Notive

Privacy Policy

Last updated: March 2026

1. Introduction

Notive Health ("Company", "we", "us") is committed to protecting the privacy of our users and their patients. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the Notive platform ("Service"). This policy applies to our website, application, and all related services.

2. Information We Collect

We collect the following categories of information:

  • Account information: Name, email address, practice name, phone number, and professional credentials provided during registration.
  • Usage data: Log data, device information, browser type, and interaction patterns with the Service for operational and improvement purposes.
  • Protected Health Information (PHI): Patient data entered into the Service by authorized users is processed and stored in accordance with HIPAA requirements. PHI is encrypted at rest (AES-256) and in transit (TLS 1.2+), with strict organization-level tenant isolation.
  • Communication data: Messages sent through the contact form, support requests, and demo booking information.

3. How We Use Your Information

  • To provide, operate, and maintain the Service
  • To process transactions and manage your subscription
  • To communicate with you about the Service, including support and updates
  • To improve the Service and develop new features
  • To comply with legal obligations and enforce our Terms of Service
  • To provide AI-powered clinical decision support features (scribe, assistant, document processing)

4. HIPAA and Protected Health Information

Notive is designed for HIPAA-compliant healthcare workflows. We implement the following safeguards:

  • Encryption: All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Access controls: Role-based access control (RBAC) with multi-factor authentication (MFA).
  • Audit trails: Comprehensive logging of all access to PHI with organization-scoped audit trails.
  • PHI hygiene: PHI is redacted from application logs. Sensitive identifiers are masked. Audio recordings follow configurable retention policies with automated cleanup.
  • Business Associate Agreement: A BAA is available for all covered entities on paid plans.
  • Tenant isolation: Row-level security enforced at the organization level ensures your data is never visible to other tenants. Multi-AZ deployment with offsite WAL archiving provides durability and disaster recovery.

5. AI and Data Processing

The Service uses AI models for clinical documentation (scribe), clinical decision support (assistant), and document processing. AI processing is performed via API calls to BAA-covered third-party providers (Anthropic, Deepgram). We do not use patient data to train AI models. AI-generated content is ephemeral and only persisted when a clinician explicitly saves or signs the output.

6. Data Sharing and Third Parties

We do not sell your data. We may share information with:

  • Service providers: Third-party services necessary for platform operation (e.g., DoseSpot for e-prescribing, Twilio for SMS/telehealth, Deepgram for transcription, Anthropic for AI). All third parties handling PHI operate under BAAs.
  • Legal requirements: When required by law, subpoena, or government request.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, with prior notice.

7. Data Retention

Account data is retained for the duration of your active subscription and for 90 days following termination. Clinical data retention follows your organization's configured policies. Audio recordings from the AI scribe are subject to configurable retention periods with automated cleanup. You may request data export or deletion at any time.

8. Your Rights

You have the right to:

  • Access and export your data at any time
  • Request correction of inaccurate information
  • Request deletion of your account and associated data
  • Opt out of non-essential communications
  • Receive a copy of any BAA in effect for your organization

9. Security

We implement industry-standard security measures including encryption at rest and in transit, multi-factor authentication, malware scanning of uploaded documents (ClamAV), network isolation, and regular security reviews. Our platform operates on multi-AZ infrastructure with strict tenant isolation and offsite WAL archiving.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before the changes take effect. Your continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact

For questions about this Privacy Policy or to exercise your data rights, contact us at hello@notivehealth.com.