Noted — Privacy & Compliance
Plain-English version
The demo vs. the product
This demo is not HIPAA-compliant. It uses your browser's built-in speech recognition, which sends audio to Google (Chrome) or Apple (Safari) to turn it into text. That means real patient words would leave your device. Do not use this demo with real patient information.
The shipped product — the iOS, Android, and Windows apps — does it differently. There, everything that matters for privacy happens on your device:
- Speech-to-text runs on the device using Apple's or Android's built-in on-device recognition (no cloud).
- The clinical note is written by a small AI model running on your device.
- Patient notes are saved in an encrypted on-device vault.
- Patient data never goes over the internet. The product's only network traffic is licensing, anonymous telemetry, and lookups against a public psychology literature server.
What encryption does — and doesn't — cover
Encryption is one of several safeguards the HIPAA Security Rule calls for (it is an "addressable" specification: you implement it, or document the equivalent control you use instead). It is necessary in practice, not sufficient.
What Noted's encryption covers:
- Anything sent over the internet uses TLS (HTTPS).
- Anything saved on the device relies on the platform's storage encryption: on by default on modern iPhones, iPads, and Android phones; on Windows 10/11 only when BitLocker or Device Encryption is actually turned on, which not every PC does out of the box. Check with manage-bde -status before storing notes on a Windows machine.
- The patient vault is additionally protected by the device's screen lock (passcode / Face ID / Touch ID / Windows Hello).
What encryption alone does not cover (other HIPAA rules do):
- Who is allowed to see what — that's access control. Noted uses per-therapist login and session timeout.
- A record of who saw what and when — that's audit logging. Noted records every read and write to the vault.
- Training, policies, vendor agreements, breach response — those are administrative safeguards, documented in our HIPAA risk analysis (available to Business Associate partners).
- Physical things: device disposal, stolen laptop procedure, workstation location — those are your practice's policies, and we provide a template.
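The two items above that encryption does not cover, access control (per-therapist login and session timeout) and audit logging (every vault read and write recorded), are mechanisms rather than policies, so here is a worked illustration of how they fit together. It is an added example, not Noted's code: a small in-memory vault where every read and write is attributed to a logged-in therapist, an idle session is refused, and the log is a hash chain (an HMAC over each entry plus the previous entry's tag) so that deleting or editing an entry is detectable. The 15-minute timeout, the key, the patient and therapist names, and the note text are all constructed for the example.

```python
"""Per-therapist access control, idle timeout and a tamper-evident audit log over
a note vault. Added illustration, not Noted's code. Assumes a 15-minute idle
timeout, an in-memory store (a real vault encrypts at rest) and a constructed key."""
import hashlib
import hmac
import json

IDLE_TIMEOUT_S = 15 * 60  # assumed policy value, not taken from the page

class AccessDenied(Exception): pass

def verify_trail(entries, log_key: bytes) -> bool:
    """Recompute each entry's MAC and check it links to its predecessor."""
    prev = "0" * 64
    for e in entries:
        body = {k: v for k, v in e.items() if k != "mac"}
        if body.get("prev") != prev:
            return False  # an entry was removed, reordered or inserted
        msg = json.dumps(body, sort_keys=True).encode()
        mac = hmac.new(log_key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, e["mac"]):
            return False  # an entry's contents were altered
        prev = e["mac"]
    return True

class AuditedVault:
    def __init__(self, log_key: bytes, clock):
        self._notes = {}     # patient_id -> (owning therapist, note text)
        self._sessions = {}  # session_id -> {"who": therapist, "seen": last activity}
        self._audit = []     # hash-chained log entries, oldest first
        self._log_key, self._clock, self._next_sid = log_key, clock, 0

    def _record(self, who: str, action: str, patient_id: str) -> None:
        prev = self._audit[-1]["mac"] if self._audit else "0" * 64
        entry = {"t": self._clock(), "who": who, "action": action,
                 "patient": patient_id, "prev": prev}
        msg = json.dumps(entry, sort_keys=True).encode()
        entry["mac"] = hmac.new(self._log_key, msg, hashlib.sha256).hexdigest()
        self._audit.append(entry)

    def login(self, therapist: str) -> str:
        sid, self._next_sid = f"s{self._next_sid}", self._next_sid + 1
        self._sessions[sid] = {"who": therapist, "seen": self._clock()}
        return sid

    def _who(self, sid: str) -> str:
        s = self._sessions.get(sid)
        if s is None:
            raise AccessDenied("no such session")
        now = self._clock()
        if now - s["seen"] > IDLE_TIMEOUT_S:
            del self._sessions[sid]
            self._record(s["who"], "timeout", "-")
            raise AccessDenied("session expired")
        s["seen"] = now
        return s["who"]

    def write(self, sid: str, patient_id: str, text: str) -> None:
        who = self._who(sid)
        if self._notes.get(patient_id, (who,))[0] != who:
            self._record(who, "write-denied", patient_id)
            raise AccessDenied("not your patient")
        self._notes[patient_id] = (who, text)
        self._record(who, "write", patient_id)

    def read(self, sid: str, patient_id: str) -> str:
        who = self._who(sid)
        owner, text = self._notes.get(patient_id, (None, None))
        if owner != who:
            self._record(who, "read-denied", patient_id)  # denials are logged too
            raise AccessDenied("not your patient")
        self._record(who, "read", patient_id)
        return text

    def audit_trail(self) -> list:
        return [dict(e) for e in self._audit]

def denied(fn) -> bool:
    try:
        fn()
        return False
    except AccessDenied:
        return True

def demo() -> dict:
    now = [1_700_000_000.0]  # controllable clock so the timeout path runs offline
    vault = AuditedVault(b"constructed-demo-key", clock=lambda: now[0])
    alice, bob = vault.login("alice"), vault.login("bob")
    vault.write(alice, "P1", "constructed sample note")
    out = {"alice_reads": vault.read(alice, "P1")}
    out["bob_denied"] = denied(lambda: vault.read(bob, "P1"))
    now[0] += IDLE_TIMEOUT_S + 1
    out["alice_timed_out"] = denied(lambda: vault.read(alice, "P1"))
    trail = vault.audit_trail()
    out["actions"] = [e["action"] for e in trail]
    out["audit_ok"] = verify_trail(trail, b"constructed-demo-key")
    del trail[2]  # an attacker erases the denied read; the chain exposes it
    out["tamper_detected"] = not verify_trail(trail, b"constructed-demo-key")
    return out
```

demo() walks the four cases in order: the owner reads her own note, a second therapist is refused (and the refusal is itself logged), the owner's idle session is expired on her next access, and a log with one entry silently removed fails verification. The design point is that an audit log which anyone with write access to the device can edit is not evidence; chaining each entry to its predecessor under a key the app holds (ideally in the platform keystore, not in the app's own files) turns it into something a reviewer can verify end to end.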
Our design posture: "HIPAA-aligned by design"
Most therapy-note tools on the market are cloud services. They see every word of every session. They protect it, but they still have it. That creates a large HIPAA surface area, requires a Business Associate Agreement with each of them, and means a breach on their end still triggers your breach-notification duties to your patients.
Noted is different. The product does not see patient data. Therefore:
- There is no cloud copy of your session audio, transcript, or notes to protect.
- There is no cloud copy to breach.
- You do not need a BAA with us for patient data, because we never hold patient data.
You still need the basics your practice is already doing: device passcodes, a screen-lock policy, employees trained on what not to share, a written privacy notice for patients. The no-BAA position also rests on one condition worth checking rather than assuming: nothing the app sends us (licensing checks, anonymous telemetry) may contain note text.
Questions we get asked
Does the AI learn from my notes? No. The AI runs on your device and never sends what it reads or writes anywhere.
Does anyone at Noted see my notes? No. We cannot see what we never receive.
What if I lose my phone? The vault's keys are protected by your device passcode; Face ID, Touch ID, and Windows Hello are ways to unlock the device, not a replacement for the passcode or PIN behind them, so choose a strong one. Without unlocking the device, the vault is unreadable.
Can I export my notes to my EHR? Yes — copy-to-clipboard today; structured export to common EHRs (SimplePractice, TherapyNotes) is on the roadmap.
Do you offer a Business Associate Agreement? If you want one for the non-PHI portions (licensing, anonymous telemetry, the public psychology knowledge base), yes. For the PHI portions it is not applicable because we never hold PHI.
Contact
Privacy questions: privacy@spw1.com
Risk analysis document and BAA request: compliance@spw1.com