Privacy Policy
Last updated: 24 March 2026. This policy explains how Clinote collects, uses, stores, and protects your information.
Short version: We store the minimum data needed to run the service. All consultation audio, transcriptions, and generated notes are automatically and permanently deleted after 24 hours. We do not sell your data. Ever.
1. Who We Are
Clinote ("we", "us", "our") is an AI-assisted clinical documentation service operating from New Zealand at clinote.net. We are subject to the Privacy Act 2020 (NZ) and the Health Information Privacy Code 2020.
For privacy enquiries, contact us at [email protected].
2. What Information We Collect
Information you provide directly
| Data type | Purpose | Retention |
|---|---|---|
| Name and email address | Account creation, login, communications | Until account deletion |
| Password (hashed) | Authentication. We use bcrypt hashing and never store your plain-text password. | Until account deletion |
| Consultation audio | Transcription via OpenAI. Stored temporarily on our servers during processing. | Deleted within 24 hours |
| Transcription text | Generation of clinical notes | Deleted within 24 hours |
| Generated clinical notes | Display and download by you | Deleted within 24 hours |
| Custom note templates | Saved to your account for reuse | Until you delete them or close your account |
| Payment method token | Recurring billing. Stored as a Stripe token only. We never see or store your full card number. | Until subscription cancellation |
Information collected automatically
| Data type | Purpose | Retention |
|---|---|---|
| IP address and user agent | Security, fraud prevention, session management | 30 days in server logs |
| Usage data | Consultation counts for billing plan enforcement | Reset monthly, retained for billing records |
| Billing events | Audit trail of charges, upgrades, cancellations | 7 years (financial records obligation) |
3. How We Use Your Information
We use your information only for the following purposes:
- To provide the Clinote service, including processing audio, generating notes, and displaying them to you.
- To manage your account, authenticate you, and communicate with you about your account.
- To process payments and manage your subscription.
- To send transactional emails including receipts, payment failure notifications, and password resets.
- To enforce our Terms and Conditions and detect or prevent fraudulent or abusive use.
- To improve the Service based on aggregate, anonymised usage patterns.
We do not use your consultation content, transcriptions, or clinical notes to train AI models. We do not use your data for targeted advertising. We do not sell your data to any third party.
4. Data Retention
All consultation audio, transcriptions, and generated notes are automatically and permanently deleted from our servers 24 hours after they are created. You can also delete them manually at any time from your dashboard.
We have designed this 24-hour automatic deletion specifically to minimise the period during which consultation data containing potential patient information is held on our systems. This is a deliberate privacy-first design decision.
If you wish to retain a copy of your notes, you should download, copy, email, or print them before the 24-hour window expires. Once deleted, we cannot recover them.
Account data (your name and email) is retained for as long as you maintain an account. On account deletion, your personal data will be removed within 30 days. Billing records are retained for 7 years in accordance with financial record-keeping obligations.
5. Third-Party Services
We use the following third-party services to operate Clinote. Each is bound by its own privacy policy:
| Provider | Purpose | Data shared |
|---|---|---|
| OpenAI (openai.com) | Audio transcription and clinical note generation via their API | Consultation audio and transcription text. OpenAI's API data usage policy applies. |
| Stripe (stripe.com) | Payment processing and card storage | Name, email, payment card details. Stripe is PCI-DSS compliant. |
| Your SMTP provider | Transactional email delivery | Your name and email address for transactional messages only |
We do not share your data with any other third parties, advertising networks, data brokers, or analytics platforms.
International transfers
OpenAI and Stripe operate servers outside New Zealand. By using Clinote you acknowledge that your audio, transcription data, and payment information are processed in overseas jurisdictions. Both providers are signatories to appropriate data protection frameworks. We have taken reasonable steps to ensure they provide an adequate level of protection for your information.
6. Patient Data and Health Information
Clinote processes recordings that may contain health information about third parties (your patients). As the user of the Service you are the data controller for any patient information included in your recordings. We act as a data processor on your behalf.
You are responsible for:
- Obtaining any consent required from patients before recording a consultation.
- Ensuring your use of Clinote complies with the Health Information Privacy Code 2020 and the Privacy Act 2020.
- Complying with any obligations under your professional registration, employer policies, or the Code of Health and Disability Services Consumers' Rights.
- Ensuring patient information is handled appropriately after it is retrieved from Clinote, including storage in secure clinical systems.
We recommend minimising the amount of patient-identifiable information in recordings where possible. Consider using patient reference numbers or initials rather than full names.
Given the sensitive nature of health information, we have implemented the 24-hour automatic deletion policy specifically to limit the window during which this data is retained on our systems.
7. Security
We take reasonable steps to protect your information from unauthorised access, use, or disclosure. Our security measures include:
- HTTPS encryption for all data in transit.
- Passwords stored using bcrypt hashing with a per-user salt.
- CSRF token protection on all state-changing requests.
- Audio upload directories protected from direct web access.
- Payment card data handled entirely by Stripe and never stored on our servers.
- Automatic deletion of consultation data after 24 hours.
No method of electronic transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify you as required by the Privacy Act 2020.
8. Your Rights
Under the Privacy Act 2020 you have the right to:
- Access the personal information we hold about you.
- Correct any personal information that is inaccurate or outdated.
- Delete your account and personal information (subject to retention obligations).
- Object to or restrict certain processing of your information.
- Portability of your account data in a commonly used format on request.
To exercise any of these rights, contact us at [email protected]. We will respond within 20 working days as required by the Privacy Act.
If you believe we have breached your privacy rights, you may also complain to the Office of the Privacy Commissioner at privacy.org.nz.
9. Cookies and Tracking
Clinote uses a session cookie to keep you logged in during your visit. This cookie is essential for the Service to function and is deleted when you log out or close your browser session.
We do not use advertising cookies, third-party tracking cookies, or behavioural analytics cookies. If you use the optional Meta Pixel integration (available to users who choose to enable it for their own advertising purposes) that is governed by Meta's own privacy policy.
10. Children
Clinote is intended for use by healthcare professionals and is not directed at or designed for use by anyone under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact us at [email protected] and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the law, our practices, or the Service. We will notify registered users of material changes by email at least 14 days before they take effect.
The current version is always available at clinote.net/privacy.php. The date at the top of this page indicates when it was last updated.
12. Contact and Complaints
For any privacy-related questions, requests, or complaints:
Clinote Privacy
Email: [email protected]
Website: clinote.net
If you are not satisfied with our response to a complaint, you have the right to refer the matter to the Office of the Privacy Commissioner of New Zealand:
www.privacy.org.nz
Phone: 0800 803 909 (NZ only)