Privacy Policy

Welcome to using the Gosta AI Operating System service! This Privacy Policy describes how Gosta Labs Oy processes personal data — including Personal Data (GDPR, EU) and Protected Health Information (PHI) (HIPAA, U.S.) — in connection with the Gosta AI Operating System service, and describes your rights.

For European Economic Area (EEA) users, the more detailed register description maintained by your organisation also applies. For U.S. users, additional information about PHI processing under HIPAA is set out later in this Policy.

For EEA users: The hospital or healthcare organization acts as the data controller. Gosta Labs Oy, as the provider of the Gosta AI Operating System service, acts as the data processor on behalf of the data controller. The contact information of the data controller can be found in the data controller’s privacy policy.

For U.S. users: The healthcare provider organization (hospital, clinic, or health system) acts as the Covered Entity and data controller. Gosta Labs Oy acts as a Business Associate and data processor, processing PHI on behalf of and under instruction from the Covered Entity pursuant to a Business Associate Agreement (BAA). Details of the BAA arrangement are set out in Section 4 of this Policy.

The purpose of personal data processing is to enable the Gosta AI Operating System service to generate clinical note drafts from clinical consultation audio recordings and, where applicable, data retrieved from Electronic Health Record (EHR) systems.

For EEA users: The legal basis for processing is the patient or customer relationship with the data controller (Covered Entity / hospital) and the legal obligations imposed on the data controller to maintain a healthcare patient or customer register. More information can be found in the hospital’s privacy policy.

For U.S. users: Gosta Labs Oy processes PHI as a Business Associate under HIPAA, pursuant to a Business Associate Agreement with the Covered Entity. Processing of PHI is permitted to the extent necessary to perform the services described in the BAA and these Terms of Service. Gosta Labs Oy applies the minimum necessary standard to all uses and disclosures of PHI.

The Gosta AI Operating System service processes the following categories of personal data and, for U.S. users, Protected Health Information (PHI):

The Gosta AI Operating System does not store any data for a prolonged period. The service processes personal data until a clinical note draft is created, after which both the audio recording and the resulting transcript are automatically deleted. The created clinical note draft is temporarily stored in the healthcare provider user's browser, from where it is deleted when the staff user removes it or closes the browser.

A technical log is created from the use of the service. Gosta Labs Oy’s administrators access logs for troubleshooting only when necessary. More information about log retention periods can be found in the wellbeing area’s register description.

Gosta Labs Oy collects audit log data to ensure system security, integrity, and compliance with applicable obligations. Audit logs record system activity such as user actions and timestamps and are designed not to include patient personal data or clinical content.

Audit logs are retained for up to two (2) years for security monitoring, incident investigation, and accountability purposes.

The personal data and PHI processed by the service are based on:

Service users only have access to clinical note drafts of their own clients or patients. There is no access to the recordings of consultations or their resulting transcripts by professional users or patients. Only the professional user involved in the patient’s care has access to the clinical note draft or any other draft documentation.

Gosta Labs Oy may engage the following categories of subprocessors who may process personal data or PHI in connection with the service:

A current list of subprocessors that handle PHI is available upon request. Please contact [email protected].

The Gosta AI Operating System system stores data locally in the professional user’s browser until the professional user deletes the data. The data are automatically removed when the browser is closed.

The final client or patient clinical notes are transferred to the hospital’s client or patient information system, where they are retained for a longer period. The retention period and its basis are provided in the hospital’s privacy policy.

For U.S. users, PHI retention is governed by the applicable BAA and HIPAA’s minimum necessary and data retention requirements. Audio recordings and transcripts are deleted immediately after note generation. Technical and audit logs are retained for up to two (2) years.

For EEA healthcare provider customers, personal data are not transferred to any organization or party outside the European Economic Area, unless the individual EEA customer organization has agreed to specific cross-border transfers in the applicable data processing agreement.

For U.S. healthcare provider customers, PHI is processed and stored within the United States on U.S.-based cloud infrastructure, in accordance with the applicable BAA and HIPAA requirements. PHI of U.S. patients is not transferred to locations outside the United States without the prior authorization of the Customer and in accordance with applicable law.

Where personal data is processed by subcontractors or cloud providers across jurisdictions, Gosta Labs Oy ensures appropriate data transfer mechanisms are in place (e.g., Standard Contractual Clauses for EEA transfers, BAAs for U.S. PHI transfers).

The data subject has the right to access their personal data. The data subject can view their personal data in the same way as other client or patient records about them.

Since the Gosta AI Operating System does not store data for a prolonged period, data cannot be directly rectified by the Gosta AI Operating System or Gosta Labs Oy.

However, the data subject has the right to request the correction of inaccurate data transferred to the client or patient information system. Correction requests should be directed to the data controller (see the contact information in the privacy policy).

All PHI and personal data processed by the Gosta AI Operating System service are deleted automatically after user's Gosta session ends.

The right to erasure of data in the client or patient information system is determined according to the hospital’s register description.

The data subject has the right to request the restriction of the processing of their personal data. Such a request should be directed to the data controller. If the data subject does not permit the processing of their data, a manual entry is made in the client or patient information system.

The data controller is not obligated to provide the data contained in the service in a structured, commonly used, and machine-readable format to another data controller, as the service use is not based on the consent of the data subject.

The data subject has the right to lodge a complaint with a supervisory authority, particularly in the member state where their permanent residence or place of work is located or where the alleged violation occurred, if the data subject believes that the processing of their personal data infringes this regulation, without prejudice to any other appropriate administrative or judicial remedy.

Gosta Labs Oy generates anonymous, statistical information from service usage data for the continued development of the service (e.g., performance of language models used in the service or the number of characters edited by a professional user in a draft record). Individual users cannot be identified from the anonymous data. Such anonymous, aggregated data is not PHI and is not subject to GDPR or HIPAA.

In the U.S. only: Any use of data for AI model training or service improvement beyond anonymous aggregated analytics will be conducted only using data that has been de-identified in accordance with applicable standards (45 C.F.R. § 164.514 for PHI; equivalent anonymization standards for EEA personal data), or with explicit written consent from the applicable healthcare provider organization.

This Privacy Policy has been updated on 5th of June 2026: to include HIPAA privacy policy. There were no changes concerning European Union citizens/Gosta service users in EU/EEA.