Last Updated: April 13, 2026
This Privacy Policy describes how Wren Clinical LLC ("Wren Clinical," "we," "us"), a Washington limited liability company, collects, uses, and handles information when you use the Wren Clinical platform at app.wrenclinical.com (including its in-app session recorder) and the optional Wren Recorder browser extension (together, the "Platform").
Wren Clinical is a HIPAA Business Associate. Handling of Protected Health Information (PHI) submitted through the Platform is governed by the Business Associate Agreement, not this Privacy Policy. This Privacy Policy governs account information, usage data, and other non-PHI information we collect.
The categories of information described below (account, subscription and billing, usage, technical, and operational log data) contain no session content, no Client identifiers, and no Protected Health Information. PHI that you submit to the Platform is described separately in Section 4 and is governed by the Business Associate Agreement.
Account Information. When you create an account, we collect your name, email address, and practice name. This is processed through Clerk, our authentication provider.
Subscription and Billing Information. We collect information necessary to manage your subscription and calculate usage charges. Payment card data is processed and stored by Stripe; Wren Clinical does not store payment card numbers. The information Wren Clinical stores in connection with billing is limited to your Stripe customer identifier, your Stripe subscription identifier, the current billing period dates, and the state of the subscription (active, past due, canceled, etc.).
Usage Data. We log usage data for each interaction with our AI features, including the type of action taken (e.g., document generation, transcription), the AI model used, token or duration counts, the cost recorded at the time of the action, and timestamps. This data is associated with your account and is used for billing accuracy, platform monitoring, and aggregate analytics.
Customer Data You Submit. You may submit session audio (via the in-app recorder or the Wren Recorder browser extension), session transcripts, clinical notes, and other practice-related content to the Platform. The in-app recorder and Wren Recorder share the same back-end transcription and storage pipeline, so the handling described in this Policy applies equally to both. This content may constitute PHI and is governed by the Business Associate Agreement. See Section 4 for details on how this data is handled.
Technical Data. We may collect standard technical information such as browser type, IP address, and device information through our hosting infrastructure.
Operational Logs and Audit Trails. We maintain system-level logs and audit trails for operational security, billing reconciliation, and compliance. These include records of administrative actions (e.g., hard deletion requests processed, reconciliation cron results), logged with timestamps and actor identifiers.
We use information we collect to:
We do not sell your personal information. We do not use your information for advertising.
Wren Clinical uses Claude AI models provided by Anthropic via Amazon Web Services (AWS) Bedrock to generate clinical documentation drafts. Amazon Web Services is a HIPAA Business Associate with a signed BAA in force with Wren Clinical. Under our agreement with AWS, data sent to Bedrock is not retained by AWS or Anthropic and is not used to train AI models.
When you record a session — using either the in-app recorder or the Wren Recorder browser extension — audio is transmitted to AssemblyAI for transcription. AssemblyAI is a HIPAA Business Associate with a signed BAA in force with Wren Clinical. Wren Clinical and AssemblyAI do not retain your audio after transcription is complete, and do not use your audio or transcripts to train AI models.
Wren Clinical does not use your Customer Data — including session audio, transcripts, clinical notes, or generated documentation — to train, fine-tune, or improve any AI model.
Session Audio (in-app recorder and Wren Recorder). When you record a session, audio is uploaded over TLS to Wren Clinical's secure infrastructure and then transmitted to AssemblyAI for transcription. Upon successful transcription, audio is deleted immediately from both AssemblyAI and Wren Clinical's temporary storage. Audio chunks that fail to transcribe or are abandoned (for example, a browser tab closed mid-upload) are automatically and permanently deleted within three (3) days by an AWS S3 lifecycle rule, as a backstop.
Session Transcripts. Transcripts produced by AssemblyAI (or uploaded directly by you) are stored in encrypted form in your account. You may configure an automatic retention window on each transcript between a minimum of 2 days and a maximum of 30 days. If you do not change the setting, the default window is 8 days. Transcripts older than your configured window are automatically and permanently deleted from Wren Clinical's storage. Transcripts are immediately deleted from AssemblyAI's temporary storage at the time of transcription.
Chat with AI. Text you submit to Wren's chat feature is sent to AWS Bedrock for processing. Chat content is not retained in Wren Clinical's databases once a response has been produced, and the on-screen chat history exists only in your browser — it is cleared when you refresh the page or close the tab.
Saved Documents. Clinical notes and other documents you save to your Document Library are stored in encrypted form in your account storage (AWS S3, AES-256 encryption at rest, TLS in transit). Saved documents are retained while your account is active and are handled at account closure as described in Section 8.
Guides and Practice Instructions. Guide content and practice instructions you configure are stored in your account and are not PHI.
| Data Type | Where Stored | Retention |
|---|---|---|
| Account information | Clerk | Governed by Clerk's data retention policy |
| Session audio (in-app recorder and Wren Recorder) | AssemblyAI (transient) + AWS S3 (temporary) | Deleted immediately from both AssemblyAI and Wren Clinical upon successful transcription; abandoned or failed audio chunks deleted within 3 days by lifecycle rule |
| Saved transcripts | AWS S3 (encrypted) | User-configurable per transcript, 2–30 days, default 8 days |
| Saved documents | AWS S3 (encrypted) | Active account; handled at closure per Section 8 |
| Chat with AI | Browser only | Current browser session only — cleared on page refresh or tab close |
| Usage logs | AWS DynamoDB | Retained for billing, tax, and compliance purposes; no PHI |
| Operational logs and audit trails | AWS S3 / CloudWatch | Retained for compliance and security purposes; no PHI |
| Guides and practice instructions | AWS S3 (encrypted) | Active account; handled at closure per Section 8 |
We share data only as necessary to provide the Platform. Our current subprocessors are listed at wrenclinical.com/legal/subprocessors. Subprocessors that process PHI are required to execute a HIPAA-compliant Business Associate Agreement with Wren Clinical.
