Trust & Security

What we store, what we don't, and why.

Terapily is built so that therapists keep clinical authority and patients keep their dignity. This page is a plain-language description of our actual technical posture — not marketing claims.

Last updated: May 10, 2026

What we store

Workspace data: therapist account (name, email, hashed password, role), workspace metadata, billing identifiers, and audit logs of administrative actions.

Patient data (controlled by the therapist): a minimal record — nickname, initials, and optional name / email / phone. Sensitive identifiers are encrypted at rest with AES-256-GCM. We deliberately do not ask for date of birth, diagnosis, or intake notes — those belong in your EHR.

Activity data: the structured responses your patient submits to a scale, worksheet, or exercise, and the computed score. We do not store free-text clinical notes.

What is ephemeral

Ephemeral links (`/e/`): a 24-hour link the therapist can issue with explicit consent. Both the access and the underlying response data expire after 24 hours and are purged irreversibly by a scheduled job every 15 minutes. An audit record of the issuance remains, but contains no PHI.

Magic links (`/p/`): the access token expires, and is consumed on submit so it cannot be reused. The clinical data itself is permanent and lives on the patient's profile inside the therapist's workspace.

Habit links (`/h/`): reusable for the duration the therapist sets (7–90 days depending on plan). Each entry is kept on the patient's habit timeline.

Encryption

In transit: TLS 1.3 between every browser, our edge, and our database.

At rest: AES-256-GCM for sensitive patient identifiers and database-level encryption for the rest of the dataset, managed by our infrastructure provider.

Tokens: magic-link, habit-link, and ephemeral tokens are stored only as cryptographic hashes — even an operator with database access cannot replay them.
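The following is an added illustration of the link and token handling described above (ephemeral, magic and habit links, and hash-only token storage); it is not Terapily's code. It assumes SHA-256 as the hash (the page only says "cryptographic hashes"), uses an in-memory dict in place of the links table, and a controllable clock so expiry and the purge job can be exercised without waiting.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Added illustration, not Terapily's code. An in-memory dict stands in for
# the links table, and SHA-256 is an assumed hash choice (the page only says
# "cryptographic hashes"). Kinds follow the page: "magic" (single-use,
# response kept on the profile), "ephemeral" (response dies with the link),
# "habit" (reusable until it expires).


@dataclass
class LinkRecord:
    token_hash: str                  # sha256(token) hex; the raw token is never stored
    kind: str                        # "magic", "ephemeral" or "habit"
    expires_at: datetime
    single_use: bool
    used: bool = False
    payload: Optional[dict] = None   # only ephemeral links keep the response here


class ManualClock:
    """Controllable clock so expiry can be exercised without sleeping."""
    def __init__(self, start: Optional[datetime] = None) -> None:
        self.now = start or datetime.now(timezone.utc)

    def advance(self, **delta: int) -> None:
        self.now += timedelta(**delta)


class LinkStore:
    def __init__(self, clock: ManualClock) -> None:
        self._rows: dict[str, LinkRecord] = {}   # keyed by token hash
        self._clock = clock
        self.profile_entries: list[dict] = []    # stand-in for the patient's profile

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, kind: str, ttl_hours: int, single_use: bool) -> str:
        """Mint a link token. The raw value is returned once; only its hash is kept."""
        raw = secrets.token_urlsafe(32)           # 256 bits of entropy
        digest = self._digest(raw)
        self._rows[digest] = LinkRecord(
            token_hash=digest,
            kind=kind,
            expires_at=self._clock.now + timedelta(hours=ttl_hours),
            single_use=single_use,
        )
        return raw

    def lookup(self, token: str) -> Optional[LinkRecord]:
        """Hash the presented token and find its row; expired or consumed rows are invisible."""
        rec = self._rows.get(self._digest(token))
        if rec is None or rec.used or rec.expires_at <= self._clock.now:
            return None
        return rec

    def submit(self, token: str, payload: dict) -> bool:
        """Accept a response. Single-use links are consumed; where the data goes depends on kind."""
        rec = self.lookup(token)
        if rec is None:
            return False                          # unknown, expired, or replayed token
        if rec.kind == "ephemeral":
            rec.payload = payload                 # purged together with the row
        else:
            self.profile_entries.append(payload)  # permanent, on the patient's profile
        if rec.single_use:
            rec.used = True
        return True

    def purge_expired(self) -> int:
        """Stand-in for the scheduled job: drop expired rows and any payload they hold."""
        dead = [h for h, r in self._rows.items() if r.expires_at <= self._clock.now]
        for h in dead:
            del self._rows[h]
        return len(dead)

    def holds_raw_token(self, token: str) -> bool:
        """True only if a raw token leaked into storage, which must never happen."""
        return token in self._rows
```

Because the table holds only digests, a copy of the table is useless for replay: the presented token has to be hashed to find its row, and the hash cannot be reversed into a usable link. Expiry is checked on every lookup, so a link is dead as soon as its window closes even if the purge job has not run yet; the job's role is to remove the row and the ephemeral payload.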

Retention

Active records: kept for as long as the workspace is active and the therapist hasn't soft-deleted the patient.

Soft-delete window: deleting a patient places the record in a 30-day restorable window. After 30 days the PHI is purged irreversibly; an anonymized audit trail remains.

Configurable retention: workspace owners can tighten retention beyond the legal floor. The legal floor is 6 years for HIPAA-covered records.

Access control

Every workspace is isolated by row-level security. A therapist can only see their own patients. Roles are stored in a dedicated table, never on the user profile, and are checked by a security-definer function on every query.

The platform admin (a single account) can view metadata for compliance and incident response, but never the clinical payload of a response. Every admin view is itself logged.

Audit logs

Authentication events, administrative actions, link issuance, and admin compliance views are recorded in an append-only audit log. The database refuses any audit entry that contains personally identifiable information — this is enforced by a database trigger, not just by convention.
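As an added illustration of the rule above (not Terapily's trigger, which the page says lives in the database), here is the same check modelled in Python: an audit entry is refused if any field is a known identifier column or its value looks like an email address or a phone number. The field list, the patterns, and the sample entries are all assumptions constructed for the example.

```python
import re
from typing import Any, Iterator, Optional

# Added illustration of the audit-log PII guard. The page states the real
# check is a database trigger; this Python model expresses the same rule
# (reject an entry if any field looks like PII) so the behaviour can be
# exercised. The key list and patterns below are assumptions.

FORBIDDEN_KEYS = {"name", "full_name", "nickname", "initials", "email",
                  "phone", "response", "answers"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
DIGIT_RUN_RE = re.compile(r"\d{10,}")       # 10+ digits once separators are removed
SEPARATORS_RE = re.compile(r"[\s().+-]")


class PiiInAuditEntry(ValueError):
    """Raised when an entry would put PII into the append-only audit log."""


def _leaves(value: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted.path, scalar) for every leaf in a nested dict/list."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _leaves(v, f"{path}.{k}" if path else str(k))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _leaves(v, f"{path}[{i}]")
    else:
        yield path, value


def check_entry(entry: dict) -> Optional[str]:
    """Return a reason string if the entry must be refused, else None."""
    for path, value in _leaves(entry):
        leaf = path.rsplit(".", 1)[-1].split("[")[0].lower()
        if leaf in FORBIDDEN_KEYS:
            return f"forbidden field '{path}'"
        if isinstance(value, str):
            if EMAIL_RE.search(value):
                return f"email address in '{path}'"
            if DIGIT_RUN_RE.search(SEPARATORS_RE.sub("", value)):
                return f"phone-like number in '{path}'"
    return None


class AuditLog:
    """Append-only: there is deliberately no update or delete method."""
    def __init__(self) -> None:
        self._entries: list[dict] = []

    def append(self, entry: dict) -> int:
        reason = check_entry(entry)
        if reason is not None:
            raise PiiInAuditEntry(reason)
        self._entries.append(dict(entry))
        return len(self._entries)

    def entries(self) -> list[dict]:
        return list(self._entries)


# Constructed sample entries (not real log data).
OK_ENTRY = {
    "event": "link.issued",
    "actor": {"id": "usr_17", "role": "therapist"},
    "link_kind": "ephemeral",
    "patient_ref": "pt_8f3c",        # opaque id, not a name
    "at": "2026-05-10T14:02:11Z",
}
BAD_EMAIL = {"event": "link.issued", "details": "sent to ana.souza@example.com"}
BAD_PHONE = {"event": "link.issued", "details": "texted to +55 (11) 91234-5678"}
BAD_KEY = {"event": "patient.created", "nickname": "Ana S."}
```

The point of putting the check at the storage layer rather than in application code is the one the page makes: a bug or a convenient "details" string in any caller cannot smuggle an email address or a patient nickname into a log that is never purged. Timestamps and opaque ids pass because the phone pattern only fires on ten or more consecutive digits after separators are stripped.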

Incident response

We maintain a written incident-response runbook with severity levels, containment steps, and regulator-notification guidance (HHS Office for Civil Rights for HIPAA breaches; ANPD for LGPD). Workspace owners are notified directly when an incident affects their data.

Suspected security issue? security@terapily.com

What we will not do

We will never sell or rent therapist or patient data.

We will never use patient responses to train AI models.

We will never send automated email, SMS, or push notifications to your patients. Delivery is always through your own channel.

We will never claim certifications we do not hold. Today, Terapily is HIPAA-aligned and pursuing the formal BAA stack required before onboarding non-test patients at scale.

Want the legal version?

Read the Privacy Policy for the formal HIPAA + LGPD language, data-subject rights, and contact for our privacy officer.