Capital Typing Privacy Policy

Effective Date: April 17, 2026 Last Updated: April 17, 2026

Introduction

When you use our services, you are trusting us with sensitive information — whether that is a medical dictation, a legal deposition, an academic interview, a customer service inquiry, or business data we process on your behalf. We take that responsibility seriously.
This Privacy Policy is designed to help you understand what information Capital Typing ("Capital Typing," "we," "us," or "our") collects, why we collect it, how we use and protect it, and the choices and rights you have with respect to that information. We have written it in plain language wherever possible and included a glossary of key terms at the end.
This policy applies to:

• The Capital Typing website at capitaltyping.com and any of its subdomains;
• Our mobile applications, including any apps we publish on the Google Play Store or Apple App Store;
• Our transcription, data entry, translation, virtual secretarial, and online customer support services (collectively, the "Services"); and
• Any communications you have with us by email, phone, chat, or postal mail.
• If you have questions about this policy, or you want to exercise any of the rights described in it, you can contact us using the information at the end of this page.

Who We Are

Capital Typing is a U.S.-based business process outsourcing company founded in 2002 and headquartered in Williston, South Carolina. We provide transcription services (medical, legal, academic, corporate, insurance, media, and general), data entry and data processing, language translation, online customer support, and virtual secretarial services to clients in the United States and internationally.
Because our work often involves confidential third-party material — patient records, legal testimony, corporate communications, research data — our business depends on maintaining strict confidentiality, regulatory compliance, and information security. This policy reflects that.

Information We Collect

The types of information we collect depend on how you interact with us. The main categories are: (1) information you provide directly, (2) information we collect automatically when you visit our website or use our app, (3) client content submitted for processing, and (4) information we receive from third parties.
Information you provide to us
You may provide information to us directly when you:

• Request a quote or fill out a contact form on our website;
• Create a client account or portal login;
• Sign a services agreement, statement of work, confidentiality agreement, or Business Associate Agreement;
• Upload files for transcription, data entry, or translation;
• Apply to work for us as a transcriptionist, translator, or virtual assistant;
• Communicate with us by email, phone, live chat, or mail;
• Submit payment for services; or
• Subscribe to newsletters or service updates.

The information you provide typically includes your name, business name, title, mailing address, billing address, email address, phone number, payment information (processed through our payment provider), and the content of your communications with us.

Information we collect automatically

When you visit our website or use our mobile applications, we automatically collect limited technical information that is generated by your browser or device. This includes:

• Log data — IP address, browser type and version, operating system, referring and exit pages, pages viewed, the date and time of each request, and the length of each visit.
• Device information — device model, operating system version, unique device identifiers, mobile network information, and crash or diagnostic data from our apps.
• Usage information — the features you interact with, the files you upload or download, and error messages you encounter.
• Location information — an approximate geographic location derived from your IP address. We do not collect GPS-level location data from our website, and our mobile apps request location permissions only where a specific feature requires it.

Client content

In the course of delivering our Services, we receive content that you or your organization submits for processing. Depending on the project, this can include audio recordings, video recordings, scanned documents, images, spreadsheets, databases, mailing lists, forms, survey responses, customer correspondence, and other materials.
This content may contain personal information about third parties — for example, patients referenced in a medical dictation, witnesses in a legal recording, or participants in an academic interview. We treat all such content as strictly confidential and process it only for the purpose the client has engaged us to perform.
 

Information from third parties

In limited circumstances, we may receive information about you from third parties, such as:

• A referral source who recommends our Services to you;
• A shared client or channel partner who engages us jointly with another vendor;
• Payment processors who confirm the status of a transaction;
• Background-check providers and reference-check contacts (for job applicants); and
• Publicly available sources such as business directories, when we verify a prospective client's contact information.

Cookies and similar technologies

Our website uses cookies and similar technologies (such as pixel tags and local storage) to recognize your browser, remember your preferences, measure traffic, and improve site performance. You can read more about how we use these technologies in the Cookies and Tracking Technologies section below.

How We Use Information

We use the information we collect for a limited set of business and operational purposes. Unlike many online services, we do not use your information for advertising, profiling, or personalized marketing, and we do not sell your personal information or client content to anyone.

