Privacy Policy

Effective date: 20 April 2026, Version 1.1.0

Healnote values your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, and safeguard information when you visit our website healnote.health (the 'Site'), use the HealNote mobile application, or interact with us online.

1. Information We Collect

1.1 Authentication Data

When you create an account or sign in using a third-party provider, we collect:

  • Your name and email address as provided by the authentication provider
  • A unique user identifier assigned by the provider (e.g., Google ID, Apple User ID)
  • Profile picture URL (Google Sign-In only — Apple does not share this)
  • An authentication token used to verify your identity

We do NOT receive or store your Google or Apple password.

1.2 Patient Health Data (Sensitive Personal Data)

Collected via the Form intake chatbot or entered by clinic staff, this includes:

  • Full name, national ID (optional), date of birth, gender
  • Chief complaint and current symptoms
  • Medical history, chronic conditions, previous diagnoses
  • Current medications and known allergies
  • Uploaded medical documents, scans, and lab results
  • Examination findings documented during the clinical visit
  • Diagnosis, treatment plan, and prescriptions
  • Bilingual patient handout and QR medication schedule

All patient health data is Sensitive Personal Data under Article 1 of PDPL No. 151/2020 and is subject to the highest level of protection.

1.3 Clinic User Data

  • Name, professional licence number, medical speciality
  • Clinic name, address, and contact details
  • Account credentials (passwords are hashed and never stored in plain text)
  • Subscription and billing information
  • Platform usage and audit logs

1.4 Technical Data

  • IP addresses, device type, operating system, and app version
  • Session logs, access timestamps, and error reports
  • Push notification tokens (if notifications are enabled)

These are collected solely for security, audit, and platform improvement purposes.

2. Why We Collect Your Information

We process personal data under the following lawful bases established by PDPL No. 151/2020:

  • Explicit written consent — obtained from each patient before their data is collected (Articles 6 & 14, PDPL)
  • Contract performance — to provide clinic users with the platform services they have subscribed to
  • Medical care necessity — to enable doctors to provide appropriate clinical care to patients (Article 16, PDPL)
  • Legal obligation — to comply with Egyptian data protection, cybercrime, and healthcare laws

We do not rely on legitimate interests as a lawful basis for processing Sensitive Personal Data (health data).

3. How We Use Your Data

Authentication data is used to:

  • Create and maintain your HealNote account
  • Authenticate you securely each time you open the app
  • Personalise your experience (e.g., displaying your name)

Patient health data is used solely to:

  • Power the AI intake chatbot and generate the patient's Clinical Brief for the doctor
  • Facilitate drug interaction checking during prescription
  • Enable AI analysis of uploaded medical documents
  • Generate the bilingual Arabic/English patient handout
  • Create the QR-linked medication schedule and follow-up reminders
  • Maintain a PDPL-compliant digital audit trail of each clinical visit

We do NOT use patient data for:

  • Training AI models without separate, explicit patient consent
  • Advertising, marketing, or commercial profiling
  • Sale or transfer to third parties for any commercial purpose
  • Any purpose beyond direct clinical workflow support

4. Data Sharing and Third Parties

We do not sell patient data. We may share data with the following categories of parties, solely to operate the platform:

4.1 Authentication Providers

  • Google (Google Sign-In) — receives only the authentication request; Google does not receive your health data
  • Apple (Sign in with Apple) — receives only the authentication request; Apple does not receive your health data

These providers may collect information independently per their own privacy policies.

4.2 Infrastructure & Service Providers

  • Cloud infrastructure providers (AWS) — data hosted on servers in Egypt or approved PDPC jurisdictions only
  • Payment processors — billing data only, not health data
  • Security and audit tools — anonymized technical logs only

All third-party vendors are bound by Data Processing Agreements (DPAs) in accordance with Article 9 of PDPL No. 151/2020.

We will never transfer patient health data outside Egypt without: (a) PDPC approval; (b) explicit patient consent; and (c) confirmation the receiving jurisdiction provides equivalent data protection.

5. Data Security

Healnote implements the following security measures in accordance with PDPL No. 151/2020 and Executive Regulations No. 816/2025:

  • AES-256 encryption for all data at rest
  • TLS 1.2+ encryption for all data in transit
  • Role-based access controls — each clinic sees only its own patient data
  • Multi-factor authentication for clinic user accounts
  • Tamper-proof access logging and audit trails
  • Regular penetration testing and security audits
  • Incident detection and 72-hour breach notification protocol

Authentication tokens are stored in encrypted device storage (iOS Keychain / Android Keystore) and are never transmitted to third parties.

In the event of a data breach, Healnote will notify the Personal Data Protection Centre (PDPC) within 72 hours of becoming aware of the breach, and will notify affected patients within 3 working days thereafter, in compliance with Executive Regulations No. 816/2025, Article 5.

6. Your Rights

Under PDPL No. 151/2020, Article 11, patients and clinic users have the following rights:

  • Right of Access — you may request a copy of all personal data we hold about you
  • Right of Correction — you may request correction of inaccurate or incomplete data
  • Right of Erasure — you may request deletion of your data after the applicable retention period
  • Right to Restrict Processing — you may request that we limit how we use your data
  • Right to Withdraw Consent — you may withdraw consent at any time without affecting the lawfulness of prior processing
  • Right to Object — you may object to certain uses of your data
  • Right to Disconnect Account — you may disconnect your Google or Apple account at any time via Settings; this will sign you out and we will no longer receive data from that provider

To exercise these rights, contact: support@healnote.health. We will respond within the timeframes required by PDPL No. 151/2020. Note that a fee may apply for certain requests as permitted by Article 11 of the PDPL.

7. Changes to this Policy

We may update this policy periodically. Continued use of our services indicates your acceptance of any changes.

8. Data Retention

Patient health data is retained for the period required by applicable Egyptian medical and data protection law. Clinic users may request data export at any time. Upon termination of a clinic's subscription, data is retained for the legally required period and then securely and permanently deleted.

Authentication data (your name, email, and provider identifiers) is retained for as long as your account exists. When you delete your account or request data erasure, all authentication data is permanently deleted within 30 days.

Technical and audit logs are retained for a minimum of 180 days as required by Egypt's Cybercrimes Law No. 175 of 2018, and then deleted.

9. Children's Data

Under PDPL No. 151/2020 and Executive Regulations No. 816/2025, Article 15, the data of any person under 15 years of age is classified as Sensitive Personal Data. Healnote requires clinics to obtain explicit written consent from the legal guardian of any patient under 15 before entering their data into the Platform.

10. AI and Automated Processing

Healnote uses AI to assist clinical workflows. In accordance with Egypt's emerging AI guidelines and PDPL principles:

  • No fully automated decisions with legal or clinical effect are made by Healnote's AI without human review
  • All AI outputs are presented as suggestions and decision-support information only
  • A licensed doctor must review and approve all AI-generated clinical content before acting on it
  • If patient data is used for AI model training, separate explicit consent will be obtained for that specific purpose

11. Account Deletion

You may request deletion of your account and all associated data at any time by contacting support@healnote.health or using the "Delete Account" feature in the app. Upon account deletion:

  • Your authentication credentials and profile data will be permanently removed within 30 days
  • Patient clinical records may be retained as required by Egyptian medical record-keeping law
  • You will receive confirmation once your data has been fully deleted

12. Contact Us

For any questions about this Privacy Policy or how we handle your information, please contact our team at: support@healnote.health