BlueNote

Privacy

Privacy Policy

Last updated: June 2026

1. Who we are

BlueNote is operated by Hoist Studio, a sole proprietorship doing business as Hoist Studio. Hoist Studio provides BlueNote as a software tool used by independent licensed therapists to schedule appointments and (with explicit consent) record, transcribe, and summarise therapy sessions. For account, billing and marketing data, Hoist Studio is the data controller. For clinical content uploaded by therapists (client profiles, audio recordings, transcripts, notes), the therapist is the data controller and Hoist Studio acts as a data processor on the therapist's behalf.

2. What we collect

  • Account & billing data: therapist name, email, login credentials, country, subscription status, and billing identifiers from our payment provider (we never see full card numbers).
  • Booking data: client name, email, phone (optional), session type, date, and any notes provided at booking.
  • Session recordings & transcripts: only when the client has ticked the consent checkbox at booking. Audio is uploaded by the therapist after the session and processed by AI to produce a transcript and summary. These qualify as special-category (health) data under GDPR Art. 9.
  • Video sessions: if a video appointment is chosen, the meeting runs over Jitsi. The video stream is not recorded automatically — only the therapist's local microphone capture, if consent has been given.
  • Technical data: standard server logs (IP, timestamp, user agent) for security and abuse prevention. No analytics or advertising trackers.

3. Legal basis

Under GDPR and Serbia's Law on Personal Data Protection (ZZPL):
  • Explicit consent (Art. 9(2)(a)) for recording, transcription, and summarisation of sessions.
  • Performance of a contract (Art. 6(1)(b)) for booking, account, and billing data.
  • Legitimate interests (Art. 6(1)(f)) for security logs and abuse prevention.
  • Legal obligation (Art. 6(1)(c)) for tax and accounting records related to paid subscriptions.

4. How long we keep your data

  • Account data: while your account is active, plus up to 12 months after closure for dispute resolution.
  • Billing records: retained for the period required by applicable tax law (typically up to 10 years).
  • Bookings: retained while the therapist–patient relationship is active.
  • Recordings & transcripts: retained by your therapist for as long as professional rules require, then deleted.
  • Server logs: 90 days.
  • You can request deletion at any time (see Section 8).

5. Where your data is stored and who we share it with

Data is stored on Lovable Cloud (Supabase) infrastructure inside the EU. Recordings are held in a private storage bucket — only your therapist can access them. We share personal data only with the following categories of recipients, acting as processors or sub-processors:
  • Lovable Cloud / Supabase — database, authentication, and file storage (EU region).
  • Stripe Payments Europe Ltd — our payment processor for handling subscriptions, invoicing, and card payments. Card details are sent directly to Stripe and are never stored by us.
  • Google (Gemini) via the Lovable AI Gateway — used to transcribe and summarise audio. Audio is sent only for the time needed to produce the transcript and is not used to train models.
  • Jitsi — hosts the video meeting layer; the stream is peer-to-peer where possible.
  • Professional advisers and authorities — only where required by law.

Some sub-processors may process data outside the EU/EEA (for example, AI inference may occur on US-based infrastructure). Where this happens, transfers are protected by Standard Contractual Clauses or equivalent safeguards.

6. Security

We use industry-standard technical and organisational measures: encryption in transit (TLS) and at rest, row-level access controls so each therapist can only access their own data, signed and time-limited URLs for audio downloads, and least-privilege access for our own staff.

7. Cookies

BlueNote uses only essential cookies required for login and session management. We do not use analytics, advertising, or third-party tracking cookies, so no cookie banner is shown.

8. Your rights

You have the right to: access your data, correct it, delete it, restrict or object to processing, withdraw consent at any time, request a copy in portable format, and lodge a complaint with your local supervisory authority (in Serbia, the Commissioner for Information of Public Importance and Personal Data Protection — poverenik.rs). We respond to requests within one month. The fastest way to exercise any of these is the Delete my data page, or by emailing your therapist directly.

9. HIPAA status

BlueNote is built for therapists practicing in Serbia and the EU, and complies with GDPR and Serbia's Law on Personal Data Protection (ZZPL). BlueNote is not HIPAA-certified and is not intended for the storage or processing of Protected Health Information (PHI) of clients located in the United States. We have not signed Business Associate Agreements (BAAs) with our infrastructure or AI providers. If you are a US-based clinician or client, please do not use BlueNote for PHI until HIPAA support is formally announced.

10. Contact

For privacy questions about clinical content, contact your therapist directly — they are the data controller for that content. For questions about BlueNote itself (account, billing, security), contact Hoist Studio at the email address shown in your dashboard.

Right to erasure

You can request deletion of your data at any time.

Delete my data