Privacy & Data Protection

How Therapist OS protects your practice data and your clients' privacy.

HIPAA Business Associate

Therapist OS is a HIPAA Business Associate. Your practice signs a Business Associate Agreement (BAA) with us before any client data enters the system. We are legally required to protect all data under HIPAA.

No AI Training on Your Data

Your session data, client information, and clinical notes are never used to train AI models or improve unrelated products. Period. This applies even to the AI-powered features within Therapist OS: they work only with the data inside your own account, and nothing from your account is used to train models shared across accounts.

Where Your Data Lives

All Therapist OS data is stored on Render.com's managed PostgreSQL database hosted in a HIPAA-compliant workspace. Render has signed a Business Associate Agreement with us, meaning your data is protected by their infrastructure safeguards and our technical controls working together.

Database location: US-based infrastructure with automatic backups and disaster recovery.

Encryption: Data at Rest

All stored data is encrypted using AES-256 encryption, the same standard used by banks and government agencies.

  • Database data: encrypted at rest on Render's infrastructure
  • Clinical data (notes, transcripts): encrypted with AES-256-GCM at the application layer
  • Uploaded CSV files: processed entirely in memory, never written to disk, automatically deleted after processing
  • Import staging data: encrypted and deleted after 15 minutes or when confirmed

Encryption: Data in Transit

All data moving between your device and Therapist OS is protected by TLS 1.3 encryption.

  • All connections use TLS 1.3 (the current version of the TLS standard)
  • HTTP requests are automatically redirected to HTTPS
  • HSTS (HTTP Strict Transport Security) prevents downgrade attacks
  • Database connections require SSL encryption

Data Retention & Deletion

The California Board of Behavioral Sciences (BBS) requires licensure documentation to be retained for 7 years. Here's how we handle retention and deletion:

  • Session logs and supervision records: Retained for 7 years per BBS requirements, then permanently deleted
  • Request deletion anytime: Email privacy@therapistos.com to delete any specific record (outside the 7-year retention window) — we confirm deletion within 48 hours
  • Close your account: All data deleted permanently within 30 days; backups deleted within 90 days
  • Raw recordings: Automatically deleted after transcription; if you don't transcribe, deleted after 30 days
  • Export your data: Request a full data export at any time; we provide it in standard format within 5 business days

Client Privacy: Aliases, Not Names

Therapist OS enforces client-identifying information minimization:

  • Client names are never stored. The system converts any full name you enter (e.g., "John Doe") to initials (e.g., "J.D.") automatically before saving
  • Session notes: If you write client names in session notes, they are encrypted separately from the audit trail, accessible only to you
  • Supervisors see initials only. Supervision summaries contain hour totals and compliance status, not client identifying details
  • BBS compliance: Therapist OS meets the minimal identifier requirement for licensure tracking — initials + session details are sufficient for state audits
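The name-to-initials conversion described above, as an added illustration of how such a minimization step can be checked before anything is saved. This is not Therapist OS's own code; the helper names to_initials and is_minimized are hypothetical, and the handling of hyphenated names and already-minimized input are assumptions made here.

```python
import re

# Pattern for a value that is already nothing but dotted initials, e.g. "J.D."
_INITIALS_ONLY = re.compile(r"^(?:[A-Z]\.)+$")


def to_initials(full_name: str) -> str:
    """Reduce a full name to dotted initials ("John Doe" -> "J.D.").

    Hypothetical helper written for this page. Assumptions: name parts are
    separated by whitespace, hyphens or periods; each part contributes one
    initial ("Mary-Jane O'Neil" -> "M.J.O."); input that is already initials
    ("J.D.") comes back unchanged. Titles such as "Dr." are not stripped.
    """
    parts = [p for p in re.split(r"[\s\-.]+", full_name.strip()) if p]
    if not parts:
        raise ValueError("empty name")
    initials = []
    for part in parts:
        # Use the first letter of each part, skipping leading punctuation
        # such as quotes so that '"Jo" Smith' still yields "J.S.".
        for ch in part:
            if ch.isalpha():
                initials.append(ch.upper())
                break
    if not initials:
        raise ValueError("name contains no letters")
    return "".join(f"{c}." for c in initials)


def is_minimized(value: str) -> bool:
    """True only if value contains nothing but initials, never a full name."""
    return bool(_INITIALS_ONLY.match(value))


def minimize_for_storage(full_name: str) -> str:
    """Convert, then verify, before the value is written anywhere.

    The second check guards against a future edit to to_initials silently
    letting a full name through to the database.
    """
    value = to_initials(full_name)
    if not is_minimized(value):
        raise ValueError("minimization failed; refusing to store value")
    return value
```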

Who Can Access Your Data

We've designed access controls to ensure only authorized people see data:

  • Only you (the logged-in user) can see your own sessions, logs, and supervision records
  • Your supervisors see only aggregate compliance summaries, never raw session details or client identifiers
  • Therapist OS employees cannot access clinical data or client information in production
  • All data access is logged in an immutable audit trail for BBS compliance

Audit Trail & Compliance

Every significant action is recorded for compliance and security:

  • Session creates, edits, and deletes
  • Weekly log status changes
  • Supervisor signature events (including timestamp and IP address)
  • CSV imports (started and completed)
  • Admin access and changes

The audit log is append-only — no record can be modified or deleted once written. This protects you in a BBS audit.

What We Don't Do

  • We never sell or share your data with third parties for marketing
  • We never use your session data to train AI models or improve unrelated products
  • We never store client full names — only initials (e.g., "J.D.")
  • We never put Protected Health Information in emails, SMS, or error messages
  • We never keep uploaded files after processing

In Case of a Security Incident

If we discover a breach or security incident affecting your data, we follow HIPAA's Breach Notification Rule:

  • We notify you without unreasonable delay (within 60 days per HIPAA)
  • We describe what happened, what data was affected, and what we're doing to prevent it
  • We cover costs of credit monitoring if applicable
  • We document the incident and risk assessment in our compliance records

To report a security vulnerability, contact security@therapistos.com. We respond within 24 hours and have an active responsible disclosure program.

Questions, Deletion Requests, or Support

Privacy questions or data requests: privacy@therapistos.com (48-hour response)

General support or account issues: support@therapistos.com (24-hour response)

Security vulnerabilities: security@therapistos.com (24-hour response)

Third-Party Vendors

We only use vendors who have signed HIPAA Business Associate Agreements with us:

  • Render.com — Database hosting and PostgreSQL
  • Resend — Email delivery for magic links only (no patient data in email)
  • Anthropic — AI-powered clinical note generation (BAA in place)

Product Analytics

We use PostHog to collect anonymous product analytics that help us understand how the product is used and where to improve it.

  • Events tracked: login, session created, recording uploaded, transcription requested, note finalized, weekly log signed
  • No patient names, session content, diagnosis codes, or any clinical data are ever included
  • No session replay, screen recording, or keystroke capture

Analytics data is identified by your account ID (a random UUID), not your name or email. You can request deletion of your analytics profile by contacting support@therapistos.com.

Last updated: May 2026. For the full technical security documentation, see our Security & Compliance page.