This Privacy and Data Protection Overview applies to the NoteyDoc website and browser extension operated by NoteyDoc LLC.

Last updated: May 6, 2026

Protecting patient privacy and sensitive health information is central to the design of NoteyDoc. This page explains, in plain language, how information is handled by the NoteyDoc browser extension and related web services. It is provided for transparency and is not a substitute for legal advice.

1. What NoteyDoc is designed to do

NoteyDoc is a documentation assistant that helps clinicians turn their own words into more structured clinical notes. In everyday use:

• Clinicians type or paste their own fragments, bullet points, or descriptions into NoteyDoc.
• NoteyDoc uses machine learning language models to process that input and return suggested wording or structure.
• The clinician reviews, edits, and copies final text into their EHR or documentation system.

NoteyDoc does not make medical diagnoses, select billing codes, or automatically submit documentation to payers or EHR systems.

2. Categories of information that may be processed

Depending on how you use the tool, the following categories of information may be entered into NoteyDoc:

• Free text clinical fragments describing a visit, intervention, or patient status.
• Non-identifying context such as discipline (OT, PT, SLP), setting, and visit type.

Because free text fragments may sometimes contain protected health information or personally identifiable information, it is critical that you use NoteyDoc in a way that is consistent with your local regulations and your organization’s data handling policies.

3. Information you are encouraged not to include

To reduce privacy risk, avoid entering directly identifying patient details into NoteyDoc unless and until a documented Business Associate Agreement or equivalent arrangement is in place and you have authorization from your organization. Examples include:

• Full legal names, initials with other identifiers, or contact information.
• Exact dates of birth, full addresses, phone numbers, email addresses, or insurance IDs.
• Medical record numbers or any facility specific patient ID that could identify an individual.
• Highly specific details that, in combination, uniquely identify a patient.

3A. Use of patient profiles and PHI

NoteyDoc offers an optional patient profile feature that allows you to organize your work by case. When you save or load a note from a patient profile, the most recent generated or edited version of that note is stored on NoteyDoc's backend infrastructure so it can be retrieved on your next visit. See Section 14 for current subprocessors.

What is stored: the latest saved or loaded note content associated with each profile, along with the profile label you assign.

How long it is retained: profile content is retained until you delete the profile or the individual note. Deletion is immediate and removes the content from the active database.

Who can access it: access to stored profile content is restricted to authorized NoteyDoc personnel on a need-to-know basis for purposes such as troubleshooting and abuse prevention. Stored content is not reviewed in the ordinary course of operating the service.

Security and encryption: data is encrypted in transit using Transport Layer Security and encrypted at rest on NoteyDoc's backend infrastructure (AES-256 via our managed Postgres provider, Supabase). Access is restricted to authorized personnel with administrative controls in place. Until your organization has an executed Business Associate Agreement with NoteyDoc and has approved the workflow, do not enter PHI or directly identifiable patient information into patient profiles.

Patient profiles are designed for non-identifying workspace organization (for example, "Patient A" or "Knee Rehab Case"). Do not enter directly identifiable patient information into NoteyDoc unless your organization has an executed Business Associate Agreement with NoteyDoc and has approved its use.

3B. HIPAA and Business Associate Agreements

NoteyDoc operates under a two-track model with respect to protected health information (PHI):

• Individual users without a BAA: if you use NoteyDoc as an individual clinician on the Free, Unlimited, or Unlimited Pro plans without an executed Business Associate Agreement, you must not enter PHI or identifiable patient information into the tool. Use only non-identifying visit fragments with patient identifiers removed.
• Clinics and teams with a BAA: NoteyDoc can provide a Business Associate Agreement for eligible clinic and team customers before PHI is submitted to NoteyDoc. If your organization requires HIPAA-covered use, PHI should not be entered until the applicable agreement is executed and your organization has approved the workflow. Once a BAA is executed, your organization may use NoteyDoc to process PHI subject to the terms of that agreement and your internal policies.

To request a BAA, contact partnerships@noteydoc.com. BAAs are available to clinic and team customers. The BAA must be executed and your account must be flagged as PHI-enabled by NoteyDoc before PHI may be submitted.

4. How processing occurs (local and cloud)

The NoteyDoc extension is developed with a focus on minimizing the amount of information that leaves your browser. Some advanced features, such as AI-assisted drafting, involve sending your input to secure cloud-based processing services.

The general architecture is:

• Local operations: Where possible, settings, preferences, and non-sensitive configuration are stored locally in the browser.
• Cloud processing: When AI-assisted drafting is used, the text you submit is transmitted through NoteyDoc's backend to OpenAI under an executed Business Associate Agreement with zero data retention, solely to return the requested output. Under this configuration, OpenAI does not log, store, or retain any inputs or outputs, and your content is never used to train any model. This goes beyond OpenAI's standard API protections and applies to every NoteyDoc generation request.

5. Intended data retention practices

The goal of NoteyDoc is to retain the minimum amount of information needed to provide the service. The core principles are:

• No permanent storage of note content for drafting purposes unless you explicitly enable it, for example an optional patient profile you choose to save.
• Short-lived processing: Input text sent to OpenAI is processed in real time under our Business Associate Agreement with zero data retention. It is not stored or retained on OpenAI's servers and is never used to train any model.

Optional saved features, such as patient profiles, retain content until the user deletes it or the account is deleted.

6. Legal basis for processing (where applicable)

If you are located in a region with comprehensive data protection laws, the legal basis for processing your personal data as a clinician may include:

• Legitimate interests in providing and improving a documentation support tool for clinicians.
• Contractual necessity where you have entered into an agreement to use the service.
• Consent for specific optional features, such as email updates or saving reusable phrase libraries tied to an account.

