Public document · Version 1.2

Privacy Policy

Version: 1.2
Effective: May 14, 2026
Service: Due Your Notes (dueyournotes.com)
Provider: Due Your Notes


1. PHI prohibited — this is a reminder app, not an EHR

Due Your Notes is a documentation-deadline tracker for clinicians. It is not an Electronic Health Record (EHR), and Due Your Notes is not a Business Associate of any clinician using it. By design, the data model has no fields for client names, demographics, clinical notes, diagnoses, addresses, or any other Protected Health Information (PHI). Clinicians agree, before they can use the Service, to a separate No-PHI Acknowledgement and Acceptable Use Memorandum (MOU). If you need to store PHI, the Service is the wrong tool — please use a HIPAA-compliant EHR.

This policy describes how the small amount of non-PHI data the Service does collect is handled.

2. Information collected

About the clinician's account:

  • Email address (used for login lookup and transactional email).
  • A bcrypt-hashed password (the plaintext is never stored or logged).
  • An encrypted TOTP second-factor secret and one-time-use backup codes.
  • Login timestamps, failed-login counters, and lockout state.
  • The clinician's professional profile: display name, license type, state, supervisor name and license (if applicable). These are encrypted at rest and are subject to the no-PHI guard at write time.

About what the clinician enters:

  • Opaque client identifiers (codes the clinician chooses, e.g. JS-04).
  • Dates of clinical events (intake, sessions, treatment plan, discharge).
  • Form-completion status (which forms exist, whether they are complete).

About session and audit context:

  • Browser session token (httpOnly, signed cookie).
  • IP address and user-agent for each authenticated request, recorded in an append-only audit log.
  • A SHA-256 hash of the MOU text the clinician e-signed, plus their typed name, the date they selected, and the IP/user-agent at signing.

Not collected: any free-text clinical content, client names, demographics, addresses, phone numbers, or any other PHI. The runtime detector rejects writes that look like PHI on every write surface.

3. How information is used

  • To provide the Service. Authentication, authorization, encryption-key release, deadline-tracking calculations, and the optional AI compliance assistant when the clinician supplies their own Anthropic API key.
  • To keep the Service secure. Audit logging, lockout on repeated failed logins, rate limiting, breach-detection alerting.
  • To communicate with the clinician. Email verification, password reset, security incident notification, and (if the clinician has opted in) a daily digest reminder summarizing how many of the clinician's deadlines are overdue, due soon, or warning-level. Digest emails contain counts only — no client identifiers, no client codes, no specific dates, no form names. The clinician can turn digest reminders off at any time from /settings, or one-click unsubscribe directly from any digest email. Due Your Notes does not send marketing email.
  • To meet legal record-keeping obligations related to the MOU and the audit trail.

Due Your Notes does not sell, rent, or trade clinician data. Due Your Notes does not train AI models on clinician data. If the clinician enables the AI assistant, Anthropic's API processing applies to the no-PHI prompt content the clinician sends through that feature.

4. Encryption and key handling

  • All clinician data is encrypted at rest with AES-256-GCM using a per-clinician Data Encryption Key (DEK). The DEK is wrapped under a Key Encryption Key (KEK) that lives on a different host from the application database.
  • The application fetches the DEK from a separate key service over mutual TLS, only after the clinician has authenticated with password and a valid second factor.
  • This is not a zero-knowledge architecture. Due Your Notes personnel with administrative access to the running production system could in principle observe data in process memory while it is being served. Due Your Notes policy is not to do so except as required to investigate a clinician-reported incident, and any such access is recorded in the audit log.
  • All communication with the Service is over TLS.

5. Vendors and sub-processors

Due Your Notes uses the following third-party services:

  • Resend (account email — verification, password reset, invite, and the opt-in counts-only daily digest reminder; Resend never receives client codes, dates, or form names).
  • Backblaze B2 (encrypted database backups; backup contents are encrypted under Due Your Notes keys before upload).
  • Anthropic (optional AI compliance assistant — only if the clinician supplies their own Anthropic API key; prompts are screened for likely PHI before transmission and must not contain PHI).

Due Your Notes does not configure these vendors to receive PHI in Phase 1. Resend receives clinician account email addresses for transactional mail only. Backblaze B2 receives encrypted backup objects only; backup contents are encrypted before upload and the tenant key wraps are not stored in the database backup. Anthropic receives only no-PHI AI assistant prompts from clinicians who opt in by saving their own API key. Due Your Notes maintains internal no-PHI vendor assessments and will publish a sub-processor list update notice before adding a new sub-processor that could touch clinician data.

6. Cookies

The Service sets one essential cookie:

  • __Secure-dyn-auth.session_token (or dyn-auth.session_token in non-HTTPS development): an httpOnly, signed session token.

No analytics, advertising, or tracking cookies are set.

7. Retention

  • While the account is active: clinician data is retained as long as needed to provide the Service.
  • Audit log: retained for the life of the account.
  • Backups: encrypted daily backups retained on a documented schedule (currently 30 daily / 12 monthly / yearly).
  • On account deletion: Due Your Notes destroys the clinician's tenant wrap (the file in the key service that holds the clinician's wrapped DEK), rendering the clinician's encrypted records cryptographically inaccessible from any retained database backup. The deletion runbook is documented internally and is auditable.
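The key handling in §4 (per-clinician DEK wrapped under a KEK held by a separate key service, released only after authentication) and the deletion mechanics above (destroying the tenant wrap makes records in retained backups unrecoverable) are one pattern: envelope encryption with crypto-shredding. The following Go program is an added illustration of that pattern and is not Due Your Notes' code. It stands in for the key service and the database with in-memory maps, omits the mutual-TLS channel and the password/TOTP checks (the caller of ReleaseDEK is assumed to have done them), and uses constructed clinician and record identifiers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrWrapDestroyed is returned once a clinician's tenant wrap has been deleted:
// the DEK can no longer be recovered, so backups holding their records are inert.
var ErrWrapDestroyed = errors.New("tenant wrap destroyed; DEK unrecoverable")

// seal encrypts plaintext with AES-256-GCM under key, binding aad to the ciphertext,
// and returns nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; any change to key, ciphertext or aad fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// KeyService is a stand-in for the separate key-service host: it holds the KEK and
// one wrapped DEK per clinician. The application database never sees the KEK.
type KeyService struct {
	kek   []byte
	wraps map[string][]byte // clinicianID -> DEK wrapped under KEK
}

func NewKeyService() (*KeyService, error) {
	kek := make([]byte, 32) // AES-256
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyService{kek: kek, wraps: map[string][]byte{}}, nil
}

// Provision generates a fresh per-clinician DEK and stores only its wrapped form.
func (ks *KeyService) Provision(clinicianID string) error {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return err
	}
	wrapped, err := seal(ks.kek, dek, []byte(clinicianID)) // AAD pins the wrap to this tenant
	if err != nil {
		return err
	}
	ks.wraps[clinicianID] = wrapped
	return nil
}

// ReleaseDEK models the post-authentication key release to the application.
func (ks *KeyService) ReleaseDEK(clinicianID string) ([]byte, error) {
	w, ok := ks.wraps[clinicianID]
	if !ok {
		return nil, ErrWrapDestroyed
	}
	return open(ks.kek, w, []byte(clinicianID))
}

// DestroyWrap is the account-deletion step: the ciphertext stays in backups, the key does not.
func (ks *KeyService) DestroyWrap(clinicianID string) { delete(ks.wraps, clinicianID) }

// Database stands in for the application database (and any backup copy of it).
type Database map[string][]byte

func (db Database) PutRecord(dek []byte, clinicianID, recordKey string, plaintext []byte) error {
	path := clinicianID + "/" + recordKey
	ct, err := seal(dek, plaintext, []byte(path)) // AAD ties the row to its owner and key
	if err != nil {
		return err
	}
	db[path] = ct
	return nil
}

func (db Database) GetRecord(dek []byte, clinicianID, recordKey string) ([]byte, error) {
	path := clinicianID + "/" + recordKey
	ct, ok := db[path]
	if !ok {
		return nil, errors.New("no such record")
	}
	return open(dek, ct, []byte(path))
}

// Demo walks one clinician through provisioning, a write, a backup, and deletion.
// It returns the date read back from the backup while the wrap existed, and the
// error the key service gives after the wrap is destroyed.
func Demo() (string, error) {
	ks, err := NewKeyService()
	if err != nil {
		return "", err
	}
	const clinician = "clinician-1" // constructed identifier
	if err := ks.Provision(clinician); err != nil {
		return "", err
	}
	dek, err := ks.ReleaseDEK(clinician)
	if err != nil {
		return "", err
	}
	db := Database{}
	// Opaque client code + event date only, as the data model allows (constructed values).
	if err := db.PutRecord(dek, clinician, "JS-04/intake", []byte("2026-05-01")); err != nil {
		return "", err
	}
	backup := Database{}
	for k, v := range db {
		backup[k] = v
	}
	pt, err := backup.GetRecord(dek, clinician, "JS-04/intake")
	if err != nil {
		return "", err
	}
	ks.DestroyWrap(clinician)
	_, afterErr := ks.ReleaseDEK(clinician)
	return string(pt), afterErr
}

func main() {
	before, after := Demo()
	fmt.Printf("before deletion: %q; after deletion: %v\n", before, after)
}
```

Two design points the policy text implies are visible here: the database (and therefore every backup of it) holds only ciphertext plus wrapped keys kept elsewhere, so a backup restored after deletion yields nothing readable; and the GCM associated data binds each wrap to its clinician and each row to its owner, so a row or wrap copied between tenants fails to decrypt rather than silently opening.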

8. Clinician rights

A clinician may at any time:

  • Export their data via the in-app self-service export (encrypted, password-protected).
  • Delete their account and all associated data (subject to §7's deletion mechanics).
  • Request a copy of any audit-log entries pertaining to their account.

To exercise any right, email [email protected].

9. Children

The Service is intended for use by licensed clinicians. Due Your Notes does not knowingly collect information from anyone under 18. If a minor's information is inadvertently submitted, Due Your Notes will delete it on notice.

10. International users

The Service is operated from the United States. By using it, a clinician outside the U.S. consents to the transfer of their data to the U.S.

11. Changes to this policy

Due Your Notes may update this policy. Material changes will be announced to active clinicians by email at least 14 days before they take effect. The effective date at the top of this document reflects the most recent version.

12. Contact

Questions, complaints, or rights requests: [email protected]. Due Your Notes will respond as soon as practicable, and in any event within 30 days.

13. Governing law

This policy is governed by the laws of the Commonwealth of Virginia, without regard to its conflict-of-laws rules.