Privacy Policy
Effective date: February 6, 2026 | Version: 2026-02-06-v1
1. Information We Collect
We collect the following categories of information:
- Account information: Your name, email address, professional credentials, and organization details provided during registration.
- Clinical data: Client records, session notes, genogram data, and other clinical information you enter into the Service. This may include protected health information (PHI) as defined under HIPAA.
- Session recordings: Audio recordings uploaded for AI-powered transcription. Recordings are encrypted at rest and processed ephemerally.
- Usage data: Information about how you interact with the Service, including pages visited, features used, and timestamps. This data is used to improve the Service and is not linked to clinical data.
2. How We Use Your Information
We use the information we collect to:
- Provide the core Service functionality, including client management, session recording, AI-powered transcription, clinical analysis, and genogram creation.
- Generate AI-assisted clinical insights using the Anthropic Claude API and OpenAI Whisper API under data processing agreements.
- Communicate with you about your account, billing, and Service updates.
- Monitor and improve the security, performance, and reliability of the Service.
We do not sell, rent, or share your personal information or clinical data with third parties for marketing or advertising purposes. We do not use your clinical data to train AI models.
3. Data Storage and Security
All protected health information is encrypted at rest using AES-256 via the managed disk-level encryption provided by our database provider (Supabase), which operates under a HIPAA Business Associate Agreement. Backups and snapshots inherit the same at-rest encryption.
All data in transit is encrypted using TLS 1.3 with forward secrecy. Our infrastructure is hosted on Supabase and Vercel, both SOC 2 Type II certified providers. PostgreSQL Row-Level Security (RLS) policies enforce strict multi-tenant data isolation at the database level on every PHI-bearing table.
For full details on our security architecture, visit our Security & Trust page.
4. Third-Party Services
Genos integrates with the following third-party services to provide AI features:
- Anthropic Claude API: Used for AI-powered clinical analysis, session consultation feedback, and case analysis. Data is processed ephemerally and not retained by Anthropic.
- OpenAI Whisper API: Used for audio transcription of session recordings. Audio data is processed in real time and not retained by OpenAI.
- Supabase: Provides database hosting, authentication, and file storage. Operates under a HIPAA Business Associate Agreement.
- Stripe: Processes subscription payments. Stripe does not have access to your clinical data.
All third-party integrations operate under data processing agreements that restrict how your data may be used.
5. HIPAA Compliance
Genos implements the administrative, physical, and technical safeguards required by the HIPAA Security Rule. We offer a Business Associate Agreement (BAA) for covered entities, available at genos.app/trust/baa.
Our HIPAA compliance measures include: role-based access controls, comprehensive audit logging of all PHI access, encryption of all 18 HIPAA identifiers, breach notification procedures, and workforce security training.
6. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Upon account termination, you may request a data export within thirty (30) days. After this period, all rows associated with your account are permanently deleted from our primary database and removed from backups in accordance with our retention schedule.
We may retain anonymized, aggregated data that cannot be linked to any individual for the purpose of improving the Service.
7. Your Rights
You have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate personal data.
- Deletion: Request deletion of your personal data, subject to legal retention requirements.
- Export: Export your data in a standard, machine-readable format at any time through the Service settings.
- Restriction: Request that we restrict processing of your personal data under certain circumstances.
To exercise any of these rights, contact us at privacy@genos.app.
8. Cookies and Tracking
Genos uses only essential cookies required for authentication and session management. We do not use third-party tracking cookies, advertising cookies, or analytics services that track individual users across websites.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or through an in-app notification at least thirty (30) days before the changes take effect. The version number and effective date at the top of this page will be updated accordingly.
10. Contact
For questions or concerns about this Privacy Policy or our data practices, contact us at privacy@genos.app.