Legal

Privacy Policy

We take your privacy — and your patients' privacy — seriously. This policy explains how Therasoft AI collects, uses, and protects information in compliance with HIPAA, HITECH, and applicable state law.

Effective: April 1, 2026 Last Updated: April 24, 2026 Company: Therasoft Inc., Seattle, WA
🔒 HIPAA Compliant
BAA Available
Azure-Hosted · Encrypted at Rest & in Transit
SOC 2 Type II (In Progress)

1. Overview

Therasoft AI is operated by Therasoft Inc., a Washington State corporation with its principal place of business in Seattle, WA. We provide AI-powered practice management software designed specifically for mental health practices ("the Service").

This Privacy Policy applies to:

  • The Therasoft AI platform at app.therasoft.ai
  • Our marketing website at therasoft.ai
  • All associated APIs, mobile applications, and integrations

As a healthcare technology company, we operate both as a Business Associate under HIPAA (when processing Protected Health Information on behalf of covered entities) and as a data controller for administrative information we collect independently.

🔒 HIPAA Business Associate

When your practice shares Protected Health Information (PHI) with Therasoft AI, we act as a HIPAA Business Associate. We are required by law to sign a Business Associate Agreement (BAA) with each covered entity before processing PHI. We do not use PHI for any purpose other than those permitted under your BAA and HIPAA regulations.

2. Data We Collect

We collect different categories of information depending on how you interact with our platform.

2.1 Account & Practice Information

When you create an account or register your practice, we collect:

  • Your name, email address, phone number, and job title
  • Practice name, address, NPI number, and Tax ID (EIN)
  • Clinician credentials and licensure information
  • Payer/insurance contract information
  • Billing and payment information (processed via our payment processor; we do not store raw card numbers)

2.2 Clinical & Patient Data (PHI)

When you use our AI agents to process patient information, you may provide us with Protected Health Information, including:

  • Patient demographic information (name, date of birth, contact information)
  • Insurance and eligibility data
  • Appointment and scheduling records
  • Clinical documentation (intake forms, session notes, treatment plans, assessments)
  • Diagnostic information (DSM-5/ICD-10 codes, assessment scores)
  • Billing records and claims data (CPT codes, ERA/EOB data)
  • Secure messages between clinicians and patients

🔒 PHI is Governed by Your BAA

All Protected Health Information processed through Therasoft AI is handled exclusively under the terms of your executed Business Associate Agreement. PHI is never sold, used for advertising, or shared with third parties except as required to deliver the Service or as permitted by HIPAA.

2.3 Usage & Technical Data

We automatically collect certain technical information when you use the platform:

  • IP address, browser type, operating system, and device identifiers
  • Pages visited, features used, and time spent on the platform
  • API request logs and error logs
  • Session identifiers and authentication tokens

2.4 Marketing & Communications Data

When you sign up for our newsletter, early access list, or contact us:

  • Name and email address
  • Message content and inquiry type
  • Email engagement data (open rates, link clicks) from our email platform
Data Category Examples Is it PHI?
Account Information Name, email, practice details No
Patient Demographics Name, DOB, contact info Yes
Clinical Notes SOAP notes, treatment plans Yes
Billing & Claims CPT codes, claim status, ERA Yes
Usage Data Login times, feature usage No
Marketing Data Email, inquiry messages No

3. How We Use Data

3.1 Service Delivery

We use collected information to provide, maintain, and improve the Therasoft AI platform, including:

  • Operating our AI agents (Frontdesk, Clinical, Billing, Financial, Marketing)
  • Processing insurance eligibility checks and claim submissions
  • Generating AI-assisted clinical documentation for clinician review
  • Providing analytics and reporting dashboards to practice owners
  • Sending appointment reminders and automated communications to patients on behalf of your practice

3.2 AI Model Operation

Therasoft AI uses large language models (LLMs) to power its agent capabilities. In operating these models:

  • PHI may be transmitted to our AI infrastructure (Microsoft Azure OpenAI Service) in encrypted form for processing
  • We do not permit our AI providers to train on your PHI or use it for any purpose other than returning results to your practice
  • All AI providers used to process PHI have executed appropriate Business Associate Agreements with us
  • AI-generated outputs (e.g., clinical notes) require clinician review and approval before finalization

3.3 Service Improvement

We may use de-identified and aggregated data (from which all PHI has been removed in compliance with HIPAA's de-identification standard at 45 CFR §164.514) to:

  • Improve the accuracy and performance of our AI models
  • Develop new features and product enhancements
  • Generate industry benchmarks and research reports
  • Train internal quality assurance systems

We will never use individually identifiable PHI to train our AI models without explicit written consent.