To deliver the Services

The primary reason we collect information is to deliver the Services you or your organization have requested. This includes processing the files you upload, routing work to qualified transcriptionists or other team members, returning completed work to you, and providing customer support throughout the engagement.
 

To communicate with you

We use your contact information to respond to inquiries, provide project updates, send invoices and receipts, notify you of changes to our Services or policies, and deliver service-related communications such as security alerts. If you have opted in, we may also send occasional newsletters or updates about our Services; you can unsubscribe at any time.
 

To process payments

We use your billing information to process payments for services, issue refunds when applicable, and maintain accurate financial records. Payment card details are handled by PCI-compliant third-party payment processors and are not stored on our own servers.

To maintain, secure, and improve our Services

We use log data, usage information, and diagnostic data to monitor the reliability of our website and apps, detect and prevent fraud or abuse, diagnose technical issues, and improve our systems over time. We analyze aggregated, de-identified data to understand how our services are used and where we can make them better.
 

To comply with legal and contractual obligations

We use information as needed to comply with applicable laws, regulations, court orders, and contractual obligations — including tax and accounting requirements, responses to valid legal process, and our obligations under signed agreements such as Business Associate Agreements or confidentiality agreements.
 

To protect Capital Typing, our clients, and the public

We use information to protect the security, integrity, and availability of our Services, detect and investigate fraud or abuse, enforce our terms of service, and protect the rights, property, and safety of Capital Typing, our clients, our employees, and the public.

HIPAA and Protected Health Information

Capital Typing provides medical transcription and related healthcare-adjacent services. When we handle Protected Health Information ("PHI") on behalf of a HIPAA Covered Entity (or another Business Associate), we act as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the HITECH Act and implemented in 45 CFR Parts 160 and 164.
 

Business Associate Agreements

Before we begin any engagement involving PHI, we require a signed Business Associate Agreement (BAA) with the Covered Entity or upstream Business Associate. The BAA sets out each party's responsibilities for safeguarding PHI, breach notification, permitted uses and disclosures, subcontractor obligations, return or destruction of PHI at termination, and each party's compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Healthcare clients who need a BAA before engaging us may request one at any time using the contact information below.
 

Safeguards for PHI

Our HIPAA safeguards are designed to meet the Security Rule's requirements for administrative, physical, and technical protections.

• Administrative safeguards. We maintain written HIPAA policies and procedures, a designated Privacy Officer and Security Officer, documented workforce training, role-based access controls, sanction policies for workforce violations, periodic risk assessments, and signed confidentiality agreements with every workforce member and subcontractor who may come into contact with PHI.
• Physical safeguards. Access to facilities and workstations where PHI is processed is restricted to authorized personnel. Devices used to process PHI are managed, secured, and inventoried. Paper records, when they exist, are stored in locked locations and shredded upon disposal.
• Technical safeguards. PHI is transmitted over encrypted channels and stored in encrypted form. We use multi-factor authentication, strong password policies, audit logging, automatic session timeouts, and secure deletion procedures. We do not permit PHI to be processed on unsecured personal devices.
• Subcontractor management. Any subcontractor who handles PHI on our behalf must sign a downstream Business Associate Agreement with us and meet the same safeguards that apply to Capital Typing.
• Breach notification. In the event of a suspected or confirmed breach of unsecured PHI, we will notify the affected Covered Entity without unreasonable delay and within the timelines required by HIPAA and the BAA, and we will cooperate in any resulting investigation, notification, or mitigation.

Permitted uses and disclosures

We use and disclose PHI only as necessary to perform the Services under the BAA, as required by law, and for limited business-operations purposes expressly permitted by HIPAA. We do not use PHI for marketing, we do not sell PHI, and we do not use PHI to train artificial intelligence systems for any purpose other than delivering the Services the client has engaged us to perform.
 

Minimum necessary

Consistent with HIPAA's minimum-necessary standard, we limit access to PHI to the specific workforce members who need it to perform an assigned task, and we limit the PHI disclosed to the minimum reasonably necessary to accomplish the intended purpose.

