Undertone

    Legal · Mosaic Health Analytics Inc.

    Privacy Policy

    Last Updated

    May 24, 2026

    Version

    v1.0

    Applies to the Undertone mobile application (the "App") and related website at undertone.co (the "Website", and together with the App, our "Services").

    §1About this Privacy Policy and About Us

    Mosaic Health Analytics Inc. ("Mosaic", "we", "us", "our") provides an artificial intelligence tool that helps you generate written summaries from audio recordings. You can use it to record and summarize sessions with your health provider (with that provider's knowledge), or to record your own self-reflection, journal entries, or symptom tracking, and have the App turn those recordings into structured notes.

    This Privacy Policy explains what personal information we collect from you, how we use it, who we share it with, how we protect it, and the rights you have. It applies to your use of the Services as an individual consumer. If you are a healthcare practitioner accessing Mosaic through your clinic, hospital, or other organization, a separate privacy notice and the agreements between us and your organization govern that use.

    We are a corporation incorporated in the Province of British Columbia, Canada, with our head office at 55 Water Street – Suite 408, Vancouver BC Canada V6B 1A1. You can contact our Privacy Officer at the address set out in Section 14.

    A few things to know up front

    You control your account, your recordings, and your notes. You can review, edit, export, or delete them through the App at any time.

    Mosaic is not a healthcare provider. The Services are a documentation tool. They do not provide medical, diagnostic, or therapeutic advice. Anything generated by the Services should be reviewed by you, and where applicable by your health provider, before being relied on for any care decision.

    Mosaic is not a HIPAA-covered entity, a HIPAA business associate, or a health information custodian when you use the Services as a consumer. HIPAA and the provincial health-custodian statutes (PHIPA, HIA, and similar laws) do not apply to the information we hold about you in this context. The privacy laws that do apply are described in Sections 11 and 12.

    You are responsible for recording lawfully and for informing your health provider. If you record a conversation with another person, including your health provider, you must comply with the recording-consent laws of the jurisdiction you are in. You must also tell any health provider whose sessions you record, or whose treatment you discuss in the App, that you are using Mosaic. Recording without lawful authority is a violation of our Terms of Use and may also be a violation of law.

    §2Information We Collect

    We collect the following categories of personal information.

    Information you give us directly

    • Account information. Your name, email address, and password (stored as a salted hash).
    • Profile and content information. Audio recordings you create or upload, transcripts generated from those recordings, written notes and summaries generated from those transcripts, and any edits, tags, or notes you add.
    • Payment information. If you subscribe to a paid tier, payment is processed by Apple under Apple's In-App Purchase terms. Apple manages your payment method; Mosaic does not receive, store, or have access to your payment card or banking details. Apple shares with us a transaction record (purchase identifier, product purchased, date, amount, currency, and the country of the App Store account) for the purposes of fulfilling your subscription and meeting our tax and financial recordkeeping obligations.
    • Communications and inquiries. Any information you send to us when you contact support, respond to surveys, or interact with us.

    Information collected automatically

    • Device and technical information. Device type, operating system and version, mobile network carrier, unique device identifier, language and region settings, IP address, and timestamps of when the App accesses our servers.
    • Usage information. Pages viewed, features used, frequency and duration of use, in-App actions taken, and error logs.
    • Cookies and similar technologies (Website only). See Section 6.

    Sensitive information (special categories)

    Because the Services are designed to handle clinical and health-related content, the information you provide will often include sensitive personal information. This includes:

    • Information about your physical or mental health, treatments, medications, symptoms, and diagnoses.
    • Audio recordings containing your voice and the voices of anyone else captured in the recording, which include biometric characteristics (pitch, cadence, accent, speech patterns).
    • Any information you choose to share about your health practitioner, the contents of clinical encounters, or your interactions with the healthcare system.

    We treat all of this information as sensitive personal information for the purposes of this Privacy Policy and applicable law, including Canada's Personal Information Protection and Electronic Documents Act, the California Consumer Privacy Act (as amended by the CPRA), the Washington My Health My Data Act, and Quebec's Act respecting the protection of personal information in the private sector (Law 25). We do not use this information for any purpose beyond what is described in Section 3 without your separate express consent.

    Biometric data

    Audio recordings contain voice characteristics that are biometric in nature. Mosaic does not perform voiceprint matching, speaker identification, voice-based authentication, or any other biometric identification or inference. Audio is used only to generate the transcript and is deleted promptly after transcription is complete.