3.4 Communications

We use your contact information to:

  • Send transactional emails (account confirmations, invoices, security alerts)
  • Provide customer support and respond to inquiries
  • Send product updates and release notes
  • Send marketing communications (only with consent; unsubscribe anytime)

3.5 Security & Fraud Prevention

We use technical and usage data to detect unauthorized access, investigate suspicious activity, enforce our Terms of Service, and protect the security of your data and our platform.

4. HIPAA & Protected Health Information

🔒 Business Associate Agreement Required

We require all healthcare customers (covered entities and their business associates) to execute a Business Associate Agreement with Therasoft Inc. before using any feature that involves Protected Health Information. Contact hello@therasoft.ai to request a BAA.

4.1 Our HIPAA Obligations

As a HIPAA Business Associate, Therasoft Inc. is contractually and legally required to:

  • Use and disclose PHI only as permitted by your BAA and HIPAA regulations (45 CFR Part 164)
  • Implement and maintain appropriate administrative, physical, and technical safeguards for PHI
  • Report any breach of unsecured PHI to you within 60 days of discovery (and within 30 days when feasible)
  • Make PHI available to individuals upon request in accordance with the Privacy Rule
  • Return or destroy PHI upon termination of the BAA, where feasible
  • Ensure any subcontractors who handle PHI on our behalf also execute BAAs and comply with HIPAA

4.2 Permitted Uses and Disclosures of PHI

We will only use or disclose PHI to:

  • Provide the contracted services to your practice
  • Perform data aggregation services on behalf of covered entities
  • Report or respond to violations of law discovered during service delivery
  • Respond to a court order, subpoena, or legal process (with notice to you when permitted)
  • Fulfill our own legal obligations as a Business Associate

4.3 Minimum Necessary Standard

We adhere to the HIPAA Minimum Necessary Standard. Our systems are designed to access, process, and transmit only the minimum amount of PHI necessary to accomplish the intended purpose. AI agents are scoped to the data they require for their specific function.

4.4 Breach Notification

In the event of a breach of unsecured PHI, Therasoft Inc. will notify affected covered entities without unreasonable delay and no later than 60 calendar days after discovery, as required by 45 CFR §164.410. Our breach response plan includes immediate containment, forensic investigation, patient notification support, and regulatory reporting assistance.

5. Data Security

We implement comprehensive technical, administrative, and physical safeguards to protect your data.

5.1 Encryption

  • In transit: All data transmitted between your browser, our applications, and our APIs is encrypted using TLS 1.2 or higher. We enforce HTTPS-only connections.
  • At rest: All data stored in our databases, file storage, and backups is encrypted using AES-256 encryption.
  • PHI in AI processing: PHI transmitted to AI processing services is encrypted end-to-end and processed within HIPAA-compliant Azure OpenAI Service endpoints.

5.2 Infrastructure & Hosting

  • Hosted on Microsoft Azure in US-based data centers
  • Azure provides HIPAA-eligible services with BAA coverage
  • Multi-region redundancy with automated failover
  • Network segmentation, Web Application Firewall (WAF), and DDoS protection
  • Regular vulnerability scans and penetration testing

5.3 Access Controls

  • Role-based access control (RBAC) — users only see data relevant to their role
  • Multi-factor authentication (MFA) available for all accounts
  • Audit logging of all access to PHI, with tamper-evident logs
  • Automatic session timeouts for inactive users
  • Employee access to production PHI is logged and requires documented business justification

5.4 Organizational Measures

  • HIPAA Security Rule training required for all employees with PHI access
  • Dedicated HIPAA Security Officer
  • Annual security risk assessments per 45 CFR §164.308(a)(1)
  • SOC 2 Type II audit in progress — contact us for our current security posture documentation
  • Vendor management program — all sub-processors handling PHI are BAA-covered

5.5 Reporting a Security Issue

If you discover a potential security vulnerability, please disclose it responsibly to hello@therasoft.ai. We will acknowledge receipt within 48 hours and work to resolve confirmed issues promptly.

6. