Privacy
Privacy Policy
Journalia AS ("Journalia", "we", "us") provides Journalia AI Scribe, an AI-powered clinical documentation platform for healthcare professionals across Europe. This Privacy Policy explains how we process personal data in compliance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and applicable national data protection laws in EU/EEA Member States.
1. Our role
Journalia acts in two distinct roles depending on the personal data being processed. Controller for: • Account information of healthcare professionals using the platform • Usage and technical data relating to use of the service • Customer support communications • Marketing and visits to our website Processor for: • Audio recordings from clinical consultations • Transcriptions generated from audio recordings • Clinical notes generated by the AI system When acting as Processor, we process personal data, which may include special categories of personal data (health data) within the meaning of Article 9(1) GDPR, strictly on the documented instructions of the healthcare organisation (our customer), which is the Controller. This relationship is governed by a Data Processing Agreement (DPA). Patients seeking to exercise rights regarding clinical data must contact the healthcare organisation directly.
2. Controller details
Journalia AS Norwegian organisation number: 932 953 735 Registered office: Oslo, Norway Email: hei@journalia.no Website: www.journalia.no
3. Categories of personal data
3.1 Where Journalia is the Controller • Account information: name, email address, employer, profession, licence type. • Usage data: features used, times of access, device type. • Technical data: IP address, browser type, operating system, system logs. • Support communications: content you send to us for support and follow-up. 3.2 Where Journalia is a Processor The following categories are processed solely on the documented instructions of the healthcare organisation: • Audio recordings: processed transiently during note generation; not stored persistently. • Transcriptions: text generated from audio recordings. • Clinical notes: structured drafts produced by the AI system, verified by the clinician before being entered into the medical record. These categories may include special categories of personal data within the meaning of Article 9(1) GDPR. The legal basis for such processing is determined and documented by the healthcare organisation as Controller, typically Article 9(2)(h) GDPR (provision of healthcare).
4. Purposes and legal bases
As Controller, we process personal data to: • Provide, administer, and give access to the service (performance of a contract, Art. 6(1)(b) GDPR) • Operate, secure, and improve the platform, and prevent abuse (legitimate interest, Art. 6(1)(f) GDPR) • Comply with legal and regulatory obligations (Art. 6(1)(c) GDPR) • Send relevant communications where lawful under consent or legitimate interest (Art. 6(1)(a) or (f) GDPR) As Processor, we process clinical personal data exclusively on the documented instructions of the healthcare organisation. The Controller determines the purposes and legal bases for that processing.
5. AI processing and automated decision-making
Journalia AI Scribe is a clerical documentation aid. It is CE-marked as a Class I medical device under Regulation (EU) 2017/745 (Medical Device Regulation, "MDR"). The system: • Uses AI to transcribe audio and generate structured drafts of clinical notes • Does not make clinical decisions, provide diagnoses, or recommend treatment • Always produces drafts which the clinician verifies and edits before entry into the medical record No decisions producing legal effects or similarly significantly affecting individuals are made on the basis of automated processing alone within the meaning of Article 22 GDPR. The clinician retains full professional responsibility for the content of the medical record. We do not use customer data to train AI models. Equivalent obligations are contractually imposed on our sub-processors. Where obligations under Regulation (EU) 2024/1689 (the EU Artificial Intelligence Act) apply to Journalia, we comply with them.
6. Retention
We do not retain personal data longer than necessary for the purposes for which it is processed. Specific retention periods vary depending on data type, contractual arrangements, and applicable regulatory requirements. Retention of clinical content (audio, transcriptions, notes) is determined by the healthcare organisation through the Data Processing Agreement.
7. Where personal data is processed
All processing of personal data takes place within the European Union and the European Economic Area (EU/EEA). We do not transfer personal data to third countries outside the EU/EEA without an adequate level of protection or appropriate safeguards under Chapter V GDPR.
8. Sub-processors
We engage selected sub-processors for hosting, infrastructure, AI inference, and transcription. All sub-processors: • Are bound by a written data processing agreement • Process personal data within the EU/EEA only • Cannot use the data for their own purposes • Cannot train their own AI models on customer data An up-to-date list of sub-processors is made available to customers through the Data Processing Agreement.
9. Data security
We have implemented technical and organisational measures appropriate to the risk under Article 32 GDPR, including: • Encryption in transit (TLS 1.2+) and at rest (AES-256) • Access control based on the principle of least privilege • Logging, monitoring and regular security assessments • CE marking of Journalia AI Scribe as a Class I medical device under Regulation (EU) 2017/745 (MDR) • Compliance with "Normen", the Norwegian Code of Conduct for information security and privacy in the healthcare sector, where applicable to Norwegian customers
10. Sharing of personal data
We do not sell personal data. We share personal data only: • With sub-processors as described in section 8 • With the healthcare organisation a customer is associated with, in respect of clinical data • Where required by law, court order, or order of a competent authority • With your explicit consent
11. Your rights
Where Journalia is the Controller, you have the following rights under the GDPR: • Right of access (Art. 15) • Right to rectification (Art. 16) • Right to erasure (Art. 17) • Right to restriction of processing (Art. 18) • Right to data portability (Art. 20) • Right to object to processing based on legitimate interest (Art. 21) • Right to withdraw consent at any time, where applicable (Art. 7(3)) Requests should be sent to hei@journalia.no. We will respond within the time limits set out in Article 12(3) GDPR. Where Journalia acts as a Processor, requests concerning clinical data should be addressed to the healthcare organisation that is the Controller. We will assist the healthcare organisation in responding to such requests in accordance with Article 28(3)(e) GDPR.
12. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR (Art. 77 GDPR). For data subjects in Norway, the competent supervisory authority is the Norwegian Data Protection Authority (Datatilsynet, datatilsynet.no). Contact details for supervisory authorities in other EU/EEA Member States are available via the European Data Protection Board (edpb.europa.eu).
13. Cookies
We use cookies and similar technologies on our website to deliver the service, analyse usage, and remember preferences. • Strictly necessary cookies: required for the service to function (no consent required). • Analytics cookies: help us understand how users interact with the service (consent required). • Preference cookies: remember settings such as language and theme (consent required). You may change your consent at any time through the cookie settings on our website.
14. Changes to this Policy
We may update this Privacy Policy to reflect changes in the service, applicable law, or our practices. Material changes will be notified through the service or by email. We recommend that you review this Policy periodically.
15. Contact
Email: hei@journalia.no Postal address: Journalia AS, Oslo, Norway
Last updated: 28 April 2026