Privacy Policy
Last updated: February 3, 2026
1. Introduction
Wug Note (“we”, “us”, “our”) assists Clinicians, Speech Therapists, and private clinics with clinical documentation. This Privacy Policy explains how we collect, use, disclose, store, and protect information in connection with our services.
We take privacy and the protection of personal health information (PHI) seriously. This policy explains the responsibilities of Healthcare Providers (Clinicians/Clinics) and of Wug Note, and describes the safeguards we apply to the processing we perform on behalf of our customers.
2. Roles & Responsibilities
- Healthcare Provider / Clinic (Data Controller / Health Information Custodian): The Clinic/Clinician is responsible for collecting PHI, obtaining any required client consents (including explicit consent for cross-border processing and AI analysis), and for complying with applicable healthcare privacy laws.
- Wug Note (Data Processor / Electronic Service Provider): We process data only on the documented instructions of the Healthcare Provider to deliver our documentation services. We do not use client data for our own independent purposes (e.g., advertising, profiling, or training our own AI models). Wug Note has independent statutory obligations in some provinces as an Electronic Service Provider and will comply with those obligations.
Processing we perform for you is governed by our contractual terms and a Data Processing Agreement (DPA) available to customers on request.
3. Information We Collect and Process
A. From Customers (Clinicians & Clinics)
- Account data: Clinician/account owner name, email address, and billing details.
- Authentication & security: Encrypted passwords, login activity, device metadata, and audit logs.
- Support data: Support requests and related diagnostic logs (only as needed to troubleshoot).
B. Client Health Information (PHI) — Provided by Healthcare Providers
We process PHI strictly at the direction of the Healthcare Provider and only to provide the Services. This includes:
- Audio recordings: Therapy session recordings uploaded by the Clinician.
- Client identifiers: First name, last name, or client ID used for record-matching in the dashboard.
- Transcripts and Clinical Notes: AI-generated transcriptions and summaries derived from the audio or text provided.
Important: We do not request or collect client contact details (email/phone) for PHI processing.
C. Usage & Analytics
We collect product usage information to maintain and improve the platform (e.g., “Upload Button Clicked,” “Summary Generated,” account actions). Analytics information refers to User account behavior and does not include Client Names, Audio, Transcripts, or other PHI. We use third-party analytics providers (such as PostHog) for product analytics; we do not provide PHI to those providers.
4. Purpose and Lawful Basis for Processing
We process personal health information strictly to:
- Transcribe audio and generate clinical documentation and summaries requested by the Healthcare Provider;
- Operate and maintain the security of the service; and
- Provide technical and support services at the direction of the Healthcare Provider.
Lawful basis: Processing is performed on the basis of the Healthcare Provider’s lawful authority and the client’s informed consent for the use of the service, including cross-border processing where required by law.
5. Data Residency & Cross-Border Processing
We are committed to data sovereignty where possible, but we utilize advanced AI models that require processing infrastructure located outside of Canada.
- Audio & Document Storage (Data at Rest): Encrypted audio recordings, client metadata, transcripts, and generated notes are stored in Canada (e.g., Google Cloud northamerica-northeast1 and Supabase Canada).
- AI Processing (Data in Transit): To generate transcripts, encrypted audio is transferred securely to our third-party AI processor, AssemblyAI, located in the United States.
- Processing Retention (TTL): While our long-term storage is Canadian, data sent to AssemblyAI for processing is retained on their US servers for a maximum of 72 hours (3 days) before being permanently deleted, in accordance with our Business Associate Agreement (BAA).
- Compelled Disclosure & Lawful Requests: If we or our sub-processors receive a lawful request for access to Customer data (under applicable US laws), we will notify the Healthcare Provider unless legally prohibited, and we will seek to limit disclosure to what is strictly legally required.
Healthcare Provider Responsibility: Because data is processed in the United States, it may be subject to US laws. Healthcare Providers must obtain explicit, informed consent from clients for this cross-border processing prior to uploading any session audio or PHI.
6. Sub-processors and Safeguards
We engage trusted sub-processors and maintain Data Processing Agreements (DPAs) and/or Business Associate Agreements (BAAs) with them.
Core Sub-processors include:
- Cloud Infrastructure: Stores encrypted audio/database in Canada.
