Privacy Policy

GDPR, CCPA, and HIPAA compliant — governing how we collect, use, and protect your data.

1. Who We Are
2. Information We Collect
3. How We Use Your Information
4. Data Sharing & Disclosure
5. Protected Health Information (PHI)
6. Data Retention
7. Your Rights
8. Cookies & Tracking
9. Data Security
10. International Transfers
11. Children's Privacy
12. Changes to This Policy
13. Contact Us

1. Who We Are

MentraNote Inc. ("MentraNote", "we", "us", or "our") is the operator of the MentraNote EHR platform — an AI-powered electronic health record and practice management system for mental health professionals. Our registered address is in the State of Delaware, United States.

This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our platform. By using MentraNote, you consent to the practices described in this Policy.

2. Information We Collect

2.1 Information You Provide

• Account data: Name, email address, professional license number, specialty, phone number, profile photo.
• Practice data: Organization name, role, registration mode (independent or organization).
• Clinical data: Session notes, client records, appointments, treatment plans, and other documentation you create on the platform.
• Payment data: Billing information processed through Stripe (MentraNote does not store card numbers).
• Communications: Support tickets and messages you send to us.

2.2 Automatically Collected Information

• IP address, browser type and version, operating system.
• Usage data: pages visited, features used, session duration.
• Error and performance logs for platform stability and debugging.

3. How We Use Your Information

4. Data Sharing & Disclosure

We do not sell your personal information or PHI. We may share data only in the following limited circumstances:

• Service Providers: Stripe (payments), cloud infrastructure providers (hosting), AI providers (transcription and note generation) — all bound by data processing agreements.
• Legal Requirements: When required by law, subpoena, or court order.
• Business Transfers: In the event of a merger or acquisition, data may be transferred subject to equivalent privacy protections.
• With Your Consent: For any other purpose with your explicit written consent.

5. Protected Health Information (PHI)

MentraNote uses PHI solely to provide the services you have contracted for, for treatment, payment, or healthcare operations as permitted under HIPAA, and as required by law.

AI model training on PHI is strictly prohibited. Any AI improvement uses only aggregated, anonymized, de-identified data meeting the requirements of 45 C.F.R. §164.514.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. After account termination:

• Clinical records: Retained for a minimum of 7 years (or longer if required by applicable state law) from the date of last service.
• Account data: Deleted within 90 days of termination request.
• Audit logs: Retained for 6 years as required by HIPAA.
• Billing records: Retained for 7 years for tax and accounting purposes.

You can request a full data export at any time from your account settings before termination.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate personal data.
• Deletion: Request deletion of your personal data, subject to legal retention requirements.
• Portability: Receive your data in a machine-readable format.
• Objection/Restriction: Object to or restrict certain processing activities.
• Opt-Out of Sale (CCPA): California residents may opt out of the sale of personal information. MentraNote does not sell personal information.

To exercise your rights, contact us at privacy@mentranote.com. We will respond within 30 days.

8. Cookies & Tracking

MentraNote uses essential session cookies required for secure authentication (JWT tokens stored in HttpOnly cookies). We do not use advertising cookies, third-party tracking pixels, or behavioral analytics tools that would share your data with advertisers.

You may configure your browser to block cookies, but this may affect platform functionality.

9. Data Security

MentraNote implements HIPAA-required administrative, physical, and technical safeguards, including:

• AES-256 encryption at rest and TLS 1.3 in transit for all data.
• Role-based access controls (RBAC) restricting data access to authorized personnel only.
• Multi-factor authentication (2FA) support for all accounts.
• Comprehensive audit logging of all PHI access events.
• Regular vulnerability assessments and penetration testing.
• Incident response plan meeting HIPAA Breach Notification Rule requirements.

10. International Data Transfers

MentraNote stores data on servers located in the United States. If you access the platform from outside the United States, your data will be transferred to and processed in the US. We ensure such transfers comply with applicable privacy laws, including the GDPR Standard Contractual Clauses where applicable.

11. Children's Privacy

MentraNote is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately at privacy@mentranote.com.

12. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email to the address associated with your account and/or a prominent notice in the platform at least 30 days before taking effect. Continued use of the platform after the effective date constitutes acceptance of the updated Policy.

13. Contact Us

For privacy inquiries, data subject requests, or to report a potential breach:

• Privacy Officer: privacy@mentranote.com
• Compliance: compliance@mentranote.com
• General Legal: legal@mentranote.com

EU residents may also lodge a complaint with their local supervisory authority.