Chrome Extension Privacy Policy

Short version: The EasyTheraNotes Chrome Extension lets you view your own clinical notes (already generated in our main app) and copy them into your EHR. It only talks to your EasyTheraNotes account. It does not sell, share, or transmit your data to anyone else. It does not read other websites or auto-fill any EHR fields.

1. Who this policy covers

This policy applies to the EasyTheraNotes Chrome Extension distributed via the Chrome Web Store. For the main application at easytheranotes.com, see our general Privacy Policy.

The extension is a companion tool for licensed mental health providers who already have an active EasyTheraNotes account. You cannot use the extension without an account.

2. What the extension accesses

2.1 Authentication credentials

When you sign in through the extension popup, your email and password are sent directly to Amazon Cognito (our authentication provider, covered under the AWS Business Associate Agreement). The extension never stores your password.

In return, Cognito issues short-lived authentication tokens (JWT idToken, accessToken, refreshToken). These tokens are stored locally on your device using Chrome's chrome.storage.local API. They never leave your browser.

2.2 Clinical note content (PHI)

Once authenticated, the extension fetches your own clinical notes from our API at api.easytheranotes.com. This includes:

H2014 Skills Training notes you have generated
SOAP / TCM / Psychology session notes you have generated
Internal labels you assigned to those notes (e.g., "Client A")
Date and time the notes were created

You only see notes that belong to your own account. The extension cannot retrieve another provider's notes even if you wanted it to — the API enforces this on the server side.

2.3 What the extension does NOT access

It does NOT read or modify any other website's content. The extension does not request the tabs, activeTab, scripting, cookies, or webRequest permissions.
It does NOT access your browsing history, bookmarks, or downloads.
It does NOT auto-fill any EHR fields (Valant, TheraNest, SimplePractice, etc.). You explicitly click "Copy" and paste manually.
It does NOT include any third-party analytics, advertising trackers, or fingerprinting code.

3. Permissions requested

Permission	Why we need it
`storage`	Cache your Cognito authentication tokens locally so you do not have to log in every time you open the extension popup.
`clipboardWrite`	Used by the "Copy Note" and "Copy section" buttons. The extension writes note content to your clipboard so you can paste it into your EHR. It does NOT read your clipboard.
`host_permissions: api.easytheranotes.com`	Allows the extension to call our HIPAA-compliant API to fetch your notes.
`host_permissions: cognito-idp.us-east-1.amazonaws.com`	Allows the extension to authenticate against Amazon Cognito (sign in, refresh token).

4. Where your data is stored

Authentication tokens: only on your device, in Chrome's local storage. Tokens expire automatically (idToken every hour). Signing out wipes them immediately.
Note content: displayed in memory only while the popup is open. It is not persisted by the extension. Closing the popup removes it from extension memory.
The authoritative copy of your notes remains in our backend (Amazon DynamoDB, encrypted at rest with AES-256, covered by AWS BAA). The extension is read-only — it never creates, edits, or deletes notes.

5. HIPAA compliance

EasyTheraNotes operates under a Business Associate Agreement (BAA) with Amazon Web Services. All Protected Health Information (PHI) flowing through the extension is:

Encrypted in transit using TLS 1.2+
Encrypted at rest on our servers using AES-256
Subject to AWS-level audit logging (CloudTrail) and our application-level audit log (7-year retention)
Only accessible by the authenticated user who owns it

Google Chrome and the Chrome Web Store are not business associates under HIPAA — but they do not need to be, because the extension does not store, transmit, or process PHI through any Google service. Authentication tokens go directly to AWS Cognito; note content goes directly to our AWS backend. Google's role is limited to distributing the extension binary.

6. What we do NOT do

We do not sell, rent, share, or trade your data with any third party.
We do not use your clinical notes to train AI models. Note generation happens in the main EasyTheraNotes app via OpenAI under a separate BAA — the extension only displays notes that already exist.
We do not run advertising, marketing trackers, or behavioral profiling through the extension.
We do not store any data about which notes you viewed or copied.

7. Subscription and access

The extension only works for users with an active EasyTheraNotes subscription (paid plan or active trial). If your subscription expires, the extension shows a message asking you to renew. It does not retain access to notes for non-paying users.

8. Changes to this policy

If we make material changes to this policy, we will update the "Last updated" date at the top and announce the change inside the extension popup and via email to your registered account. Continuing to use the extension after a change constitutes acceptance.

9. Your rights

Access: You already have full access to all your data via the main app at easytheranotes.com.
Deletion: Uninstalling the extension immediately removes all locally cached tokens. To delete your notes from our backend, request account deletion via the main app or by emailing us.
Export: Both the main app and the extension allow downloading any note as a Word document.
Sign out: Click "Sign out" in the extension popup to remove tokens from your device.

10. Contact

If you have questions about this policy, the extension's data practices, or want to request data deletion:

Email: admin@easytheranotes.com
Web: easytheranotes.com

For HIPAA-specific concerns or to request our BAA, write to the same email with the subject "HIPAA / BAA Request".