Where protected health information or other sensitive patient data is involved, additional agreements and strict organizational policies apply. You remain responsible for complying with those requirements.

7. Security measures

NoteyDoc uses industry standard security measures, such as:

• Encryption in transit (TLS) for all communications between the extension, the website, and backend services.
• Encryption at rest (AES-256) for stored data on our managed database infrastructure.
• Restricted access to production systems and logs on a need to know basis.
• Separation of development and production environments.
• Use of reputable hosting providers with strong physical and logical security controls.

No security measure is perfect and no online service can guarantee absolute security, but security is treated as a core requirement.

8. Use of analytics and cookies

NoteyDoc currently uses minimal internal usage tracking (anonymous event counts and aggregated performance metrics) to monitor service health and improve features. We do not currently use third-party analytics platforms such as Google Analytics. If we add third-party analytics in the future, we will update this policy and reflect the change with an updated "Last updated" date.

Where any analytics or similar technologies are used, we:

• Avoid collecting directly identifying personal information.
• Use aggregated or pseudonymous identifiers instead of real names or email addresses.
• Provide opt-out mechanisms where supported by the platform.

If cookies or similar technologies are used on the website, a clear notice and explanation is provided.

8A. Billing and payment information

Paid NoteyDoc subscriptions are processed by Stripe, our third-party payment processor. When you subscribe, Stripe collects and processes your payment information (such as card details and billing address) directly. NoteyDoc does not store full payment card numbers on its own systems and receives only limited information from Stripe needed to manage your subscription, such as subscription status and the last four digits of your card.

Stripe's handling of your payment information is governed by Stripe's own privacy policy, available at stripe.com/privacy.

9. Your responsibilities as a clinician or user

You are solely responsible for the content you enter into NoteyDoc and for ensuring that your use complies with applicable law, your professional obligations, and your organization's policies. NoteyDoc's input screening is a safeguard, not a guarantee. Specifically, you are responsible for:

• Ensuring that your use of the tool complies with local laws, regulations, and employer policies.
• Reviewing and editing all drafted content before it becomes part of the legal medical record.
• Avoiding the inclusion of unnecessary identifiers or highly sensitive details when using drafting tools.
• Ensuring that no identifiable patient data is entered unless permitted by your organization and applicable regulations.
• Securing your devices, browsers, and user accounts with appropriate access controls.

10. Third-party services and model providers

NoteyDoc uses a small set of vetted third-party providers to operate the service: OpenAI for AI text processing, and the infrastructure providers listed in Section 14. When these services are used:

• Providers are selected for security, reliability, and the strength of their data protection commitments.
• Text submitted for AI-assisted drafting is sent to OpenAI under our executed Business Associate Agreement with zero data retention. OpenAI does not store, log, or retain any inputs or outputs, and the content is never used to train any model.
• Business Associate Agreements and data processing agreements are executed with applicable providers before any data is shared.

You should periodically review this page to understand which providers are in use and how they handle data.

11. International transfers

Depending on your location and the location of the hosting infrastructure, information that you submit to NoteyDoc may be processed in a different country. When information crosses borders, reasonable steps are taken to ensure that it is protected in line with applicable legal requirements.

12. Your rights and choices

Subject to your local laws, you may have rights such as:

• Accessing information about the personal data NoteyDoc holds about you as a user.
• Requesting corrections to inaccurate account information.
• Requesting deletion of stored user-level data, including saved patient profiles.
• Opting out of non-essential communications or analytics.

US state privacy rights: if you are a resident of California or another US state with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Montana), you may have additional rights under those laws, including the right to know what personal information is collected about you, the right to delete that information, and the right to opt out of certain types of processing. NoteyDoc does not sell personal information.

How to exercise your rights: to make a request, contact support@noteydoc.com. We aim to respond within the timeframes required by applicable law (typically within 30 to 45 days). Account deletion requests are processed promptly and result in immediate removal of your stored data, including any saved patient profiles.

Because NoteyDoc is not intended to store complete medical records or act as a system of record, these rights relate to your user account or configuration, not the underlying clinical charts maintained by your employer or EHR vendor.

13. Age requirement

NoteyDoc is intended for use by licensed or supervised clinicians who are at least 18 years old. We do not knowingly collect personal information from individuals under 18. The Service is not designed for use by minors and minors should not create accounts. If you believe a minor has provided personal information to NoteyDoc, please contact support@noteydoc.com so we can remove it.

14. Subprocessors

NoteyDoc relies on the following key subprocessors to operate the Service:

• Supabase — database and authentication infrastructure
• Stripe — payment processing
• OpenAI — AI text processing under an executed Business Associate Agreement with zero data retention. Inputs and outputs are not stored, retained, or used to train models.

This list may be updated as our infrastructure evolves. Significant changes will be reflected by updating the "Last updated" date at the top of this document. Customers operating under a Business Associate Agreement may request a current list of subprocessors that handle PHI by contacting partnerships@noteydoc.com.

15. Data Breach Notification

If NoteyDoc becomes aware of a data breach affecting your personal information, we will notify you and applicable authorities as required by law. Notifications will describe the nature of the breach, the categories of information involved, and the steps we are taking in response. Notification will be provided within the timeframes required by applicable law. For incidents involving PHI processed under a Business Associate Agreement, breach notification is governed by the terms of the applicable BAA.

16. Contact

If you have questions about this page, data handling, or privacy in general, you can contact NoteyDoc at:
Email: support@noteydoc.com
This privacy and data protection overview is updated as the product matures. Significant changes are reflected by updating the "Last updated" date at the top of this section.