Privacy Policy
Last updated: June 23, 2026
This Privacy Policy explains how TheraForge ("we", "us") collects, uses, and shares information when you use our Service. For Protected Health Information ("PHI") handled on behalf of a covered entity, this Policy is supplemented by our Business Associate Agreement and HIPAA Policy.
1. Information We Collect
- Account data: name, email, license info, billing address.
- Clinical content: client records, session transcripts, AI-generated notes, appointments, superbills — created by you in the course of your practice.
- Usage data: log records, device identifiers, IP address, feature interactions, error reports.
- Payment data: handled by our payments processor; we do not store full card numbers.
2. How We Use Information
- To operate, secure, and improve the Service.
- To process AI requests you initiate (transcription, drafting, summarization).
- To send service announcements and, with consent, product updates.
- To comply with legal obligations and enforce our Terms.
3. Legal Bases (GDPR / UK GDPR)
Where applicable law requires a legal basis, we rely on: performance of a contract (operating the Service), legitimate interests (security, fraud prevention, product improvement), consent (optional features and marketing), and legal obligation (tax, regulatory).
4. Sharing
We share information only with: (i) subprocessors who provide infrastructure, AI inference, and payments under written confidentiality and security obligations; (ii) authorities when required by law; and (iii) successors in a merger or acquisition, subject to this Policy.
5. Subprocessors
Our current subprocessors include cloud hosting (Cloudflare), database and auth (Lovable Cloud / Supabase), AI inference (OpenAI, Google), email delivery, and payments. A current list is available on request.
6. Data Retention
We retain clinical content for as long as your account is active, plus a 30-day post-termination grace period to allow export. Backups are retained for up to 90 days. You can delete specific records yourself from within your account, or request earlier deletion by contacting us.
7. Security
We encrypt data in transit (TLS 1.2+) and at rest (AES-256). Access to production systems is role-based, audited, and protected by MFA. See our HIPAA Policy for further detail.
8. Your Rights
Depending on your jurisdiction, you may have rights to access, correct, delete, port, or restrict processing of your personal data. Email privacy@theraforge.app to make a request.
9. International Transfers
We host data in the United States. Where required, we rely on Standard Contractual Clauses or other approved transfer mechanisms.
10. Children
The Service is not directed to children under 13. Clinicians may store records about minor clients only with appropriate guardian consent.
11. Changes
We will notify you in-app and by email of material changes to this Policy.
12. Contact
Privacy questions: privacy@theraforge.app.