Privacy Policy

Effective Date: 05/08/2025

Note360 (“we,” “our,” or “us”) is committed to protecting the privacy and security of the personal information entrusted to us by licensed healthcare providers and their patients. This Privacy Policy explains how we collect, use, disclose, and protect your information, including Protected Health Information (PHI), under applicable U.S. privacy laws, including the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the California Consumer Privacy Act (“CCPA”), and the California Privacy Rights Act (“CPRA”).

This policy applies to all users of the Note360 platform, including healthcare providers who use our AI-powered documentation and telemedicine services via our web-based SaaS platform.

WHAT IS PERSONAL DATA OR PERSONAL INFORMATION?

When we refer to ‘personal data or personal information’ in this statement, we mean any information that you have given us by which you could be identified. It also refers to any information that relates directly to an identified physical person. We take this very seriously as we know this is valuable to you.

WHAT IS PROTECTED HEALTH INFORMATION?

PHI stands for Protected Health Information. It refers to any individually identifiable health information that is created, maintained, or transmitted by a “covered entity” under the Health Insurance Portability and Accountability Act (HIPAA). 

PHI includes:

  • Medical history
  • Treatment information
  • Payment data
  • Demographic information (e.g., name, address, phone number)
  • Genetic information
  • Biometric identifiers (e.g., fingerprints, facial recognition data)

What personal data do we collect, and when do we collect it?

We collect information about you in different ways, depending on how you interact with us and our services through our website, application, social media channels, advertisements, and physical office, where applicable.

CONTEXT: USER INTERACTIONS

INFORMATION WE COLLECT: If you create a user account on our website or application, we collect your full name, email address, phone number, professional credentials, and company name (where applicable). We also collect information relating to your actions while you are logged into your account.

PRIMARY PURPOSE FOR COLLECTION OF INFORMATION: To identify and communicate with users on the platform, process service requests, and manage billing through secure third-party payment processors.

CONTEXT: PROVIDING OUR SERVICES

INFORMATION WE COLLECT: Personal Health Information. In order to render our services to our users, we collect and process Personal Health Information (PHI) under HIPAA regulations, including:

  • Clinical notes and transcriptions
  • Telemedicine session data
  • Voice recordings and AI-generated summaries

PRIMARY PURPOSE FOR COLLECTION OF INFORMATION: We collect this information to provide our services as outlined in the terms and conditions and Business Associate Agreement.

CONTEXT: PROCESSING PAYMENTS

INFORMATION WE COLLECT: We collect name, payment method details, contact information, and bank account details via Stripe.

PRIMARY PURPOSE FOR COLLECTION OF INFORMATION: We collect this information to manage billing through secure third-party payment processors like Stripe.

WHAT IS THE PURPOSE OF COLLECTING YOUR PERSONAL DATA, AND HOW IS IT USED?

In addition to the purposes and uses described above, we use data in the following ways:

  1. To identify you when you visit our website or application.
  2. To provide our services to you without interruption.
  3. To safeguard online transactions and avoid fraud and payment incidents.
  4. To supervise and maximize our clients’ experience by enhancing our knowledge of our clients.
  5. To suggest appropriate, tailored services, particularly when we add new features or improve our products and services.
  6. To disseminate marketing and promotional materials, including information relating to our services, sales, or promotions.
  7. To provide real-time scribing and AI-enhanced documentation.
  8. To facilitate telemedicine communications.
  9. To ensure platform security and integrity.
  10. To comply with legal and regulatory requirements.
  11. For troubleshooting, analytics, and product improvement.

Note that, depending on the provisions of applicable privacy laws and on the context, our collection and processing of your personal data is based on your consent, our need to perform a contract, our legal or regulatory obligations, and/or our legitimate interest in conducting our business.

HOW WE COLLECT PERSONAL DATA OR PERSONAL INFORMATION 

We collect personal information in the following ways:

  1. Subscription and service sign-ups
  2. Cookies and tracking tools

THIRD-PARTY DATA SHARING WITH DATA PROCESSORS

We may share limited personal data with trusted third parties to facilitate service delivery.

We use trusted third-party service providers, including:

  1. ChatGPT (OpenAI) or Claude for natural language processing and summarization.
  2. Deepgram or Whisper for speech-to-text transcription.
  3. Amazon Web Services (AWS) for HIPAA-compliant cloud hosting.
  4. LiveKit for processing telemedicine sessions.
  5. Twilio for text-based communication.
  6. Google Workspace for email communications.

These providers are contractually obligated to comply with applicable privacy laws and security protocols. We cannot and will not sell your personal data under any circumstances.

DATA RETENTION

Personal Health Information and user data are retained only as long as required for operational, legal, and compliance purposes, including those mandated under HIPAA. Upon account closure or at your request, data will be securely deleted or de-identified, unless otherwise required by law.

DATA PROTECTION AND STORAGE

We maintain administrative, technical, and physical safeguards to protect your information, especially PHI, including but not limited to:

  1. End-to-end encryption during transmission and storage. 
  2. Role-based access controls to ensure that only authorized personnel can access sensitive data.
  3. Multi-factor authentication for user accounts.
  4. Regular security audits and vulnerability assessments.
  5. Secure hosting: data hosted on AWS HIPAA-compliant servers for secure, scalable storage.

COOKIES AND TRACKING TECHNOLOGIES 

Note360 uses cookies and similar tracking technologies to improve your experience, provide essential functionality, and meet legal and security requirements.

What are Cookies?

Cookies are small text files stored on your device when you visit a website. They help us remember your preferences, understand how you use our site, and improve our services.

We use cookies and similar technologies to:

  • Improve user experience
  • Monitor usage analytics
  • Provide secure login and session continuity

You may control cookie settings through your browser preferences.

Types of Cookies

  1. Essential Cookies: These cookies are required for the platform to work and cannot be turned off. They enable secure login and session management.
  2. Performance Cookies: We use performance cookies to collect usage data to understand how users use our platform.
  3. Functional Cookies: These are used to enable enhanced functionality and personalization (e.g., remembering user settings). These may be set by us or by third-party providers.

Consent and Control Under the General Data Protection Regulation (GDPR).

Kindly note that users from the European Economic Area (EEA) will be shown a cookie banner on their first visit. This banner allows:

  1. Clear notification that cookies are being used.
  2. Ability to accept all, reject non-essential, or customize cookie settings.
  3. Option to withdraw or update consent at any time

Note360 does not set non-essential cookies without your explicit consent.

Managing Cookies

You can manage or disable cookies through your browser settings. Please note that disabling some cookies may affect site functionality.

Future Changes: We may add cookie preference management tools or tracking for service optimization. If so, we will let you know and update this section.

YOUR PRIVACY RIGHTS

Depending on your jurisdiction, you may have the right to:

  1. Access or receive a copy of your personal data.
  2. Request correction or deletion of your data.
  3. Restrict or object to certain uses of your data.
  4. Withdraw consent where applicable

HIPAA Compliance

Note360 is committed to ensuring the privacy and security of Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act and associated regulations. We operate as a Business Associate to Covered Entities such as healthcare providers and are bound by Business Associate Agreements (BAAs) to uphold HIPAA standards.

 

Information We Collect and Process

As part of delivering clinical documentation and telemedicine services, Note360 may receive, collect, and process PHI, including but not limited to:

  1. Clinical notes and transcriptions.
  2. Voice recordings and AI-generated summaries.
  3. Telemedicine session data.
  4. Patient-related metadata shared during service use.

This information is processed solely to deliver services as outlined in our Terms of Service and applicable BAA agreements.

Safeguards to Protect PHI

We implement administrative, technical, and physical safeguards designed to:

  1. Prevent unauthorized access to PHI.
  2. Maintain data integrity and confidentiality.
  3. Ensure secure transmission and storage of PHI.
  4. Monitor and audit access and activities involving PHI

These safeguards are regularly reviewed and updated to remain aligned with HIPAA’s Security Rule.

Use and Disclosure of PHI

Note360 only uses and discloses PHI:

  1. As permitted or required by law.
  2. As outlined in our Business Associate Agreements.
  3. To provide services on behalf of Covered Entities.
  4. To comply with legal obligations, law enforcement requests, or regulatory requirements.

PHI is not used for marketing or any other unrelated purposes without explicit authorization from the Covered Entity.

Covered Entity Rights Under HIPAA

As a HIPAA-covered entity, you are entitled to the following rights, which Note360 supports fully through our platform and contractual agreements:

1. Right to Access PHI

You may access, inspect, and obtain copies of PHI maintained or processed by Note360 under HIPAA and any applicable BAA.

