Privacy Policy

Last Updated: February 2026

Theracharts ("we," "us," or "our") operates the web application at app.theracharts.com. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

By using Theracharts, you agree to the collection and use of information in accordance with this policy.


1. Information We Collect

Account Information

When you create an account, we collect:

  • Name
  • Email address
  • Password (stored as a one-way cryptographic hash — we never store your actual password)
  • Practice name (optional)
  • User role (therapist, client, or practice administrator)

Usage Data

We automatically collect certain information when you access our platform:

  • IP address (for security and rate limiting)
  • Browser type and user agent string
  • Pages visited and features used
  • Timestamps of account activity

Clinical Assessment Data

When clients complete assessments through our platform, we store:

  • Form responses and check-in data
  • Assessment completion dates and submission timestamps
  • Form assignment and frequency settings

Important: All clinical assessment data entered by clients is treated as Protected Health Information (PHI) under HIPAA, and the safeguards described in Sections 4 and 5 apply to it.

Payment Information

If you subscribe to a paid plan, payment processing is handled entirely by Stripe, Inc. We do not store credit card numbers, bank account details, or other payment credentials on our servers. We receive and store only:

  • Stripe customer ID
  • Subscription status and billing tier
  • General transaction confirmation (success or failure)

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Theracharts platform
  • Process account registration and authentication
  • Facilitate therapist-client relationships and assessment workflows
  • Generate data visualizations, trend analysis, and session preparation reports
  • Send transactional emails (account verification, client invitations, check-in reminders, session reminders, and response notifications)
  • Process subscription payments and manage billing
  • Monitor platform security and prevent unauthorized access
  • Comply with legal obligations

We do not use your data to:

  • Sell or rent personal information to third parties
  • Display advertisements
  • Train machine learning models on your clinical data
  • Contact you for marketing purposes without your consent

3. How We Share Your Information

We do not sell, trade, or otherwise transfer your personal information to outside parties except in the following circumstances:

Service Providers: We use trusted third-party services that process data on our behalf:

  • Neon (database hosting)
  • Railway (application hosting)
  • Stripe (payment processing)
  • Resend (transactional email delivery)

Each service provider processes only the minimum data necessary to perform their function. We require all service providers handling PHI to enter into a Business Associate Agreement (BAA) as required by HIPAA.

Legal Requirements: We may disclose your information if required to do so by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect the rights, property, or safety of Theracharts, our users, or others.

With Your Consent: We may share your information with third parties when you have given us explicit consent to do so.


4. Data Security

We implement security measures designed to protect your information:

  • All data is encrypted in transit using TLS (HTTPS)
  • Database connections are encrypted with TLS (SSL)
  • Passwords are hashed with bcrypt, which applies a unique random salt to each password
  • Role-based access controls ensure therapists can only access their own clients' data, and clients can only access their own responses
  • Rate limiting protects against brute-force attacks
  • All API endpoints validate and sanitize input
  • Security headers including HSTS, Content Security Policy, X-Frame-Options, and X-Content-Type-Options
  • Structured audit logging tracks data access events
  • Session tokens are signed JWTs with an expiration time

No method of electronic storage or transmission over the internet is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.


5. HIPAA Compliance

Theracharts is designed with HIPAA compliance in mind for therapists and mental health professionals who handle Protected Health Information (PHI).

  • We maintain technical safeguards including encryption, access controls, and audit logging as required by the HIPAA Security Rule
  • We offer a Business Associate Agreement (BAA) for users on qualifying plans
  • Our email notifications are designed to never include PHI — they contain only non-identifying information such as reminders and links
  • We do not transmit PHI to Stripe or other payment processors

Therapist Responsibility: As a therapist using Theracharts, you are responsible for your own HIPAA compliance obligations, including obtaining appropriate client consent before using digital tools to collect health information.


6. Data Retention

  • Active accounts: We retain your data for as long as your account is active.
  • Canceled subscriptions: Your data is retained for 30 days after subscription cancellation. During this period, you may export your data or reactivate your subscription.
  • Account deletion: Upon request, we will permanently delete your account and all associated data, including clinical assessment data, within 30 days. Security audit logs are subject to the separate retention period below.
  • Audit logs: Security audit logs are retained for a minimum of 6 years, consistent with the HIPAA Security Rule's documentation retention requirement.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate or incomplete information
  • Delete your account and associated data
  • Export your data in a portable format
  • Withdraw consent for optional data processing
  • Object to processing of your personal information

To exercise any of these rights, contact us at contact@theracharts.com.


8. Cookies and Local Storage

Theracharts uses:

  • Session cookies for authentication (required for the platform to function)
  • Local storage for theme preferences and PWA functionality

We do not use tracking cookies, analytics cookies, or advertising cookies.


9. Children's Privacy

Theracharts is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal information, please contact us and we will take steps to delete that information.


10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last Updated" date. Your continued use of the platform after changes are posted constitutes acceptance of the revised policy.


11. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Theracharts
Email: contact@theracharts.com
Website: theracharts.com