Privacy Policy

Last updated: March 22, 2026

1. Introduction

Signal by TheraPreneur ("Signal," "we," "us," or "our") is an AI-powered clinical intelligence and practice management platform designed exclusively for licensed mental health professionals. This Privacy Policy explains how we collect, use, disclose, and safeguard your information and the Protected Health Information ("PHI") of your clients when you use our platform at signal.therapreneur.app.

We are committed to maintaining the confidentiality, integrity, and availability of all data entrusted to us, in compliance with the Health Insurance Portability and Accountability Act ("HIPAA"), the Personal Information Protection and Electronic Documents Act ("PIPEDA"), and applicable state and provincial privacy laws.

2. Information We Collect

2.1 Account Information

When you register, we collect your name, email address, professional credentials, clinic name, and role within your organization (owner, admin, practitioner, or receptionist).

2.2 Client / Patient Data (PHI)

You may enter client names, contact details, diagnoses, session notes, treatment plans, outcome measures, insurance information, and billing records. Voice recordings captured during live sessions are processed for speech-to-text transcription and clinical analysis.

2.3 Usage and Technical Data

We automatically collect browser type, device information, IP address, pages visited, and feature usage patterns to improve platform performance and security.

2.4 Payment Data

Payment card information is collected and processed exclusively by Stripe, Inc. We do not store credit card numbers on our servers. We retain transaction records (amounts, dates, wallet balance changes) for billing purposes.

3. How We Use Your Information

  • Providing and operating the Signal platform, including live session analysis, clinical note generation, scheduling, and billing.
  • Processing voice audio through Deepgram for speech-to-text transcription. Audio is streamed in real time and is not permanently stored by Deepgram.
  • Running clinical analysis (emotion detection, crisis risk assessment, therapeutic modality suggestions) using our proprietary engine.
  • Submitting insurance claims to payers via Stedi (US) and TELUS eClaims (Canada) on your behalf.
  • Processing payments and managing your wallet balance.
  • Sending transactional communications (appointment reminders, billing receipts, security alerts).
  • Improving our services through aggregated, de-identified usage analytics.

4. HIPAA Compliance and PHI

Signal acts as a Business Associate under HIPAA when processing PHI on behalf of covered entities (licensed therapists and their practices). We maintain a Business Associate Agreement ("BAA") that governs our obligations regarding PHI.

  • All PHI is encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Access to PHI is controlled through role-based access controls (RBAC) with four distinct roles: owner, admin, practitioner, and receptionist.
  • We maintain audit logs of all access to and modifications of PHI.
  • Our infrastructure is hosted on Google Cloud Platform, which maintains its own HIPAA compliance and BAA.
  • We conduct regular security risk assessments and maintain policies and procedures required under the HIPAA Security Rule.

5. Third-Party Services

We share data with the following service providers, each under appropriate agreements:

Provider | Purpose | Data Shared
Google Cloud / Firestore | Database and infrastructure | All platform data (encrypted)
Deepgram | Speech-to-text transcription | Real-time audio stream
Stripe | Payment processing | Payment card data, billing amounts
Stedi | US insurance claims (EDI) | Claim data (client name, diagnosis, CPT codes)
TELUS Health | Canadian insurance claims | Claim data for Canadian payers

6. Data Retention

  • Session recordings: Audio is processed in real time for transcription and analysis. Raw audio is not permanently stored on our servers after processing unless you enable offline recording, in which case encrypted audio is retained until upload and processing are complete.
  • Clinical data: Session reports, notes, treatment plans, and client records are retained for as long as your account is active, or as required by applicable record retention laws (typically 7–10 years for clinical records).
  • Account data: Retained for the duration of your account plus 30 days after a deletion request.
  • Billing records: Retained for 7 years for tax and regulatory compliance.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access and receive a copy of your personal data.
  • Correct inaccurate personal data.
  • Request deletion of your data (subject to legal retention requirements).
  • Export your data in a portable format.
  • Withdraw consent for optional data processing.
  • Lodge a complaint with a supervisory authority.

As a therapist, you are responsible for honoring your clients' rights regarding their PHI under HIPAA and applicable state laws.

8. Breach Notification

In the event of a breach of unsecured PHI, we will notify affected covered entities without unreasonable delay and no later than 60 days after discovery of the breach, as required by the HIPAA Breach Notification Rule. We will provide all information required under 45 CFR § 164.410 to enable you to fulfill your notification obligations to affected individuals and the Department of Health and Human Services.

9. Security Measures

  • AES-256 encryption at rest for all stored data.
  • TLS 1.2+ encryption for all data in transit.
  • Role-based access controls with four permission tiers.
  • JWT-based authentication with configurable session expiry.
  • Cross-tab session synchronization and automatic logout on token expiry.
  • Regular security audits and penetration testing.
  • Infrastructure hosted on Google Cloud Platform with SOC 2 Type II certification.

10. Children's Privacy

Signal is designed for use by licensed mental health professionals, not by children or the general public. While therapists may create records for minor clients, the platform is operated solely by adult practitioners. We do not knowingly collect personal information directly from individuals under 18.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice within the platform and updating the "Last updated" date above. Your continued use of Signal after changes take effect constitutes acceptance of the revised policy.

12. Contact Us

If you have questions about this Privacy Policy, your data, or our HIPAA compliance practices, please contact us at:

TheraPreneur Privacy Office
Email: privacy@therapreneur.app
Website: https://www.therapreneur.app