Loading
MentraNote is committed to protecting your privacy and the privacy of your clients. This policy explains how we collect, use, and protect your data under GDPR, CCPA, and HIPAA.
MentraNote Inc. ("MentraNote," "we," "us," or "our") is a Delaware corporation that operates an AI-powered mental health electronic health record (EHR) platform. Our registered address and principal place of business is in the United States. MentraNote acts as a data controller with respect to account and usage data of clinicians and organization administrators, and as a data processor (or Business Associate under HIPAA) with respect to Protected Health Information (PHI) uploaded by Subscribers.
For questions or concerns about this Privacy Policy or our data practices, please contact our Privacy Team at privacy@mentranote.com or our general support at support@mentranote.com.
This Privacy Policy applies to:
This Policy does not apply to the clinical data of patients/clients whose information is processed by MentraNote on behalf of Subscribers. Such data is governed by the applicable BAA and relevant state and federal health privacy laws, including HIPAA. Patients seeking information about how their therapist or healthcare provider handles their records should contact their provider directly.
When you register for a MentraNote account, we collect: full legal name, email address, professional license number and issuing state, professional title/role, organization affiliation (if applicable), phone number (optional for SMS notifications), and password (stored as a bcrypt hash — never in plaintext).
We collect information necessary to process your subscription, including billing address, subscription plan, and billing cycle. Payment card processing is handled exclusively by Stripe, Inc. MentraNote does not receive, store, or process raw payment card numbers, CVVs, or full card data. We receive only tokenized references and last-four-digit summaries from Stripe for account management purposes.
Subscribers may upload, create, or generate clinical data on the Platform, which may constitute Protected Health Information (PHI) under HIPAA, including: client demographic information, session notes, treatment plans, diagnoses, session recordings, transcripts, AI-generated notes, assessments, and other clinical documentation. This data is processed solely as directed by the Subscriber under our BAA and applicable law.
We automatically collect technical information when you use the Platform, including: IP address, browser type and version, operating system, device identifiers, pages visited and features used, timestamps of access, referring URLs, session duration, and error logs. This information is used for security, troubleshooting, and improving Platform performance.
If you contact our support team, submit a bug report, or communicate with MentraNote by email or through in-app channels, we collect and retain those communications to resolve your inquiry, improve our services, and for legal compliance purposes.
We use cookies and similar tracking technologies as described in Section 9 of this Policy.
| Data Category | Examples | Retention Period | Is it PHI? |
|---|---|---|---|
| Account Data | Name, email, license number | Duration of account + 5 years | No |
| Payment Data | Billing address, Stripe token | 7 years (tax compliance) | No |
| Clinical Data | Session notes, transcripts, assessments | Per BAA; deleted 30 days after account closure | Yes |
| Session Recordings | Video/audio recordings | 365 days from recording date | Yes |
| Usage & Technical Data | IP address, access logs | 90 days rolling | No |
| Support Communications | Emails, chat transcripts | 3 years from last interaction | No |
| Cookie Data | Session tokens, preferences | Session or up to 12 months | No |
MentraNote uses collected data for the following purposes:
We will not use your data for any purpose that is incompatible with the purposes described above without your prior notice and, where required, consent.
For users located in the European Economic Area (EEA), the United Kingdom, or Switzerland, MentraNote processes personal data on the following legal bases:
MentraNote retains data for the minimum period necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are:
After the applicable retention period expires, data is securely deleted or anonymized using industry-standard methods.
We do not sell, rent, or trade your personal data or PHI to any third party for any purpose.
MentraNote may share your data with third parties only in the following limited circumstances:
We never share PHI with advertisers, data brokers, analytics companies (other than de-identified aggregated data), or any entity that would use it for commercial profiling purposes.
MentraNote uses the following vetted sub-processors to deliver the Platform. Each sub-processor has executed appropriate data protection agreements and, where applicable, HIPAA Business Associate Agreements:
| Sub-Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, databases, object storage | All data (encrypted at rest) | US-East (Virginia) |
| Stripe, Inc. | Payment processing | Billing info, payment tokens | USA / Global |
| OpenAI / Groq | AI note generation | De-identified/sanitized transcripts | USA |
| Jitsi / 8x8 | Video session infrastructure | Video/audio streams (E2E encrypted) | USA / EU |
| Resend / SendGrid | Transactional email delivery | Email address, notification content | USA |
| Redis Labs / Upstash | Session management, token revocation | Session tokens (no PHI) | USA |
We review sub-processor security practices annually. We will notify Subscribers of any material changes to our sub-processor list with 30 days' prior notice. An up-to-date list of sub-processors is available on request at privacy@mentranote.com.
