Supanote, Inc. (“Supanote,” “we,” “us”) operates an AI-powered operations platform built for behavioral health practices. This Privacy Policy describes how we collect, use, share, and protect information when you visit our marketing website at supanote.ai, sign up for our services, or use the Supanote platform.
We take privacy seriously because the practices we work with handle some of the most sensitive information in healthcare. This policy is written to be readable, but it is a legal document — if anything here is unclear, email us at hello@supanote.ai.
1. Our role in handling your information
When you visit our website or sign up directly, we act as the controller of the information you give us — meaning we decide why and how it gets used.
When our customer (a behavioral health practice) uses Supanote to manage patient operations, that practice acts as the covered entity under HIPAA and we act as their business associate. The practice controls what protected health information (“PHI”) enters the platform; we process that PHI strictly under the terms of a signed Business Associate Agreement (BAA).
2. Information we collect
2.1 Information you provide directly
- Account information — name, work email, role, practice name, and password when you create an account or request a demo.
- Billing information — billing contact, address, and payment details (handled by our payment processor; we do not store full card numbers).
- Communications — anything you send us by email, chat, or in support tickets.
2.2 Information we collect automatically
- Usage data — pages viewed, features used, actions taken inside the product, timestamps, approximate location derived from IP address.
- Device data — browser type, operating system, device identifiers, referring URL.
- Cookies and similar technologies — see Section 8.
2.3 Information we receive from your practice (PHI and customer data)
When a practice uses Supanote, the platform processes information their staff and patients provide — for example, call recordings, scheduling data, insurance details, clinical notes, claims data, and similar records. This information frequently includes PHI. We process it only to deliver the services the practice has contracted us to provide, and only as permitted by the BAA between us and the practice.
3. How we use information
We use the information we collect to:
- Operate, maintain, and improve the Supanote platform and our website.
- Provide customer support and respond to inquiries.
- Authenticate users, prevent fraud, and secure our systems.
- Send service notifications, security alerts, and administrative messages.
- Send marketing communications about Supanote, where you have opted in or where we are otherwise permitted to do so. You can unsubscribe at any time.
- Train, evaluate, and improve our AI models only on data we are contractually permitted to use for that purpose. We do not use PHI to train models that benefit other customers without explicit, written permission from the practice that owns the data.
- Comply with legal obligations and enforce our agreements.
4. Protected Health Information (HIPAA)
We act as a HIPAA business associate to the practices that use Supanote. That means:
- We sign a Business Associate Agreement with every practice before processing PHI.
- We use PHI only as the BAA permits — to perform the services contracted by the practice, for our own management and administration, and to carry out our legal responsibilities.
- We apply administrative, physical, and technical safeguards required by the HIPAA Security Rule, and we report security incidents and breaches as required.
- We do not sell PHI. We do not use PHI for marketing without written authorization from the patient (when required by the practice).
Patients should direct privacy questions to the practice that provides their care — the practice is the covered entity and controls PHI handling decisions.
5. Sub-processors and how we share
We use a small set of vetted vendors to operate the platform. We share only the information each vendor needs to perform their function, under contracts that require them to protect the information at least as strictly as we do. Our current production sub-processors include:
- Amazon Web Services (AWS) — cloud hosting and storage. PHI is stored in AWS data centers in the United States (us-east region).
- Additional sub-processors for payment processing, transactional email, customer support, and observability. The current list is available on request to hello@supanote.ai.
Beyond sub-processors, we may also share information:
- With your practice, when you are using Supanote as an end user of a practice account.
- To comply with law, valid legal process, or government requests — and we will push back on overbroad requests where appropriate.
- To protect the rights, property, or safety of Supanote, our customers, or others.
- In connection with a corporate transaction (merger, acquisition, financing) — in which case we will notify the practices whose data is affected.
6. Data security
Our security program is designed around HIPAA-level requirements: encryption of data in transit (TLS) and at rest, role-based access controls, audit logging of every access to PHI, mandatory security training for staff, vulnerability management, and incident response procedures. We undergo annual independent audits; our latest SOC 2 Type II report is available under NDA.
No system is impenetrable. If you believe your account or your practice’s data has been compromised, contact us immediately at hello@supanote.ai.
7. Data retention
We retain account and customer data for as long as the practice maintains an active Supanote subscription, plus a defined post-termination window agreed in the customer’s order form (typically 30 to 60 days) to allow data export. PHI retention follows the practice’s BAA and applicable law.
Marketing and website analytics data is retained for the period needed for the relevant purpose — typically not longer than 24 months.
8. Cookies and analytics
Our website uses cookies and similar technologies to keep you signed in, remember your preferences, measure performance, and understand how visitors use the site. Most browsers let you control cookies through their settings; disabling them may break parts of the site.
We may use first- and third-party analytics tools to understand site traffic. Where required by law, we will ask for your consent before setting non-essential cookies.
9. Your rights
Depending on where you live, you may have rights to access, correct, delete, port, or restrict how we process your personal information, and to object to certain processing. To exercise any of these rights, email hello@supanote.ai and we will respond within the timelines required by law.
If you are a patient of a practice that uses Supanote and want to exercise rights over your PHI, contact your practice directly — they are the covered entity and own those decisions. We will assist them as required by our BAA.
10. Children
Our website and the Supanote platform are not directed to children under 13, and we do not knowingly collect personal information from children through the marketing site. Practices that treat minor patients may process PHI about those patients under their own privacy practices; we handle that PHI under the BAA.
11. International data
Supanote operates in the United States and currently stores customer and PHI data in the US. If you access the platform from outside the US, you understand that your information will be transferred to and processed in the US, where data protection laws differ from those in your country.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page and, for material changes, notify customers by email or through the product. Continuing to use Supanote after the new policy takes effect means you accept the updated terms.
13. Contact
Supanote, Inc.
Delaware, USA
Email: hello@supanote.ai