CareNotes
Trust Center

Security & Privacy
You Can Verify

Patient privacy is built into how CareNotes works — audio never leaves the device, transcripts and notes are processed under HIPAA safeguards, and your data is never used to train AI models.

Audio never stored

Speech-to-text runs on your device. No patient audio is recorded, uploaded, or retained — by us or anyone.

U.S. data storage

For U.S. customers, transcripts and notes are stored on U.S. infrastructure, encrypted in transit and at rest.

No training on your data

Your PHI is never used to train, fine-tune, or improve AI models. Providers are contractually prohibited from it.

BAA with every practice

We sign a Business Associate Agreement before PHI is processed — a separate BAA per legal entity.

Least-privilege access

No routine access to PHI. Rare support access is authorized, logged, and audited.

Zero Data Retention AI

AI providers process PHI under BAAs. Our primary provider (OpenAI) operates under an executed BAA with Zero Data Retention — data isn't logged, stored, or saved to disk.

How we handle patient information

Is any patient audio recorded, uploaded, or stored?

No. Speech-to-text and speaker diarization run entirely on your device using CareNotes' own on-device technology, purpose-built and optimized for clinical documentation. Audio is processed locally, never leaves the device, and is never sent to any third party for transcription. No temporary audio files are created or retained. Only the resulting text is used to generate a note.

Where are transcripts and notes stored?

On your device (encrypted) and, if you enable cloud sync, in our Google Cloud backend. For U.S. customers, that infrastructure is located in the United States.

Is my data encrypted?

Yes — in transit (TLS) and at rest. On-device data is protected by iOS Data Protection and the device keychain, and cloud data is encrypted at rest by Google Cloud.

Can CareNotes staff access my patients' PHI?

Not routinely. In the rare case that investigating a support issue requires access to specific data, it is granted only when necessary, limited to authorized personnel, and logged and audited.

Is my data used to train AI models?

No. Patient audio, transcripts, notes, your edits, and prompts are never used to train, fine-tune, or improve AI models. This is enforced contractually with our providers and in the app's architecture.

Is AI processing covered by a BAA and Zero Data Retention?

Yes. AI providers that process PHI do so under HIPAA Business Associate Agreements. Our primary provider (OpenAI) is engaged under an executed HIPAA Business Associate Agreement with a Zero Data Retention configuration — request data is not logged for human review, not stored persistently, and not saved to disk.

Do you sell or share patient data?

Never. CareNotes does not sell PHI or personal information, and we do not share it with advertisers or data brokers. Data is used only to provide the service to your practice.

Who owns the notes and data?

Your practice does. CareNotes acts as a Business Associate that processes data on your behalf; the clinical records remain yours, and you can export them at any time.

How is data deleted?

Deleting a note removes it from your device and, if synced, the cloud. Closing your account purges cloud copies (region-aware) and wipes local files. Encrypted disaster-recovery backups expire within 30 days and are never used for operations, analytics, or training.

How do you secure account access?

Access follows least-privilege, role-based principles, with multi-factor authentication supported for accounts and app-integrity attestation on every request. Access to PHI is logged.

Is CareNotes HIPAA compliant, and will you sign a BAA?

Yes. CareNotes maintains a HIPAA compliance program with administrative, physical, and technical safeguards, workforce training, and periodic reviews. We sign a Business Associate Agreement with each subscribing practice before any PHI is processed — a separate BAA per legal entity.

How do you handle a security incident or breach?

We follow a documented incident-response process. For a breach of unsecured PHI, affected practices are notified without unreasonable delay and no later than 60 days after discovery, consistent with HIPAA.

Documentation

Available now, or on request for security reviews.

Security contact

Questions about privacy, security, or a signed BAA?

info@cnotes.ai

Responsible disclosure

Found a potential vulnerability? Please report it privately to info@cnotes.ai and give us a reasonable window to remediate before public disclosure.