Back
LeafNote

Privacy Policy

Last updated: March 5, 2026

1. Introduction

LeafNote Inc. (“LeafNote,” “we,” “us,” or “our”) is committed to protecting the privacy and security of your data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our clinical documentation platform.

2. Information We Collect

Account Information

  • Email address (for authentication and communication)
  • Full name (for account personalization)
  • Practice name (optional)
  • Payment information (processed by Stripe; we never store card numbers)

Clinical Data

  • PII-Scrubbed Session Notes: Raw session notes are processed through our client-side PII scrubber before any data leaves your browser. Only scrubbed text is transmitted to our servers.
  • AI-Generated SOAP Notes: The structured clinical notes produced by our AI system.
  • Patient Pseudonyms: Non-identifying labels you assign to organize records.

Usage Data

  • Page views and conversion events (via privacy-focused analytics)
  • Note generation counts
  • Subscription and billing events

3. Zero-Trust Data Architecture

LeafNote employs a Zero-Trust security model for clinical data:

  • Client-Side PII Scrubbing: Names, phone numbers, SSNs, email addresses, dates of birth, and physical addresses are automatically redacted in your browser before transmission.
  • Server-Side Validation: A secondary PII scrubbing pass runs server-side as a safety net.
  • AES-256-GCM Encryption: All clinical text is encrypted at the application level before database storage.
  • Row-Level Security: Database access is isolated per user — therapists can only access their own records.
  • Zero-Retention Transit: Clinical text exists only in memory during AI processing. No logging, no caching.

4. AI Data Processing

When you generate a SOAP note, your PII-scrubbed text is sent to Anthropic's Claude API for processing. We explicitly opt out of any AI model training on your data. Your clinical data is processed ephemerally and is not retained by the AI provider.

5. How We Use Your Information

  • To provide and maintain the clinical documentation service
  • To process your subscription and billing
  • To send transactional emails (welcome, password reset, billing)
  • To improve the platform based on aggregated, non-identifying usage metrics
  • To comply with legal obligations

6. Data Sharing

We do not sell your data. We share data only with:

  • Supabase: Database hosting (encrypted at rest, US-based data center)
  • Anthropic: AI processing (ephemeral, opted out of training)
  • Stripe: Payment processing (PCI DSS Level 1 compliant)
  • Vercel: Application hosting (SOC 2 compliant)

7. Data Retention

Your clinical data is retained as long as your account is active. Upon account deletion, we perform a soft delete with a 30-day grace period, after which data is permanently purged. You may request immediate data export at any time.

8. Your Rights

  • Access: You can view and download all your data via the dashboard export feature.
  • Correction: You can edit your profile and notes at any time.
  • Deletion: You can request full account and data deletion.
  • Portability: You can export your data in CSV format.

9. HIPAA Considerations

LeafNote is designed with HIPAA-conscious security measures. We implement technical safeguards including encryption, access controls, audit logging, and automatic session timeouts. A Business Associate Agreement (BAA) is available for enterprise customers upon request.

10. Analytics & Tracking

We use privacy-focused analytics to understand conversion flows. We explicitly disable all analytics, session recording, and keystroke tracking on clinical workspace pages to maintain our security guarantees.

11. Cookies

We use only essential cookies required for authentication and session management. We do not use advertising cookies or cross-site tracking.

12. Data Residency

All clinical data is stored in US-based data centers (AWS us-east-1). We do not transfer clinical data outside the United States.

13. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email at least 30 days in advance.

14. Contact

For privacy inquiries or data requests, contact us at privacy@leafnote.ai.