Privacy Policy
Effective date: June 7, 2026
Theraflow LLC (“Theraflow,” “we,” “us”) provides a practice-management platform for therapists and mental-health professionals at theraflow.llc (the “Service”). This Privacy Policy explains what information we collect, how we use and protect it, and the choices you have. It applies to our website and the Service.
In plain terms: we collect what we need to run the Service, we protect it carefully, we never sell it, and client health information is handled under strict HIPAA business-associate obligations.
1. Information we collect
- Account information. When a therapist creates an account: name, email address, and a password (stored only as a secure one-way hash — we cannot read your password).
- Practice information. Details you add in Settings, such as practice name, timezone, session rates, and telehealth room link.
- Client records (Protected Health Information). Therapists may store records about their clients — contact details, appointments, session notes, intake responses, assessment results, and consent forms. This information belongs to the therapist’s practice; we process it only to provide the Service (see Section 3).
- Payment information. Payments are processed by Stripe. Card numbers are entered directly with Stripe and never touch our servers; we store only references (such as a customer ID and payment status).
- Usage and security data. Standard technical logs — such as IP address and timestamps for sign-in and sign-up attempts — used for security, rate-limiting, and fraud prevention, plus records of data-access events kept in an audit log.
- Communications. If you contact support, we receive the contents of your message. Please do not include client/patient details in support messages.
2. Cookies
We use only essential cookies: a session cookie that keeps you signed in. We do not use advertising cookies or third-party tracking cookies on the Service.
3. Client health information and HIPAA
Therapists using Theraflow are healthcare providers (“covered entities” under HIPAA), and Theraflow acts as their business associate. Each therapist accepts a Business Associate Agreement (BAA) inside the Service. Under that agreement, we use and disclose client health information only to provide the Service, as permitted by the BAA, or as required by law — never for marketing, and never for sale.
We deliberately keep health details out of email: appointment reminders, intake invitations, and payment requests contain only what is necessary (such as a date, a secure link, or an amount) — never diagnoses, notes, or assessment results.
If you are a client of a therapist who uses Theraflow: your therapist controls your records. For questions about your information or to exercise your rights (access, correction, deletion), please contact your therapist directly; we support them in fulfilling those requests.
4. How we use information
- To provide and operate the Service (scheduling, charting, billing, reminders, telehealth links).
- To secure the Service: authentication, abuse and bot prevention, rate-limiting, and audit logging.
- To process subscription payments and client payments through Stripe.
- To send transactional email (account, reminder, and billing messages) — not marketing email.
- To respond to support requests and improve the Service.
5. How we share information
We never sell personal information, and we do not share it for advertising. We share information only with:
- Service providers (subprocessors) that help us run the Service: Amazon Web Services (hosting and encrypted database), Stripe (payment processing), Resend (transactional email delivery), and Cloudflare (bot protection on our sign-up page). Each processes data only as needed for its function.
- Legal requirements. If required by law or subpoena, or to protect rights, safety, or the integrity of the Service.
- Business transfer. If Theraflow is acquired or merged, information may transfer under the same protections; we would notify account holders of any material change.
6. Security
All data is encrypted in transit (HTTPS) and at rest. The database is private, access-controlled, and isolated per practice so one therapist can never access another’s records. Passwords are hashed, sessions are signed, repeated failed sign-ins and automated sign-ups are rate-limited, and data-access events are recorded in an audit log. No system is perfectly secure, but security is a core design commitment of the Service.
7. Data retention, export, and deletion
Your data remains available for as long as your account is active. Therapists can export a full archive of their practice data from Settings at any time. You may request deletion of your account and data by contacting us; we will delete it except where retention is required by law or by your own record-keeping obligations as a provider. Backups age out on a fixed schedule.
8. Children
The Service is for licensed professionals and is not directed to children. We do not knowingly collect information directly from children. Records concerning minors may be entered by their treating provider as part of clinical care, under the protections described in Section 3.
9. Changes to this policy
If we make material changes, we will update the effective date above and notify account holders by email or an in-app notice before the changes take effect.
10. Contact
Questions or requests: support@theraflow.llc. Please do not include any client/patient information in your message.