MentraNote does not use advertising cookies, retargeting cookies, or any cookies that track your activity across third-party websites for commercial purposes. We do not allow third-party advertisers to place cookies on the Platform.
You can manage or delete non-essential cookies through your browser settings. Disabling strictly necessary cookies will impair the functionality of the Platform. For cookie-specific preferences, you may also use the cookie preference center available at the bottom of our public website pages.
When you use AI Features on the Platform (such as AI note generation, session transcript analysis, or clinical insights), the following data handling practices apply:
If you are located in the EEA, United Kingdom, or Switzerland, you have the following rights with respect to your personal data under the General Data Protection Regulation (GDPR) and applicable national implementing legislation:
To exercise any of these rights, submit a written request to privacy@mentranote.com. We will respond within 30 days of receipt. We may require identity verification before processing your request.
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights:
To exercise your CCPA/CPRA rights, submit a verifiable consumer request to privacy@mentranote.com. We will respond within 45 days, with an extension of up to 45 additional days where reasonably necessary.
Note regarding medical information: PHI and medical information collected in the context of clinical care may be exempt from certain CCPA/CPRA provisions where covered by HIPAA or CMIA (California Confidentiality of Medical Information Act).
If you are a patient or client whose records are stored on the MentraNote Platform by your therapist or healthcare provider, your HIPAA privacy rights are primarily governed by your provider's Notice of Privacy Practices, not this Policy. MentraNote processes your information as a Business Associate acting on behalf of your provider (the Covered Entity). To exercise HIPAA rights (such as access, amendment, or restriction of your health records), please contact your therapist or healthcare provider directly.
For more information about how MentraNote handles PHI, see our HIPAA Notice of Privacy Practices.
MentraNote implements industry-leading security measures to protect your data, including:
Despite these measures, no method of transmission or storage is 100% secure. In the event of a security incident, we will follow our Breach Notification Protocol as described in Section 15.
In the event of a data breach involving unsecured PHI or personal data, MentraNote will:
MentraNote's servers are located in the United States (AWS US-East region). If you access the Platform from outside the United States, your data will be transferred to, stored in, and processed in the United States. The U.S. may have different data protection standards than your country of residence.
For EEA/UK users, where personal data is transferred to the U.S., MentraNote relies on: (a) Standard Contractual Clauses (SCCs) approved by the European Commission; and/or (b) adequacy decisions where applicable. A copy of the applicable transfer mechanisms is available upon request at privacy@mentranote.com.
The MentraNote Platform is not directed to children under the age of 13 (or 16 in the EEA), and we do not knowingly collect personal data from children under these ages. The Platform is designed for use by adult licensed mental health professionals. If you believe that we have inadvertently collected information from a minor, please contact us immediately at privacy@mentranote.com.
Note: Therapists may lawfully store session notes relating to minor clients in the Platform as part of their clinical practice. Such data is subject to HIPAA, applicable state minor privacy laws, and the BAA, and is processed on behalf of the clinician Subscriber (the Covered Entity).
MentraNote reserves the right to update this Privacy Policy at any time. We will provide notice of material changes by: (a) posting an updated version of the Policy on the Platform with a revised "Effective Date"; (b) sending an email notification to the address on your account at least 30 days before material changes take effect; and (c) displaying a prominent in-app notification.
Your continued use of the Platform after the effective date of any change constitutes your acceptance of the updated Policy. If you object to any changes, your sole remedy is to discontinue use of the Platform and close your account before the effective date of the change.
For questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:
MentraNote Inc. — Privacy Team
Privacy Email: privacy@mentranote.com
Compliance: compliance@mentranote.com
General Support: support@mentranote.com
Legal: legal@mentranote.com
EEA users may also contact the supervisory authority in their EU member state. UK users may contact the Information Commissioner's Office (ICO) at ico.org.uk. We aim to respond to all privacy requests within 30 days.