Last updated: April 2026
Noted is operated by Omar Matar, a data controller registered with the UK Information Commissioner's Office (ICO). We provide a clinical note-drafting tool for therapists and mental health practitioners.
Contact: omarmatar21@gmail.com
ICO registration number: [ICO-REG-NUMBER]. Verify at ico.org.uk.
Account data
Your name, email address, hashed password, subscription status, and a monthly note usage counter. Lawful basis: contract (Article 6(1)(b) UK GDPR).
Voice memos (transient)
Audio you record or upload is sent to our speech-to-text provider for transcription and deleted immediately afterwards. It is never written to our database. Lawful basis: contract (Article 6(1)(b)); Article 9(2)(h) for health data processed at the direction of the therapist as Data Controller.
Transcripts (transient)
The transcript is passed to our AI note-generation provider to produce a draft, then discarded. It is never stored by Noted.
Generated notes (browser only)
Notes are not stored on Noted's servers. They are held in your browser's session memory only and cleared when you close the tab.
Consent record
When you create an account we record the date and time you confirmed your professional status and accepted the Data Processing Agreement. Lawful basis: legal obligation (Article 6(1)(c)).
Audio and transcripts may contain health information about your clients — special category data under Article 9 UK GDPR. This data is processed transiently and solely to generate the note draft. It is not retained or used for any other purpose, including AI model training.
The lawful condition for processing is Article 9(2)(h): processing necessary for the provision of health or social care by a health professional. This condition is satisfied by you, the therapist, as Data Controller. Noted processes data as your Data Processor.
By using Noted you confirm you have a lawful basis under Article 9(2) to process your clients' data in this way and that you have provided appropriate transparency to your clients.
We engage the following third-party processors. All are bound by Data Processing Agreements and Standard Contractual Clauses for international transfers.
Neither OpenAI nor Anthropic uses API data to train AI models — this is contractually prohibited.
For each transfer of personal data to a third country, Noted has conducted a Transfer Risk Assessment (TRA) in accordance with ICO guidance to assess the risks to data subjects and confirm that the transfer mechanism provides an essentially equivalent level of protection. Transfer mechanisms used are the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as approved by the UK Secretary of State under section 119A of the Data Protection Act 2018.
Account data is retained while your account is active and deleted immediately on account deletion. Audio, transcripts, and generated notes are never retained by Noted — audio and transcripts are discarded immediately after processing; notes exist in your browser only.
Under UK GDPR you have the right to access, rectify, or erase your personal data; to restrict or object to processing; and to data portability. Email omarmatar21@gmail.com to exercise any right. We will respond within one calendar month.
You may also complain to the ICO at ico.org.uk · 0303 123 1113.
In the event of a personal data breach we will notify affected users without undue delay and report to the ICO within 72 hours where required. Because no clinical content is stored on our servers, any breach of our account database would expose account metadata only (name, email, subscription status).
Noted uses a single session cookie to keep you logged in. No analytics, advertising, or tracking cookies are used.
Material changes will be communicated by email and in-app notice at least 14 days before they take effect.