    §3How We Use Your Information

    We use your personal information for the following purposes:

    • Providing the Services. To create your account, authenticate you, accept and process your audio uploads, generate transcripts and notes, store the outputs in your account, and let you review, edit, export, and delete them.
    • Account administration and customer support. To respond to your inquiries, deliver service messages, troubleshoot, and process payments through Apple In-App Purchase.
    • Maintaining and improving the Services. To monitor performance, fix bugs, develop new features, and improve the accuracy of our AI models. When we use your information for this purpose, we use de-identified data wherever possible, as described in Section 10.
    • Safety, security, and abuse prevention. To detect, prevent, and respond to fraud, security incidents, abuse of the Services, and violations of our Terms of Use.
    • Legal and regulatory compliance. To meet our obligations under applicable law, respond to lawful requests, and enforce our rights.
    • Communications. To send you operational messages (account changes, security alerts, terms updates) and, if you have opted in, promotional messages. You can opt out of promotional messages at any time through the unsubscribe link in the message or by contacting us.

    We do not use your information for any other purpose without obtaining your consent, except where permitted by applicable law.

    We do not sell your personal information. We do not "share" your personal information for cross-context behavioural advertising (as that term is defined under California law). We do not engage in targeted advertising based on the Services. We do not use your sensitive personal information for purposes other than those described above, and you have the right to limit our use of sensitive personal information as described in Section 11.

    §4Legal Basis for Processing

    Different privacy laws require different legal bases for processing personal information. For users in Canada and the US, we rely on the following:

    • Your consent, given when you create your account and accept this Privacy Policy, and at the points within the App where we ask for express consent (for example, before each recording is uploaded). Consent to record and process sensitive health information is express consent.
    • Performance of our contract with you for the Services.
    • Compliance with legal obligations that apply to us.
    • Our legitimate business interests in operating, securing, and improving the Services, where those interests are not overridden by your privacy interests.

    You may withdraw your consent at any time, subject to legal and contractual restrictions and reasonable notice. Withdrawing consent may mean we can no longer provide some or all of the Services.

    §5How We Share Your Information

    We share personal information only as described below. We never sell it.

    Service providers (subprocessors)

    We use third parties to host the Services, process data, deliver communications, and provide AI processing capabilities. These providers receive only the information they need to perform their function, are contractually required to protect your information consistent with this Privacy Policy and applicable law, and are not authorized to use your information for their own purposes. Our current subprocessor list includes the same categories of subprocessor used in our enterprise services:

    • Cloud infrastructure and storage. Amazon Web Services (AWS), in self-managed data centres in the United States. AWS provides compute, storage, virtual private cloud, and database services.
    • Operational logging, queueing, and email. AWS CloudWatch, AWS SQS, and AWS SES, in the United States. These services process application logs, audit trails, internal messaging, and transactional emails.
    • De-identification of transcripts. Microsoft Azure De-Identification Service, applied within the United States. No transcript content is stored by this service; processing is ephemeral.
    • AI generation of clinical notes. Microsoft Azure OpenAI Service. Only de-identified text is sent for AI processing; identifiable audio and identifiable text are not transmitted to Azure OpenAI. Microsoft does not store the data we send, does not use it to train its foundation models, and cannot use it for its own purposes.
    • Payment processing. Apple Inc., through the App Store In-App Purchase system. Apple is the merchant of record for App Store transactions.

    Legal and regulatory disclosures

    We may disclose your information when required to comply with applicable law, a valid court order, subpoena, or other legally enforceable demand; to investigate, prevent, or respond to suspected fraud, security incidents, or violations of our Terms; or to protect the rights, property, or safety of Mosaic, our users, or others. Where legally permitted, we will notify you before disclosing your information in response to a government request.

    Business transfers

    If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, your information may be transferred as part of that transaction. We will notify you of any such transfer and, to the extent required by law, give you the opportunity to delete your information before the transfer takes effect.

    With your direction

    If you choose to export your notes or transcripts and share them with your health provider, an insurer, or anyone else, that disclosure is at your direction. Once your information leaves the Services, this Privacy Policy no longer applies to it.

    §6Cookies and Similar Technologies

    Cookies

    Our Website uses a technology called "cookies". A cookie is a tiny element of data that our Website sends to a user's browser, which may then be stored on the user's hard drive so that we can recognize the user when they return. We use cookies to remember your preferences and to authenticate you. You may set your browser to notify you when you receive a cookie or to not accept certain cookies. However, if you decide not to accept cookies from our Website, you may not be able to take advantage of all of the Website features.

    The App does not use browser cookies but does use device identifiers and similar technologies for authentication and functionality, as described in Section 2.

    §7Cross-Border Transfers and Data Location

    • For Canadian users, your personal information is stored and processed in self-managed AWS data centres located in the United States.
    • For US users, your personal information is stored and processed in self-managed AWS data centres located in the United States. Identifiable audio and identifiable transcripts do not leave the United States.
    • Cross-border processing. Identifiable audio and identifiable transcripts are processed by Microsoft Azure OpenAI Service, which may operate across global infrastructure. Microsoft does not store this data or use it for any purpose other than returning the AI-generated output to us.

