Lumen Notes
Privacy Policy
Effective date: June 12, 2026
Lumen Notes ("Lumen", "we", "us") provides AI-assisted clinical documentation software for licensed mental-health clinicians. This policy explains what we collect, why, and what control you have over it. Because our customers are clinicians who bring client information into the product, this policy distinguishes between your data (account and usage information about you, the customer) and client data (the session audio, transcripts, and notes you create about your clients, which may constitute protected health information under HIPAA).
1. Client data — PHI you bring into Lumen
When you record a session, upload audio, or write a note, that content may contain protected health information (PHI). For PHI, we act as a business associate to you or your practice (the covered entity), and our handling is governed by the Business Associate Agreement (BAA) between us — not by ordinary consumer-privacy terms. See our HIPAA Notice.
- We process client data solely to provide the service: transcribing audio, drafting notes, and storing the records you keep.
- Session audio is deleted when you sign the note. Audio exists only to produce the draft; permanent deletion on signing is the product default.
- Client data is never used to train AI models — ours or anyone else's. Our AI subprocessors are contractually bound to the same restriction.
- You control retention. Signed notes are retained so you can meet your records-retention obligations; you can export or delete client records at any time.
- We never sell client data, and we never use it for advertising. There is no version of Lumen where that changes.
2. Your data — account and usage information
We collect the minimum we need to run your account:
- Account details: name, email, credential type, practice name, password (hashed).
- Billing details: processed by Polar, our merchant of record. We never see or store full card numbers.
- Product usage: which features you use and basic diagnostics (errors, performance), used to operate and improve the product. This data is about you, not your clients.
- Support correspondence: emails you send us.
3. What we don't do
- No advertising trackers, no third-party ad networks, no sale of personal information of any kind.
- No optional analytics without your consent — and as of the effective date above, we run none at all. See the Cookie Policy.
- No training of models on customer content.
4. Who we share data with
We share data only with the subprocessors required to run the service — hosting, database, transcription, AI drafting, billing, and email. Each is listed with its purpose and region on the Subprocessors page, and each that touches PHI is bound by a BAA or equivalent data-protection terms. We disclose data to authorities only when legally compelled, and we will notify you unless prohibited by law.
5. Security
We use encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, audit logging, and clinician-controlled signing. Full details are on the Security page.
6. Your rights
You can access, correct, export, or delete your account data at any time from your account settings or by emailing support@lumen.1labs.app. Depending on where you live (e.g., California, the EEA, the UK), you may have additional statutory rights — we honor access, deletion, and portability requests regardless of jurisdiction. Note that requests concerning client records must come through the clinician or practice that controls them; if a therapy client contacts us directly, we will refer them to their clinician, as HIPAA requires.
7. Data retention
- Session audio: deleted permanently on note signing (or session discard).
- Notes and client records: retained while your account is active and under your control.
- After account closure: client records are available for export for 30 days, then deleted from production systems, with backups expiring on a rolling 35-day cycle.
8. Children
Lumen accounts are for licensed clinicians and practice staff aged 18+. Client records may concern minors receiving care; those records are PHI controlled by the treating clinician and governed by the BAA.
9. Changes to this policy
We'll notify account holders by email at least 14 days before material changes take effect. Continued use after the effective date constitutes acceptance.
10. Contact
Privacy questions or requests: support@lumen.1labs.app.