Legal
Privacy Policy & Terms
Last updated: April 15, 2026
Who we are
Niceley AI Consulting LLC (“we,” “us,” “our”) operates Clinic Notes AI and this website. Brian Niceley is the sole owner and operator. We are based in Northern Kentucky, USA.
Data we collect
For Clinic Notes AI users: Session audio, transcripts, clinical notes, EHR field extractions, consent records, and audit logs. All data is stored in encrypted databases with row-level security ensuring each provider sees only their own sessions.
For this website: Only the information you voluntarily provide via the contact form (name, email, organization, message).
How we use your data
- To provide and improve Clinic Notes AI services
- To respond to your inquiries
- To comply with legal obligations
What we will not do
- We do not sell, rent, or monetize customer clinical data — including de-identified or aggregated data derived from customer records
- We do not use customer clinical data to train AI models. Our OpenAI integration operates under Zero Data Retention. Our vendor BAAs contractually prohibit training on customer data.
- We do not provide your data to advertisers or third-party data brokers. There are no advertising SDKs, analytics trackers, or outbound data pipelines in this product.
- We only disclose customer data to the subprocessors necessary to provide the service, or when required by law. Our subprocessor list is finite, documented, and available during diligence.
HIPAA compliance
Clinic Notes AI is designed to handle Protected Health Information (PHI) in compliance with HIPAA. We maintain or are actively pursuing Business Associate Agreements with all infrastructure vendors that may access PHI. Our OpenAI integration for transcription operates under an executed BAA with Zero Data Retention — your transcripts are never stored by OpenAI and never used to train their models. Additional vendor and infrastructure BAAs are tracked explicitly and disclosed during diligence.
Data retention and deletion
You may request deletion of your data at any time. Session data (audio, transcripts, notes, EHR fields) can be deleted within the application. Account deletion requests are processed within 30 days. All associated data — including audio files in storage, database records, and audit logs — is removed as part of the deletion process.
Security
All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Access is controlled via role-based authentication with row-level database security policies. All access is logged in a comprehensive audit trail with 22 distinct event types covering the entire application lifecycle.
Third-party services
Clinic Notes AI uses the following third-party services to provide its functionality. Each operates under a signed Business Associate Agreement where applicable:
- Supabase — Database, authentication, and file storage
- OpenAI — Audio transcription (Whisper API, zero retention)
- Anthropic — Clinical note generation and EHR field extraction (Claude API, zero retention)
- Vercel — Application hosting and serverless compute
- Upstash — Rate limiting and session management (no PHI stored)
Contact
For privacy inquiries, data requests, or questions about our security practices, contact: brian@niceley.ai
Terms of Service
Clinic Notes AI is a clinical documentation assistant. It generates draft notes and field extractions from session transcripts using artificial intelligence. All AI-generated content is clearly marked as a draft and must be reviewed, edited, and approved by a licensed clinician before use in any medical record.
We make no warranties regarding clinical accuracy. The clinician is solely responsible for verifying and approving all documentation before it enters the medical record. Niceley AI Consulting LLC is not a healthcare provider and does not provide medical advice.
We reserve the right to modify these terms and our privacy policy. Users will be notified of material changes via email at the address associated with their account.