    When information is processed in or transferred to another country, it may be accessible to courts, law enforcement, and regulatory authorities in that country under that country's laws. We require contractual protections from our service providers comparable to those applicable in your region.

    §8Security

    We use administrative, physical, and technical safeguards to protect your information against unauthorized access, use, modification, and disclosure. These include:

    • Encryption of audio, transcripts, and notes in transit (HTTPS / TLS) and at rest (AES-256 via AWS Key Management Service, with annual key rotation).
    • Network isolation: services are deployed within a Virtual Private Cloud with private subnets for databases and internal services, and strict access controls on the few externally exposed services.
    • Multi-factor authentication for account access, available through email-based verification and, on Apple devices, through your Apple ID authentication.
    • Access controls limiting employee access to your information to those who need it to perform their job.
    • Logging and monitoring of access and activity, retained for security and audit purposes.

    While we hold ourselves to safeguards comparable to those required of HIPAA business associates and provincial health information custodians, we do not represent that we are a HIPAA-covered entity, a business associate, or a health information custodian under provincial health-information statutes when you use the Services as a consumer. No security measure is perfect, and we cannot guarantee absolute security.

    If we become aware of a breach of security that compromises your personal information, we will notify you and applicable regulators as required by law.

    §9Retention and Deletion

    We retain your information only as long as needed to provide the Services and meet our legal obligations.

    Type of informationDefault retentionYour control
    Audio recordingsDeleted promptly after transcription is complete (typically within minutes)Audio is never retained beyond transcription
    TranscriptsUp to 30 days after creation, then deletedYou can delete a transcript at any time
    Notes and summariesRetained until you delete them or delete your accountYou can delete any note at any time; on deletion, the note is removed from your account immediately, deleted from our active systems within 90 days, and overwritten in our backups in the ordinary course of our backup retention schedule
    Account informationUntil you delete your account, plus up to 90 days for wind-down and to meet legal hold requirementsYou can delete your account at any time through the App
    Payment and transaction records7 years, as required by tax and financial recordkeeping lawsRetained for legal compliance
    System and security logs7 years for audit, security, and compliance purposesRetained for security and legal compliance
    Customer support records3 years after the support interaction is closedRetained for service improvement

    Account deletion. When you delete your account, we delete or de-identify your personal information from our active systems within 90 days, except for information we are required to retain for legal or security purposes (such as transaction records and security logs).

    Backup retention. Information in our backups is overwritten in the ordinary course of our backup retention schedule. Until overwritten, backup copies remain subject to this Privacy Policy.

    §10Use of Artificial Intelligence

    The Services use AI to transcribe audio and generate written notes. The following applies to that use:

    • Inputs. Your audio, transcripts, and any edits or instructions you give the AI.
    • Outputs. Draft transcripts and draft notes, returned to your account in the App.
    • Models used. Microsoft Azure OpenAI Service for note generation. Speech-to-text and de-identification components are processed in the United States.
    • Training restriction. We do not allow our AI providers (including Microsoft Azure and Azure OpenAI) to use your personal information, or any client data processed through the Services, to train or fine-tune their foundation models. We may use de-identified data, from which you cannot reasonably be re-identified, to evaluate and improve the accuracy and performance of our own AI configuration.
    • Human review by you. AI outputs may contain errors, omissions, or fabrications ("hallucinations"). You are responsible for reviewing and correcting any output before relying on it for any administrative, or personal purpose.
    • Automated decision-making. The Services do not make decisions about you that produce legal or similarly significant effects on you. The AI generates a draft document; it does not approve or deny anything, assess your eligibility for anything, or make any other binding decision. Quebec users, see Section 12 for additional information.

    §11Your Rights (United States)

    Your rights depend on the state you reside in. The list below covers the most common rights. If you live in a state with a comprehensive privacy law not listed, similar rights may apply; contact us to confirm.

    California (CCPA/CPRA)

    You have the right to:

    • Know what personal information we collect about you, including the categories, sources, purposes, and third parties we share it with.
    • Access a portable copy of your personal information.
    • Correct inaccurate personal information.
    • Delete your personal information, subject to legal exceptions.
    • Limit our use and disclosure of your sensitive personal information to specified purposes. We use sensitive personal information only for purposes permitted under CPRA Section 1798.121(a), which means you do not need to take separate action to limit our use; we do not engage in any of the prohibited uses.
    • Opt out of the sale or sharing of personal information for cross-context behavioural advertising. We do not sell or share personal information for this purpose.
    • Non-discrimination for exercising any of these rights.

    To exercise these rights, contact our Privacy Officer (Section 14). We will respond within 45 days, or notify you of a 45-day extension if needed.

