Privacy Policy

Last Updated: March 11, 2026

Amstiel LLC ("Amstiel," "we," "us," or "our") operates the SageScript platform and the Gregory desktop application (collectively, the "Products"). This Privacy Policy describes how we collect, use, disclose, and protect information when you visit our website at amstiel.com or use our Products.

We are committed to protecting the privacy and security of your information. This commitment is reflected in our technical architecture, our data handling practices, and our compliance with applicable privacy and security regulations, including the Health Insurance Portability and Accountability Act ("HIPAA") where applicable.

Our Products have different data models. SageScript is a cloud-based platform hosted on Microsoft Azure. Gregory is a locally installed desktop application that runs entirely on the user's Windows machine. This Privacy Policy addresses both Products and notes where their data handling differs.

1. Information We Collect

Information You Provide

Account Information. When you create an account for SageScript, we collect your name, email address, firm name, and contact information. Gregory does not require an account and does not transmit account information to Amstiel.

Customer Data (SageScript). When you use SageScript, you may upload audio dictation files and other content for processing. This may include Protected Health Information (PHI) subject to HIPAA. Customer shall not upload PHI to SageScript until a Business Associate Agreement has been executed between Customer and Amstiel.

Customer Data (Gregory). Gregory collects data locally on the user's Windows machine to provide its time tracking functionality. This includes application window titles, application focus and switching events, matter associations made by the user, and time entry records. This data is stored entirely on the local device and is never transmitted to Amstiel or any third party.

Contact Form Submissions. When you submit our demo request form, we collect your name, firm name, email address, phone number, and any additional information you provide.

Payment Information. Payment processing is handled by Stripe, Inc. We do not directly collect or store credit card numbers or bank account details.

Communications. We collect information from communications you send to us, including emails and support requests.

Information Collected Automatically

Usage Data (SageScript). We may collect information about how you interact with SageScript, including features used and actions taken. This data is collected through Azure Application Insights and is used to improve the Product and diagnose technical issues. Usage data is not linked to Customer Data or PHI.

Usage Data (Gregory). Gregory does not collect or transmit usage analytics to Amstiel. All data generated by Gregory remains on the local device.

License Validation (Gregory). Gregory performs local license validation using DPAPI-based license keys. License validation occurs entirely on-device and does not communicate with external servers.

Device and Browser Information. When you use SageScript or our website, we may collect device type, browser type, operating system, and IP address for security and analytics purposes. Gregory does not transmit device information to Amstiel.

Cookies and Similar Technologies. Our website and SageScript may use cookies and similar technologies for session management, authentication, and analytics. We use Azure Application Insights for performance monitoring, which may place cookies on your device. We do not use advertising cookies or third-party tracking cookies. Gregory does not use cookies.

2. How We Use Your Information

Providing the Products. For SageScript: processing audio dictations, generating formatted documents, and delivering the core functionality of the platform. For Gregory: all processing occurs locally on the user's device; Amstiel does not access, process, or receive Gregory data.

Account Management. Creating and managing your SageScript account, authenticating users, and providing customer support.

Communication. Responding to your inquiries, sending service-related notifications, and providing information you request.

Improvement. Analyzing SageScript usage patterns to improve the Product. We do not use Customer Data or PHI for this purpose. We do not receive or analyze Gregory usage data.

Security. Detecting, preventing, and responding to security incidents, fraud, and technical issues related to SageScript and our website.

Legal Compliance. Complying with applicable laws, regulations, and legal processes.

3. AI Processing and Data Retention

3.1 Zero Data Retention on AI Processing (SageScript)

Audio files submitted to SageScript for transcription and formatting are processed using AI services hosted on Microsoft Azure. We maintain a zero data retention policy on AI processing: dictation content is not retained after processing is complete. Audio and transcription data are not stored for model training, analytics, or any purpose other than delivering the immediate processing result to the Customer.

AI models operate in a stateless manner and do not retain or learn from Customer Data. Each processing request is independent. Processed outputs remain entirely within the Customer's tenant and are not accessible to other customers or used to improve AI models.

3.2 Local Data Processing (Gregory)

Gregory performs all data processing locally on the user's Windows machine. No audio, text, or time tracking data is transmitted to Amstiel servers, cloud services, or any third party. Gregory does not use AI processing, cloud APIs, or external services. All time tracking data, matter associations, and generated reports remain under the sole control of the user on their local device.

3.3 Document Integrity (SageScript)

SageScript performs formatting and structural organization of dictated content only. The Product does not generate, add, remove, or alter the substantive content of Customer Data. SageScript structures and formats the dictated content into a legal document but does not produce original medical, legal, or factual content.

3.4 Document and Data Storage

SageScript. Formatted documents generated by SageScript are stored in our database to enable Customer access, review, editing, and download. These documents are stored using encryption at rest and are accessible only to the Customer and its Authorized Users.

Gregory. Time entries, matter data, and exported reports are stored locally on the user's device. Amstiel does not have access to this data. Data retention and deletion are entirely under the user's control.

3.5 PHI Access Minimization

For SageScript, access to Protected Health Information is limited to authorized systems and personnel with a documented business need. All access to PHI is logged. Amstiel employees do not access Customer Data or PHI except as necessary to provide the Product, troubleshoot issues at Customer's request, or comply with legal obligations.

