Privacy Policy
Last updated: February 25, 2026
1. Introduction
CBT Assistant Pro ("we", "us", "our") is a clinical productivity platform for licensed mental health professionals. We are committed to protecting the privacy and security of your personal data and the Protected Health Information (PHI) of your clients. This Privacy Policy explains how we collect, use, store, and disclose information when you use our platform.
We comply with the Health Insurance Portability and Accountability Act (HIPAA), the EU General Data Protection Regulation (GDPR), and other applicable data protection laws.
2. Data Controller & Processor
Under the GDPR, the therapist (our customer) is the Data Controller for client PHI entered into the platform. CBT Assistant Pro acts as a Data Processor on behalf of the therapist. For data that relates to the therapist's own account (email, name, billing), we act as the Data Controller.
3. Information We Collect
3.1 Account Data
- Full name, email address, professional credentials/license number
- Hashed password (bcrypt, cost factor 12)
- Billing and subscription information (processed by Stripe)
3.2 Clinical Data (PHI)
- Client demographics (name, date of birth, contact details)
- Session notes, CBT formulations, working hypotheses
- Assessment results, treatment plans, treatment goals
- Audio recordings and transcriptions (when the transcription feature is used)
- Worksheets and homework assignments
3.3 Technical Data
- IP address, browser type, device information (for session security)
- Operational product metrics derived from first-party service events (no PHI)
- Error logs (sanitized to exclude PHI)
4. Lawful Basis for Processing (GDPR)
- Contract performance — Processing account data to provide the service you subscribed to (Art. 6(1)(b) GDPR).
- Legitimate interests — Platform security, fraud prevention, and service improvement (Art. 6(1)(f) GDPR).
- Consent — Where required, we obtain explicit consent before processing (Art. 6(1)(a) GDPR), e.g., marketing communications.
- Legal obligation — Compliance with HIPAA, tax records, and other applicable laws (Art. 6(1)(c) GDPR).
5. How We Use Your Data
- Provide the CBT case conceptualization platform and related features
- Generate AI-assisted drafts (hypotheses, formulations, session notes)
- Process audio transcriptions via secure third-party APIs
- Authenticate users and manage session security
- Process billing through Stripe (PCI DSS compliant)
- Detect and prevent abuse, fraud, or security incidents
- Comply with legal and regulatory obligations
We never sell your data or PHI. We do not use client PHI for advertising, marketing, or AI model training purposes.
6. Data Sharing & Sub-Processors
We share data only with the following categories of sub-processors, each bound by data processing agreements:
- Cloud Infrastructure — Amazon Web Services (AWS), US East region. Data encrypted at rest (AES-256) and in transit (TLS 1.2+).
- AI Processing — Azure OpenAI Service (Microsoft). Data processed under Microsoft's HIPAA BAA. No data is used for model training.
- Payment Processing — Stripe Inc. PCI DSS Level 1 compliant. We never store payment card details.
- Audio Transcription — Deepgram (when used). HIPAA-compliant, BAA available.
We do not transfer PHI outside the scope of these sub-processor relationships. All sub-processors maintain HIPAA Business Associate Agreements (BAAs) where applicable.
7. Data Security
We implement administrative, technical, and physical safeguards including:
- Encryption at rest (AES-256) for all database storage
- Encryption in transit (TLS 1.2+) for all network communications
- Bcrypt password hashing with a HIPAA-appropriate cost factor
- HTTP security headers (CSP, HSTS, X-Frame-Options, etc.)
- CSRF protection on state-changing operations using token checks and same-origin safeguards
- Rate limiting on authentication endpoints
- Automatic session timeout after 60 minutes of inactivity
- Concurrent session management with device tracking
- Audit logging of PHI access events
- Role-based access controls (therapist sees only their own data)
8. Data Retention
We retain your data for as long as your account is active. Clinical data (PHI) is retained for the duration of your subscription plus a grace period of 30 days after an account deletion request, to allow for data export.
After the grace period, all data is permanently and irreversibly deleted from our systems, including backups, within 90 days.
Audit logs are retained for a minimum of 6 years in compliance with HIPAA record retention requirements.
9. International Data Transfers
Our infrastructure is hosted in the United States (AWS US-East). If you are located in the European Economic Area (EEA), your data is transferred to the US under one or more of the following safeguards:
- EU-US Data Privacy Framework (DPF) adequacy decision
- Standard Contractual Clauses (SCCs) with our sub-processors
- Your explicit consent to the transfer at account registration
10. Your Rights
Under GDPR (EEA residents)
- Right of Access — Request a copy of your data
- Right to Rectification — Correct inaccurate data
- Right to Erasure — Request deletion of your account and data
- Right to Data Portability — Export your data in a machine-readable format (JSON)
- Right to Restrict Processing — Limit how we use your data
- Right to Object — Object to processing based on legitimate interests
- Right to Withdraw Consent — Withdraw consent at any time
You can exercise your rights directly from your Account Settings page (Export Data, Delete Account) or by contacting us at the address below.
Under HIPAA (US)
- Right to access your PHI
- Right to request amendment of your PHI
- Right to an accounting of disclosures
- Right to request restrictions on use/disclosure
- Right to file a complaint with HHS if you believe your rights have been violated
12. Children's Privacy
CBT Assistant Pro is designed for licensed mental health professionals. We do not knowingly collect data from individuals under the age of 18. If a therapist enters minor client data, that data is processed as PHI under the therapist's clinical responsibility.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or a prominent notice on the platform at least 30 days before the changes take effect.
14. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a security concern, please contact us:
- Email: privacy@cbtassistantpro.com
- Data Protection Officer: dpo@cbtassistantpro.com
If you are an EU resident, you may also lodge a complaint with your local Data Protection Authority.