AuraLync is designed to support HIPAA compliance. When a Practice uploads PHI, AuraLync acts as a Business Associate under HIPAA. Practices that intend to process PHI in production must execute our Business Associate Agreement. We maintain administrative, physical, and technical safeguards reasonably designed to protect PHI, including encryption in transit (TLS) and at rest, role-based access controls, audit logging, and regular security reviews.

8. Sharing of information

We share information only as follows:

  • With service providers acting on our behalf, under written contracts and (where PHI is involved) Business Associate Agreements.
  • To comply with legal obligations, court orders, or lawful government requests.
  • To enforce our Terms or protect the rights, property, and safety of AuraLync, our users, or others.
  • In connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality protections and continued application of this Policy.

We do not sell or rent personal information.

9. Data retention

We retain Customer Data for as long as a Practice maintains an active subscription. After termination, Customer Data is retained for 30 days to allow export, after which it is deleted from production systems within a reasonable period unless retention is required by law. Backups are retained for up to 90 days and are deleted on rolling schedules. We retain account and billing records for as long as needed to comply with tax, audit, and accounting obligations.

10. Your rights and choices

Depending on where you reside, you may have rights to access, correct, delete, restrict, or port personal information about you, and to object to certain processing. Practice users can exercise many of these rights directly within the Service. Patients should contact the Practice that provided care. To make a request directly to AuraLync, email privacy@auralync.com. We will verify your identity and respond within the time required by applicable law.

11. State-specific notices (United States)

Residents of California, Virginia, Colorado, Connecticut, Utah, and other states with consumer privacy laws have specific rights under those laws. We honor verified requests to know, delete, correct, and opt out of "sale" or "sharing" of personal information as defined in those laws. We do not knowingly engage in such sales or sharing.

12. International transfers

AuraLync is operated from the United States. If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the United States and in countries where our sub-processors operate. We use contractual safeguards required by applicable law for such transfers.

13. Security

We implement administrative, technical, and physical safeguards designed to protect personal information against loss, theft, misuse, and unauthorized access. These include encryption in transit and at rest, multi-factor authentication, role-based access controls, audit logging, vulnerability management, and ongoing employee security training. No security program is perfect, and we cannot guarantee the security of information transmitted to or stored on the Service.

14. Children's privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from a child under 13 except when a Practice provides care to a minor patient, in which case the information is processed on the Practice's behalf and subject to the Practice's policies and applicable law.

15. Cookies and similar technologies

We use cookies and similar technologies to authenticate sessions, remember preferences, and analyze how the Service is used. You can control cookies through your browser settings; disabling certain cookies may affect functionality. We do not use third-party advertising cookies.

16. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-product notice at least 30 days before they take effect. The "Last updated" date at the top of this page indicates the most recent revision.

17. Contact

Questions about this Privacy Policy or our privacy practices? Email privacy@auralync.com.