Privacy & Compliance

Why yNote doesn't need a BAA — and why that's more secure

Your patient data never leaves your device. No cloud storage. No Business Associate Agreement required. Here's why local-first AI gives your patients stronger protection than any HIPAA-compliant cloud tool.

Where does your data live?

When you record a session in yNote, the audio is processed entirely on your Mac using a local Whisper model. The transcript and the generated SOAP note are written directly to your local storage. At no point does any patient data, audio, transcript, or note leave your device.

Your Mac: Audio → Transcript → Notes. All processing happens here.
Any cloud server: no patient data is ever sent here.

Why local-first > HIPAA-compliant cloud

"HIPAA-compliant" means a vendor has implemented certain safeguards. It does not mean your data is safe — it means they've promised to protect it. Breaches still happen. With yNote, there's nothing to breach on a server, because your data was never there.

yNote — Local First
  • Data never transmitted
  • No BAA required
  • Works fully offline
  • Zero breach surface on server
  • No vendor lock-in
  • No cloud subscription risk

Cloud AI tools
  • Data sent to vendor servers
  • BAA required by HIPAA
  • Requires internet connection
  • Subject to server-side breaches
  • Vendor data policies can change
  • Subscription cancelation = data access lost

What yNote never does

These are explicit commitments — not marketing copy.

  • No uploads. Patient audio, transcripts, and notes never leave your device.
  • No cloud storage. There is no yNote server that holds your patient data.
  • No BAA required. Because no PHI is transmitted, the HIPAA BAA requirement does not apply.
  • No training on your data. We never use your recordings or notes to improve our models. We use synthetic datasets only.
  • No analytics or telemetry. We collect no usage data, crash reports, or behavioral analytics.
  • No third-party data sharing. Your data is not shared with any third party, ever.

What network connections yNote does make

We believe in complete transparency. Here are the only three network requests yNote ever makes — none of them involve patient data.

  1. License validation. When activating your license, yNote sends your license key to our payment processor (Lemon Squeezy / Stripe). Only the license key is transmitted — no PHI, no patient data.
  2. Auto-update check. yNote periodically checks GitHub Releases for a newer version. Only version metadata is exchanged — no PHI, no user data.
  3. First-run model download. On first launch, yNote downloads the Whisper AI model from our public CDN (Cloudflare R2). This is a one-time download of a binary model file. No patient data is involved. After this, yNote works fully offline.

Technical architecture

yNote is a native macOS app built on Electron. All AI processing runs locally:

  • Speech-to-text. OpenAI Whisper model runs locally. Audio is transcribed on your CPU/GPU — never sent to OpenAI's servers.
  • Note generation. A local LLM processes the transcript and generates SOAP, DAP, or BIRP notes. No API calls to any cloud AI service.
  • Data storage. All transcripts and notes are stored in your local app data folder. You own them. You can export or delete them anytime.
  • Support diagnostics. If you contact support, our diagnostic bundle exports system info and app logs only — never patient audio, transcripts, or notes.

Frequently asked questions

Do I need a Business Associate Agreement (BAA) with yNote?
No. HIPAA's BAA requirement applies when a vendor creates, receives, maintains, or transmits PHI on your behalf. Because yNote never receives or transmits any patient data — all processing happens locally on your device — a BAA is not required.

Is yNote HIPAA compliant?
yNote is designed to be HIPAA-safe by architecture: no PHI ever leaves your device, so there's nothing to protect in transit or at rest on a third-party server. Many clinicians find this stronger than relying on a vendor's HIPAA compliance certification.

What happens if my Mac is stolen or lost?
Your notes are stored in your local app data and are protected by macOS's built-in FileVault encryption when FileVault is enabled. We recommend enabling FileVault on your Mac. If the Mac is lost, no data is accessible from any server, because there is none.

Do state privacy laws apply to yNote?
State privacy laws that govern PHI typically apply to the transmission and storage of data. Since yNote never transmits patient data and stores it only on your device, the additional state-level compliance burden is significantly reduced.

Can I verify that yNote doesn't send data anywhere?
Yes. You can run yNote in airplane mode and it will function identically (after the one-time model download on first launch). You can also use a network monitor like Little Snitch or Charles Proxy to verify the three documented network requests are the only ones made.

What about telehealth platforms — does yNote connect to them?
No. yNote does not connect to any telehealth platform or EHR. It listens to audio through your Mac's microphone (with your permission) and generates notes. You copy the note into your EHR manually. This separation is by design.
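
One way to check a capture against the three documented requests, as an added example that is not yNote's own code: it audits a HAR export (a session format Charles Proxy can save) for destinations outside an allowlist and for oversized request bodies. The hostnames, the byte threshold and the sample entries are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Assumed hostnames for the three documented purposes (not given on the page);
# replace them with the hosts the vendor confirms for your installed version.
ALLOWED = {
    "api.lemonsqueezy.com": "license validation",
    "api.github.com": "auto-update check",
    "models.example.invalid": "first-run model download",  # placeholder host
}
MAX_UPLOAD_BYTES = 2048  # a license key or version query is tiny; audio is not


def audit_har(har_text):
    """Return (request counts per purpose, findings) for a HAR export."""
    counts, findings = {}, []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        host = (urlsplit(req["url"]).hostname or "").lower()
        sent = max(req.get("bodySize", 0), 0)  # HAR records -1 when unknown
        purpose = ALLOWED.get(host)
        if purpose is None:
            findings.append(f"undocumented destination: {host}")
            continue
        counts[purpose] = counts.get(purpose, 0) + 1
        if sent > MAX_UPLOAD_BYTES:
            findings.append(f"large upload to {host}: {sent} bytes")
    return counts, findings


def _req(method, url, size):
    return {"request": {"method": method, "url": url, "bodySize": size}}


# Constructed sample capture, not real yNote traffic.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    _req("POST", "https://api.lemonsqueezy.com/license", 48),
    _req("GET", "https://api.github.com/releases/latest", 0),
    _req("GET", "https://models.example.invalid/whisper.bin", 0),
    _req("POST", "https://telemetry.example.invalid/events", 512),
    _req("POST", "https://api.github.com/upload", 5_000_000),
]}})

if __name__ == "__main__":
    counts, findings = audit_har(SAMPLE_HAR)
    print(counts)
    for finding in findings:
        print("FINDING:", finding)
```

A proxy capture only covers HTTP(S) traffic routed through it, and request sizes are visible only when the proxy decrypts TLS, so pair it with a per-process firewall monitor such as Little Snitch for other protocols.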

Ready to keep your patients' data truly private?

Download yNote free for macOS. No cloud. No BAA. No compromise.

Public release coming soon. Join the waitlist to be notified.
& Intel supported. Windows coming soon.