Legal

Privacy Policy

Effective date: May 23, 2026 · Last updated: May 23, 2026

HIPAA Notice: Therapy Aperture is designed for use by covered entities and business associates under HIPAA. We act as a Business Associate when handling Protected Health Information (PHI) on your behalf. A Business Associate Agreement (BAA) is required and available upon request before any PHI is processed through our platform.

1. Who We Are

Therapy Aperture ("we," "us," or "our") is a clinical intelligence platform for licensed mental health therapists, clinical supervisors, and supervised students or interns. We are operated by Therapy Aperture, Inc. Our platform is accessible via mobile application (iOS and Android) and any associated web interfaces.

Questions about this policy may be directed to info@therapyaperture.com.

2. Scope of This Policy

This Privacy Policy applies to all users of the Therapy Aperture application and website, including therapists, clinical supervisors, supervised interns and students, and clinic or practice administrators. It describes how we collect, use, store, and protect information — including Protected Health Information (PHI) — and what rights you have over that information.

This policy does not apply to third-party services you may use alongside Therapy Aperture (e.g., your EHR, telehealth platform, or practice management software).

3. Information We Collect

Account Information

When you or your organization creates an account, we collect:

Name, email address, and professional credentials (e.g., license number, license type)
Organization or clinic name and your role (therapist, supervisor, student/intern)
Authentication credentials managed through Amazon Cognito
Billing and subscription information (processed by our payment provider; we do not store full payment card data)

Session Audio and Transcripts (PHI)

The core function of Therapy Aperture involves processing session recordings. This data constitutes Protected Health Information (PHI) under HIPAA and is handled accordingly:

Audio recordings captured in-app and uploaded to encrypted AWS S3 storage
Transcripts generated by Amazon Transcribe, including speaker diarization labels
Redacted transcripts after automatic PII scrubbing via Amazon Comprehend (names, phone numbers, addresses, and other identifiers are removed before analysis)
AI analysis outputs including intervention detection tags, missed moment observations, competency scores, and session summaries

You are responsible for obtaining informed consent from your clients before recording any session. The application requires you to confirm consent has been obtained and logs that confirmation before a recording can begin.

Usage Data

We collect non-PHI usage information to operate and improve the platform, including:

Feature usage patterns, session counts, and app interaction data
Device type, operating system version, and app version
Error and crash logs
IP address and general geographic region (country/state)

4. How We Use Your Information

We use the information we collect to:

Provide the Therapy Aperture platform — transcription, analysis, scoring, and reporting
Authenticate users and enforce role-based access controls (therapist vs. supervisor)
Generate competency insights, missed moment flags, and growth trends
Enable supervisors to review sessions and therapist trends within their authorized caseload
Send transactional communications (account setup, session processing notifications, security alerts)
Improve platform accuracy and features using aggregated, de-identified data
Comply with legal obligations and enforce our Terms of Service

We do not use session recordings, transcripts, or PHI to train AI models without explicit written consent from the covered entity.

5. How We Share Your Information

We do not sell your personal information or PHI. We share information only in the following limited circumstances:

Service Providers (Subprocessors)

We use the following AWS services to process data on our behalf. All are HIPAA-eligible services covered under AWS's standard Business Associate Agreement:

Amazon S3 — encrypted audio and transcript storage
Amazon Transcribe — speech-to-text processing
Amazon Comprehend — PII detection and redaction
Amazon Bedrock (Claude) — clinical intelligence analysis
Amazon Cognito — user authentication and identity management
AWS Lambda & API Gateway — serverless pipeline orchestration
Amazon DynamoDB & RDS — session metadata and relational data storage
AWS CloudTrail — audit logging

Within Your Organization

If your account is part of a clinic or group practice, clinical supervisors designated by your organization may access your session data, competency scores, and transcript analysis as part of their authorized supervisory role. Access is controlled by your organization's administrator.

Legal Requirements

We may disclose information if required by law, subpoena, court order, or to protect the safety and rights of our users or the public. We will notify you of such requests where legally permitted.

6. Data Retention and Deletion

Retention of session recordings and transcripts is configurable by your organization:

Audio recordings are subject to S3 lifecycle rules that automatically delete files after your configured retention window (default: 90 days)
Transcripts and analysis outputs are retained in DynamoDB and RDS for the period configured by your organization or until account deletion
Audit logs are retained for a minimum of 6 years in compliance with HIPAA requirements
Account data is retained for the duration of your subscription and deleted within 30 days of account closure upon written request

To request deletion of your data, contact us at info@therapyaperture.com. Note that certain audit records may be retained even after deletion to satisfy legal obligations.

7. Security

We take the security of PHI seriously and implement the following safeguards:

Encryption at rest: All audio recordings and transcripts are encrypted using AWS S3 Server-Side Encryption with AWS KMS-managed keys (SSE-KMS)
Encryption in transit: All data transmitted between the app, our APIs, and AWS services uses TLS 1.2 or higher
Access controls: Role-based access enforced via Amazon Cognito; MFA required for all accounts
Audit logging: All access to PHI is logged via AWS CloudTrail
No PHI in URLs: We never include PHI in URL parameters or query strings
Automatic PII redaction: Client identifiers are stripped from transcripts before clinical analysis

No system is perfectly secure. If you believe your account or data has been compromised, contact us immediately at info@therapyaperture.com.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

Access: Request a copy of the personal information we hold about you
Correction: Request correction of inaccurate or incomplete information
Deletion: Request deletion of your account and associated data (subject to legal retention obligations)
Portability: Request an export of your session history and analysis data in a machine-readable format
Objection: Object to certain processing activities

For PHI-related requests under HIPAA, your rights flow through the covered entity (your clinic or practice). Contact your organization's administrator or contact us at info@therapyaperture.com.

9. Children's Privacy

Therapy Aperture is intended for use by licensed mental health professionals, supervised interns, and clinical supervisors. It is not directed at children under 18. We do not knowingly collect personal information from minors. If client sessions involve minors, the therapist is solely responsible for obtaining appropriate consent from a parent or guardian in accordance with applicable law.

10. California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your California rights, contact us at info@therapyaperture.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, notify you via email or in-app notification. Your continued use of Therapy Aperture after changes take effect constitutes acceptance of the revised policy.

12. Contact Us

For privacy-related questions, data requests, or to execute a Business Associate Agreement, contact us at:

Therapy Aperture, Inc.
info@therapyaperture.com