We do not share your personal information or Customer Data with third parties for their own marketing or commercial purposes.
We may disclose information if required by law, legal process, or government request, or to protect the rights, property, or safety of Wren Clinical, its users, or others.
Wren Clinical maintains administrative, physical, and technical safeguards to protect information we hold, including encryption at rest (AES-256) and in transit (TLS) for all stored Customer Data, strict logical tenant isolation, least-privilege access controls, and audit logging of administrative actions. Security measures applicable to PHI are described in the Business Associate Agreement.
No system is perfectly secure. If you become aware of a security issue, please contact us at support@wrenclinical.com.
In the event of a security breach affecting personal information of Washington residents (including therapist account or billing data), Wren Clinical will notify affected Washington residents in accordance with RCW 19.255.010 without unreasonable delay and no later than thirty (30) calendar days after discovery. Notifications will include our contact information, the types of personal information involved, the timeframe of exposure (including breach and discovery dates), and — where financial account information is involved — the toll-free contact numbers for the three major credit reporting agencies. If a breach affects more than 500 Washington residents, Wren Clinical will also notify the Washington State Attorney General's Office within thirty (30) days as required by RCW 19.255.010(8).
Access and Export. You may access and export your saved documents and guides at any time through your account.
Closure Initiated by You (Self-Cancel). You may close your account through your account settings. When you confirm closure, Wren Clinical prepares a ZIP export of your saved documents, guides, and non-expired transcripts, and provides a secure download link that expires fifteen (15) minutes after generation. Once the download link expires or you confirm the export has been downloaded, all of your Customer Data is permanently deleted and your Stripe subscription, if any, is cancelled with a final one-time invoice covering any unbilled usage.
Closure Initiated by Wren Clinical (Administrative Cancel). If Wren Clinical closes your account for operational or business reasons, we prepare a ZIP export and email you a secure download link that expires after seven (7) days. Once the link expires or is used, all of your Customer Data is permanently deleted and your Stripe subscription, if any, is cancelled with a final one-time invoice covering any unbilled usage.
Hard Deletion (on Request). You may request permanent hard deletion of your account at any time by emailing support@wrenclinical.com from the address associated with your account. Hard deletion removes all Customer Data, usage records tied to you, and account identifiers — it is complete and irreversible. Because no tombstone record is retained, we will not be able to verify that an account with your identifiers previously existed after the hard deletion is complete.
Auto-Closure of Abandoned Trials. Accounts whose 14-day free trial has expired and that have not started a paid subscription are automatically closed thirty (30) days after trial expiration.
Individual Document Deletion. You may delete individual transcripts, documents, or guides within your account at any time.
PHI Rights. Rights with respect to PHI (access, amendment, accounting of disclosures) are governed by the Business Associate Agreement and your obligations to your Clients under HIPAA.
The Washington My Health MY Data Act (MHMD Act) grants Washington residents rights with respect to consumer health data collected by entities with which they have a direct relationship.
Wren Clinical is a business-to-business platform. Our customers are licensed mental health professionals and practices, not their Clients. Wren Clinical does not collect health data directly from Clients. We have no direct relationship with the Clients of our customers, we do not know who those Clients are, and we have no ability to identify or respond to data requests from Clients.
Separately, the therapist account data that Wren Clinical collects directly (name, email address, practice name, authentication tokens, and usage metadata) is not "consumer health data" as defined by RCW 19.373.010 because it is not linked or reasonably linkable to any individual's past, present, or future physical or mental health status, and therefore falls outside the scope of the Washington My Health MY Data Act.
Wren Clinical separately publishes a Washington Consumer Health Data Privacy Policy to satisfy the publication requirement of RCW 19.373.020(1).
Rights with respect to Client Protected Health Information — including rights of access, amendment, and restriction — are governed by HIPAA and run against the therapist or practice that holds those records, not against Wren Clinical. Clients who wish to exercise rights with respect to their own clinical records should contact their therapist directly.
Wren Clinical does not sell consumer health data. We do not share consumer health data for advertising or marketing purposes. We do not use health data to serve targeted advertising.
If you are a Wren Clinical customer (a licensed provider or practice) and have questions about how we handle your account data, contact us at support@wrenclinical.com.
The Platform is intended for mental health professionals and supervised trainees. We do not knowingly collect information from individuals under 18.
Wren Clinical may update this Privacy Policy at any time by posting a revised version at wrenclinical.com/privacy. For material changes, Wren Clinical will provide at least 30 days' notice by email to the address associated with your account. Non-material changes such as clarifications or corrections take effect upon posting. Continued use of the Platform after the effective date of any update constitutes acceptance. If you do not agree to a material update, your sole remedy is to terminate your account before the effective date of the change.
Questions about this Privacy Policy may be directed to support@wrenclinical.com.