SOAPNoteAPI

Privacy Policy

Last updated: March 19, 2026. Entity: Modi Labs LLC

This Policy explains how we collect, use, and protect information in connection with the SOAPNoteAPI platform.

The short version

  • We do not sell your data to third parties — ever.
  • Audio recordings are deleted from our systems immediately after processing.
  • Your transcript and note content is not used to train AI models.
  • A HIPAA Business Associate Agreement is available to all paying customers.
  • All data is hosted on AWS in the United States and encrypted at rest and in transit.

The short version is a summary only — the full Policy below governs.

01

Introduction

Modi Labs LLC ("Company," "we," "our," or "us") operates the SOAPNoteAPI platform, including the REST API, developer dashboard at app.soapnoteapi.com, and the soapnoteapi.com website (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect information in connection with the Service.

This Privacy Policy applies to:

  • Developers, healthcare software companies, and other customers who access the Service through our API ("API Customers")
  • Visitors to soapnoteapi.com and the developer dashboard

This Privacy Policy does not govern the end-user practices of our API Customers. If you are a patient or end user whose data was processed by a product built on SOAPNoteAPI, your data is governed by the privacy policy of the healthcare application or provider you are interacting with, not by this Policy.

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.

This Privacy Policy was last updated on March 19, 2026.

02

Information We Collect

We collect the following categories of information in connection with the Service:

2.1 Account Information

When you create an account, we collect information you provide directly, including:

  • Name and email address
  • Organization or company name (optional)
  • Account credentials (email and password, stored in hashed form)
  • Billing information, including payment method details (processed and stored by our payment processor, Stripe — we do not store raw card numbers)
  • Any information you provide when contacting us for support

2.2 API Usage & Technical Data

When you use the Service via our API, we collect technical usage data, including:

  • API key identifiers used to authenticate requests (not the key value itself)
  • API request metadata: timestamps, endpoint paths, HTTP status codes, response times, and request sizes
  • Specialty type and template identifiers selected for each request
  • Audio file duration (for audio processing requests)
  • Error codes and diagnostic information when requests fail
  • IP addresses and user agent strings from API requests and dashboard sessions

2.3 Transcript and Note Content

When you submit text transcripts to the API, that transcript content passes through our processing pipeline. Transcripts and the resulting generated notes are associated with your account in our systems for operational and audit purposes.

We do not collect, read, or use the content of your transcripts or generated notes for any purpose beyond providing the Service to you. The content of transcripts and notes is not used for AI training, is not analyzed for marketing purposes, and is not disclosed to third parties except as described in Section 6 (Third-Party Services) and Section 5 (HIPAA).

2.4 Audio Files

When you submit audio files to the Audio-to-SOAP endpoint, the audio is uploaded temporarily for transcription and note generation processing. Audio files are deleted from our systems upon completion of processing. We do not retain audio recordings.

2.5 Website & Dashboard Analytics

When you visit soapnoteapi.com or use the developer dashboard, we may collect standard web analytics data, including pages visited, time on page, referring URLs, and device/browser information. This data is aggregated and used to improve the Service.

03

How We Use Your Information

We use the information we collect for the following purposes:

Providing and Operating the Service

  • Authenticating your API requests and enforcing usage limits
  • Processing your transcripts and audio files to generate clinical documentation
  • Managing your account, subscription, and billing
  • Providing usage dashboards and analytics within your account

Communications

  • Sending transactional emails related to your account, such as billing receipts, API key notifications, and security alerts
  • Responding to support requests
  • Notifying you of material changes to the Service or these policies
  • Sending product updates and announcements (you may opt out of non-transactional communications at any time)

Security and Compliance

  • Detecting and preventing fraud, abuse, or unauthorized access
  • Maintaining audit logs for HIPAA compliance and security incident investigation
  • Complying with legal obligations, including responding to lawful requests from government authorities

Improving the Service

  • Analyzing aggregate, anonymized usage patterns to improve API performance, reliability, and feature development
  • Diagnosing technical errors and improving system stability

We will not use transcript or note content for AI model training, advertising, or any purpose other than delivering the Service, except with your explicit consent.