Gregory does not transmit PHI or any other data to Amstiel. If Customer Data processed by Gregory contains PHI, that data remains entirely on the local device under the Customer's control and security policies.

3.6 Data Deletion

SageScript. Customers may delete their documents at any time through the Product. Upon account termination, Customer Data is deleted from production systems after the thirty (30) day export period described in our Terms of Service. Customer Data contained in automated backups is purged in accordance with the backup retention schedule, not to exceed ninety (90) days. Deleted data is not recoverable from backups after the retention period expires.

Gregory. Users may delete time entries, matter data, and exported reports at any time through the application or by removing files from their local device. Upon uninstallation, users may remove all Gregory data from their machine. Amstiel has no ability to access, retain, or recover locally stored Gregory data.

4. How We Share Information

We do not sell, rent, or trade your personal information or Customer Data. We may share information only in the following circumstances:

Service Providers (Subprocessors). We use third-party service providers to operate SageScript. Amstiel maintains a current list of Subprocessors and will provide this list to Customer upon request. Current Subprocessors include:

Gregory does not use Subprocessors and does not transmit data to any third party.

HIPAA Business Associates. Subprocessors that access or process PHI through SageScript are covered under Business Associate Agreements as required by HIPAA. Amstiel will notify Customers at least thirty (30) days prior to engaging any new Subprocessor that will have access to PHI.

Legal Requirements. We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Amstiel, our customers, or others. This applies only to information in Amstiel's possession (i.e., SageScript data and account information). Amstiel does not possess Gregory data and therefore cannot disclose it.

Business Transfers. In connection with a merger, acquisition, or sale of assets, Customer information in Amstiel's possession may be transferred to the acquiring entity, subject to the terms of this Privacy Policy.

5. Data Security

We implement and maintain administrative, physical, and technical safeguards designed to protect your information.

SageScript Security

Gregory Security

While we implement commercially reasonable security measures, no method of electronic transmission or storage is completely secure.

6. HIPAA Compliance

To the extent that Customer Data includes Protected Health Information as defined under HIPAA, Amstiel acts as a Business Associate with respect to SageScript. Our obligations regarding PHI are governed by the Business Associate Agreement executed between Amstiel and the Customer, which supplements this Privacy Policy. In the event of any conflict between this Privacy Policy and the BAA regarding the handling of PHI, the BAA shall control.

Gregory does not transmit PHI to Amstiel. If Gregory is used in an environment where it may capture PHI-related information in window titles or application data, that information remains on the local device under the Customer's control. Amstiel is not a Business Associate with respect to Gregory data, as Amstiel does not create, receive, maintain, or transmit PHI through Gregory.

6.1 Breach Notification

In the event of a breach of unsecured Protected Health Information related to SageScript, Amstiel shall notify the affected Customer without unreasonable delay and in no event later than sixty (60) calendar days after discovery of the breach. Notification shall include, to the extent known: a description of the nature of the breach, the types of information involved, the date of the breach and the date of discovery, a description of the steps Amstiel is taking to investigate and mitigate harm, and contact information for further inquiries. The parties' respective obligations regarding breach notification are further detailed in the BAA.

7. Data Retention

Account Information. Retained for the duration of the Customer's account and for a reasonable period thereafter.

Customer Data — SageScript (Documents). Retained until deleted by the Customer or for thirty (30) days following account termination, after which it is deleted from production systems. Automated backups containing Customer Data are purged within ninety (90) days.

Customer Data — Gregory. Retained locally on the user's device until deleted by the user. Amstiel has no control over or access to Gregory data retention.

Audio Files (SageScript). Not retained after AI processing is complete.

Usage Data. Retained in aggregated, de-identified form for analytics and service improvement purposes (SageScript only).

Contact Form Submissions. Retained for as long as necessary to respond to your inquiry and for reasonable business purposes.

8. Your Rights and Choices

Access and Export. You may access and export your SageScript Customer Data through the platform at any time. Documents may be exported in DOCX format. Gregory data may be exported as PDF, CSV, or LEDES format directly from the application.

Deletion. You may delete individual documents through SageScript. You may delete time entries and data through Gregory. You may request deletion of your SageScript account by contacting us. Deleted SageScript data is purged from production systems promptly and from automated backups within the backup retention period.

Correction. You may update your SageScript account information through the platform or by contacting us. Gregory data may be edited directly in the application.

Communications. You may opt out of non-essential communications by contacting us. Service-related communications cannot be opted out of.

To exercise any of these rights, contact us at privacy@amstiel.com.

9. Third-Party Services

SageScript may contain links to third-party websites or integrate with third-party services. Gregory does not integrate with or transmit data to third-party services. This Privacy Policy does not apply to third-party services, and we are not responsible for their privacy practices.

10. Children's Privacy

Our Products are not directed to individuals under the age of 18. We do not knowingly collect personal information from children.

11. Changes to This Privacy Policy

Material changes will be communicated to Customers via email or through the applicable Product at least thirty (30) days prior to taking effect.

12. Security

To report a security vulnerability or concern, contact security@amstiel.com. We take all reports seriously and will respond promptly.

13. Contact Us

Amstiel LLC · Lutz, Florida
Privacy: privacy@amstiel.com
Security: security@amstiel.com
General: legal@amstiel.com
Web: amstiel.com