Privacy Policy
Last updated on
17 Mar 2026
Introduction
Cortexa Note (“we,” “us,” or “our”) values your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, store, and protect your information when you use our smart recording pen and mobile applications (iOS and Android) (collectively, the “Services”), visit our website at https://cortexanote.com, or interact with us in any way.
Please read this Privacy Policy carefully before using our Services. By using our Services, you agree to the collection and use of information in accordance with this policy. We will not collect, use, or share your personal data until you have reviewed and explicitly consented to this Privacy Policy within the app.
We collect the following types of personal information:
- Basic Information: Name, email address, contact information
- Account Information: User credentials, account settings
- Patient Information: Patient names and identifiers you create within the app to associate with visit records
- Device Information: Device ID, operating system, hardware model
- Usage Information: How you use our Services, including recording patterns and interaction with features
- Audio Recordings: Voice recordings of medical consultations you create using our smart recording pen, transmitted to the mobile app via Bluetooth or Wi-Fi
- Transcription Data: Text generated from your audio recordings through speech-to-text processing
- Medical Information: Medical conversation summaries (such as SOAP notes) and structured data derived from your recordings
2. How We Collect Your Data
- Audio recordings are captured by the Cortexa Note smart recording pen and transmitted to the mobile app via Bluetooth or Wi-Fi.
- Account and patient information is provided directly by you through the app interface.
- Device information and usage data are collected automatically when you use the app.
- Transcription data and medical summaries are generated by processing your audio recordings and transcription text through third-party AI services as described below.
When you use our Services, we automatically collect:
- Log data
- Device information
- Usage statistics
- Performance data
- Location information (if permitted)
We use your information for the following purposes:
- Provide Our Services:
  - Upload your audio recordings to our secure cloud infrastructure for processing
  - Convert your audio recordings to text using third-party speech-to-text services
  - Generate SOAP notes and medical summaries using third-party AI models
  - Associate transcriptions and summaries with patient visit records you create
  - Maintain and improve our Services
- Service Improvement:
  - Enhance transcription accuracy
  - Improve user experience
- Communication:
  - Respond to your inquiries
  - Send service updates
  - Provide customer support
Third-Party AI Services and Data Sharing
To provide our core Services, your data is processed by the following third-party AI services. We will obtain your explicit consent before any data is shared with these services.
1. Deepgram (Speech-to-Text Transcription)
- Data sent: Audio recordings of medical consultations
- Purpose: Transcribe audio recordings into text using Deepgram’s medical speech recognition models
- Data handling: Audio data is processed by Deepgram and transcribed text is returned to our servers. We have executed a HIPAA Business Associate Agreement (BAA) with Deepgram, ensuring they are contractually obligated to protect your data in compliance with HIPAA regulations.
- Compliance information: Deepgram Trust & Security
2. Google Cloud Vertex AI — Gemini (AI Summarization)
- Data sent: De-identified transcription text (with patient Protected Health Information filtered and de-identified)
- Purpose: Generate structured medical summaries such as SOAP notes from transcription text using Google’s Gemini model on Vertex AI
- Data handling: Transcription text is sent to Google Cloud’s Vertex AI platform for processing. Summaries are returned to our servers. We have executed a HIPAA Business Associate Agreement (BAA) with Google Cloud, ensuring they are contractually obligated to protect your data in compliance with HIPAA regulations.
- Compliance information: Google Cloud Trust Center
- Data sent: Audio recordings (temporary storage)
- Purpose: Temporary secure cloud storage for audio files and serverless processing (Cloud Run) to orchestrate transcription workflows
- Data handling: Audio files are temporarily stored in Google Cloud Storage and permanently deleted after successful transcription. Cloud Run functions coordinate the data flow between services. We have executed a HIPAA Business Associate Agreement (BAA) with Google Cloud.
- Compliance information: Google Cloud Trust Center
4. Render (Backend Application Hosting)
- Data sent: Account information, patient records, transcription text, medical summaries, and all application data
- Purpose: Hosting our backend web services (FastAPI), PostgreSQL database, and Redis cache that power the Cortexa Note platform
- Data handling: All persistent application data — including user accounts, patient records, transcription text, and generated medical summaries — is stored and processed on Render’s HIPAA-compliant infrastructure. We have executed a HIPAA Business Associate Agreement (BAA) with Render, ensuring they are contractually obligated to protect your data in compliance with HIPAA regulations.
