This is your

safe space

What does safety mean to us?

Heidi was built by clinicians for clinicians.

We understand the privilege of handling sensitive personal information and we take it seriously. Supported by our world-class compliance team, we're at the forefront of data safety for AI scribes globally, ensuring your data remains secure.

Whatever your specialty, we’ve made Heidi both safe and joyful to use. Here’s how.

Ticking all your compliance and safety boxes.

Your data is yours.

What data does Heidi store?

Heidi only stores transcripts and notes, and that's it, for as long as you need them. As you speak, Heidi transcribes your words. No audio recordings are ever saved, ensuring there's no hidden playback.
1
As you speak, Heidi listens.

Heidi captures your conversation in real time.
2
Transcript: Every detail, instantly transcribed.
Heidi converts your words into text—accurate, structured, and ready for review.
3
No audio is ever kept.
As soon as Heidi transcribes, the audio disappears—poof!
4
De-identification: Privacy first.
Heidi automatically removes identifiable details from your transcript and notes.
5
Medical notes & documents: Ready in seconds.

From the transcript, Heidi generates structured notes, referral letters, and care plans.
6
Add context anytime.

Need to refine or add details? Upload or type in extra context to make your notes more precise.
7
Delete anytime—you're in control.
Once you've reviewed and transferred your notes to the EMR, you can delete everything—no record kept.
Data & security

How does Heidi protect your data?

Encryption, everywhere. Your data travels through an encrypted tunnel—no unwanted guests allowed—and we test it regularly. From storage to transit, every byte is shielded using strong, industry-standard encryption protocols.

Global compliance and secure storage. We’ve got you covered - HIPAA, GDPR, PIPEDA, APP - the lot. Plus, your data is in safe hands with our best-in-class infrastructure - think ISO27001, SOC2 and Cyber Essentials compliant.

Strict access control. You, the clinician, hold the keys, and ensuring explicit patient consent should be a priority. Heidi’s team can only peek at data if you specifically say, “Hey, help me troubleshoot!” (and even then, we log every step).

De-identification of your data. Before Heidi processes your session, we strip all data of personal identifiers (think ‘Jane Doe’ instead of the patient’s name), so it can’t be traced back.

Heidi doesn’t use any of your data to train our AI.

But how do you make it sound like me? 

We know every clinician has their own style and vision of the perfect note, and that's why our incredible Medical Knowledge team—skilled clinicians turned prompt engineers—create hundreds of templates based on your feedback. Need any tweaks? It's simple: just jump into your template, tell Heidi exactly what you want and where you want it, and she'll remember your changes—you're in charge.

Learn more about Heidi's template magic

Delete means delete. Forever.

Everyone loves Heidi!
“I love how passionate you are about data governance and security. We feel we’re in safe hands.”
– GP Compliance Partner

Every account matters. Free or paid, premium security is always included.

How does Heidi protect your data?

Our compliance team is here to guide you through every step to ensure full compliance when using Heidi in your practice. To get started, you'll need to:

Complete a Data Protection Impact Assessment (DPIA)

We can assist you with this - simply fill out the form at the bottom, or your Data Protection Officer (DPO) may already have one prepared.

Sign a Data Processing Agreement (DPA)

This ensures that data processing responsibilities are clearly defined and compliant with UK regulations.

Obtain Clinical Safety Documentation

You’ll need to obtain our DCB0129 (clinical risk management for manufacturers) and create your DCB0160 (clinical risk management for healthcare organizations), both essential for safe implementation in your practice.

Heidi best practice - for your practice.

Empower your patients with consent.

There are many ways to ask for consent, and we trust that you choose the one that works for you and your patients. To keep it top of mind, you can ask Heidi to remind you at the beginning of your session - just head to your settings.

Remember to check your notes.

There are many ways to ask for consent, and we trust that you choose the one that works for you and your patients. If you need any inspiration, we’ve compiled some examples for you here.

Share access responsibly.