    Washington (My Health My Data Act)

    Some or all of the information you provide is consumer health data under the Washington My Health My Data Act. You have the right to:

    • Confirm whether we are collecting, sharing, or selling your consumer health data, and access that data.
    • Withdraw your consent to our collection or sharing of your consumer health data.
    • Have your consumer health data deleted, including from the records of our affiliates and processors.

    We do not sell consumer health data. We do not collect consumer health data without your express opt-in consent, and we do not share consumer health data without your separate consent. To exercise these rights, contact our Privacy Officer. We will respond within 45 days.

    Other US states

    Connecticut, Colorado, Virginia, Utah, Texas, Oregon, Montana, Tennessee, Iowa, Indiana, Delaware, New Jersey, New Hampshire, Nebraska, Minnesota, Maryland, Kentucky, and other states have comprehensive privacy laws that grant similar rights (access, correction, deletion, portability, opt-out of targeted advertising and sale, and protection of sensitive data). If you are a resident of one of these states, you may exercise these rights by contacting us.

    California Confidentiality of Medical Information Act (CMIA)

    Where the CMIA applies to Mosaic as a business that offers software to consumers designed to maintain medical information for the purpose of allowing the individual to manage their information, we comply with its restrictions on the use and disclosure of medical information.

    §12Your Rights (Canada)

    All Canadian users (PIPEDA and applicable provincial private-sector privacy laws)

    You have the right to:

    • Access the personal information we hold about you and be told how it is used and disclosed.
    • Correct inaccurate personal information.
    • Withdraw your consent to our collection, use, or disclosure of your personal information (subject to legal and contractual restrictions and reasonable notice).
    • Receive a copy of the personal information you have provided to us in a structured, commonly used format.
    • File a complaint with us, and with the Office of the Privacy Commissioner of Canada or your provincial privacy regulator.

    Quebec users (Law 25)

    In addition to the rights above, you have the right to:

    • Be informed of, and object to, the use of your personal information for purposes other than those for which it was collected.
    • Receive your personal information in a structured, commonly used technological format, and have it transmitted to a third party, where technically feasible (data portability).
    • Be informed if a decision affecting you is based exclusively on automated processing of your personal information, and have that decision reviewed by a human. The Services do not currently make any such decisions about you; if this changes, we will notify you separately.
    • Be informed of the use of any technology that allows your identification, location, or profiling. The Services do not use such technology.

    Our Privacy Officer is responsible for compliance with Quebec Law 25 and is the principal contact for any privacy inquiry or complaint from Quebec residents.

    Alberta and British Columbia users

    Provincial Personal Information Protection Acts apply. The rights described under PIPEDA above apply, and complaints may be filed with the Office of the Information and Privacy Commissioner of your province.

    To exercise any of these rights, contact our Privacy Officer (Section 14) or use the in-App rights centre. We will respond within 30 days (PIPEDA) or as otherwise required by applicable provincial law.

    §13Children and Minors

    The Services are intended for users who are at least 16 years old. The Services are not directed to children under the age of 16, and we do not knowingly permit anyone under 16 to create an account or use the Services.

    By creating an account, you confirm that you are at least 16 years of age. If you are between 16 and the age of majority in your jurisdiction, you confirm that you are permitted to use the Services under applicable law and, where required, have obtained consent from a parent or legal guardian.

    If we learn that we have collected personal information from a person under 16, or from a minor who is not permitted to use the Services under applicable law, we will close the account and delete the associated information promptly, unless we are legally required to retain it.

    If you believe that a person under 16 has provided us with personal information, please contact us at privacy@mosaicanalytics.health.

    §14How to Contact Us; Complaints

    Our Privacy Officer is responsible for compliance with this Privacy Policy and applicable privacy laws.

    Privacy Officer Email

    privacy@mosaicanalytics.health

    If you are not satisfied with our response to a privacy inquiry or complaint, you have the right to file a complaint with the privacy regulator in your jurisdiction:

    • Canada (federal): Office of the Privacy Commissioner of Canada (priv.gc.ca)
    • Quebec: Commission d'accès à l'information du Québec (cai.gouv.qc.ca)
    • Alberta: Office of the Information and Privacy Commissioner of Alberta (oipc.ab.ca)
    • British Columbia: Office of the Information and Privacy Commissioner for British Columbia (oipc.bc.ca)
    • California: California Privacy Protection Agency (cppa.ca.gov) or Office of the Attorney General (oag.ca.gov/privacy)
    • Washington: Washington Attorney General (atg.wa.gov)
    • Other US states: the state Attorney General

    §15Changes to this Privacy Policy

    We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top, post the revised Privacy Policy in the App and on the Website, and, for material changes, notify you in the App, by email, or both before the changes take effect. Your continued use of the Services after the effective date of a revised Privacy Policy constitutes your acceptance of it. If you do not agree to the revised Privacy Policy, you may stop using the Services and delete your account.

    Back to Undertone