Why brtlb works this way
brtlb is built around three choices that most AI scribes go the other way on: no backend, bring your own keys, no patient data in the cloud (except where your own BAA already lives). Here's why.
Bring your own keys
Most AI scribes sell you a subscription that includes the AI cost, the transcription cost, and a margin. They hold the keys; you hold a contract. brtlb skips the middleman: you create the AssemblyAI and Google Cloud accounts in your own org, and brtlb just orchestrates the calls.
Three concrete benefits:
- Your BAA, not ours. Your existing Google Workspace HIPAA agreement and AssemblyAI BAA cover the data flow. No new vendor relationship, no new contract to vet, no third party between you and the LLM provider.
- Your bill, your control. Heavy month? You see it in your AssemblyAI invoice. Want to swap models or providers? Change a key. No "wait for v2."
- Your audit trail. Every API call shows up in your provider's dashboard. brtlb doesn't sit between you and the audit log.
The BAA chain
For an ambient pediatric visit, the data flow looks like this:
browser → transcription → browser → note generation → browser
Each external hop sits inside a HIPAA BAA you already have:
- AssemblyAI — 5-minute DocuSign, your account, your key. brtlb defaults to auto-delete on completion (transcripts purged seconds after they're returned).
- Google Gemini — runs in your billing-enabled Cloud project, which inherits the GCP HIPAA BAA your Workspace admin already accepted.
brtlb is never in the data path. No proxy, no server, no copy of your audio sitting on someone else's disk.
See docs/BAAs.md for the full walkthrough, including Google Workspace admin paths, alternative routes (Azure OpenAI, OpenAI Enterprise, Vertex), and what to do if your practice doesn't have Workspace.
Everything stays on your device (locally)
Audio blobs, transcripts, notes, your API keys, your custom templates — all of it lives in your browser's IndexedDB. Not "no database" — a local database, which is the strongest possible no-server story without giving up the ability to look up last week's visit.
What this means in practice:
- Closing your browser doesn't delete anything. Open brtlb tomorrow on the same browser profile and your recordings are still there.
- Different browser = different brtlb. Logging in on Safari at home doesn't show your Chrome-at-work recordings. There's no sync because there's no server.
- Auto-purge available. Set audio retention to 7/30/90 days or "never" in Privacy & Security.
- Nothing is encrypted at rest by brtlb, but your OS + browser profile usually provide that layer. Treat your device as the security boundary.
No backend, no account
No sign-up, no password, no "forgot password," no account dashboard. brtlb is a single static page that talks to your two API providers directly. If our static page disappears tomorrow, your last note is still on your laptop, and you can run brtlb from a local copy of the source.
What this costs you
brtlb skipping a backend means a few things are harder than the SaaS alternatives:
- No cross-device sync. Your iPad-at-the-clinic and your Mac-at-home don't share state.
- You manage your own keys. Five minutes once. After that it's a copy-paste into Settings.
- If your laptop dies, your last visit dies with it. Export notes as you go, or set a screen-share retention policy with your practice IT.
Where we drew lines
A few specific calls worth naming:
Templates over toggles
Every feature is a customizable template or pattern, not a setting buried in a menu. If you want different behavior, write a template.
Discipline over fabrication
Prompts default to omitting unstated content rather than confabulating it. Boilerplate negatives ("all other systems negative") are blocked unless your template says otherwise.
Visible failures over silent ones
Diarization can fail. brtlb detects when it likely did and surfaces a banner with a one-click fix. Better to warn than to ship a wrong note quietly.
Audit-friendly by construction
Every LLM call is visible in your provider dashboard. Every prompt is in the open-source repo. Nothing to subpoena from brtlb — we have nothing.
It's open
brtlb is open source for beta users. Read the prompts, fork the repo, deploy your own copy, audit the network traffic, change anything you want. If we ever turned hostile, you keep what you have.
Email for repo access during the beta — full public availability comes later.
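The "audit the network traffic" suggestion above, and the claim that brtlb is never in the data path, can be checked from a browser capture. The following is an added example, not brtlb's own code: it scans a HAR export for requests to hosts outside an allowlist and for request bodies sent to the page's own origin. The provider hostnames and the `scribe.example` app host are assumptions; substitute what your deployment uses.

```javascript
// Added example: audit a HAR export (DevTools Network tab, "Save all as HAR")
// against the no-backend claim. Hostnames are assumptions; adjust to your setup.
const PROVIDER_HOSTS = new Set([
  "api.assemblyai.com",                // assumed transcription endpoint
  "generativelanguage.googleapis.com", // assumed Gemini endpoint
]);

function auditHar(har, appHost, providerHosts = PROVIDER_HOSTS) {
  const findings = [];
  for (const entry of har.log.entries) {
    const { url, method, postData, bodySize } = entry.request;
    let parsed;
    try {
      parsed = new URL(url);
    } catch {
      findings.push({ url, reason: "unparseable URL" });
      continue;
    }
    // blob: and data: URLs never leave the device, so they are out of scope.
    if (parsed.protocol === "blob:" || parsed.protocol === "data:") continue;
    if (parsed.protocol !== "https:") {
      findings.push({ url, reason: "non-HTTPS scheme" });
      continue;
    }
    const host = parsed.hostname.toLowerCase();
    if (providerHosts.has(host)) continue; // exact match, no suffix matching
    if (host === appHost) {
      // A static page is only fetched; it should never receive a request body.
      const hasBody = Boolean(postData) || bodySize > 0;
      if (!["GET", "HEAD"].includes(method) || hasBody) {
        findings.push({ url, reason: "non-GET or request body sent to app origin" });
      }
      continue;
    }
    findings.push({ url, reason: "unexpected host" });
  }
  return findings;
}

// Constructed sample capture (not real traffic); scribe.example is a placeholder.
const sampleHar = { log: { entries: [
  { request: { method: "GET", url: "https://scribe.example/index.html", bodySize: 0 } },
  { request: { method: "POST", url: "https://api.assemblyai.com/v2/upload", bodySize: 48213 } },
  { request: { method: "POST", url: "https://generativelanguage.googleapis.com/v1beta/models/x:generateContent", bodySize: 912 } },
  { request: { method: "GET", url: "blob:https://scribe.example/3f1c", bodySize: 0 } },
  { request: { method: "POST", url: "https://scribe.example/collect", bodySize: 120, postData: { text: "{}" } } },
  { request: { method: "POST", url: "https://api.assemblyai.com.lookalike.example/v2/upload", bodySize: 10 } },
] } };
console.log(auditHar(sampleHar, "scribe.example"));
```

An empty result covers only the session that was captured, so record a full visit (record, transcribe, generate a note) and repeat the check after the page is updated.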