Compliance
HIPAA. GDPR. PIPEDA. Built into the product.
Behavioral-health practices serve clients across borders, and the rules that apply don't agree with each other in the obvious way. The workflows for keeping records, honoring an erasure request, recording consent, and choosing where data sits all live in the product — not in a policy document.
HIPAA · United States
Six-year retention through redacting rather than deleting. BAA included.
- All client information is encrypted while it sits in our records
- All traffic between your browser and Praxnote is encrypted in transit
- Each practice's records are kept separate from every other practice's — no record from another practice is reachable from yours, ever
- Every time a record is read or changed, the action is logged with who did it and when
- The session times out after 30 minutes of inactivity (the practice can adjust this)
- The six-year retention rule is handled by redacting the identifying information, not deleting the record — so the retention rule and an erasure request can both be honored at the same time
- A BAA is included on every paid plan — request one here
GDPR · clients in the European Union
Right-to-be-forgotten requests, honored cleanly.
For practices that serve clients with European data rights, the right to be forgotten is something Praxnote does, not something the practice has to figure out. The workflow lets you choose what to erase — session notes, transcripts, documents, messages, assessments, billing narratives — sends the request through approval, removes the client's information, and keeps only the minimal record-keeping that retention rules still require.
- A clear request screen where you choose what to erase
- Praxnote staff review and approve every request before it runs
- The client's information is removed; the minimal record the U.S. rules require stays as an empty shell
- A summary of what was erased is recorded with the request
- Consent is tracked in its own log — what was agreed to, when, and whether it was later revoked
- The activity record captures every step
PIPEDA · Canada
The Canadian rules work today. Canadian-region hosting is on the way.
Praxnote is built to support Canadian practices. The consent log and erasure workflow match what Canadian privacy law expects — they share the same structure as the European workflow above, which covers most right-of-access and right-of-erasure scenarios. Where we're not yet, we'd rather say so honestly.
- Consent is tracked granularly — treatment, communication, billing, research are recorded separately
- The right-of-access and right-of-erasure workflows are the same as above
Where we're not yet:
- Per-practice Canadian data residency is a setting today, not yet enforced at the infrastructure level. Canadian-region hosting is on the roadmap — and Praxnote Dedicated already solves this today by running inside your own Canadian cloud account
- Province-specific retention rules (CRPO, BCACC, OPQ) aren't yet built in
- Canadian-dollar billing for the platform fee is on the roadmap
If you're a Canadian practice evaluating Praxnote, talk to us — we'll be straight about what fits today and what's coming.
Day-to-day commitments
Choices that are easier to verify than to claim.
- The AI is reached directly — no other vendor sits between Praxnote and the AI provider
- The site does not load fonts, scripts, or images from any other server
- No third-party analytics or trackers, on by default or off
- Sign-in uses a modern session-based approach — no passwords for anyone to leak, lose, or reuse
- Updates roll out without forcing your clinicians to refresh in the middle of a session
- Long-running work (transcription, scoring) runs in a separate, isolated place — it never blocks your interface
- Anything that can't be undone — deleting, voiding, redacting — asks for confirmation, every time
Talk through your situation
Bring your specific scenario to a 30-minute conversation.
If you serve clients across borders, operate in both the U.S. and Canada, or need specific written attestations for an audit or insurance carrier, we'll walk through what Praxnote does today and where we'd customize.