- AssemblyAI: Provides audio transcription and intelligence. Processing occurs in the USA with a maximum 72-hour retention period.
- Email & Analytics: Used for User account management (no PHI is shared with these providers).
Protections we apply:
- No Model Training: We utilize enterprise configurations and BAAs to ensure third-party AI providers do not use your client data to train their general public models.
- Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Legal: DPAs/BAAs are in place regarding confidentiality and security.
Updates to Sub-processors: We may engage new sub-processors from time to time. Healthcare Providers will be notified of material changes to our sub-processor list and may object as provided in our Data Processing Agreement.
7. Retention & Deletion
We follow strict data minimization principles:
- Audio recordings: Automatically deleted from our active storage 14 days after upload.
- Transcripts and Notes: Retained 14 days after creation to allow review and export; after 14 days these records are permanently deleted from active storage.
- Backups: To ensure service resilience, encrypted backup snapshots of our database may be retained for up to 30 days. These backups are protected with the same safeguards as active data and are overwritten on a rolling basis. Data in backups cannot be accessed by users and is used only for disaster recovery.
- Manual Deletion: Healthcare Providers may manually delete recordings and notes at any time prior to the automatic expiration.
- Account Termination: Upon account termination, we will delete Customer PHI from our active systems within a defined period (e.g., 30 days), subject to limited backup retention. Deletion confirmation is available upon request.
Clinic Responsibility: It is the Healthcare Provider’s responsibility to download generated notes to their permanent Electronic Medical Record (EMR) system (e.g., Jane App, OWL) before the retention period expires.
8. Security
We maintain administrative, technical, and physical safeguards aligned with the requirements of PHIPA (Ontario), PIPEDA (Federal), PIPA (BC & Alberta), HIA (Alberta), PHIA (Manitoba, Nova Scotia, Newfoundland & Labrador), and HIPA (Saskatchewan) for the protection of personal health information.
Our security program includes:
- Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest.
- Access Control: Row-Level Security (RLS) ensures Users can only access their own organization’s records.
- Personnel: All personnel with potential access to PHI are subject to strict confidentiality obligations and receive privacy and security training appropriate to their role.
- Staff Access: Support staff do not access client audio or notes unless a User explicitly authorizes temporary access for troubleshooting. All such access is logged.
- Audit Logs: Immutable logs of data access and administrative actions.
9. Breach Notification & Incident Response
If Wug Note becomes aware of a security incident that compromises PHI, we will:
- Notify the affected Healthcare Provider (Account Holder) without unreasonable delay; and
- Provide specific details necessary for the Healthcare Provider to meet their legal notification obligations.
Healthcare Providers remain responsible for notifying clients and regulatory authorities as required by applicable healthcare privacy laws.
10. Access, Correction, and Data Subject Rights
Because we act as a Data Processor, individuals (clients) should direct requests for access, correction, or deletion to their Healthcare Provider (the Data Controller). If we receive a direct request from a client, we will forward it to the relevant Healthcare Provider and will not respond directly unless required by law.
11. Geographic Scope & Quebec
The Service is not intended for use in relation to personal information of residents of Quebec. By using the Service, you represent and warrant that you will not upload, process, or store the personal information of Quebec residents. If you choose to do so contrary to this warranty, you acknowledge that you are solely responsible for ensuring compliance with Quebec Law 25 and any obligations or regulatory consequences that may arise. Nothing in these Terms/DPA/Privacy Policy limits or waives obligations imposed by applicable law.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify registered Healthcare Providers via email at least 30 days before the change takes effect. Continued use of the Services after changes constitutes acceptance of the updated Policy.
13. Documentation Requests
Healthcare Providers may request:
- A copy of our Data Processing Agreement (DPA).
- A detailed list of sub-processors.
- Reasonable information regarding our security practices and compliance posture.
14. Contact & Privacy Officer
If you have questions about this policy, wish to request compliance documentation, or need to report a privacy concern, contact:
Michael Simoes
Director & Privacy Officer
Wug Note
Email: michael.simoes@wugnote.com
15. Disclaimer
This Privacy Policy describes our current practices and contractual approach. It is provided for informational purposes and is not legal advice. Healthcare Providers should confirm with their legal counsel or regulatory college that use of our Services is permitted under their local laws and that their client consent forms adequately disclose cross-border processing and the use of AI.