Privacy Policy
Effective May 31, 2026
Noeta ("we", "us", "our") provides ambient clinical documentation software for healthcare practices. This Privacy Policy explains how we collect and process personal data when you visit our website or use the Noeta application. It is written to satisfy the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and U.S. HIPAA obligations as a Business Associate to covered healthcare providers.
1. Who we are (Data Controller)
For the website and account data, Noeta is the Data Controller. For Protected Health Information (PHI) processed in connection with a clinical visit, the healthcare practice is the Controller and Noeta acts as a Processor / Business Associate under a signed Business Associate Agreement (BAA) and Data Processing Agreement (DPA).
Contact our Data Protection Officer: privacy@noetascribe.com
2. What we collect
- Account data: name, email, phone number, role, practice affiliation, password hash, MFA enrollment.
- Practice data: practice name, NPI, EIN, address, billing information.
- Clinical data (PHI): visit audio, transcripts, generated notes, patient identifiers — processed strictly under the practice's instructions per the BAA.
- Usage data: IP address, browser, pages viewed, interactions — collected only with your analytics consent.
- Cookies: see our Cookie Policy.
3. Legal bases (GDPR Art. 6)
- Contract: to provide the service you signed up for.
- Consent: for non-essential cookies and marketing communications.
- Legal obligation: tax, accounting, fraud prevention, HIPAA Security Rule.
- Legitimate interests: securing our platform, preventing abuse.
4. How we use data
- To deliver and improve the Noeta service.
- To process clinical recordings into structured notes, only on the practice's instructions.
- To bill, support, and communicate with you.
- To comply with legal and regulatory obligations.
We never sell personal data, never train third-party AI models on PHI, and never use clinical data for advertising.
5. Sub-processors
We use carefully vetted sub-processors (cloud hosting, transcription, payments, telephony). All sub-processors are bound by contracts with equivalent data protection terms and HIPAA BAAs where they handle PHI. The current list is available in our Data Processing Agreement.
6. Data retention
Clinical data is retained per the practice's configured retention policy (default: 7 years to align with U.S. medical record requirements). Account data is retained while your account is active and for 90 days after deletion for audit purposes. Marketing data is retained for 24 months from last interaction.
7. International transfers
Data is processed in the United States. For EU/UK transfers we rely on the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, supplemented by technical measures including encryption at rest and in transit.
8. Your rights
Under GDPR and CCPA you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data ("right to be forgotten")
- Restrict or object to processing
- Receive your data in a portable format
- Withdraw consent at any time
- Lodge a complaint with a supervisory authority
Exercise these rights from your Data Rights page or by emailing privacy@noetascribe.com. We respond within 30 days as required by GDPR Art. 12(3).
9. Security
We encrypt data at rest (AES-256) and in transit (TLS 1.2+), enforce MFA for all clinical accounts, log access to PHI, and undergo annual SOC 2 Type II and HIPAA audits.
10. Children
Noeta is not directed at children under 16. Pediatric clinical data is processed only under the supervision of a licensed clinician at a partner practice.
11. Changes
We will notify you of material changes via in-app banner and email at least 30 days before they take effect.
12. Contact
Noeta, Inc. — privacy@noetascribe.com
EU Representative: available on request.