Overview
CoChart.ai ("CoChart", "we", "us") is an AI-powered SOAP note generation service built for clinicians. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information.
Effective date: March 2026 · Last updated: July 2026
By using CoChart.ai you agree to the practices described in this policy. If you have questions, contact us at privacy@cochart.ai.
Information We Collect
- Account information: name, email address, practice name, specialty, and billing details when you create an account or subscribe.
- Usage data: pages visited, features used, and session duration to improve the product.
- Protected Health Information (PHI): audio recordings and AI-generated SOAP notes containing patient visit details, processed only when you use the transcription and note-generation features. See the HIPAA section below.
How We Use Your Information
- Provide and improve the CoChart.ai service.
- Generate SOAP notes from your recordings and transcripts.
- Process billing and manage your subscription.
- Send transactional emails (account setup, billing receipts, support responses).
- We do not sell your data or PHI to third parties.
- We do not use patient data to train AI models.
HIPAA Compliance & PHI Handling
CoChart.ai is HIPAA compliant. We implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule (45 CFR Part 164) for the protection of electronic Protected Health Information (ePHI).
What constitutes PHI in our system:
- Audio recordings of patient visits uploaded for transcription.
- AI-generated SOAP notes and transcripts derived from those recordings.
- Patient identifiers (name, date of birth, etc.) entered alongside notes.
How we protect PHI:
- Encryption at rest: all PHI fields (transcripts, SOAP note content) are encrypted with AES-256 before being stored in the database.
- Encryption in transit: all data is transmitted over TLS 1.2+.
- Row-level security: each clinician can only access their own patients' records; administrative access is separately controlled and audited.
- Zero AI training on patient data: AI requests are routed through a HIPAA-aware proxy with `data_collection: deny` and Zero Data Retention (ZDR) enforced. No patient audio or note content is used to train or fine-tune any AI model.
- Audit logging: every access to PHI is logged with user identity, timestamp, and action. Logs are retained for 7 years as required by HIPAA.
- Right to erasure: clinicians can permanently delete any note; upon deletion, all PHI fields are immediately scrubbed and the deletion is itself logged.
For complete technical safeguard documentation, see our HIPAA Compliance page.
Need a Business Associate Agreement (BAA)?
If your practice is a HIPAA Covered Entity, we can execute a BAA with you. Contact us and we'll have it to you within 1 business day.
Data Retention & Deletion
Account data is retained for the life of your subscription plus 90 days, after which it is deleted. PHI (SOAP notes and transcripts) is retained only as long as you maintain it in your account; you can delete individual notes or your entire account at any time. Audit logs are retained for 7 years per HIPAA requirements.
To request deletion of your account and all associated data, email privacy@cochart.ai.
Contact & Privacy Inquiries
For privacy questions, BAA requests, or data deletion requests, contact:
CoChart.ai Privacy Team
privacy@cochart.ai
This policy describes CoChart.ai's current practices and does not constitute legal advice. For compliance questions specific to your practice, consult a HIPAA compliance attorney.