We will not sell your personal information to third parties for advertising or marketing purposes, now or in the future.

04

Data Retention & Deletion

Audio Recordings

Audio files submitted to the Audio-to-SOAP endpoint are deleted from our systems immediately upon completion of transcription and note generation processing. Audio is not retained in any form after processing is complete.

Transcripts and Generated Notes

Text transcripts and generated notes are associated with your account and retained for the duration of your account or for a shorter configured period based on your plan settings. This retention is necessary for audit logging, support, and compliance purposes. On the Custom tier, data retention settings can be configured per your requirements.

Account Information

Account information, including your registration details and billing records, is retained for the duration of your account and for a reasonable period thereafter as required by applicable law (for example, financial records may be retained for up to seven years for tax compliance purposes).

API Request Metadata

Technical API request metadata (timestamps, endpoint, status codes) is retained in our audit logs and usage systems for a minimum of 90 days and up to two years depending on your plan tier.

Requesting Deletion

You may request deletion of your account and associated data at any time by contacting support@soapnoteapi.com. We will fulfill verified deletion requests within 30 days, subject to any legal or regulatory retention obligations. Note that deletion of your account will permanently deactivate all associated API keys.

05

HIPAA & Protected Health Information

SOAPNoteAPI is designed to be used in HIPAA-regulated environments. We recognize that the transcripts you submit may contain Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations.

Business Associate Agreement Requirement

If you are a Covered Entity or Business Associate under HIPAA and you intend to submit PHI through the Service, you are required to execute a Business Associate Agreement (BAA) with Modi Labs LLC before doing so. A standard BAA is available to all paying subscribers at no additional cost. To request a BAA, contact support@soapnoteapi.com.

When a signed BAA is in place, Modi Labs LLC acts as your Business Associate with respect to PHI you submit to the Service, and we handle such PHI in accordance with the obligations set forth in the BAA and HIPAA regulations.

Technical Safeguards

We implement technical safeguards appropriate to PHI processing, including:

  • Encryption of all data in transit using TLS 1.2 or higher
  • Encryption of stored data at rest using AES-256 encryption on AWS infrastructure
  • Access controls limiting data access to authorized personnel and systems only
  • Audit logging of access to systems that process PHI
  • Deletion of audio recordings immediately after processing

No Sale or Disclosure of PHI

We do not sell, license, or disclose PHI to third parties for any purpose other than providing the Service, as required by law, or as permitted under an executed BAA. PHI is not used for advertising, AI model training, or any secondary purpose.

Your Compliance Responsibility

Executing a BAA with us does not fulfill all of your HIPAA compliance obligations. You remain responsible for compliance with HIPAA on your end, including obtaining patient authorizations where required, implementing appropriate policies and procedures within your organization, and ensuring your application handles PHI appropriately before and after it is processed by the Service.

06

Third-Party Services

We use the following categories of third-party service providers to operate the Service. Each provider receives only the data necessary to perform their specific function.

Payment Processing — Stripe

Payment processing is handled by Stripe, Inc. When you add a payment method or complete a purchase, your payment card information is collected and processed directly by Stripe. We do not store raw card numbers or full payment credentials. Stripe is PCI DSS compliant. Stripe's privacy policy is available at stripe.com/privacy.

Cloud Infrastructure — Amazon Web Services (AWS)

The Service runs entirely on Amazon Web Services (AWS) infrastructure in the United States. All data at rest is encrypted using AWS-managed or customer-managed keys. AWS is SOC 2 Type II, ISO 27001, and HIPAA-eligible certified. AWS's privacy notice is available at aws.amazon.com/privacy.

AI Processing — OpenAI

Note generation is performed using large language models provided by OpenAI. When you submit a transcript to the Service, that transcript content is transmitted to OpenAI's API as part of the inference request. We have a Data Processing Agreement with OpenAI that governs the handling of this data. OpenAI does not use API input data to train its models (as of the date of this Policy). If you are submitting PHI, OpenAI's API is covered under our BAA arrangement. OpenAI's privacy policy is available at openai.com/privacy.