2. Right to Amend PHI

You have the right to request amendments to PHI if you believe that the data is incorrect or incomplete. We will support and facilitate such amendments when required.

3. Right to an Accounting of Disclosures

You may request a record of certain disclosures of PHI made by Note360, excluding disclosures for treatment, payment, healthcare operations, or those made with prior authorization.

4. Right to Require Safeguards

You may require reasonable and appropriate safeguards for handling PHI, which Note360 will implement and maintain as part of our HIPAA Security Rule compliance.

5. Right to Restrict Disclosures

You may impose limitations or conditions on PHI use and disclosure that Note360 will comply with, where feasible and permitted under HIPAA.

6. Right to a Business Associate Agreement

You are entitled to enter into a Business Associate Agreement (BAA) with Note360, which outlines our legal responsibilities as a processor of PHI.

7. Right to Breach Notification

You have the right to receive prompt notification of any unauthorized access, use, or disclosure of PHI that constitutes a reportable breach under HIPAA.

CALIFORNIA RESIDENTS: Your California Privacy Rights (CCPA)

YOUR RIGHTS UNDER THE CCPA (CALIFORNIA CONSUMER PRIVACY ACT)

Under this Privacy Policy, and by law if applicable, you have the right to say no to the sale of Personal Data: WE DO NOT SELL YOUR PERSONAL DATA TO THIRD PARTIES. Therefore, your right under the CCPA is adequately catered for.

If you are a resident of California, you have the following rights: 

  1. The right to notice: You must be properly and adequately informed of which categories of Personal Data are being collected and the purposes for which the Personal Data is being used.
  2. The right to access / the right to request: The CCPA allows you to request and retrieve from us information regarding the disclosure of your personal data that has been collated by us in the past 12 months.
  3. The right to know about your personal data: You have the right to request and obtain from the Company information regarding the disclosure of the following:
     • The categories of Personal Data collected
     • The sources from which the Personal Data has been collected
     • The business or commercial purpose for collecting or selling the Personal Data
     • Categories of third parties with whom we share Personal Data
     • The specific pieces of Personal Data we collected about you
  4. The right to delete Personal Data: You also have the right to request the deletion of your Personal Data that has been collected in the past 12 months.
  5. The right not to be discriminated against: You have the right not to be discriminated against for exercising any of your consumer rights, including by either denying goods or services to you or charging different prices or rates for services.

EXERCISING YOUR CCPA DATA PROTECTION RIGHTS 

If you are a California resident, you can exercise any of your rights under the CCPA by emailing us at fmohamed@note360.ai.

Note360 will disclose and deliver the required information free of charge within 45 days of receiving your verifiable request. The period to provide the required information may be extended once by an additional 45 days when reasonably necessary and with prior notice.

DO NOT SELL MY PERSONAL INFORMATION

WE DO NOT SELL PERSONAL INFORMATION; however, if you wish to opt out of the usage of your personal data for interest-based advertising purposes and these potential sales as defined under CCPA law, you may do so by deactivating them in your browser. Please note that any opt-out is specific to the browser you use. You may need to opt out on every browser that you use.

SELLING PERSONAL INFORMATION

Our Site DOES NOT sell Personal Information, as defined by the California Consumer Privacy Act of 2018 (“CCPA”).

You have additional rights, including:

  • The right to know what personal data is collected, shared, or sold
  • The right to opt out of the sale or sharing of your data (Note360 does not sell your data)
  • The right to limit the use of sensitive personal information

To exercise these rights, please email fmohamed@note360.ai.

INTERNATIONAL DATA TRANSFERS

Although Note360 is U.S.-based, if you are accessing the platform from outside the United States, you consent to the transfer and processing of your information in the U.S. under this policy.

CHILDREN’S PRIVACY

Note360 is intended for use by licensed healthcare professionals only and is not directed to children under the age of 13. We do not knowingly collect personal information from minors.

MISCELLANEOUS

The following information relates to our privacy practices:

  • Changes to This Privacy Policy: We may change our privacy policy and practices. We will notify users of material changes via email or through our website.
  • To the extent that our Privacy Policy changes in a material way, the policy that was in place when you submitted personal data to us will generally govern that data unless we receive your consent to the new privacy policy. 

CONTACT INFORMATION

If you have any questions, concerns, or requests related to this Privacy Policy or our data handling practices, please contact us:

Email: fmohamed@note360.ai
Address: Plano, Texas, 75074