# Notelyx — Privacy Policy

Effective Date: [DATE]
Last Updated: [DATE]

## Introduction
Serno ("Notelyx," "we," "us," or "our") operates the Notelyx AI-assisted clinical note drafting platform for licensed therapists. This Privacy Policy describes how we collect, use, disclose, and safeguard information about:
- Subscribers — licensed therapists and practices who use the Service;
- End Users — staff who access the Service under a Subscriber's account;
- Visitors — individuals who visit our marketing website at notelyx.app.
This Privacy Policy does not govern Protected Health Information ("PHI") submitted to the Service by Subscribers on behalf of their patients. PHI is governed by the Business Associate Agreement (BAA) executed between Notelyx and each Subscriber, and by applicable HIPAA regulations (45 CFR Parts 160 and 164).
## 1. Information We Collect

### 1.1 Information You Provide
| Category | Examples | Purpose |
|---|---|---|
| Account Information | Name, email address, professional license number, practice name | Account creation, authentication, licensure verification |
| Payment Information | Credit card number, billing address | Billing (processed by third-party payment processor; we do not store full card numbers) |
| Communications | Support requests, feedback, emails | Customer support |
| Session Observations | De-identified post-session notes submitted for AI processing | Generating clinical note drafts |
### 1.2 Information Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Usage Data | Pages visited, features used, session duration | Product improvement, security monitoring |
| Device/Technical Data | IP address, browser type, operating system | Security, fraud prevention, debugging |
| Log Data | Server logs, API request timestamps, error logs | Security, HIPAA audit logging requirements |
| Cookies | Session cookies, preference cookies | Authentication, session management |
See our Cookie & Tracking Policy (05_cookie_policy.md) for details.
### 1.3 Information from Third Parties
We receive limited data from:
- AWS Cognito: Authentication events (login, logout, MFA events);
- Payment Processors: Payment confirmation, subscription status;
- AWS CloudTrail: Audit log events for HIPAA compliance purposes.
## 2. How We Use Information

We use information collected for the following purposes:

| Purpose | Legal Basis |
|---|---|
| Providing the Service (clinical note generation, export, storage) | Contract performance |
| Account management and authentication | Contract performance |
| Processing payments and subscriptions | Contract performance |
| HIPAA compliance (audit logging, breach detection) | Legal obligation |
| Security monitoring and fraud prevention | Legitimate interest |
| Customer support | Contract performance; legitimate interest |
| Product analytics (aggregated, de-identified only) | Legitimate interest |
| Marketing communications (with consent) | Consent |
| Complying with legal obligations | Legal obligation |
We do not use PHI for any purpose other than providing the Service as permitted under the BAA.
## 3. How We Share Information
Notelyx does not sell your personal information. We share information only as follows:
### 3.1 Service Providers (Sub-processors)

We engage third-party vendors who process data on our behalf:

| Sub-processor | Purpose | Data Shared | BAA in Place |
|---|---|---|---|
| Amazon Web Services (AWS) | Hosting, database, storage, authentication, AI processing | Account data, session observations, PHI | Yes |
| Stripe (or applicable processor) | Payment processing | Billing data only | No (no PHI) |
| [Email Provider] | Transactional email | Email address, name | No (no PHI) |
### 3.2 Legal Requirements
We may disclose information if required by law, subpoena, court order, or government request, or to protect the rights, property, or safety of Notelyx, Subscribers, or the public.
### 3.3 Business Transfers
In the event of a merger, acquisition, or asset sale, Subscriber information may be transferred as part of that transaction. We will provide notice before PHI is transferred and becomes subject to a different privacy policy.
### 3.4 With Your Consent
We may share information with third parties when you explicitly consent.
## 4. Protected Health Information (PHI) and HIPAA

**4.1 Business Associate Role.** To the extent that Subscribers submit PHI to the Service, Notelyx processes that PHI as a Business Associate under HIPAA. A signed BAA must be in place before any PHI is submitted.
**4.2 PHI Protections.** All PHI is:
- Encrypted in transit (TLS 1.2+) and at rest (AES-256 via AWS KMS);
- Stored in HIPAA-eligible AWS infrastructure;
- Accessible only to authorized personnel with a documented legitimate need;
- Subject to HIPAA minimum-necessary standards.
**4.3 AI and PHI.** When Subscribers submit session observations for AI note generation:
- Observations are processed via AWS Bedrock (Claude) within Notelyx's HIPAA-compliant AWS environment;
- Anthropic (the model provider) does not retain or use input data via Bedrock;
- Raw observation inputs are automatically deleted within 24 hours of processing;
- Generated notes are retained in accordance with Subscriber account settings and the BAA.
**4.4 No PHI for Training.** Notelyx does not use PHI to train, fine-tune, or improve AI models.

