Privacy Notice
Last updated: April 2026
This privacy notice for Zerapy ("Zerapy," "we," "us," or "our") describes how and why we might collect, store, use, and share ("process") your information when you use our services ("Services"), such as when you:
- Visit our website at https://zerapy.ai, or any website of ours that links to this privacy notice
- Access or use our provider platform at provider.zerapy.ai
- Interact with our AI-powered clinical documentation, exercise program, patient engagement, or remote therapeutic monitoring tools
- Engage with us in other related ways, including sales, marketing, or events
Questions or concerns? Reading this privacy notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at support@zerapy.ai.
Summary of Key Points
- What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with Zerapy, the choices you make, and the features you use. This may include clinical audio recordings, documentation content, patient demographic data, and usage data.
- Do we process any sensitive personal information? We may process sensitive personal information, including protected health information (PHI), when necessary to provide our clinical documentation and monitoring services, with your consent or as otherwise permitted by applicable law.
- Do we process information using artificial intelligence? Yes. Our Services use AI models to generate clinical documentation (SOAP notes, ICD-10 and CPT codes), exercise programs, patient communications, and remote therapeutic monitoring records. See "AI Processing" below for details.
- How do we keep your information safe? We maintain HIPAA-compliant safeguards with enterprise-grade security controls. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
- What are your rights? Depending on your geographic location, applicable privacy law may grant you certain rights regarding your personal information.
1. What Information Do We Collect?
Information You Provide to Us
We collect personal information that you voluntarily provide when you register for the Services, use our clinical tools, or contact us. The personal information we collect may include:
- Names, email addresses, phone numbers, and professional credentials
- Practice and organization information (name, address, NPI number)
- Account credentials (usernames and passwords)
- Payment and billing information
- Clinical content you create or input through our platform, including session notes, patient demographic information, and treatment plans
Information Processed Through AI Services
When you use our AI-powered features, we process the following types of information to generate clinical documentation and deliver our Services:
- Clinical audio. If you use Zera Scribe, we process audio recordings of clinical sessions to generate SOAP notes and suggest billing codes. Audio is processed in real time and is not retained after documentation is generated unless you choose otherwise.
- Patient health information. We process patient demographic data, diagnosis information, treatment history, exercise adherence data, and remote therapeutic monitoring records as needed to deliver our documentation, exercise program, and RTM services.
- Exercise and engagement data. When patients interact with Zera HEP exercise programs or Zera Engage communications, we collect exercise completion data, adherence metrics, patient-reported outcomes, and communication records.
Information Collected Automatically
We automatically collect certain information when you visit or use the Services, including:
- Device and browser information (IP address, browser type, operating system)
- Usage data (pages visited, features used, timestamps, AI Units consumed)
- Log and diagnostic data
We may use cookies and similar tracking technologies to collect some of this information.
2. AI Processing
Zerapy uses artificial intelligence to power its core Services. This section explains how AI is used and how we protect your data in the process.
- Purpose. AI models generate clinical documentation (SOAP notes, ICD-10 and CPT code suggestions), home exercise programs, patient communications, and remote therapeutic monitoring documentation.
- Human oversight. All AI-generated clinical documentation is presented to the provider for review and approval before it becomes part of the clinical record. Providers are responsible for reviewing, editing, and approving all AI-generated content.
- Data use for model improvement. We do not use your clinical data or protected health information to train AI models without your explicit written consent. De-identified, aggregated usage data may be used to improve service quality.
- Third-party AI services. We may use third-party AI infrastructure providers to process data. All such providers are bound by Business Associate Agreements and maintain HIPAA-compliant security practices.
3. How Do We Process Your Information?
We process your personal information for a variety of purposes, including:
- To provide, operate, and maintain our Services, including AI-powered documentation, exercise programs, and RTM
- To facilitate account creation, authentication, and management
- To process payments and manage billing (AI Units, RTM add-ons)
- To communicate with you about your account, updates, and support
- To monitor usage, track AI Unit consumption, and generate analytics
- To send marketing and promotional communications (with your consent; you can opt out at any time)
- To comply with legal obligations, including HIPAA requirements
- To protect against fraud, unauthorized access, and security threats
4. When and With Whom Do We Share Your Information?
We may share your data with the following categories of third parties who perform services on our behalf:
- Cloud infrastructure providers (Google Cloud Platform)
- AI processing services
- Payment processors (Stripe, Inc.)
