Privacy Policy

Last updated: February 5, 2025

1. Introduction

NoteAssist ("we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our AI-assisted report writing application for healthcare professionals.

This policy complies with the General Data Protection Regulation (GDPR), the Norwegian Personal Data Act, and other applicable privacy laws.

2. Data Controller

NoteAssist
Email: support@noteassist.tech
Website: www.noteassist.tech

For privacy inquiries, please contact our Data Protection team at the email above.

3. Information We Collect

3.1 Account Information

  • Email address (required for authentication)
  • Password (protected using industry-standard hashing)
  • Full name (optional)
  • Professional role (optional)
  • Organization/workplace (optional)

3.2 User-Generated Content

  • Reports, journals, and documentation you create
  • Checklists and task lists
  • Deviation reports
  • Voice recordings (processed in real-time, not stored)

3.3 Technical Data

  • Device type and operating system
  • App version
  • Language preferences
  • Login timestamps
  • Error logs (anonymized)

3.4 Usage Data

  • Features used within the app
  • AI generation statistics (count only, not content)
  • Subscription status

4. How We Use Your Data

Purpose | Legal Basis (GDPR)
Providing our services | Contract performance (Art. 6(1)(b))
AI-powered report generation | Contract performance (Art. 6(1)(b))
Voice-to-text transcription | Explicit consent (Art. 6(1)(a))
Sending service notifications | Legitimate interest (Art. 6(1)(f))
Improving our services | Legitimate interest (Art. 6(1)(f))
Processing payments | Contract performance (Art. 6(1)(b))
Preventing fraud and abuse | Legitimate interest (Art. 6(1)(f))

5. AI Processing and Data Handling

5.1 How AI Works in NoteAssist

  • Your input (keywords, dictation) is sent to AI models via encrypted connections
  • AI generates professional reports based on your input
  • Your content is processed in real-time and not used to train AI models

5.2 Third-Party AI Services

We use industry-leading AI providers with strict data processing agreements. Your data is:

  • Transmitted via TLS 1.3 encryption
  • Not retained by AI providers after processing
  • Never used to improve or train third-party models

6. Data Sharing and Third Parties

We do not sell your personal data. We share data only with:

Service Provider | Purpose | Location
Supabase | Database hosting & authentication | EU (Frankfurt)
AI Model Providers | Report generation | EU/US (with SCCs)
Stripe | Payment processing | EU
Resend | Transactional emails | EU

All third parties are bound by Data Processing Agreements (DPAs) ensuring GDPR compliance.

7. International Data Transfers

Your data is primarily stored within the European Economic Area (EEA). When data is transferred outside the EEA:

  • We use Standard Contractual Clauses (SCCs) approved by the EU Commission
  • We verify adequate protection levels exist
  • You can request information about specific safeguards

8. Data Retention

Data Type | Retention Period
Account data | Until account deletion + 30 days
Reports & content | Until you delete them or close your account
Voice recordings | Not stored (real-time processing only)
Payment records | 7 years (legal requirement)
Server logs | 90 days

After account deletion, all personal data is permanently removed within 30 days, except where legal retention requirements apply.

9. Data Security

We implement comprehensive security measures:

  • Encryption: AES-256 at rest, TLS 1.3 in transit
  • Authentication: Secure password hashing (bcrypt)
  • Access control: Role-based access, principle of least privilege
  • Infrastructure: ISO 27001 certified cloud providers
  • Monitoring: 24/7 security monitoring and intrusion detection
  • Backups: Encrypted daily backups with disaster recovery

10. Your Rights Under GDPR

You have the following rights regarding your personal data:

Right | Description | How to Exercise
Access | Obtain a copy of your data | Settings → Export Data
Rectification | Correct inaccurate data | Settings → Profile
Erasure | Delete your data ("right to be forgotten") | Settings → Delete Account
Data Portability | Receive data in machine-readable format | Settings → Export Data
Restriction | Limit how we process your data | Contact support
Object | Object to certain processing | Contact support
Withdraw Consent | Revoke previously given consent | App settings or contact support

To exercise these rights, contact us at support@noteassist.tech. We will respond within 30 days.

11. Cookies and Local Storage

NoteAssist uses local storage (not cookies) to:

  • Remember your login session
  • Store your language preference
  • Save your theme preference (light/dark)
  • Track onboarding completion

No third-party tracking cookies are used within the app.

12. Children's Privacy

NoteAssist is designed for healthcare professionals and is not intended for use by individuals under 18 years of age. We do not knowingly collect data from minors.

13. Health Data (Special Category Data)

While NoteAssist helps create healthcare documentation, we process data as a data processor on your behalf:

  • You are the data controller for patient-related content
  • You are responsible for ensuring appropriate consent and legal basis
  • We do not access, analyze, or use the content of your reports beyond providing our services
  • We recommend not including directly identifiable patient information when possible

14. Changes to This Policy

We may update this Privacy Policy periodically. When we make significant changes:

  • We will notify you via email or in-app notification
  • The "Last updated" date will be revised
  • Continued use after changes constitutes acceptance

15. Complaints

If you believe we have violated your privacy rights, you have the right to lodge a complaint with:

Norwegian Data Protection Authority (Datatilsynet)
Postboks 458 Sentrum
0105 Oslo, Norway
www.datatilsynet.no

16. Contact Us

For any privacy-related questions or concerns:

Email: support@noteassist.tech
Response time: Within 5 business days