Privacy Policy
Last updated: May 11, 2026
1. Introduction
SOAP Note Buddy ("we," "our," or "us"), operated by Keyes LLC, is committed to protecting the privacy and security of your information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our products, including:
- SOAP Note Buddy iOS app (App Store)
- SOAP Note Buddy Android app (Google Play)
- SOAP Note Buddy Chrome extension (Chrome Web Store)
- SOAP Note Buddy Safari extension (Mac App Store)
- The soapnotebuddy.com web app and account dashboard
2. Information We Collect
2.1 Patient Information (Local-First Storage)
SOAP Note Buddy is a local-first product. Patient names, evaluation summaries, daily clinical notes, and treatment information that you enter are stored on your own device (browser IndexedDB for extensions, on-device SQLite for the iOS and Android apps). This data is not transmitted to our servers as part of normal operation.
2.2 Cloud-Cached Recent Notes
To support recovery and sync, the iOS and Android apps temporarily cache the user's most recent note artifacts in secure cloud storage (Google Cloud Firestore under our HIPAA BAA):
- The last AI-generated clinical note
- The last voice transcription
- The last note text submitted for AI generation
Voice recordings themselves are processed in real time for transcription and immediately deleted after processing; we do not retain raw audio. Older cached note artifacts are overwritten by the next note you produce.
2.3 Account Information
- Email address
- Name
- Billing information (processed securely by Stripe)
2.4 Usage Data
- Extension usage statistics
- Error logs (with PHI removed)
- Feature usage analytics
3. How We Use Your Information
We use your information to:
- Provide AI-powered clinical note generation
- Store patient data locally in your browser
- Process subscription payments
- Send service-related communications
- Improve our services
- Comply with legal obligations
4. HIPAA Compliance & PHI Protection
4.1 Data Storage by Product
Chrome and Safari Extensions: All patient data (names, evaluations, clinical notes) is stored locally in your browser using IndexedDB. We do not store this data on our servers.
iOS and Android Apps: Patient data is stored on-device using SQLite. Only the most recent AI-generated note, voice transcription, and submitted note text are cached in Google Cloud Firestore (under our HIPAA BAA) to support recovery and sync; each is overwritten by the next note you produce. Voice recordings are processed in real time and immediately deleted after transcription.
4.2 PHI Scrubbing
Before any text is sent to our AI service for note generation (in the Chrome Extension), all Protected Health Information (PHI) is automatically removed using our proprietary scrubbing technology, including:
- Patient names
- Dates of birth
- Phone numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Addresses
4.3 HIPAA Safeguards
- End-to-end encryption for all data transmission
- Secure authentication via Firebase
- Google Cloud infrastructure with HIPAA BAA coverage
- Voice recordings deleted immediately after transcription
- Regular security audits
5. Data Sharing & Disclosure
5.1 Third-Party Services
We use the following third-party services:
- Firebase (Google) - Authentication and user account data
- Google Cloud Firestore - Secure storage for Voice Scribe data (patient names and note summaries)
- Stripe - Payment processing (PCI-DSS compliant)
- Google Vertex AI with Assured Workloads - HIPAA-compliant AI content generation. Our Google Cloud project is enrolled in the Healthcare and Life Sciences Controls compliance regime. To ensure reliable service during periods of high demand, Vertex AI requests are routed through Google's global endpoint, which means AI processing may occur in Google Cloud data centers outside the United States. All such processing is covered by Google Cloud's Business Associate Agreement.
- Google Cloud Speech-to-Text - Voice transcription for Voice Scribe
- Google Cloud Platform - Infrastructure hosting with HIPAA BAA
5.2 No Sale of Data
We do not sell, rent, or trade your personal information or patient data to third parties.
5.3 Legal Requirements
We may disclose information if required by law, court order, or governmental request, or to protect our rights and safety.
6. Data Retention & Deletion
- On-Device Patient Data (extensions and apps): Stored locally on your device until you delete it
- Cloud-Cached Recent Notes: Only the most recent AI-generated note, voice transcription, and submitted note text are cached; each is overwritten by the next note you produce, and all are erased when you delete your account
- Voice Recordings: Deleted immediately after transcription (raw audio is never retained)
- Account Data: Retained while your account is active; permanently deleted on request (see below)
- Anonymized Audit Logs (no PHI): Retained for 6 years to comply with HIPAA Security Rule § 164.316(b)(2)(i), then permanently purged
- Billing Records: Retained for 7 years for US tax and accounting compliance
6.1 Deleting Your Account
You can permanently delete your account and all associated data at any time. See https://soapnotebuddy.com/delete-account/ for step-by-step instructions, including in-app deletion options for the iOS app, Android app, Chrome extension, and Safari extension, as well as an email request option. The page also lists exactly what data is deleted and what minimal data is retained for legal compliance.
6.2 Deleting Specific Data Without Closing Your Account
You can delete individual patients, individual notes, and individual voice transcriptions from within the app or extension at any time, without deleting your account.
7. Your Rights
You have the right to:
- Access your personal information
- Correct inaccurate information
- Delete your account and data (see soapnotebuddy.com/delete-account)
- Delete specific patients, notes, or transcriptions without closing your account
- Export your data
- Opt-out of marketing communications
- Withdraw consent at any time
8. Data Security
We implement industry-standard security measures:
- TLS/SSL encryption for all data in transit
- Encrypted storage for sensitive data
- Regular security updates and patches
- Access controls and authentication
- Regular security audits
9. Children's Privacy
Our service is not intended for individuals under 18 years of age. We do not knowingly collect information from children.
10. International Data Transfers
Your data may be processed in the United States and other countries where our service providers operate. Specifically, AI content generation via Google Vertex AI uses a global endpoint for availability, and individual requests may be processed in Google Cloud regions outside the United States. All such processing remains under Google's HIPAA Business Associate Agreement and applicable data protection safeguards.
11. Changes to This Privacy Policy
We may update this Privacy Policy periodically. We will notify you of significant changes via email or through the extension. Continued use after changes constitutes acceptance of the updated policy.
12. California Privacy Rights (CCPA)
California residents have additional rights under the California Consumer Privacy Act:
- Right to know what personal information is collected
- Right to know if personal information is sold or disclosed
- Right to opt-out of the sale of personal information (we do not sell data)
- Right to deletion
- Right to non-discrimination
13. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us:
Email: [email protected]
Website: https://soapnotebuddy.com