To protect the confidentiality of your patients’ consults, please avoid sharing your account access. We've made our templates easy to share through our template library, and anyone can try Heidi for free. Curious about giving Heidi a go? Simply create a free account.

Quick answers

Heidi Safety FAQs

Is Heidi Health Insurance Portability and Accountability Act (HIPAA) compliant?

Absolutely, Heidi’s compliant in the U.S. in accordance to HIPAA. Our commitment to HIPAA underscores our dedication to maintaining the highest standards of privacy and trust within the healthcare industry. We use a continuous compliance management system that makes sure we are always vigilant for our HIPAA compliance, instead of a point in time audit which can lead to vulnerabilities in between audits. We implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of the personal health information (PHI) Heidi handles. Learn more about HIPAA compliance here.

Do you provide a Business Associate Agreement (BAA)?

Yes we do. As part of our practices to fully comply with HIPAA, we enter into BAAs with all vendors and partners who may have access to PHI. If your organisation/practice wishes to have BAA in place for implementing Heidi, you can request it through the form below.

Do you have a Data Protection Impact Assessment (DPIA) and Data Processing Agreement (DPA)?

Yes! We have DPIAs for all jurisdictions that we operate in. If you need a copy, please don’t hesitate to reach out to our amazing compliance team through the form below.

Can Heidi access my patient’s information?

Short answer, no. Before Heidi processes your session, we strip all data of personal identifiers (think ‘Jane Doe’ instead of the patient’s name), so it can’t be traced back. Your patient’s data remains protected and Heidi does not and will not contact your patients for any purposes.

Are audio recordings saved?

No, Heidi does not store any audio. As you speak, Heidi types, and the audio immediately goes *poof*. Even if you’re uploading an audio file that was recorded offline, the audio is only stored on your device, and Heidi doesn’t retain any of it once it’s been transcribed.

Where are Heidi’s servers storing my data?

Locally. Heidi’s “brain” (aka servers) stays strictly in the region you’re based in, keeping everything in line with data localisation requirements under regulations like GDPR.

How does Heidi mitigate data breaches?

Step 1: Prevention. Heidi implements the best in class infrastructure - think ISO27001, SOC2 and Cyber Essential compliant, while also being penetration tested every year. The architecture of our data storage also ensures that your protected health information (PHI) is de-identified and processed separately to the rest of the transcript. The reality is though, we have to be prepared for anything, and so all of our users, free or paid, are insured and receive the highest standard of compliance. 

How do you tackle ‘hallucinations’?

First, you might be wondering what AI scribe hallucinations are? Well, AI sometimes generates content that might be nonsensical or incorrect - think hearing things that weren’t said. And while we’re striving to improve the technology to avoid this from happening, here are some other ways to tackle these:

  • Our experienced Medical Knowledge team regularly reviews our models, templates and checks the outputs for accuracy.  
  • Your feedback and input is invaluable. We encourage you to review all notes before transferring them to your EHR system. 

Can my Heidi medical notes be subpoenaed?

If your notes are stored in Heidi at the time they have been subpoenaed, we are legally required to comply and may need to provide access upon request - the short answer being yes.

If you have, however, deleted your notes, they are permanently wiped out from our systems, and we are unable to retrieve them.

You say you’re compliant. But how do you prove it

Have any more questions?

We’re here to answer them.

Hungry for more?

Watch our Heidi Compliance series.

Designed by clinicians, for clinicians

Use Cases
Psychologists
Dietitian
Vets
Medical Doctors
Nurses
Allied Health
Podiatrists
Compliance
SafetyTrust CentreGDPRHIPAAUKCanadaAU/NZ
Company
Contact usBlogCustomersOur StoryMedia
Open Roles
10+
Product
PricingChangelogDownloadsSystem StatusResource CentreHeidi GuidesSystem Requirements
Resources
DevelopersReferralsHelp CentreCookie SettingsFAQs
Legal
Privacy PolicyPrivacy Policy (Swiss)Terms of ServiceUsage PolicyUKGDPR PolicyAccessibility
© 2025 Heidi. All rights reserved.