Privacy Policy
How MedNotes protects your clinical data
Effective: May 31, 2026
Version: 2.0
HIPAA Compliant
1. Introduction
MedNotes ("we," "our," "the Software") is committed to protecting the privacy of patients and healthcare providers. This Privacy Policy describes how we handle data when you use the MedNotes clinical documentation platform at mednotes.cc.
2. Data We Process
2.1 Clinical Data (Session-Only)
During an active session, MedNotes temporarily processes:
- Audio recordings of physician-patient encounters (for transcription)
- Medical documents uploaded for analysis (lab reports, imaging, clinical notes)
- Transcribed text of clinical encounters
- Refined transcriptions processed through our Clinical Transcription Refiner
- Synthesized clinical notes generated by AI
CRITICAL: All clinical data is processed IN-MEMORY ONLY and is NOT persisted to any storage medium. Data is automatically purged when the browser session ends.
2.2 Clinical Transcription Refiner
MedNotes includes a secondary AI refinement layer that processes raw transcriptions to correct phonetic and code-switching errors in medical terminology (e.g., Arabic-phonetic "سوب" → clinical abbreviation "SOB"). This refinement:
- Runs server-side via a secondary AI model (GPT-4o-mini)
- Processes only the transcription text — no audio data is sent
- Retains no data after the response is returned
2.3 Operational Metadata (Logged)
We log the following NON-PHI operational data for compliance:
- Timestamps of API calls
- Event types (login, transcription, synthesis, export)
- License key identifiers (masked — first 7 characters only)
- API latency and error metrics
- Provider name (never patient data)
2.4 Local Browser Storage
MedNotes uses your browser's localStorage for:
- Session recovery — a snapshot of the current transcript is saved locally every 10 seconds
- Theme and language preferences
- Onboarding state
This data is stored ONLY in your browser and never transmitted to our servers.
3. AI Processing Pipeline
| Step | Data | Processor | Storage |
|---|
| Audio Transcription | Audio recording | Azure OpenAI Whisper | None — in-memory |
| Clinical Refinement | Transcript text | Azure OpenAI GPT-4o-mini | None — in-memory |
| Document OCR | Uploaded images | Azure OpenAI Vision | None — in-memory |
| Note Synthesis | Transcript + docs | Azure OpenAI GPT-4o | None — in-memory |
| Clinical Advisories | Synthesized note | Azure OpenAI GPT-4o | None — in-memory |
4. Data We Do NOT Collect
MedNotes does NOT:
- Store patient health information (PHI) in any database
- Write clinical data to disk or persistent storage
- Use patient data for AI model training
- Share clinical data with third parties
- Track individual patient records across sessions
5. Data Retention
| Data Type | Retention Period |
|---|
| Clinical data (audio, documents, notes) | Zero — purged on session end |
| Operational audit logs | 90 days (configurable) |
| License key records | Until key expiration |
| Server access logs | 30 days |
| Trial signup information | 14 days after trial end |
6. Security Measures
- Encryption in Transit: All data via TLS 1.2+
- Session Management: Auto-lock after 15 minutes of inactivity
- Authentication: JWT-based session tokens
- Rate Limiting: DDoS protection per-IP
- Access Control: License-key gated with tiered permissions
- Audit Trail: All API operations logged (without PHI)
- CSP Enforced: Content Security Policy via Helmet.js
7. HIPAA Compliance
- Covered Entity Responsibility: Healthcare institutions remain the Covered Entity under HIPAA
- Business Associate Agreement: Available for enterprise customers
- No PHI at Rest: By architecture design, no PHI is persisted
- Access Controls: License-based authentication, session timeouts, audit logging
- Breach Notification: Affected parties will be notified within 72 hours
8. Your Rights
- Access: Request information about data processing practices
- Erasure: Clinical data is automatically erased (session-only by design)
- Portability: Export clinical notes in PDF or FHIR R4 format
- Objection: Opt-out of operational metadata logging
9. Contact
For privacy inquiries or data protection requests: