TamlootBack to Home

Privacy Policy

Last updated: February 10, 2026

1. Introduction

Tamloot ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered session documentation service for therapists.

By using Tamloot, you agree to the collection and use of information in accordance with this policy.

Health Information & HIPAA (Compliance In Progress)

Tamloot is actively working toward full HIPAA compliance. We are in the process of establishing our role as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). Our therapist customers are Covered Entities, and we process Protected Health Information (PHI) on their behalf. This includes session recordings, transcripts, AI-generated notes, and client data entered into the platform.

We are working to establish Business Associate Agreements (BAAs) with our sub-processors who handle PHI, and we are implementing administrative, physical, and technical safeguards as required by HIPAA.

Patient rights under HIPAA: If you are a patient whose therapist uses Tamloot, your HIPAA rights (such as access, amendment, and accounting of disclosures) are exercised through your therapist — the Covered Entity — not directly through Tamloot. Please contact your therapist to exercise these rights.

2. Information We Collect

2.1 Information from Google Sign-In

When you sign in using Google, we receive and store the following information from your Google account:

  • Email address — Used to identify your account and send service-related communications
  • Full name — Used to personalize your experience
  • Profile picture — Used to display your avatar in the application

2.2 Google Calendar Data

If you choose to connect your Google Calendar, we request read and write access to your calendar. This connection is entirely optional — you can use Tamloot without it.

What we read:

  • Calendar events — Event titles, dates, times, and participant information for scheduled meetings
  • Meeting details — Video conferencing links (Zoom, Google Meet) associated with calendar events

What we write:

  • Session events — When you choose to sync, we create calendar events for your sessions directly in your Google Calendar

How we use Google Calendar data:

  • To display your upcoming sessions within the Tamloot dashboard
  • To automatically detect and connect to scheduled video meetings for recording
  • To help you prepare for upcoming sessions with relevant client information
  • To create session events in your calendar when you choose to sync

Important: We will never delete or modify Google Calendar events that were not created through the Tamloot app. We do not access your Google contacts or any other Google services beyond what is described above.

Revoking access: You can disconnect your Google Calendar at any time from the Settings > Integrations page in the Tamloot dashboard. You can also revoke access from your Google Account permissions page.

Google API Services User Data Policy: Tamloot's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

2.3 Account Information

Information you provide when creating or updating your account, including your name, email address, and professional details.

2.4 Client Data

Information about your clients that you enter into the platform:

  • Client names
  • Contact information (email, phone)
  • Session notes and observations

2.5 Session Data

Information related to your sessions with clients:

  • Session recordings (audio/video via Zoom integration, Chrome extension, or audio file upload)
  • Transcripts generated from recordings
  • AI-generated session summaries and notes
  • AI-generated meeting preparation notes
  • AI copilot queries and responses
  • Session dates, times, and duration

2.6 Usage Data

We automatically collect certain information when you use our service, including your IP address, browser type, device information, pages visited, and actions taken within the application.

2.7 Payment Information

Payment processing is handled entirely by Lemon Squeezy, our Merchant of Record. We do not store your credit card numbers or payment details. Please refer to Lemon Squeezy's Privacy Policy for information about how they handle payment data.

2.8 Chrome Extension Data

If you use our Chrome browser extension to record Google Meet or Zoom web app sessions, we collect and process the following information:

Audio Recording

  • Tab audio capture — The extension captures audio from your Google Meet or Zoom web app browser tab during recording sessions
  • Microphone audio (optional) — With your permission, the extension may also capture audio from your microphone to include your voice in the recording

Browser Permissions

The extension requires the following browser permissions to function:

  • Tab Capture — Required to record audio from your Google Meet or Zoom web app tab
  • Microphone — Optional permission to include your voice in recordings
  • Storage — Used to store your authentication state and extension settings locally in your browser
  • Tabs — Used to detect when you are on a supported meeting page
  • Offscreen — Required for audio processing in compliance with Chrome's Manifest V3 requirements

Host Permissions

The extension only operates on Google Meet (meet.google.com) and Zoom web app (app.zoom.us) pages. It does not access or collect data from any other websites you visit.

Local Data Storage

During recording, audio data is temporarily stored in your browser's local storage (IndexedDB) before being securely uploaded to our servers for transcription. This temporary data is automatically cleared after successful upload.