- Compliance information: Render Trust Center
Data Protection by Third Parties
All third-party service providers listed above:
- Have signed HIPAA Business Associate Agreements (BAAs) with us
- Are contractually required to provide the same or greater level of data protection as described in this Privacy Policy
- Are prohibited from using your data for any purpose other than providing services to us
- Implement industry-standard encryption, access controls, and security measures
User Consent for Data Sharing
Before any of your data is shared with third-party AI services, we will:
- Clearly disclose what data will be sent (audio recordings, transcription text)
- Identify which third-party service will receive the data (Deepgram, Google Cloud Vertex AI)
- Request your explicit permission through an in-app consent prompt before any data transmission occurs
You may withdraw your consent at any time through the app settings. Withdrawing consent will prevent further data sharing with third-party AI services, but may limit the functionality of the Services.
Data Storage, Retention, and Security
We implement appropriate technical and organizational measures to protect your information:
- Encryption: All data is encrypted in transit (TLS) and at rest
- PHI De-identification: Patient Protected Health Information (PHI) is filtered and de-identified before being sent to AI summarization services
- Audio file deletion: Original audio files are permanently deleted from both the mobile app and cloud storage immediately after successful transcription
- Secure cloud infrastructure: All data is hosted on HIPAA-compliant infrastructure provided by Google Cloud Platform and Render
- Access controls: Role-based access controls and multi-factor authentication
- Regular security audits: Periodic security assessments and penetration testing
- Regular backup procedures: Encrypted backups with controlled access
Data Sharing and Disclosure
Beyond the third-party AI services described above, we may share your information with:
- Legal Requirements: When required by law, regulation, or legal process, or to protect our rights
- Business Transfers: In connection with a merger, acquisition, or sale of assets, with prior notice to you
We do not sell your personal information to third parties. We do not use your data for advertising purposes.
Your Rights and Choices
You have the right to:
- Access your personal information
- Correct inaccurate data
- Request deletion of your data
- Export your data
- Opt out of certain data processing activities
- Withdraw consent for third-party data sharing at any time
- Be informed about what data is shared and with whom before it is shared
To exercise these rights, contact us at contact@cortexanote.com.
Children’s Privacy
Our Services are not intended for children under 13. We do not knowingly collect information from children under 13.
Data Location and International Data Transfers
All data is stored and processed on servers located within the United States. Our infrastructure providers — Google Cloud Platform, Render, and Deepgram — all host our services in U.S.-based data centers.
For Users Outside the United States
If you access or use our Services from outside the United States, please be aware that:
- Cross-border transfer: Your data will be transferred to and processed in the United States. By using our Services, you explicitly consent to this transfer.
- U.S. data protection laws: Your data will be subject to U.S. federal and state data protection laws, which may differ from the laws of your country or region.
- European Economic Area (EEA) / United Kingdom (UK) users: If you are located in the EEA or UK, the transfer of your data to the United States is conducted on the basis of your explicit consent under Article 49(1)(a) of the GDPR. You have the right to withdraw this consent at any time by discontinuing use of the Services and contacting us to request data deletion.
- Other regions: If you are located in a jurisdiction with data localization or cross-border transfer requirements (e.g., Canada’s PIPEDA, Australia’s Privacy Act, Japan’s APPI, China’s PIPL), you acknowledge and consent to your data being transferred to and stored in the United States. We encourage you to review your local data protection laws before using our Services.
- Safeguards: Regardless of your location, all data is protected by the same technical and organizational security measures described in this policy, including encryption in transit and at rest, HIPAA-compliant infrastructure, and Business Associate Agreements with all service providers.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page, updating the “Last Updated” date, and notifying you through the app. Continued use of the Services after changes constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy, please contact us at:
Email: contact@cortexanote.com
Website: https://cortexanote.com
Governing Law
This Privacy Policy is governed by the laws of the United States.