Echomedic

Privacy Policy & Terms of Use

Last updated: March 3, 2026

1. Data Controller

Echomedic AS (org. nr. 935 870 631) is the data controller for the processing of personal data described in this privacy policy. Echomedic AS is located at Stensberggata 29, 0170 Oslo, Norway.

2. Data We Collect

When you use the Echomedic app, we process the following categories of data:

Audio Data

Audio is captured at 16 kHz PCM via an attached microphone and streamed in real-time to our transcription API. Audio is processed in memory only and is never stored. Complete audio recordings never exist at any point.

HelseID Authentication Data

When you log in via HelseID (the Norwegian health sector identity provider), we receive your user ID, name, and HPR number (health personnel registry number). This data is stored locally in the iOS Keychain for the duration of your session and is deleted when you log out.

What We Do Not Collect

We do not collect analytics data, device identifiers, location data, IP addresses, usage statistics, or any other telemetry. We do not use any third-party analytics SDKs, advertising frameworks, or tracking technologies. The app does not use cookies.

3. Legal Basis for Processing

We process personal data based on the following legal grounds under the General Data Protection Regulation (GDPR):

  • Article 6(1)(b) — Performance of a contract: Processing is necessary to provide the transcription service you have requested as part of your professional use of the app.
  • Article 9(2)(h) — Health data processing: Audio from emergency responses may contain health-related information (special category data under GDPR Article 9). Processing is necessary for the provision of health care, in accordance with Norwegian health legislation (Helseregisterloven, Normen) and is carried out by or under the responsibility of a health professional bound by professional secrecy.

4. How We Process Your Data

Audio is streamed in real-time from the app to our transcription API hosted within the EU/EEA. The audio stream is processed in memory to generate a text transcription. The resulting transcription text is then processed by our sub-processors (see Section 6) to extract structured medical notes, which are returned to the app. All audio data is discarded immediately after transcription — it is never written to disk, stored in a database, or retained in any form.

5. Data Retention

  • Audio data: Not retained. Processed in real-time memory only and immediately discarded.
  • Transcription data: Deleted immediately after structured notes are extracted and returned to the app.
  • Session data (HelseID): Stored in iOS Keychain during your session. Deleted upon logout.

6. Third-Party Data Sharing and Sub-Processors

We do not sell, share, or disclose your personal data to third parties for their own purposes.

To provide the service, transcription text is processed by the following sub-processors for the purpose of extracting structured medical notes:

  • Microsoft Corporation (Azure OpenAI Service) — processes transcription text to retrieve structured clinical data. Data is processed within the EU/EEA (Sweden Central region). Microsoft does not retain input or output data beyond the API call when configured for zero data retention, which Echomedic has enabled. Processing is governed by a Data Processing Agreement (DPA) with Microsoft.
  • Google LLC (Vertex AI) — processes transcription text to retrieve structured clinical data. Data is processed within the EU/EEA. Processing is governed by a Data Processing Agreement (DPA) with Google.

These sub-processors process transcription text only — audio data is never shared with third parties. No sub-processor retains patient data beyond the duration of the API request.

Audio transcription (speech-to-text) is performed by Echomedic's own infrastructure hosted within the EU/EEA. HelseID authentication is handled by Norsk Helsenett SF in accordance with their own privacy policy.

7. Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right of access — You may request information about what personal data we process about you.
  • Right to rectification — You may request correction of inaccurate personal data.
  • Right to erasure — You may request deletion of your personal data, subject to legal obligations.
  • Right to restriction — You may request that we restrict the processing of your data.
  • Right to data portability — You may request your data in a structured, machine-readable format.
  • Right to object — You may object to the processing of your personal data.

To exercise any of these rights, please contact us at odin.berre@echomedic.no.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including: encryption in transit (TLS 1.2+) for all data transmission; no persistent storage of audio or transcription data; session data stored in the iOS Keychain (hardware-encrypted); access controls and authentication via HelseID; regular security assessments and compliance reviews. Echomedic follows Normen (Norm for informasjonssikkerhet og personvern i helse- og omsorgssektoren) as our baseline for information security in the healthcare sector.

9. Contact Information

For questions regarding this privacy policy or your personal data, please contact:

Echomedic AS, Stensberggata 29, 0170 Oslo, Norway

Email: odin.berre@echomedic.no

Phone: +47 472 34 255

10. Supervisory Authority

If you believe that our processing of your personal data violates GDPR, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet):

Datatilsynet, P.O. Box 458 Sentrum, 0105 Oslo, Norway — www.datatilsynet.no

11. Terms of Use

The Echomedic app is intended for use by authorized healthcare professionals in prehospital emergency medical services. By using the app, you agree that:

  • You are a licensed healthcare professional with a valid HPR number.
  • You will use the app in accordance with applicable laws, regulations, and professional standards.
  • Transcriptions and generated notes are decision-support tools and do not replace clinical judgment. You are responsible for reviewing and approving all generated content before it is entered into the patient record.
  • You will not attempt to reverse-engineer, modify, or misuse the app or its services.

Echomedic AS provides the app 'as is' and does not guarantee uninterrupted availability. We reserve the right to modify or discontinue the service with reasonable notice.

12. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated through the app or via email. Continued use of the app after changes constitutes acceptance of the updated policy.