- Analytics and monitoring services
- Communication services (email, SMS)
- EHR integration partners (when you enable integrations)
All third parties that process protected health information on our behalf are bound by Business Associate Agreements. We do not sell your personal information or protected health information to third parties.
We may also share your information in connection with business transfers (mergers, acquisitions, or asset sales), to comply with legal obligations, or to protect our rights and safety.
5. HIPAA and Protected Health Information
When Zerapy processes protected health information (PHI) on behalf of a healthcare provider (Covered Entity), we operate as a Business Associate under HIPAA. Our obligations include:
- Maintaining administrative, technical, and physical safeguards as described on our HIPAA Compliance page
- Executing Business Associate Agreements with Covered Entities and with our own subcontractors
- Reporting breaches of unsecured PHI in accordance with the HITECH Act
- Limiting use and disclosure of PHI to the minimum necessary for the intended purpose
For more information about our HIPAA practices, visit our HIPAA Compliance page. To request a Business Associate Agreement, visit our BAA page.
6. Cookies and Tracking Technologies
We may use cookies and similar tracking technologies (such as web beacons and pixels) to collect information about how you interact with our website. You can manage your cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of our Services.
7. How Long Do We Keep Your Information?
We retain your personal information for as long as necessary to fulfill the purposes described in this privacy notice, unless a longer retention period is required by law. Clinical documentation and records may be retained for the duration required by applicable healthcare record retention laws. When we no longer have a legitimate business need to process your information, we will delete or anonymize it.
8. How Do We Keep Your Information Safe?
We implement appropriate technical and organizational security measures to protect your personal information, including:
- AES-256 encryption at rest
- TLS 1.2 or higher encryption in transit
- Role-based access controls with multi-factor authentication
- Immutable audit logging of all access to protected health information
- Enterprise-grade security controls
- Regular security risk assessments
Despite our safeguards, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your information using industry-leading practices.
9. What Are Your Privacy Rights?
General Rights
Depending on your location, you may have the right to:
- Access and obtain a copy of your personal information
- Request correction of inaccurate personal information
- Request deletion of your personal information
- Object to or restrict certain processing of your personal information
- Withdraw consent at any time (where processing is based on consent)
- Opt out of marketing communications
To exercise any of these rights, contact us at support@zerapy.ai.
California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act. These include the right to know what personal information we collect and how it is used, the right to request deletion, the right to opt out of the sale or sharing of personal information, and the right to non-discrimination for exercising your privacy rights.
Zerapy does not sell personal information. To exercise your California privacy rights, contact us at support@zerapy.ai.
Virginia Residents (VCDPA)
If you are a Virginia resident, you have rights under the Virginia Consumer Data Protection Act, including the right to access, correct, delete, and obtain a copy of your personal data, and the right to opt out of targeted advertising, sale of personal data, and profiling. Zerapy does not sell personal data to third parties. To exercise your rights, contact us at support@zerapy.ai.
EU/UK Residents (GDPR)
If you are located in the European Economic Area or the United Kingdom, we process your personal information based on consent, contractual necessity, legitimate interests, or legal obligation. You may have additional rights including data portability and the right to lodge a complaint with your local data protection authority.
10. International Data Transfers
Our servers are located in the United States. If you access our Services from outside the United States, your information may be transferred to, stored, and processed in the United States. We take appropriate measures to protect your information in accordance with this privacy notice and applicable law.
11. Do-Not-Track Signals
We do not currently respond to Do-Not-Track browser signals, as no uniform standard for recognizing and implementing these signals has been established.
12. Updates to This Notice
We may update this privacy notice from time to time. The updated version will be indicated by a revised "Last updated" date. If we make material changes, we may notify you by posting a prominent notice on our website or by sending you a direct notification.
13. Contact Us
If you have questions or comments about this notice, you may contact us at:
Zerapy
11160-C1 South Lakes Dr
Reston, VA 20191
United States
support@zerapy.ai