Privacy Policy
Last updated: 25 May 2026
1. Who we are
JAWIZ AS provides AI-based documentation solutions for the healthcare sector through Notat AI.
We act as:
Data controller for user account information (healthcare professionals).
Data processor for patient data processed through our solutions. We process such data solely on documented instructions from the healthcare provider.
- Company: JAWIZ AS (Org. no. 937 393 385)
- Email: [email protected]
2. What information we process
Depending on how the solution is used, the following may be processed (this may include health information):
- Name and contact details of users
- Role and organizational affiliation
- Login credentials (managed by Clerk)
- Audio chunks from consultations
- Transcribed text, extracted clinical facts, visit summaries, and generated notes
- Uploaded professional documentation
- Technical data (IP address, browser type, device info)
3. Purpose of processing
The purpose is to transcribe speech to text, structure consultation information, generate summaries and draft clinical documentation, and streamline medical record keeping.
Consultation audio, transcripts, extracted clinical facts, summaries, notes, and the minimum account or workspace details needed to provide the service may be sent to Notat AI processing infrastructure hosted on Google Cloud under a Business Associate Agreement.
The solutions do not provide medical decision support and do not make automated decisions with legal or equivalent effects.
4. Legal basis
The legal basis for patient data is determined by the healthcare provider (the controller). Typically, the basis is GDPR Article 6 and Article 9(2)(h) (healthcare provision), supplemented by provisions in the Norwegian Health Personnel Act.
For user account data, we process based on contractual necessity (GDPR Article 6(1)(b)).
Technical data for security and service improvement is processed based on legitimate interest (GDPR Article 6(1)(f)), limited to what is strictly necessary.
5. Storage and deletion
- Audio chunks: Processed in real time and deleted immediately after extraction. No complete or partial audio recording is retained.
- Transcribed text and generated notes: Stored encrypted for review and automatically deleted no later than 24 hours after generation.
- User account data: Retained as long as the user account is active. Deleted upon account closure, unless otherwise required by law (e.g., accounting obligations).
- Billing data: Retained in accordance with Stripe's terms and applicable accounting laws.
6. Where and how data is processed
Notat uses secure cloud infrastructure to provide the service. For customers who require HIPAA safeguards, Notat hosts processing on Google Cloud under a Business Associate Agreement.
Customer data is not sold, used for advertising, or used to train general AI models.
- Core infrastructure and AI processing — Google Cloud
- Authentication — Clerk (EEA)
- Billing — Stripe (EEA / per Stripe)
7. Information security
Data is secured through encryption in transit (TLS 1.3) and at rest (AES-256), access control, and organizational security measures. Access is limited to personnel who require it to perform their duties.
Subcontractors that create, receive, maintain, or transmit protected health information on Notat's behalf must agree to substantially similar restrictions and safeguards.
8. Your rights
For patient data: Registered individuals have the right to access, rectification, erasure, restriction, data portability, and objection. Requests regarding patient data must be directed to the healthcare provider (the data controller).
For user account data: Users may contact us at [email protected] to exercise their rights. We respond within 30 days.
9. Breach notification
In the event of a personal data breach, we will notify affected healthcare providers without undue delay and, where required by law, the relevant supervisory authority within 72 hours.
10. Changes
This policy may be updated. Material changes will be posted on our website with an updated effective date.