Data Transmission

Audio recordings are transmitted securely over HTTPS to our servers, where they are processed for transcription and AI-generated summaries as described in Section 2.5 (Session Data). We do not sell, share, or use your recordings for advertising purposes.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Process session recordings and generate AI-powered notes and summaries
  • Authenticate your identity and manage your account
  • Send you service-related communications (account notifications, updates, security alerts)
  • Respond to your inquiries and provide customer support
  • Analyze usage patterns to improve our platform
  • Comply with legal obligations

4. How We Do NOT Use Your Information

We are committed to protecting your data. We do NOT:

  • Sell your data — We will never sell your personal information or your clients' data to third parties
  • Use your data for advertising — We do not use your information for targeted advertising, retargeting, or interest-based advertising
  • Share data with data brokers — We do not transfer your information to data brokers or advertising platforms
  • Use Google data beyond stated purposes — Information received from Google (Sign-In and Calendar) is only used as described in Section 2 of this policy. We do not share your Google Calendar data with third parties or use it for advertising. We will never delete or modify calendar events that were not created through Tamloot

5. Data Sharing and Third Parties

We share your information only with the following third parties, solely to provide our services:

5.1 Service Providers

  • Google — Authentication (Google Sign-In) and calendar integration (read and write access to calendar events). Privacy Policy
  • Supabase — Database hosting and authentication infrastructure. Privacy Policy
  • Lemon Squeezy — Payment processing (Merchant of Record). Privacy Policy
  • Zoom — Video conferencing and recording integration. Privacy Policy
  • ElevenLabs — Speech-to-text transcription services. Privacy Policy
  • Anthropic (Claude AI) — Third-party AI provider used to generate session notes, meeting preparation summaries, and power the in-app AI chat assistant. Data shared: session transcripts (text generated from recordings) and messages typed in the AI chat assistant are sent to Anthropic for processing. Your data is used solely to provide these features and is never used to train AI models. Anthropic maintains industry-standard security practices and provides data protection equivalent to our own standards. Privacy Policy
  • Amazon Web Services (AWS) — Cloud infrastructure, audio file storage, and compute. Privacy Policy
  • Recall.ai — Desktop meeting recording technology. Privacy Policy
  • Hookdeck — Webhook routing and delivery infrastructure. Privacy Policy

5.2 Legal Requirements

We may disclose your information if required by law, court order, or governmental authority, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6. Data Security

We implement appropriate technical and organizational measures to protect your personal information:

  • Encryption in transit — All data transmitted to and from our servers is encrypted using TLS/SSL
  • Encryption at rest — Data stored in our databases is encrypted
  • Access controls — We use role-based access controls and Row Level Security to ensure you can only access your own data
  • Secure infrastructure — Our services are hosted on industry-leading cloud infrastructure with robust security practices
  • Business Associate Agreements — BAAs maintained with all sub-processors that handle health information
  • Audit logging — Access to health information is logged and monitored
  • Multi-factor authentication — We are committed to implementing multi-factor authentication for access to systems containing health information

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your information as follows:

  • Account data — Retained while your account is active and for 30 days after account deletion to allow for recovery
  • Client and session data — Retained until you delete it or close your account
  • Session recordings — Retained according to your account settings or until you delete them
  • Usage logs — Retained for up to 12 months for security and analytics purposes
  • Audit logs — Retained for a minimum of 6 years in line with HIPAA requirements (compliance in progress)

After the retention period, your data will be securely deleted from our systems.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

  • Access — Request a copy of the personal information we hold about you
  • Correction — Request correction of inaccurate or incomplete information
  • Deletion — Request deletion of your personal information
  • Data portability — Request an export of your data in a machine-readable format
  • Withdraw consent — Withdraw your consent for data processing at any time
  • Object to processing — Object to certain types of data processing

To exercise any of these rights, please contact us at contact@tamloot.cc.

9. Children's Privacy

Our service is intended for professional wellness providers and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. Specifically, our services and sub-processors operate in the United States and the European Union (Germany). Data may be processed across these regions for cloud infrastructure, AI processing, transcription, and payment services. These countries may have different data protection laws than your country. By using our service, you consent to such transfers. We ensure appropriate safeguards are in place to protect your information in accordance with this Privacy Policy.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on our website prior to the change becoming effective. We encourage you to review this Privacy Policy periodically for any changes. Your continued use of our service after changes are posted constitutes your acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

Email: contact@tamloot.cc

Governing Law: This Privacy Policy is governed by the laws of the State of Israel.