Privacy Policy — InstantNote

1. Who we are

InstantNote is operated by Reversed Engineered (ACN to be published) (“we”, “us”, “our”), an Australian company. InstantNote is an AI-assisted clinical documentation tool for dental practitioners in Australia.

We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Health information collected through this service is “sensitive information” under the Act and is handled with the highest level of care.

Contact: hello@instantnote.co

2. What we collect

Account information: name, email address, professional details collected at sign-up via Clerk.
Clinical transcripts: audio recordings processed in real time; the resulting text transcript is stored in your encrypted database. Raw audio is discarded immediately after transcription — we do not store audio files.
AI-generated clinical notes: structured note content generated from your transcript, stored in your account database.
Patient identifiers: display names and PMS reference IDs you enter. We do not require or store patient date of birth, Medicare numbers, or other government identifiers.
Scanner images: dental photographs uploaded via the scanner feature, stored encrypted in Australian-region cloud storage.
Usage data: page views, feature usage, and error logs to operate and improve the service. This data does not include patient content.

3. How we use your information

To generate structured clinical notes from your recordings.
To store and display those notes within your account.
To provide customer support and respond to your enquiries.
To send product updates and billing communications (you may unsubscribe at any time).

We never use your patient data or clinical content to train AI models. This prohibition is contractually binding on all our AI subprocessors.

4. AI processing and subprocessors

InstantNote uses third-party services to deliver its features. The table below lists each subprocessor, what data they receive, and where it is processed.

Provider	Purpose	Data	Country
Clerk	Authentication & sessions	Email address, name	United States
Groq	Audio transcription	Clinical audio recording	United States
Google (Gemini)	Note generation	Transcript text (no patient name)	United States
Stripe	Payment processing	Billing details only	United States
Neon	Database	All stored clinical data	Australia (Sydney)
AWS S3	File storage	Scanner images	Australia (Sydney)
Vercel	Application hosting	Request processing (in transit)	Australia (Sydney)
Sentry	Error monitoring	Anonymised error traces	Configurable

Patient names are never sent to AI providers. Names are stored in your database only. Transcripts sent to Groq and Gemini contain clinical dictation but not patient identifying details.

All AI subprocessors are contractually prohibited from using your data for model training or any purpose beyond delivering the service.

5. Cross-border disclosures (APP 8)

As described in section 4, several subprocessors are located in the United States. Sending personal information or health information to these providers constitutes a cross-border disclosure under Australian Privacy Principle 8 (Privacy Act 1988).

What this means for you: The United States does not have an adequacy arrangement with Australia. Overseas recipients are not directly bound by the Australian Privacy Act. However, we address this risk through the following measures:

Contractual safeguards: Each overseas provider is bound by a data processing agreement (DPA) or terms that require them to handle your data with protections comparable to the APPs, including no data sale, no model training on your content, and breach notification obligations.
Data minimisation: Patient names and government identifiers are never sent overseas. Only the minimum data needed to perform the service is transmitted.
Encryption in transit: All transmissions to overseas providers use TLS 1.3.
No persistent storage: AI providers process your data in real time and do not retain it after the request completes.

By using InstantNote, clinicians acknowledge that AI transcription and note generation requires transmission of clinical audio and transcript text to overseas processors, and confirm that they have obtained or will obtain appropriate patient consent for this processing as part of their practice’s consent and privacy procedures.

If you require that no clinical data leave Australia, contact us at hello@instantnote.co to discuss local processing options.

6. Data storage and security

Core clinical data is stored in Australia. Your notes, transcripts, patient records, and scanner images are stored in Sydney-region infrastructure (Neon PostgreSQL and AWS S3, both ap-southeast-2). Data at rest is AES-256 encrypted. Data in transit is TLS 1.2+ encrypted. Access is scoped per clinician — you can only access notes and patients associated with your account.

We maintain audit logs of significant actions (note creation, export, approval) for security and compliance purposes. Scanner file access uses short-lived signed URLs (5-minute expiry) to prevent unauthorised access.

7. Data retention and deletion

Your data is retained for as long as your account is active. You may export all your data at any time from Settings → Export my data. You may request account deletion by contacting us at hello@instantnote.co — we will delete all personal data and clinical content within 30 days, except where retention is required by law.

Note: as a clinician you may have independent legal obligations under state health records legislation (e.g. Health Records Act 2001 Vic, Health Records and Information Privacy Act 2002 NSW) to retain clinical records for defined periods. InstantNote is a drafting tool — you are responsible for maintaining compliant records in your practice management system.

8. Notifiable Data Breaches

We are subject to the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988. In the event of an eligible data breach involving your personal or health information, we will notify you and the Office of the Australian Information Commissioner (OAIC) as required by law, and as soon as practicable after becoming aware of the breach.

9. Disclosure of information

We do not sell, rent, or share your personal or clinical data with third parties except:

Subprocessors listed in section 4 above, under strict data processing agreements.
Where required by Australian law or a valid court order.
In the event of a business transfer, where your data would transfer to the acquiring entity under the same privacy protections.

10. Your rights

Under the Australian Privacy Principles you have the right to:

Access the personal information we hold about you.
Correct inaccurate or out-of-date information.
Request deletion of your data.
Opt out of direct marketing communications at any time.
Complain about a breach of the APPs to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

To exercise any of these rights, contact us at hello@instantnote.co. We will respond within 30 days.

11. Cookies

We use strictly necessary cookies for authentication (Clerk session tokens) and do not use tracking or advertising cookies.

12. Changes to this policy

We will notify you by email and in-app notice before making material changes to this policy. Continued use after the effective date constitutes acceptance.

13. Contact and complaints

Privacy enquiries: hello@instantnote.co

If you are not satisfied with our response to a privacy complaint, you may refer the matter to the Office of the Australian Information Commissioner: oaic.gov.au or 1300 363 992.