Email Communications

Transactional and operational emails are sent using a third-party email service provider. Your email address is shared with this provider solely for the purpose of delivering emails to you on our behalf.

No Data Sales

We do not sell, rent, or trade your data with third parties for advertising, marketing, or commercial enrichment purposes. We do not use your data for behavioral advertising.

07

Data Security

We take data security seriously and implement industry-standard safeguards appropriate to the sensitivity of the information processed by the Service. Our security measures include:

  • All data transmitted between your systems and ours is encrypted using TLS 1.2 or higher
  • All data stored on AWS infrastructure is encrypted at rest using AES-256
  • API access is authenticated via secret API keys, which must be included in all requests
  • Access to production systems and data is restricted to authorized personnel on a least-privilege basis
  • Audio recordings are automatically deleted after processing, eliminating a significant category of stored sensitive data
  • Security monitoring and alerting are in place to detect anomalous access patterns
  • We perform regular reviews of our security posture and update our practices as appropriate

Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data. If you believe your account has been compromised, please contact us immediately at support@soapnoteapi.com and rotate your API keys from the dashboard.

In the event of a data breach that affects your data, we will notify you as required by applicable law, including HIPAA breach notification obligations where a signed BAA is in place.

08

Your Rights

Depending on your jurisdiction, you may have certain rights regarding your personal information. We honor these rights for all customers regardless of location.

Access

You have the right to request a copy of the personal information we hold about you. You can access most of your account data directly through the dashboard. For additional data requests, contact support@soapnoteapi.com.

Correction

You have the right to request correction of inaccurate personal information. You can update most account information directly in the dashboard. For corrections we need to make on our end, contact support@soapnoteapi.com.

Deletion

You have the right to request deletion of your personal information and account data. To delete your account, contact support@soapnoteapi.com. We will complete verified deletion requests within 30 days, subject to any legal retention obligations.

Data Portability

You may request an export of your account data in a machine-readable format before closing your account. Contact support@soapnoteapi.com to request a data export.

Opt-Out of Non-Transactional Communications

You may opt out of product announcement and marketing emails at any time by clicking the unsubscribe link in any such email or by contacting support@soapnoteapi.com. Transactional emails (billing receipts, security alerts, account notifications) cannot be opted out of while your account is active.

California Residents

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete, and the right to non-discrimination for exercising your rights. We do not sell personal information. To exercise your California privacy rights, contact support@soapnoteapi.com.

To exercise any of these rights, please contact us at support@soapnoteapi.com with "Privacy Request" in the subject line. We will respond within 30 days and may request additional verification of your identity before fulfilling the request.

09

Children's Privacy

The Service is intended solely for use by businesses and developers building healthcare software applications. The Service is not directed to, and we do not knowingly collect personal information from, individuals under the age of 18.

If you are under 18 years of age, you are not permitted to create an account or use the Service. If we become aware that we have inadvertently collected personal information from a person under 18 years of age, we will take steps to delete that information promptly.

Note that transcripts submitted to the Service may reference minors as patients. This does not constitute collection of personal information from minors by us — the data is submitted by you as a healthcare developer, and your obligations under COPPA and other applicable laws regarding minors' data remain your responsibility.

10

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will notify you by email at the address associated with your account and by posting the updated Policy at soapnoteapi.com/privacy, with the effective date updated accordingly.

For non-material changes (such as clarifications or corrections that do not affect your rights), we may update the Policy without advance notice.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree to the revised Policy, you must stop using the Service and close your account.

We encourage you to review this Policy periodically. The "Last updated" date at the top of this page indicates when changes were most recently made.

11

Contact Information

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or need to report a privacy concern, please contact us:

Modi Labs LLC
Email: support@soapnoteapi.com

For privacy-related requests, please include "Privacy Request" in your subject line. We will acknowledge your request within 5 business days and respond in full within 30 days.

For HIPAA-specific concerns, including breach notifications or BAA inquiries, please mark your email "HIPAA — Confidential" and send to support@soapnoteapi.com.