Privacy Policy for Mednotes

Last updated: 26.03.2026

Data controller: Carenode AS (org. no. 937 064 845)

Contact: samuel@trale.ai

1. Introduction

Carenode AS ("we", "us" or "our"), which owns and operates Mednotes, is committed to protecting your privacy. This privacy policy explains how we collect, process and protect personal data when you use our service ("Mednotes" or the "Service").

We comply with the Norwegian Personal Data Act and the EU General Data Protection Regulation (GDPR). If you have any questions, please contact us at samuel@trale.ai.

2. What data we collect and why

We process personal data in order to deliver and improve Mednotes. This includes the following categories:

When you use the service

User information:

Name, email address, telephone number and clinic affiliation are registered when you create an account after BankID authentication. This is used to identify you as an authorised healthcare professional and to grant access to the service.

Audio recordings:

When you start a consultation or dictation, your microphone is activated locally. The audio file is sent to our own transcription service, hosted within the EU. The audio recording is deleted immediately after transcription.

Transcription and clinical notes:

The transcription and the AI-generated clinical note (and any referral) are stored temporarily in our database (hosted in the EU) and are available to you for 24 hours. They are then automatically deleted.

Carenode also processes content generated by the user (transcription and notes) as a data processor on behalf of you as the practitioner. This is regulated through the data processing agreement, which forms part of our terms of use.

When you visit mednotes.no

We do not collect IP addresses, browser information or other visitor data for analytical purposes. Mednotes does not use cookies, analytics tools or third-party tracking.

3. Data retention

We retain personal data for the following periods:

  • Audio recordings: Deleted immediately after transcription is completed.
  • Transcription and clinical notes: Stored for up to 24 hours after the recording ends. Both the transcription and clinical note are then automatically and permanently deleted.
  • User profile and contact information: Stored as long as the account is active, or until the user requests deletion.
  • Other technical and administrative data: Stored only where necessary to fulfil legal obligations or ensure stable operation of the service.

4. Data location and transfers

All processing and storage of transcriptions, clinical notes and associated data takes place exclusively within the EU/EEA. Mednotes never transfers data outside this area.

5. Sub-processors (data processors)

We use trusted sub-processors to deliver the service in a safe and reliable manner. All sub-processors operate within the EU/EEA and are subject to data processing agreements that ensure personal data is processed in accordance with applicable data protection legislation (GDPR).

A complete list of our sub-processors is available at the bottom of this page.

6. Security measures

We take security and privacy seriously and employ the following measures to protect your data:

  • Encryption: All data is encrypted at rest with AES-256 and in transit via TLS. This is provided as part of our underlying infrastructure (Supabase and other EU-hosted services).
  • Access control: Only authorised personnel with a legitimate need have access to personal data.
  • Monitoring and security reviews: We conduct regular technical maintenance and security assessments to ensure the integrity of the service.
  • Breach handling: In the event of a data breach, we will notify the relevant supervisory authorities and affected users within 72 hours, in accordance with GDPR.

7. Your rights

As a data subject, you have rights under the General Data Protection Regulation (GDPR). You may exercise the following rights at any time:

  • Access: Request access to the personal data we process about you.
  • Rectification: Request that we correct inaccurate or incomplete data.
  • Erasure: Request deletion of your data (unless we are legally obliged to retain it, e.g. under accounting legislation).
  • Data portability: Request that the data we hold about you be provided in a structured, machine-readable format.
  • Withdraw consent: You may withdraw your consent at any time where consent is the legal basis for processing.

To exercise your rights, contact us at: samuel@trale.ai

You also have the right to lodge a complaint with the Norwegian Data Protection Authority if you believe our processing is in breach of the regulations. More information can be found at www.datatilsynet.no.

8. Cookies and tracking

Mednotes currently does not use cookies, analytics tools or any other form of tracking on our website or in the service.

Should this change in the future, we will:

  • Inform all users in advance.
  • Only use necessary and possibly analytical cookies in accordance with applicable regulations.
  • Ensure consent-based use of non-essential cookies, as required by the ePrivacy Directive and GDPR.

9. Changes to the privacy policy

This privacy policy may be updated as needed, for example in the event of changes to the service, legislation or our internal procedures. In the event of material changes, we will notify users through the website or by email where appropriate.

The date of the last update will always appear at the top of the policy.

10. Contact information

If you have questions, concerns or wish to exercise your rights in connection with this privacy policy, you can contact us:

Email: samuel@trale.ai

Technical support: mb@reodorstudios.com

11. Sub-processors

To deliver our services, we use trusted sub-processors. These parties assist with infrastructure, functionality and data processing, and have entered into separate data processing agreements that ensure all processing is carried out in accordance with GDPR and other relevant legislation.

Provider | Function | Location | Legal basis (GDPR)
---------|----------|----------|-------------------
Supabase | Authentication and database | Sweden | Art. 6(1)(b) – Contract
Gladia | Hosting and transcription | France | Art. 6(1)(b) – Contract
Azure OpenAI | Clinical note generation (GPT) | EU | Art. 6(1)(b) – Contract
Criipto | BankID authentication | Denmark | Art. 6(1)(b) – Contract
Resend | Email delivery | Ireland | Art. 6(1)(a)/(f) – Consent / Legitimate interest
Vercel | Hosting and performance optimisation | Stockholm, EU | Art. 6(1)(f) – Legitimate interest
Anthropic | Clinical note generation (Amazon Bedrock) | EU North-1 | Art. 6(1)(b) – Contract
Leyr | Integration service | EU | Art. 6(1)(b) – Contract
Intercom | Customer support (contact data: name, email, profession, workplace, language) | Ireland, EU | Art. 6(1)(f) – Legitimate interest