Privacy Policy

Last updated: March 5, 2026  ·  Effective: March 5, 2026

Your privacy is our priority. Learn how we protect your data and practice information with industry-leading standards.

Our Privacy Commitment

Built with privacy-first principles for healthcare professionals

CouchLoop maintains compliance with HIPAA, GDPR (for EU users), and CCPA. Your therapy practice data and client information are protected with AES-256 encryption at rest and TLS 1.2+ in transit.

Information We Collect

To provide our therapy practice management services

Account Information

Email address, name, and professional credentials for therapist accounts

Client Information

Names, contact information, and session notes as entered by therapists

Session Data

Appointment schedules, session notes, homework assignments, and treatment plans

Billing Information

Payment details processed securely through Stripe (we do not store full credit card numbers)

Usage Data

Login times, IP addresses, and feature usage for security monitoring

What We DON'T Do With Your Data

We will NEVER:

Sell your data to third parties

Use client information for marketing or advertising

Share Protected Health Information (PHI) without explicit consent, other than with the business associates listed under Third-Party Services or where disclosure is required by law (see Legal Compliance)

Train AI models on your therapy notes or client conversations

Allow unauthorized access to your practice data

Use your data for purposes other than providing our services

How We Protect Your Data

Industry-leading security measures at every layer

Encryption

AES-256 encryption at rest; TLS 1.2 or higher in transit. Encryption is applied to all PHI and practice data stored on the platform.

Access Control

Role-based access controls (see Your Data Rights & Access Control below) restrict each user to the data they are authorized to see

Authentication

Secure password hashing and session management, with sessions automatically timed out after inactivity

Audit Logging

Comprehensive audit trails track all access to sensitive data for compliance

Cookies & Analytics

What we track, how, and why, with no PHI ever sent to analytics providers

Functional Cookies (Required)

Supabase authentication session cookies are set when you log in. These are strictly necessary for the Service to function and cannot be disabled. They contain no PHI, only the session token needed to keep you signed in.

Performance Analytics

Vercel Analytics and Vercel Speed Insights collect anonymized page-load performance data (e.g., Core Web Vitals, page views). No personally identifiable information or PHI is included. Data is processed by Vercel, Inc.

Product Analytics

PostHog is used to record anonymized feature usage events (e.g., which features are used, not what content is entered). Events are stripped of all PHI and identifying information before transmission. Data is processed by PostHog, Inc. under our data processing agreement.

No PHI, session note content, client names, or therapy-related data is ever transmitted to Vercel Analytics or PostHog. These tools receive only technical and behavioral metadata.

Your Data Rights & Access Control

Clear roles and comprehensive rights for all users

Admin Access

Practice Administrators have full access to their organization's data, user management, and billing settings

Therapist Access

Therapists can only access their assigned clients, sessions, and notes; never another therapist's data

Client Access

Clients can view only their own session notes, homework assignments, and treatment progress

Staff Access

CouchLoop staff have no routine access to customer data; emergency access is granted only on a break-glass basis and is fully recorded in the audit trail

Access & Export

Access all your data anytime and export in machine-readable formats for portability

Correction & Deletion

Request correction of inaccurate data or complete account deletion at any time

Data Retention

How long we keep your information

Active Accounts

Data retained for the duration of your subscription

Closed Accounts

Data is deleted within 90 days of account closure unless legal retention is required

Legal Requirements

Some records may be retained for 7 or more years as required by HIPAA and applicable state medical-record retention rules

Audit Logs

Retained for security and compliance purposes

Third-Party Services

Trusted partners that help us deliver CouchLoop

Supabase

Secure database hosting with encryption and access controls

Vercel

Application hosting and content delivery

Stripe

Payment processing (PCI-DSS compliant)

OpenAI

AI features via Enterprise API under a Data Processing Agreement that prohibits using customer data for model training.

Supabase, Stripe, and OpenAI are covered under executed Business Associate Agreements (BAAs) and data processing agreements. Vercel provides HIPAA-eligible infrastructure; a BAA with Vercel is currently under evaluation and has not yet been executed.

GDPR Rights (EU Users)

If you are located in the European Union, you have the following rights under GDPR:

Right of Access

Request a copy of all personal data we hold about you (Article 15).

Right to Rectification

Request correction of inaccurate or incomplete personal data (Article 16).

Right to Erasure

Request deletion of your personal data where no legitimate grounds for retention exist (Article 17).

Right to Restriction

Request that we limit processing of your data in certain circumstances (Article 18).

Right to Portability

Receive your data in a structured, machine-readable format and transfer it to another controller (Article 20).

Right to Object

Object to processing of your data based on legitimate interests or for direct marketing (Article 21).

To exercise any of these rights, contact privacy@couchloop.com. You also have the right to lodge a complaint with your local supervisory authority. CouchLoop is not established in the EU and processes EU users' personal data as a controller within the territorial scope of GDPR Article 3(2).

Legal Compliance

CouchLoop maintains compliance with HIPAA, GDPR (for EU users), and CCPA.

We may disclose information only if required by law, court order, or to prevent imminent harm. We will notify affected users whenever legally permitted.

Data Breach Notification

In the event of a breach affecting Protected Health Information (PHI), we will notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, as required by the HIPAA Breach Notification Rule. Breaches affecting 500 or more individuals are reported to HHS within the same 60-day window; smaller breaches are logged and reported to HHS annually, as the Rule permits. For EU users, we will additionally notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Article 33) and notify affected individuals without undue delay where the breach is likely to result in a high risk to them (Article 34).

Privacy Questions

If you have any questions about this privacy policy or how your data is handled, please contact our privacy team:

privacy@couchloop.com

Legal Entity: Couchloop, LLC

Address: 1111b South Governors Ave STE 37434, Dover, DE 19904

Policy Updates

Material changes will be communicated via email at least 30 days before taking effect.

See also: Terms of Service · Business Associate Agreement