Spruce Patient Inviter — Chrome Extension
Last updated: February 6, 2026
Summary: This extension processes screenshots locally in your browser. Patient data extracted from screenshots is sent only to OpenAI (for AI extraction) and Spruce Health (for invitation delivery). No data is collected, stored, or transmitted to any other party. All credentials and deduplication records remain on your device.
1. What Data We Process
When you click "Scan Patients," the extension:
Captures a screenshot of your current browser tab (requires the activeTab permission).
Sends the screenshot to the OpenAI API for AI-powered text extraction of patient names, phone numbers, and email addresses.
Searches Spruce Health to check if a patient already has an account or pending invitation.
Creates contacts and sends invitations on Spruce Health for patients you select.
2. Where Data Is Sent
OpenAI API (api.openai.com) — Screenshot images are sent for AI extraction. Covered by a HIPAA Business Associate Agreement (BAA) with zero data retention configured.
Spruce Health API (via spruce-proxy.cff-704.workers.dev) — Patient name, phone, and email are sent to create contacts and deliver invitations. Spruce Health is HIPAA-compliant.
No data is sent to any other servers, analytics services, or third parties.
3. What Is Stored Locally
The extension stores the following in Chrome's local storage (chrome.storage.local), which remains on your device only:
API credentials: Your OpenAI API key, Spruce API key, and Internal Endpoint ID.
Deduplication records: A list of previously invited patient phone numbers, emails, and names to prevent duplicate invitations.
This data is never transmitted to any external server. It is removed if you uninstall the extension.
4. Permissions Used
activeTab — Allows the extension to capture a screenshot of the currently active tab when you click "Scan Patients." Only activates when you explicitly click the button.
storage — Stores your API credentials and deduplication data locally on your device.
5. HIPAA Compliance
This extension is designed for use in healthcare settings with HIPAA compliance in mind:
OpenAI API is used under a Business Associate Agreement (BAA) with zero data retention.
Spruce Health is a HIPAA-compliant healthcare communication platform.
No patient data is stored on external servers beyond what Spruce Health requires for invitation delivery.
All credentials and deduplication records are stored on-device only.
6. Data Retention
Screenshots: Processed in-memory only. Never saved to disk or any server.
AI extraction: OpenAI processes with zero data retention (no training, no logging under BAA).
Local dedup records: Persist until you uninstall the extension or clear Chrome extension data.
7. Your Rights
You can:
View your stored data via Chrome's developer tools (Extensions > Storage).
Delete all stored data by uninstalling the extension.
Remove your API credentials at any time via the extension's Settings page.
8. Contact
For questions about this privacy policy or the extension's data practices, contact: