Security & Privacy at Klarify

Your Data, Protected

Klarify is built for therapists who handle some of the most sensitive information in healthcare. We take that responsibility seriously. This page explains how we protect your data and your clients' data.


Where Your Data Is Stored

All of your data is stored in Canada on Amazon Web Services (AWS) servers in Montreal. AWS is the same cloud provider used by Canadian banks and government agencies. Your notes, transcripts, session information, mindmaps, and client data all stay on Canadian soil.


Compliance

Klarify is compliant with the following privacy and security frameworks:

PIPEDA (Personal Information Protection and Electronic Documents Act), the federal Canadian privacy law governing personal information.

PHIPA (Personal Health Information Protection Act), Ontario's health privacy law.

Quebec Law 25 (Act Respecting the Protection of Personal Information in the Private Sector), Quebec's updated privacy legislation.

Alberta HIA (Health Information Act), Alberta's health information privacy law.

BC PIPA (Personal Information Protection Act), British Columbia's private sector privacy law.

Saskatchewan HIPA (Health Information Protection Act), Saskatchewan's health information privacy law.

Manitoba PHIA (Personal Health Information Act), Manitoba's health information privacy law.

Klarify also complies with applicable provincial health privacy legislation across all other Canadian provinces and territories.

HIPAA (Health Insurance Portability and Accountability Act), the US health information privacy standard. We operate under Business Associate Agreements (BAAs) with our sub-processors.

UK GDPR (United Kingdom General Data Protection Regulation), the UK's data protection law governing the processing of personal data. Klarify processes health data in accordance with UK GDPR requirements, including lawful basis for processing, data subject rights, and cross-border transfer safeguards.

For users who select European processing, AI and transcription requests are handled within the EU, reducing cross-border data transfers.


We use a compliance platform for continuous security monitoring and evidence collection, and we conduct regular security audits and penetration testing by independent teams.


Data Retention & Deletion

Here is how long different types of data are kept:

Audio recordings: Automatically deleted 14 days after the recording date. Audio is not included in database backups.

Notes, transcripts, session data, mindmaps, and reflection questions: Kept until you delete them or close your account.

Database backups: We maintain 7-day encrypted backups for disaster recovery. These are stored in Canada and follow the same security protocols as our main storage. Deleted data may persist in backups for up to 7 days before being permanently purged.

System logs: Retained for a short period for security and troubleshooting. These do not contain health information.

When you delete data through the app, it is removed from our database immediately. If you delete your entire account, all associated data is deleted following the above timelines.


Cross-Border Processing

By default, your data is processed in North America. You can change your processing region to Europe in your account settings.


Audio transcription: When you record a session, the audio is temporarily sent to our transcription provider, AssemblyAI, for processing. By default, this happens on servers in Oregon, USA. If you choose European processing in your settings, it happens on servers in the EU instead. Processing takes 1 to 15 minutes, and the audio is immediately deleted from their servers after transcription is complete. AssemblyAI does not store or retain any of your data, and this is enforced through our Business Associate Agreement.


AI processing: Klarify uses AI to generate clinical notes, mindmaps, reflection questions, session summaries, and to power the AI assistant. These features run via AWS Bedrock. By default, processing may happen in Canada or the United States. If you choose European processing in your settings, it happens in the EU instead. This is temporary processing only, meaning no data is stored or kept outside of Canada. AWS has no right to access, retain, or use your data for any purpose beyond running the AI request.


AI Models & Training

We do not use your data to train any AI models. This applies to Klarify and to every service provider we work with. They are all contractually prohibited from using your data for training, model improvement, product development, analytics, or any secondary purpose.

When you use Klarify's AI features, your data is sent to the AI model and a response is generated. The model provider does not retain the data afterwards. The AI does not learn from or remember your sessions.


Our Service Providers

We work with a small number of trusted service providers. Each one has a specific role and is bound by strict data protection agreements.

Amazon Web Services (AWS), Canada: Cloud infrastructure and data storage. All data is stored in Montreal.

Amazon Web Services (AWS), Bedrock: Powers AI features. Processing may occur in Canada, the US, or the EU depending on your settings. No data is stored outside Canada.

AssemblyAI, USA/EU: Audio transcription only. Processing happens in the US or EU depending on your settings. Audio is processed temporarily and immediately deleted. No data is retained.

Clerk: User authentication. Handles login credentials only, with no access to health data.

Stripe: Payment processing. Handles billing information only, with no access to health data.

Vercel: Application hosting and delivery. Functions as an encrypted delivery layer. No health data is stored. HIPAA BAA in place.

Datadog: Security monitoring. Receives sanitized logs only, with no access to health data.


Security & Encryption

We use multiple layers of security to keep your information safe:

Encryption in transit: All data moving between your device and our servers is encrypted using TLS 1.3, the latest standard for secure communication.

Encryption at rest: All stored data is encrypted using AES-256, the same standard used by banks and government agencies.

Access controls: We use multi-factor authentication, role-based access, and least-privilege principles. Only you can access your session data through the platform.

Key management: Encryption keys are managed through AWS KMS with automatic rotation.

Security monitoring: We use real-time monitoring and alerting to detect and respond to any unusual activity.

Employee controls: All employees with access to systems undergo background checks, sign confidentiality agreements, and complete regular security and privacy training.


Data Access & Control

As the therapist, you have full control over your data:

What goes into notes: You can create fully anonymous notes or include basic identifying information where it is clinically needed.

What clients see: You choose whether to share notes, summaries, or mindmaps with clients through the client portal.

When data is deleted: You can delete individual sessions, individual clients, or your entire account at any time. Deletions from the app are processed immediately.

Data export: You can export your data in standard formats (JSON, CSV) at any time. We also support downloading individual notes and transcripts as PDF, Word (.docx), or plain text files.

Data correction: You can edit your notes and session information directly in the platform at any time.

Withdraw consent: You or your clients can withdraw consent for Klarify's use at any time without affecting the therapeutic relationship.


We provide a customizable consent form template that you can use with your clients. The template is available in English and French and covers:

  • What Klarify does and how it works
  • What data is collected and how it is used
  • Where data is stored and processed, including cross-border disclosures
  • Data retention and deletion policies
  • Three consent options for clients: full consent (recordings and dictation), partial consent (dictation only), or no consent (traditional note-taking)

The template is designed to be comprehensive so you can pick the parts that work for your practice. Many therapists use a shorter version, and that is completely fine.

You can see the template here.


Questions?

If you have questions about our security or privacy practices, reach us at privacy@klarify.ca.

For our full legal policies, visit www.klarify.ca.

Updated on: 02/03/2026
