Privacy Policy

This page describes how KoNote protects your data. Each organisation should customise this policy for their specific practices and hosting configuration.

Administrators: See the full privacy policy template in the deployment documentation for a version you can tailor to your organisation.

Encryption

Data at Rest

All personally identifiable information (PII) is encrypted before being stored in the database using Fernet symmetric encryption:

  • Algorithm: AES-128 in CBC mode with HMAC-SHA256 authentication
  • Encryption keys are stored in environment variables, separate from the database and source code
  • Key rotation is supported without downtime

Encrypted fields include: names, dates of birth, contact information, email addresses, session notes, and any custom fields marked as sensitive by administrators.

Data in Transit

  • All connections are encrypted using TLS (HTTPS)
  • HTTP Strict Transport Security (HSTS) is enabled
  • Database connections use SSL/TLS

Passwords

  • Passwords are hashed using Argon2id (winner of the Password Hashing Competition)
  • Each password has a unique random salt
  • Passwords are never stored in readable form
  • Minimum password length: 10 characters

Access Control

Access to Participant information is controlled through role-based permissions:

Role              Access Level
Administrator     System settings and user management. No Participant data access unless also assigned a Program role.
Program Manager   Full access to Participants in assigned Programs. Can edit Plans and export data.
Staff             Access to Participants in assigned Programs. Can write notes and record events.
Front Desk        Limited Participant information only. Cannot view full records or export data.

  • Staff can only see Participants in Programs they are assigned to
  • Administrative functions are restricted to administrators
  • All permission checks are enforced server-side

Sessions and Cookies

  • Sessions automatically expire after a period of inactivity (default: 30 minutes)
  • Session timeout resets with each action you take
  • Sessions are stored server-side — only a session identifier is kept in your browser
  • Cookies are HTTP-only (not accessible to JavaScript) and secure (HTTPS only)

KoNote uses only essential cookies required for the application to function. No advertising, tracking, or analytics cookies are used.

Audit Logging

All access to and changes to Participant data are recorded in a separate audit database:

  • Login attempts (successful and failed) with timestamps and IP addresses
  • Every time a Participant record is viewed
  • All data changes with before and after values
  • Data exports — who exported what and when
  • Permission changes and administrative actions

The audit database is append-only: entries cannot be modified or deleted through the application.

Data Erasure

KoNote supports formal data erasure requests in compliance with PIPEDA:

  • Any staff member can initiate an erasure request for a Participant
  • All program managers for that Participant's Programs must approve the request
  • Once approved, all Participant data is permanently and irreversibly deleted
  • The audit trail records that an erasure occurred, but no personal information is retained

Data Exports

  • Program managers and administrators can export Metric data in CSV format
  • Individual Participant data can be exported for privacy access requests
  • Export download links expire after a limited time
  • All exports are recorded in the audit log
  • Exported files include protections against formula injection
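The last point above, "protections against formula injection", refers to the way spreadsheet applications evaluate a cell that begins with =, +, -, @ or certain control characters as a formula rather than text. The following Python is an added illustration of that protection and is not KoNote's own export code: it neutralises such cells with a leading single quote, leaves genuine numbers untouched so Metric values stay numeric, and re-parses the result to confirm nothing in the file can be read as a formula. The row data is constructed for the example; the function names are the example's own.

```python
import csv
import io

# Leading characters that Excel, LibreOffice and Google Sheets treat as the
# start of a formula or a cell-format directive.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value):
    """Return text safe to place in a CSV cell that a spreadsheet will open.

    Prefixing a single quote makes the application display the content
    literally. Real numbers are written as-is: a metric value of -2 is a
    number, not a formula, and quoting it would turn it into text.
    """
    if value is None:
        return ""
    if isinstance(value, (int, float)):
        return str(value)
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(fieldnames, rows):
    """Serialise a list of dict rows to CSV text with every cell neutralised."""
    buffer = io.StringIO()
    writer = csv.DictWriter(buffer, fieldnames=fieldnames, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for row in rows:
        writer.writerow({name: neutralise_cell(row.get(name)) for name in fieldnames})
    return buffer.getvalue()


def _is_number(cell):
    try:
        float(cell)
        return True
    except ValueError:
        return False


def verify_export(csv_text):
    """Re-parse exported CSV and confirm no text cell starts with a trigger.

    Used as a final check before the download link is issued: numeric cells
    are allowed to start with - or +, every other cell must not.
    """
    reader = csv.reader(io.StringIO(csv_text))
    for row in reader:
        for cell in row:
            if cell.startswith(FORMULA_TRIGGERS) and not _is_number(cell):
                return False
    return True


# Constructed sample rows, not real Participant or Metric records.
SAMPLE_FIELDS = ["metric", "value", "note"]
SAMPLE_ROWS = [
    {"metric": "Attendance", "value": 12, "note": "=1+1"},
    {"metric": "Mood score", "value": -2, "note": "-2 since intake"},
    {"metric": "Referrals", "value": 3, "note": "@Dr. Lee to follow up"},
]


if __name__ == "__main__":
    output = export_rows(SAMPLE_FIELDS, SAMPLE_ROWS)
    print(output)
    print("export safe:", verify_export(output))
```

The neutralised text survives a round trip through a spreadsheet as literal content with a visible leading quote; if an organisation's users find that distracting, the alternative is to reject such values at input time, but the export-side guard is what makes the CSV safe regardless of what was typed into a note.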

AI-Assisted Analysis (Optional)

KoNote's Outcome Insights feature can optionally use AI to generate draft narrative summaries of program outcomes. This feature is off by default and must be enabled by your administrator.

What is sent to the AI

  • Aggregate statistics (counts, percentages) — no personal information
  • Anonymous quotes from progress notes — all Participant names, email addresses, phone numbers, postal codes, and other identifying information are removed before sending
  • Staff names are also removed

What is never sent

  • Participant names, dates of birth, or contact information
  • Unprocessed progress notes or full case records
  • Database credentials, encryption keys, or system configuration

AI provider

Your administrator configures which AI service is used. Options include cloud-based services (such as OpenRouter) or a locally hosted AI that keeps all data on your own servers. Check with your administrator for details about your organisation's configuration.

All AI-generated content is clearly labelled as a draft and must be reviewed by staff before use.

Sample Notice for Your Privacy Policy

The following is a suggested paragraph you can include in your organisation's privacy policy or consent forms. Edit it to match your specific practices:

"To help us understand patterns and improve our services, anonymised quotes from progress notes may be processed using AI. Before any text is sent, all names, contact information, and identifying details are removed. Quotes are only used when 15 or more Participants are included, so no individual can be identified. The AI can only repeat exact words — it cannot make up or change quotes. This feature is optional and can be disabled at any time."
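The "What is sent to the AI" list above and the sample notice together describe two controls: identifying details are stripped from quotes before they leave the system, and quotes are only released when 15 or more Participants are included. The Python below is an added example of both, written for this page rather than taken from KoNote: pattern matching removes email addresses, phone numbers and Canadian postal codes, a supplied list of Participant and staff names is replaced with a placeholder, and a release function refuses to return any quotes below the threshold. The regular expressions, the function names and the sample quotes are the example's own assumptions.

```python
import re

# Minimum number of Participants before any quote is released, as in the
# sample notice above.
MIN_PARTICIPANTS = 15

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# North American phone numbers in common written forms, optional +1 prefix.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
# Canadian postal code: letter digit letter, optional space or hyphen, digit letter digit.
POSTAL_RE = re.compile(r"\b[A-Za-z]\d[A-Za-z][ -]?\d[A-Za-z]\d\b")


def redact_quote(text, known_names):
    """Remove contact details and every supplied name from one quote.

    known_names should contain both Participant and staff names. Longer
    names are replaced first so that "Jordan Lee" is caught as one unit
    before a shorter entry such as "Jordan" is tried.
    """
    text = EMAIL_RE.sub("[email]", text)
    text = PHONE_RE.sub("[phone]", text)
    text = POSTAL_RE.sub("[postal code]", text)
    for name in sorted(known_names, key=len, reverse=True):
        text = re.sub(r"\b" + re.escape(name) + r"\b", "[name]", text, flags=re.IGNORECASE)
    return text


def has_residual_contact_details(text):
    """Final check: True if any contact pattern survived redaction."""
    return bool(EMAIL_RE.search(text) or PHONE_RE.search(text) or POSTAL_RE.search(text))


def quotes_for_ai(quotes, participant_count, known_names):
    """Return redacted quotes, or an empty list if the group is too small.

    The threshold is applied before redaction so that a small group never
    produces output at all, even heavily redacted output.
    """
    if participant_count < MIN_PARTICIPANTS:
        return []
    released = []
    for quote in quotes:
        cleaned = redact_quote(quote, known_names)
        if has_residual_contact_details(cleaned):
            # Skip rather than send anything the patterns could not clean.
            continue
        released.append(cleaned)
    return released


# Constructed sample data, not taken from any real progress note.
SAMPLE_NAMES = ["Jordan Lee", "Jordan", "Priya Nair"]
SAMPLE_QUOTES = [
    "Jordan Lee said the group sessions helped; reach him at 416-555-0199.",
    "Priya now lives at M5V 2T6 and emails us at p.nair@example.org weekly.",
    "Attendance improved after the schedule change.",
]


if __name__ == "__main__":
    for line in quotes_for_ai(SAMPLE_QUOTES, 20, SAMPLE_NAMES):
        print(line)
    print("below threshold:", quotes_for_ai(SAMPLE_QUOTES, 14, SAMPLE_NAMES))
```

Pattern-based removal is a floor, not a guarantee: a nickname or a street address that is not on the name list passes through untouched, which is why the quote threshold and staff review of every AI draft remain part of the control set rather than optional extras.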

Your Rights

Under PIPEDA and applicable privacy legislation, you have the right to:

  • Request access to your personal information
  • Request correction of inaccurate information
  • Request erasure of your personal information
  • Withdraw consent for specific uses
  • File a complaint with the Privacy Commissioner of Canada

Organisations must respond to access requests within 30 days as required by PIPEDA.

Contact

Please contact your system administrator for privacy questions.

For complaints not resolved to your satisfaction:

Office of the Privacy Commissioner of Canada
Website: www.priv.gc.ca
Phone: 1-800-282-1376