Privacy Policy

Table of Contents

1. Summary of Key Points
2. Description of the Services
3. Information We Collect
4. How We Use Your Information
5. Legal Bases for Processing
6. How We Share Information
7. Cross-Border Transfers (Including Canadian Users)
8. Data Retention
9. How We Protect Information (Safeguards)
10. Healthcare Data and HIPAA
11. Your Privacy Rights and Choices
12. Canadian Users (PIPEDA)
13. Children's Privacy
14. Changes to This Policy
15. Contact Us

1) Summary of Key Points

• Information we process: names, email addresses, account details, app usage/technical data, and transcribed clinical notes (which may include health information).
• Voice recordings: We do not collect or store voice recordings. Real-time transcription occurs on the device; we store only the resulting text notes.
• How we use information: to provide and secure the Services, support users, improve features, and comply with legal obligations.
• Sharing: we share information only as needed with vetted service providers, with professional customers (e.g., the dental practice) that control patient records, and when required by law or in a corporate transaction.
• Security: we use administrative, technical, and physical safeguards designed to protect sensitive information.
• Your rights: depending on where you live, you may request access, correction, deletion, or other actions regarding your personal information.
• Canadian users: we provide additional PIPEDA information, including cross-border transfer transparency, access/correction processes, breach notifications, and escalation options.

2) Description of the Services

CareNotes is a software platform designed to help healthcare providers—particularly dental professionals—streamline clinical documentation through structured input, automation, and optional AI-assisted features.

3) Information We Collect

We collect information in three main ways: (A) information you provide, (B) information collected automatically, and (C) information from your organization (if applicable).

A. Information You Provide

• Account and registration information (e.g., name, email address, login credentials, organization/practice name).
• Clinical documentation content, including transcribed clinical notes and related metadata you enter, upload, or generate through the Services. These notes may include sensitive information and may contain health information about patients.
• Support and communications (e.g., emails to support, feedback, survey responses, event RSVPs).

B. Information Collected Automatically

• Device and app information (device type, operating system, app version, language settings).
• Log data (IP address, timestamps, crash/error logs, diagnostic data).
• Usage data (features used, actions taken in the app, performance metrics).
• Analytics data to help us understand how the Services are used and to improve reliability and user experience.

C. Information From Your Organization (Professional Customers)

If you use CareNotes through a dental practice or other organization, we may receive information from that organization related to provisioning and managing your account (e.g., your role, permissions, or organizational identifiers).

Microphone and Storage Permissions

• The mobile app may request access to microphone (for real-time, on-device transcription only) and/or storage (to store or export text notes on your device).
• We do not collect or store voice recordings. Transcription is performed on the device, and CareNotes stores only the resulting text notes.

4) How We Use Your Information

• Provide the Services (create accounts, authenticate users, generate and manage clinical notes, enable features you request).
• Operate and maintain the Services (debugging, performance monitoring, crash analytics, customer support).
• Security and fraud prevention (protect accounts, detect suspicious activity, enforce policies).
• Improve and develop the Services (feature improvements, quality assurance, research and development using appropriate safeguards).
• Communications (service notices, administrative messages, and responses to support requests; marketing communications where permitted and with appropriate choices).
• Legal compliance (comply with applicable laws, respond to lawful requests, and protect rights and safety).

No Audio Storage: CareNotes does not store voice recordings. Transcription occurs locally on your device. We store only text outputs (e.g., clinical notes) and relevant account/technical data.

5) Legal Bases for Processing

Depending on your jurisdiction and how you use the Services, we process personal information based on one or more of the following legal bases:

• Consent (e.g., where required, or for certain optional features and communications).
• Contractual necessity (to provide the Services you request).
• Legitimate interests (such as securing and improving the Services, where permitted and balanced against privacy rights).
• Legal obligations (e.g., compliance, recordkeeping, security requirements).
• Vital interests (rare situations involving safety or preventing harm).

6) How We Share Information

We do not sell personal information. We share information only as needed for the purposes described in this Privacy Policy, including:

A. Service Providers (Vendors / Subprocessors)

• We use trusted third-party service providers to help us operate the Services (for example: cloud hosting, databases, analytics, error monitoring, customer support tooling, and security services). These providers may process personal information on our behalf under contractual obligations that include confidentiality, security requirements, and limitations on use.
• Subprocessor transparency: We may use multiple service providers depending on the Services you use and where you are located. You may request additional information about our service providers by contacting info@cnotes.ai.

B. Your Organization (Professional Customer)

If you use CareNotes through a dental practice or organization, that organization may have access to information associated with your account and clinical documentation created in the Services, consistent with the organization's policies and applicable law.

C. Legal and Safety

We may disclose information if we believe in good faith that disclosure is necessary to:

• Comply with law, regulation, legal process, or lawful governmental requests;
• Enforce our terms and policies;
• Protect our rights, privacy, safety, or property, and/or that of users or others.

D. Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of some or all of our business or assets, information may be disclosed or transferred as part of that transaction, subject to appropriate confidentiality and security measures.

7) Cross-Border Transfers (Including Canadian Users)

CareNotes is based in the United States, and we may store or process personal information in the United States or other locations where we or our service providers operate. If your personal information is transferred outside of your province, territory, or country, it may be subject to the laws of the jurisdiction where it is processed and may be accessible to law enforcement or other authorities under those laws.

We take steps designed to protect personal information when it is processed by service providers, including contractual protections and security safeguards.

8) Data Retention

We retain personal information only for as long as necessary to:

• Provide and maintain the Services;
• Meet professional customer requirements and user requests;
• Comply with legal, regulatory, accounting, or audit obligations;
• Resolve disputes and enforce agreements.

When information is no longer needed, we take steps to delete, de-identify, or anonymize it in accordance with our retention practices and applicable law. Retention periods may vary depending on the type of data and the context of processing.

9) How We Protect Information (Safeguards)

We use safeguards designed to protect personal information—especially sensitive information—against loss, theft, unauthorized access, disclosure, copying, use, or modification. Our safeguards may include:

• Encryption in transit and at rest (where appropriate);
• Access controls (role-based access, least-privilege practices);
• Logging and monitoring to detect and respond to suspicious activity;
• Secure development and change management practices;
• Vendor security reviews and contractual security obligations;
• Administrative policies and training for personnel with access to sensitive data.

No method of transmission or storage is completely secure. While we work to protect your information, we cannot guarantee absolute security.

10) Healthcare Data and HIPAA

CareNotes may act as a Business Associate under HIPAA when providing Services to covered entities such as dental practices. Where applicable, we follow HIPAA Security Rule standards and contractual obligations in our Business Associate Agreement (BAA).

AI Processing

CareNotes uses OpenAI to power AI-assisted features such as voice transcription and clinical note generation. OpenAI operates under a HIPAA Business Associate Agreement with CareNotes and adheres to a Zero Data Retention policy—your data is processed but never stored by OpenAI.

• Audio handling: CareNotes performs transcription locally on the device and does not store voice recordings. We store only the resulting text notes and related account/technical data.
• Breach notification: If we discover a breach involving protected health information (PHI) subject to HIPAA, we will provide notifications as required by HIPAA and our contractual obligations.

11) Your Privacy Rights and Choices

Depending on your location and applicable law, you may have rights to:

• Access the personal information we hold about you;
• Correct inaccurate or incomplete personal information;
• Request deletion of certain personal information (subject to legal or contractual retention requirements);
• Withdraw consent where processing is based on consent (this may affect your ability to use certain features);
• Opt out of marketing communications (you can use the unsubscribe link or contact us).

To exercise rights, email info@cnotes.ai. We may need to verify your identity before responding.

If you are using CareNotes through a dental practice or organization, certain requests may need to be routed through that organization depending on how information is controlled within the Services.

12) Canadian Users (PIPEDA)

If you are in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) may apply to our handling of your personal information.

A. Accountability and Privacy Officer

CareNotes is responsible for personal information under its control. We have designated our Chief Information Officer (CIO) as the Privacy Officer for PIPEDA-related inquiries.

Contact: info@cnotes.ai

B. Purposes and Consent

We collect, use, and disclose personal information for the purposes described in this Privacy Policy. We seek consent where required, including through onboarding flows, feature prompts, and your continued use of the Services. If we intend to use personal information for a new purpose that requires consent, we will provide notice and obtain consent as required.

C. Access and Correction (30 Days)

You may request access to your personal information and request corrections by emailing info@cnotes.ai. We aim to respond within 30 days, subject to permitted extensions under PIPEDA. If we cannot provide access, we will explain why, subject to legal limitations.

D. Cross-Border Processing

Your personal information may be stored or processed outside of Canada, including in the United States. In that case, it may be subject to foreign laws and accessible to foreign authorities. See Section 7 above.

E. Breach Notification and Records (PIPEDA)

If a breach of security safeguards creates a real risk of significant harm to an individual, we will provide notifications as required by PIPEDA, which may include:

• Notifying affected individuals; and
• Notifying the Office of the Privacy Commissioner of Canada.

We also maintain records of security breaches as required by applicable law.

F. Questions, Complaints, and Escalation

If you have questions or concerns about our privacy practices, contact our Privacy Officer at info@cnotes.ai. If your concern is not resolved, you may contact the Office of the Privacy Commissioner of Canada (OPC).

13) Children's Privacy

The Services are intended for use by professionals and are not directed to children. We do not knowingly collect personal information directly from children as consumers. If you believe a child has provided personal information to us outside of a professional healthcare context, contact info@cnotes.ai so we can take appropriate steps.

14) Changes to This Policy

We may update this Privacy Policy from time to time. We will revise the "Last Updated" date and, if changes are material, we will provide additional notice as required by applicable law.

15) Contact Us

CareNotes L.L.C.
120 E 56th St, 6th Floor
New York, NY 10022
United States

Email: info@cnotes.ai

Instagram: @carenotes.ai