Privacy Policy
Last updated: 19 January 2025
This Privacy Policy describes how NoteMate (ABN 33 659 424 629) ("NoteMate", "we", "us", or "our") collects, uses, and handles your information when you use our clinical documentation platform ("Service").
1. Zero-Knowledge Architecture
1.1 Core Principles
Our software architecture ensures that:
The application cannot access or decrypt your sensitive clinical content
Clinical documentation is stored locally on your device
We cannot access, view, or retrieve your clinical content
You maintain complete control over your sensitive information
Content is temporarily transmitted for processing (transcription and generation)
1.2 Data Categories
We handle different types of data with specific protections:
Content Data (Local Storage):
Clinical documentation on your device
Generated transcripts and documents
Audio recordings before processing
Generated clinical content
Operational Data (Minimal Storage):
Authentication data managed by Clerk
Usage metrics and quotas
Payment information via Stripe
Application monitoring data
Template storage and management
Processing Data (Temporary):
Audio recordings during transcription
Text during document generation
Transmitted securely and immediately discarded
2. Data Processing and Partners
2.1 Third-Party Services
We use the following third-party services with strict data processing agreements:
Clerk (United States)
Purpose: Authentication and user management
Data Handling:
User authentication
Session management
Security monitoring
User profiles
Security Measures:
SOC 2 Type 2 certified
Enterprise-grade encryption
MFA support
Fraud prevention
OpenAI (United States)
Purpose: Audio transcription and text processing
Data Handling:
Temporary audio transcription
Real-time text processing
No data retention
No training or model fine-tuning
Security Measures:
SOC 2 Type 2 certified
Data encrypted in transit
Strict access controls
Regular security audits
Redis (United States)
Purpose: Database operations and usage tracking
Data Handling:
Rate limiting data
Usage quotas
Application metrics
No user content storage
Security Measures:
Australian data center
SOC 2 Type 2 certified
Network isolation
Encryption at rest
Stripe (United States)
Purpose: Payment processing
Data Handling:
Payment information only
PCI DSS Level 1 certified
No access to clinical data
Security Measures:
Encryption for all data in-transit
Fraud detection
Regular assessments
Compliance monitoring
2.2 Data Processing Principles
All data processing follows these principles:
Temporary and immediate processing only
Subject to strict data processing agreements
Compliant with Australian privacy laws
Limited to essential operations
Regular security and compliance audits
3. Security Measures
3.1 Technical Security
We protect your data through:
Encryption for all data in transit
Zero-knowledge architecture preventing data access
Secure authentication using Clerk
Multi-factor authentication options
Regular security assessments and penetration testing
3.2 Operational Security
Our operational security includes:
Regular security audits
Access control and monitoring
Incident response procedures
Security patch management
4. Data Protection Obligations
4.1 Our Commitments
We commit to:
Protecting your privacy and data security
Processing data only as necessary
Maintaining appropriate security measures
Promptly responding to security incidents
Regular compliance reviews
4.2 Your Responsibilities
You are responsible for:
Maintaining local device security
Protecting access credentials
Obtaining patient consent
Following professional privacy obligations
Reporting security concerns promptly
5. Healthcare Use Requirements
5.1 Patient Consent
When using NoteMate in healthcare settings, you must:
Obtain explicit patient consent before recording
Document consent in medical records
Inform patients about:
The purpose of recording
Temporary processing details
Local device storage
Security measures in place
Follow local healthcare privacy regulations
5.2 Professional Obligations
You must maintain:
Appropriate clinical records
Patient privacy protocols
Professional standards compliance
Organisational policy compliance
6. Your Privacy Rights
6.1 Legal Rights
Under Australian privacy law, you have the right to:
Access your personal information
Correct your personal information
Request account deletion
Withdraw processing consent
Lodge privacy complaints
Receive data breach notifications
6.2 Exercise of Rights
To exercise these rights:
Email us at contact@notemate.io
Provide necessary identification
Specify your request clearly
Allow up to seven (7) days for response
7. Data Incidents
7.1 Our Response
In case of a data incident, we will:
Investigate immediately
Notify affected users
Implement containment measures
Conduct root cause analysis
Take preventive actions
7.2 Notification Process
We will notify you of incidents:
Within required timeframes
With incident details
With recommended actions
Through secure channels
8. Jurisdiction and Governing Law
8.1 Governing Law
This Privacy Policy is governed by the laws of Victoria, Australia.
8.2 Jurisdiction
Any privacy disputes will be subject to the exclusive jurisdiction of the courts of Victoria, Australia.
9. Changes to Policy
9.1 Updates
We may update this Privacy Policy by:
Posting changes on our website
Notifying you via email
Providing in-app notifications
Requiring acknowledgment if necessary
9.2 Effect
Changes will be effective upon posting, with continued use constituting acceptance.
Contact
For privacy-related inquiries, please email contact@notemate.io.
Privacy complaints may also be directed to:
Office of the Victorian Information Commissioner
PO Box 24274
Melbourne VIC 3001