## 5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 30 days post-termination |
| Raw session observations (inputs) | 24 hours after note generation |
| Generated clinical notes | Duration of account + 30 days post-termination (or as configured by Subscriber) |
| Payment records | 7 years (tax and financial recordkeeping) |
| Security and audit logs | 6 years (HIPAA requirement) |
| Cookies | See Cookie Policy |
Upon account termination, the Subscriber may export their data within 30 days. After 30 days, all Subscriber data will be securely deleted, subject to legal hold obligations.

## 6. Your Rights

### 6.1 General Rights (All Subscribers)
You have the right to:
- Access: Request a copy of the personal data we hold about you;
- Correction: Request correction of inaccurate data;
- Deletion: Request deletion of your account and personal data (subject to legal retention obligations);
- Portability: Receive your data in a machine-readable format;
- Objection: Object to processing based on legitimate interest (where applicable);
- Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact privacy@notelyx.app.
### 6.2 California Residents — CCPA/CPRA Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: The categories of personal information collected, used, and disclosed;
- Right to Delete: Deletion of personal information (subject to exceptions);
- Right to Correct: Correction of inaccurate personal information;
- Right to Opt-Out of Sale/Sharing: Notelyx does not sell or share personal information for cross-context behavioral advertising;
- Right to Limit Use of Sensitive Personal Information: You may limit use of sensitive PI to purposes necessary to provide the Service;
- Non-Discrimination: We will not discriminate against you for exercising CCPA rights.
Categories of Personal Information Collected (CCPA):
- Identifiers (name, email, IP address);
- Professional or employment-related information (license number, practice name);
- Financial information (billing data, processed by payment processor);
- Internet or network activity (usage data, log data);
- Inferences drawn to create a profile (usage preferences — not PHI).
To submit a CCPA request: privacy@notelyx.app or toll-free at [PHONE NUMBER].
We will verify your identity before fulfilling requests. We will respond within 45 days (extendable by an additional 45 days with notice).
### 6.3 Rights Regarding PHI
Your patients' rights regarding their PHI are governed by HIPAA and your obligations as a Covered Entity. Notelyx will assist you in responding to patient rights requests as required under the BAA. Contact privacy@notelyx.app for PHI-related requests.
## 7. Security
Notelyx implements administrative, technical, and physical safeguards consistent with HIPAA Security Rule requirements and industry best practices, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256, AWS KMS);
- Multi-factor authentication required for all accounts;
- Role-based access controls (RBAC);
- Automatic session timeouts;
- HIPAA-eligible AWS infrastructure (Amplify, Cognito, RDS, Bedrock, S3, CloudTrail);
- Regular security assessments and penetration testing;
- Employee HIPAA training;
- Incident response procedures (see Breach Notification Policy).
Despite our safeguards, no system is perfectly secure. You should promptly report any suspected security incident to security@notelyx.app.
## 8. Children's Privacy
The Service is intended exclusively for licensed healthcare professionals. We do not knowingly collect personal information from individuals under 18. If we learn we have collected such information, we will delete it promptly.
## 9. International Data Transfers
Notelyx's infrastructure is located in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. If you are an EU or UK user, such transfers are subject to appropriate safeguards under the GDPR (Standard Contractual Clauses or equivalent). See also the Data Processing Agreement (06_data_processing_agreement.md).
## 10. Third-Party Links
The Service may contain links to third-party websites. Notelyx is not responsible for the privacy practices of such sites.
## 11. Changes to This Policy
We will notify you of material changes to this Privacy Policy at least 30 days in advance via email or prominent notice within the Service. Continued use after the effective date constitutes acceptance of the revised policy.
## 12. Contact Us

- Privacy Officer: [NAME]
- Email: privacy@notelyx.app
- Mail: Serno, Südliche Ringstraße [HOUSE NUMBER], 63225 Langen, Hesse, Germany
- For HIPAA-related inquiries: privacy@notelyx.app
- For security incidents: security@notelyx.app
- To report a privacy violation to the government: U.S. Department of Health and Human Services, Office for Civil Rights: hhs.gov/ocr/privacy

Attorney Review Note: Confirm jurisdiction for governing law. Verify CCPA "sale" and "sharing" characterizations. Add GDPR lawful basis table if targeting EU practitioners. Confirm sub-processor list is complete and current. Designate a Privacy Officer by name before going live. Add state-specific notices as needed (e.g., Virginia VCDPA, Colorado CPA, Connecticut CTDPA).