Other Regulatory Frameworks

Depending on the type of work a client engages us to perform, other confidentiality and privacy frameworks may apply in addition to, or instead of, HIPAA. We take these obligations seriously and enter into appropriate agreements where required.

• Attorney-client privilege and legal work product. For legal transcription and legal data entry, we treat all materials as confidential attorney work product and can sign confidentiality and non-disclosure agreements tailored to the firm's requirements.
• Gramm-Leach-Bliley Act (GLBA). For financial-sector clients, we can support safeguards consistent with the GLBA Safeguards Rule.
• Family Educational Rights and Privacy Act (FERPA). For academic clients processing student education records, we can execute agreements consistent with FERPA's school-official exception.
• State consumer privacy laws. We comply with applicable obligations under the California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), and similar state laws as they take effect.
• GDPR and UK GDPR. For clients in the European Economic Area and the United Kingdom, we can act as a data processor under Article 28 data processing agreements and support Standard Contractual Clauses for international transfers where required.

How We Share Information

We share information only as needed to operate our business and deliver our Services. We do not sell personal information, and we do not rent, trade, or otherwise disclose it to third parties for their own marketing purposes.
 

With authorized personnel and contractors

We share information internally with the Capital Typing employees and contractors who need it to perform their role — transcriptionists, editors, project managers, account managers, billing staff, and IT/security personnel. All personnel are bound by written confidentiality obligations, receive role-appropriate training, and, where applicable, are covered by downstream Business Associate Agreements.
 

With service providers and subprocessors

We use a limited set of third-party service providers to support our operations. These include:

• Cloud hosting and infrastructure providers that host our website, client portals, and storage;
• Secure file transfer providers used to receive and deliver client files;
• Communications providers for email, telephony, and customer support;
• Payment processors for billing and collections;
• Accounting and bookkeeping providers;
• Cybersecurity providers that help us detect and prevent threats; and
• Professional advisors such as lawyers, auditors, and insurers.

Each provider is bound by contractual privacy and security obligations, and providers who handle PHI sign a Business Associate Agreement with us. A current list of subprocessors is available to clients on request.
 

For legal reasons

We may disclose information when we have a good-faith belief that disclosure is necessary to:

• Comply with applicable law, regulation, subpoena, court order, or other valid legal process;
• Cooperate with law enforcement or regulatory authorities;
• Enforce our agreements, terms of service, or policies;
• Detect, prevent, investigate, or respond to fraud, security threats, or technical issues; or
• Protect the rights, property, or safety of Capital Typing, our clients, our employees, or the public.

Where we are legally permitted to do so, we will notify the affected client before producing their information in response to legal process, so that they have an opportunity to object or seek a protective order.
 

In connection with a business transaction

If Capital Typing is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of its business or assets, information may be transferred to the successor or acquiring party as part of that transaction. Any successor will be bound by this Privacy Policy (or a successor policy providing equivalent protections), and affected clients will be notified before their information becomes subject to a materially different privacy policy.
 

With your consent

We may share information in other circumstances with your consent or at your direction — for example, when you ask us to send a completed transcript to a third party on your behalf.

Data Security

We maintain administrative, technical, and physical safeguards designed to protect personal information and client content against loss, misuse, and unauthorized access, disclosure, alteration, or destruction. These safeguards include:

• Encryption. We use industry-standard encryption for data in transit (TLS) and for data at rest where applicable. Client files are transferred through encrypted channels.
• Access controls. Access to systems and data is granted on a role-based, least-privilege basis, enforced by unique user accounts, strong passwords, and multi-factor authentication where appropriate.
• Workforce training and confidentiality. Every member of our workforce completes confidentiality and information-security training and signs a confidentiality agreement. Personnel handling PHI receive HIPAA-specific training.
• Secure workstations. Workstations used to process client content are configured and managed to meet our security standards.
• Monitoring and logging. We log access to systems that process sensitive information and periodically review logs for anomalies.
• Incident response. We maintain a written incident-response plan and conduct exercises to validate it.
• Vendor management. Third-party providers that handle personal information or client content are assessed for security and bound by contractual obligations, including, where applicable, Business Associate Agreements.

No system is perfectly secure, and we cannot guarantee absolute security. However, we work continuously to strengthen our safeguards and to respond promptly to any incident that does occur.

Data Retention

We retain information only as long as necessary to deliver the Services, meet our legal and contractual obligations, resolve disputes, and enforce our agreements. Specific retention periods depend on the type of information and the applicable client contract.

• Client content (files submitted for processing). Unless a client instructs us otherwise or a contract requires a different period, we delete client source files and completed work products from our active systems within a defined period after project completion, typically 30 to 90 days. PHI is handled in accordance with the applicable BAA and is returned or destroyed at the end of the engagement.
• Account and contact records. We retain client account and contact information for the duration of the business relationship and for a reasonable period afterward to support recurring engagements, resolve disputes, and meet recordkeeping requirements.
• Billing and tax records. We retain financial records for the period required by applicable tax and accounting laws (typically seven years in the United States).
• Employment and contractor records. We retain records relating to our workforce for the period required by applicable employment laws.
• Website logs and diagnostic data. We retain server logs and diagnostic data for a limited period (typically 30 to 180 days) for security and troubleshooting purposes.
• Backups. Data that has been deleted from our active systems may persist in encrypted backups for a limited additional period before it is overwritten as part of our normal backup rotation.

When we no longer need information, we delete it or, where appropriate, de-identify it so it can no longer be associated with you.

Your Rights and Choices

Depending on where you live and the nature of your relationship with us, you may have specific rights with respect to your personal information. We honor these rights regardless of whether the law technically requires us to do so in your particular case.
 

Access, correction, and deletion

You have the right to request access to the personal information we hold about you, to request that we correct inaccurate information, and — subject to certain legal and contractual exceptions — to request that we delete it. Where we act as a service provider or processor for a client (for example, handling PHI under a BAA or personal data under a GDPR Article 28 agreement), we will direct such requests to the client, who is the controller of that information.
 

Portability

You have the right to request a copy of your personal information in a structured, commonly used, machine-readable format.
 

Objection and restriction

You have the right to object to, or request that we restrict, certain types of processing, such as direct marketing.
 

Withdrawal of consent

Where we rely on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that took place before the withdrawal.
 

California residents

California residents have additional rights under the CCPA/CPRA, including the right to know what categories of personal information we have collected, the right to request deletion, the right to correct inaccurate information, the right to opt out of the "sale" or "sharing" of personal information (we do not sell or share personal information as those terms are defined in the CCPA), and the right to limit the use of sensitive personal information. California residents also have the right not to be discriminated against for exercising these rights.
 

Residents of Virginia, Colorado, Connecticut, Utah, and other U.S. states with comprehensive privacy laws

Residents of these states have rights similar to those described above, including the right to access, correct, delete, and obtain a portable copy of their personal information, and to opt out of targeted advertising, the sale of personal data, and certain profiling activities.
 

European Economic Area, United Kingdom, and Switzerland

Residents of the EEA, UK, and Switzerland have rights under the GDPR and UK GDPR, including the rights described above as well as the right to lodge a complaint with a supervisory authority.
 

Submitting a request

To exercise any of these rights, contact us using the information at the end of this policy. We will respond within the timeframes required by applicable law. To protect your information, we may need to verify your identity before fulfilling certain requests. You may also designate an authorized agent to make a request on your behalf, subject to reasonable verification.

Cookies and Tracking Technologies

We use cookies and similar technologies on our website to support core functionality, remember your preferences, and understand how visitors use the site. The main categories are:

• Strictly necessary cookies, which are required for the website to function (for example, maintaining a session while you are logged in to a client portal);
• Preference cookies, which remember choices you have made, such as language;
• Analytics cookies, which help us understand aggregate traffic patterns and improve the site; and
• Security cookies, which help us detect and prevent fraud and abuse.

We do not use advertising or cross-site tracking cookies on capitaltyping.com.
You can control cookies through your browser settings. Most browsers allow you to refuse or delete cookies, though doing so may affect certain features of the site. Many browsers also honor "Do Not Track" and Global Privacy Control (GPC) signals, and we treat a GPC signal from a California resident as a valid opt-out of the sale or sharing of personal information.

