Compliance with Australian Privacy Principles

This document outlines how NoteMate (ABN 33 659 424 629) ("NoteMate", "we", "us", or "our") complies with the Australian Privacy Principles (APPs) under the Privacy Act 1988.

1. Data Architecture Foundation

1.1 Zero-Knowledge Architecture

Our compliance is built on a zero-knowledge architecture where:

1. The application cannot access or decrypt your sensitive clinical content

2. Clinical documentation is stored locally on your device

3. Content is temporarily transmitted for processing (transcription and generation)

4. We maintain only essential operational data and templates

1.2 Data Categories

We handle three distinct categories of data:

1. Authentication Data (via Clerk):

   • User authentication data

   • Security settings

   • Account management

   • Multi-factor authentication settings

2. Operational Data (via Redis in Australia):

   • Usage limits and quotas

   • Rate limiting data

   • Application metrics

   • Template storage and management

3. Processing Data (Temporary):

   • Audio recordings for transcription

   • Text for document generation

   • Transmitted securely and immediately discarded after processing

2. APP Compliance Details

2.1 APP 1: Open and Transparent Management

We demonstrate transparency through:

1. Comprehensive documentation:

   • Clear privacy policies

   • Detailed data handling information

   • Regular policy updates

   • Accessible privacy information

2. Management practices:

   • Documented procedures

   • Regular staff training

   • Clear accountability

   • Incident response planning

2.2 APP 2: Anonymity and Pseudonymity

We support privacy by:

1. Minimising data collection:

   • Essential operational data only

   • No unnecessary personal information

   • No stored clinical content

2. User control:

   • Local data storage

   • User-managed profiles

   • Optional feature usage

2.3 APP 3: Collection of Solicited Information

We maintain minimal collection through:

1. Authentication data:

   • Managed by Clerk

   • Essential credentials only

   • Security settings

   • Account management

2. Operational data:

   • Usage metrics

   • System performance

   • Security monitoring

   • Template storage

   • No clinical content

3. Billing data:

   • Managed by Stripe

   • Payment information

   • Subscription details

   • Transaction history

2.4 APP 4: Dealing with Unsolicited Information

Our architecture prevents unsolicited information by:

1. Technical measures:

   • Zero-knowledge design

   • Immediate processing deletion

   • No content storage

   • Local-only clinical data

2. Operational procedures:

   • Clear data boundaries

   • Processing limitations

   • Staff training

   • Regular audits

2.5 APP 5: Notification of Collection

We provide clear notification about:

1. Data handling:

   • Types of information processed

   • Processing methods

   • Third-party services

   • Processing duration

2. Purpose information:

   • Intended use

   • Processing necessity

   • Service functionality

   • User benefits

2.6 APP 6: Use or Disclosure

Our data handling ensures:

1. Limited use:

   • Specified purposes only

   • No secondary use

   • No marketing use

   • No data sharing

2. Controlled disclosure:

   • Processing partners only

   • Strict agreements

   • Limited duration

   • Immediate deletion

2.7 APP 7: Direct Marketing

We maintain privacy by:

1. No marketing use:

   • No personal information use

   • No behavior tracking

   • No profile building

2. Communication limits:

   • Service updates only

   • Security notifications

   • Essential information

   • User-controlled preferences

2.8 APP 8: Cross-border Disclosure

We manage international processing through:

1. Partner Services:

   • Authentication (Clerk - US based)

   • Audio processing (OpenAI - US based)

   • Payment processing (Stripe - US based)

2. Technical Controls:

   • Encrypted transmission

   • Immediate processing deletion

   • No persistent storage of clinical data

   • Template storage in Australian data centers

2.9 APP 9: Government Identifiers

We ensure compliance by:

1. Data limitations:

   • No government identifiers

   • No Medicare numbers

   • No tax identifiers

   • No health identifiers

2. Authentication approach:

   • Email-based identification

   • Secure credentials

   • Professional verification

   • No government ID requirements

2.10 APP 10: Quality of Personal Information

We maintain data quality through:

1. Real-time processing:

   • No historical storage

   • Immediate updates

   • Regular verification

   • User control

2. Quality controls:

   • Accuracy checks

   • Validation procedures

   • Update mechanisms

   • Error correction

2.11 APP 11: Security of Personal Information

Our security measures include:

1. Technical controls:

   • Encryption for all data in-transit

   • Zero-knowledge architecture

   • Multi-factor authentication

   • Access controls

2. Operational security:

   • Regular assessments

   • Staff training

   • Incident response

   • Security monitoring

2.12 APP 12: Access to Personal Information

We provide access through:

1. Account Management:

   • Profile settings via Clerk

   • Subscription management

   • Usage statistics

   • Template management

2. Access Methods:

   • Self-service account dashboard

   • Support assistance when needed

2.13 APP 13: Correction of Personal Information

We enable corrections through:

1. Account Updates:

   • Email address changes

   • Profile information updates

   • Subscription modifications

2. Data Accuracy:

   • Immediate profile updates

   • Template management

   • Usage tracking verification

3. Healthcare Requirements

3.1 Clinical Use

When using NoteMate in healthcare settings:

1. Consent requirements:

   • Explicit patient consent

   • Documented approval

   • Clear information

   • Withdrawal options

2. Professional obligations:

   • Clinical standards

   • Privacy compliance

   • Record keeping

   • Security measures

4. Changes

4.1 Updates

We may update this page by:

1. Posting changes on our website

2. Notifying you via email

3. Providing in-app notifications

4. Requiring acknowledgment if necessary

4.2 Effect

Changes will be effective upon posting, with continued use constituting acceptance.

Contact

For privacy-related inquiries, please email contact@notemate.io.

Privacy complaints may also be directed to:

Office of the Victorian Information Commissioner
PO Box 24274
Melbourne VIC 3001