Privacy Policy
Version v1.1 · Effective May 10, 2026
This Privacy Policy explains how Terapily ("Terapily", "we", "us") collects, uses, discloses, and protects information when licensed mental health clinicians ("Therapists") and the people they care for ("Patients") interact with the Terapily platform (the "Service"). It applies in addition to any Business Associate Agreement (BAA) or Data Processing Addendum (DPA) executed between Terapily and a Therapist or their organization.
1. Roles under HIPAA and LGPD
Under the U.S. Health Insurance Portability and Accountability Act (HIPAA), Therapists are Covered Entities and Terapily acts as a Business Associate when processing Protected Health Information (PHI) on their behalf.
Under the Brazilian Lei Geral de Proteção de Dados (LGPD, Lei 13.709/2018), Therapists are the Controllers (controladores) of Patient personal data and Terapily is an Operator (operador) processing such data under the Therapist's instructions and the legal basis appropriate to the care relationship (Art. 7 / Art. 11 LGPD).
2. Information we process
Therapist account data: name, professional email, hashed password, professional license metadata you choose to store, billing identifiers, and product telemetry.
Patient data, on behalf of the Therapist: a minimal record entered by the Therapist (nickname, initials, and optional name / email / phone — encrypted at rest where applicable), structured responses to scales and worksheets, scores computed by the platform, consent records, and link-issuance metadata.
Operational logs: authentication events, administrative actions, and security events. These logs are designed to contain identifiers (UUIDs) only and are protected by a database trigger that rejects entries containing personal information.
3. How we use information
- To provide the Service to Therapists and their Patients.
- To compute scores, generate reports, and produce PDFs that the Therapist can use clinically.
- To maintain security, prevent abuse, and respond to incidents.
- To meet our legal, regulatory, and contractual obligations.
- To bill Therapists for paid plans through our payment processor.
We do not currently use Patient data to train artificial intelligence models, sell or rent Patient data, or send unsolicited communications to Patients. Should any future feature require the use of Patient data for AI training or any materially new purpose, it will be introduced only after a clear, separate, and revocable opt-in by the responsible Therapist (and, where applicable, the data subject) and after this Policy is updated to disclose that processing.
4. Legal bases (LGPD)
- Execution of a contract with the Therapist (Art. 7, V).
- Compliance with a legal or regulatory obligation (Art. 7, II).
- Protection of the life or physical safety of the data subject (Art. 7, VII; Art. 11, II, "f") for clinical-risk flags.
- Legitimate interest, balanced against fundamental rights, for security and abuse prevention (Art. 7, IX).
5. Sharing
We share data only with sub-processors that are necessary to operate the Service (cloud hosting, database, payment processing, analytics on de-identified events). Sub-processors that handle PHI are bound by a BAA. We do not sell personal data.
We may disclose information when required by law, valid legal process, or to protect the rights, property, or safety of users or the public.
6. International transfers
Therapist and Patient data may be processed outside the country of the Therapist's residence, including in the United States. International transfers from Brazil rely on the safeguards permitted by Art. 33 LGPD (specific contractual clauses, adequacy where applicable, and the data-subject's rights preserved).
7. Retention
Active Patient records are retained for as long as the workspace is active. Soft-deleted records enter a 30-day restorable window, after which PHI is irreversibly purged while an anonymized audit trail remains. Where a Therapist must comply with a longer statutory retention period (e.g. 6 years under HIPAA), retention follows that legal floor.
8. Security
We use TLS 1.3 in transit and AES-256-GCM for sensitive identifiers at rest where applicable. Authentication tokens (magic-link, habit-link, ephemeral) are stored only as cryptographic hashes. Access is enforced by row-level security in the database and by explicit role checks in application code. No security measure is absolute; we continuously review and improve our controls. See our Trust page for a plain-language description of these controls.
9. Your rights
Depending on your jurisdiction, you may have the right to access, correct, port, restrict, or delete personal data we process about you, to object to certain processing, to withdraw consent, and to lodge a complaint with a supervisory authority (the U.S. HHS Office for Civil Rights for HIPAA matters; the Autoridade Nacional de Proteção de Dados — ANPD — for LGPD matters).
Patients: Terapily processes your data on behalf of your Therapist. To exercise rights over your clinical record, contact your Therapist directly. We will assist them in responding to verified requests within the legal time frame.
Therapists: contact us at privacy@terapily.com to exercise your rights or to obtain a Business Associate Agreement (HIPAA) or Data Processing Addendum (LGPD).
10. Children and minors
Terapily is intended for use by licensed clinicians. Where a minor receives care, the Therapist remains solely responsible for verifying legal authority to treat the minor, for obtaining valid parental or guardian consent and any other authorization required by applicable law (HIPAA, COPPA where relevant, Art. 14 LGPD, and equivalent local rules), and for the legitimacy of processing the minor's data through the Service. Terapily does not independently verify guardianship or the legal basis for treating a minor and relies on the Therapist's professional judgment and recordkeeping in this regard.
11. Breach notification
In the event of a security incident affecting protected information, we will notify the affected Therapist(s) without undue delay, in accordance with the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414, 60-day clock) and LGPD Art. 48 (notification to ANPD and affected data subjects within a reasonable period). Our internal runbook is documented at docs/security/incident-response.md.
12. Changes
We will post any material changes to this Policy on this page and update the "Effective" date above. Continued use of the Service after changes take effect constitutes acceptance.
13. Contact
Privacy Officer / Encarregado de Dados (DPO): privacy@terapily.com
Security: security@terapily.com
This document is provided for transparency and does not constitute legal advice. Therapists remain responsible for their own regulatory obligations to their patients.