Mobile Applications

Our mobile applications collect only the information needed to deliver their stated functionality. Each app discloses, at the point of collection, the specific permissions it requests (such as microphone access for dictation recording, or storage access for uploading files), and you can revoke those permissions through your device settings at any time.
We do not integrate advertising SDKs or cross-app tracking into our mobile applications, and we do not share app data with advertising networks. Our Google Play Data Safety disclosures reflect the specific data practices of each app version and are updated when those practices change.

Children's Privacy

Our Services are intended for business and adult use. We do not knowingly collect personal information from children under the age of 13 (or the equivalent minimum age in the relevant jurisdiction). If we learn that we have collected personal information from a child in violation of applicable law, we will delete it promptly. If you believe a child has provided us with personal information, please contact us using the information below.
Note that our clients may engage us to process content — such as academic recordings — that includes information about children. In those engagements, we rely on the client's representation that any required parental consent or other legal basis for processing has been obtained.

International Data Transfers

Capital Typing is based in the United States, and our primary systems and personnel are located in the United States. Some of our workforce and service providers are located in other countries. If you are located outside the United States, your information will be transferred to, stored in, and processed in the United States and potentially other countries where our service providers operate.
Data protection laws vary across jurisdictions. When we transfer personal data internationally, we rely on appropriate legal transfer mechanisms where required — such as the Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Agreement, and equivalent instruments — and we apply the safeguards described in this policy regardless of where the information is processed.

Third-Party Links and Services

Our website and apps may contain links to third-party websites, services, or resources that are not operated by Capital Typing. This Privacy Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party service before providing your information to it.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our Services, or applicable law. When we do, we will revise the "Last Updated" date at the top of this page. If the changes are material, we will provide a more prominent notice — for example, by posting a banner on our website or, where appropriate, by emailing clients directly. We encourage you to review this policy periodically.
We will not reduce your rights under this Privacy Policy without your explicit consent where such consent is required by applicable law.

How to Contact Us

If you have questions about this Privacy Policy, want to exercise any of your rights, need a Business Associate Agreement for HIPAA-regulated work, or want to report a potential privacy or security concern, please contact us:
Capital Typing 
Attn: Privacy Officer PO Box 275 Williston, SC 29853 United States
Phone: 1-800-784-9402 Email: [email protected]
We will respond to privacy inquiries within a reasonable time and, where required by law, within the specific deadlines applicable to your request.

Key Terms

Business Associate. Under HIPAA, a person or entity that performs functions or activities on behalf of a Covered Entity that involve the use or disclosure of Protected Health Information.
Business Associate Agreement (BAA). A written contract between a Covered Entity and a Business Associate (or between Business Associates) that satisfies HIPAA's requirements for safeguarding PHI.
Client content. Audio, video, documents, images, data, and other materials that clients submit to us for processing as part of the Services.
Controller. Under data protection laws such as the GDPR, the party that determines the purposes and means of processing personal data. Our clients are typically the controllers of information they send us for processing.
Cookie. A small text file placed on your device by a website, which can be used to remember preferences, maintain a session, or measure traffic.
Covered Entity. Under HIPAA, a health plan, health care clearinghouse, or health care provider that transmits health information electronically in connection with certain transactions.
Personal information. Information that identifies, relates to, describes, or could reasonably be linked with a particular individual, directly or indirectly. The precise legal definition may vary by jurisdiction.
Processor. Under data protection laws such as the GDPR, the party that processes personal data on behalf of a controller. Capital Typing typically acts as a processor with respect to client content.
Protected Health Information (PHI). Individually identifiable health information that is transmitted or maintained in any form by a Covered Entity or Business Associate, as defined by HIPAA.
Services. Our transcription, data entry, translation, virtual secretarial, and online customer support services.
Subprocessor. A third party that processes personal information on behalf of Capital Typing in connection with our delivery of the Services.
Unique identifier. A string of characters that can be used to uniquely identify a browser, app, device, or account.