Privacy Policy

Last updated: [INSERT DATE]

⚠ Draft pending legal & compliance review This Privacy Policy is a structured draft reflecting how NMPsychNote AI is designed to operate. Because the Service handles protected health information, this document — and especially the HIPAA, subprocessor, and breach-notification sections — must be verified by qualified legal/compliance counsel and reconciled with signed Business Associate Agreements before it is published or relied upon. Purple-marked items require your confirmation.

1. Overview

This Privacy Policy explains how Gnosis Concepts Inc ("Company," "we") collects, uses, and protects information through the NMPsychNote AI platform ("Service"). It covers two categories of information: (a) account and billing information about providers, and (b) protected health information ("PHI") that providers process using the Service on behalf of their patients.

2. Our Role Under HIPAA

With respect to PHI, the Company acts as a Business Associate to the provider (the Covered Entity). We process PHI only to provide the Service and as permitted by the applicable Business Associate Agreement (BAA). [ATTORNEY/COMPLIANCE REVIEW REQUIRED before processing real patient PHI. BAAs with all subprocessors must be executed.]

3. Information We Collect

Provider Account Information

Name, credentials, practice name, work email
Authentication data (passwords are stored only as secure hashes)
Billing information (processed by Stripe; we do not store full card numbers)
Usage and audit logs (access times, actions taken)

Patient Information (PHI) — entered by providers

Patient demographics, session transcripts, clinical notes
Outcome measure responses (e.g., PHQ-9, GAD-7, ASRS)
Patient email addresses used to deliver intake questionnaires

4. How We Use Information

To provide, maintain, and improve the Service
To generate AI-assisted documentation from provider-supplied inputs
To process payments and manage subscriptions
To maintain security and audit logs as required under HIPAA §164.312(b)
To communicate service-related notices

We do not sell personal information or PHI. [CONFIRM: AI subprocessors do not train models on your PHI — verify against each vendor's terms/BAA.]

5. Subprocessors

We use the following third-party subprocessors to operate the Service. [Verify each has a signed BAA before processing PHI; update this list as vendors change.]

Subprocessor	Purpose	Data involved
Supabase	Database & authentication hosting	Account data, PHI
Anthropic (Claude)	AI SOAP note generation	Session transcripts / note content
Deepgram	Medical speech transcription	Session audio / transcripts
Stripe	Payment processing	Billing data (no PHI)
Resend	Transactional email delivery	Provider & patient email addresses
Netlify	Application hosting	Application traffic

6. Data Security

Encryption in transit and at rest (AES-256)
Tenant isolation enforced via row-level security
Audit logging of PHI access
Session auto-lock after inactivity
Role-based access controls

No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

7. Data Retention and Deletion

Provider account data is retained for the life of the account. Upon cancellation, data is retained for [30] days to allow export, after which it is deleted in accordance with our obligations. Providers may request export of their data before cancellation by contacting support. [CONFIRM retention periods comply with applicable state record-retention laws, which may require longer retention of clinical records.]

8. Breach Notification

In the event of a breach of unsecured PHI, we will notify affected providers in accordance with HIPAA Breach Notification Rule requirements and the terms of the applicable BAA. [ATTORNEY REVIEW REQUIRED — confirm timelines and procedures.]

9. Patient Rights

Because we act as a Business Associate, requests by patients to access, amend, or delete their PHI should be directed to their provider (the Covered Entity), who controls the record. We will support providers in fulfilling such requests as required by the BAA.

10. Your Choices

Providers may update account information, manage billing, or close their account at any time. To exercise data rights or ask privacy questions, contact us below.

11. Children's Privacy

The Service is used by providers who may document care for minor patients. The Service is not directed to children as users, and minors do not create accounts. PHI about minor patients is handled under the same HIPAA safeguards and the provider's authority.

12. Changes to This Policy

We may update this Policy. Material changes will be communicated by email or in-app notice. The "Last updated" date reflects the latest revision.

13. Contact

Privacy questions or requests: support@nmpsychnote.com · info@nmpsychnote.com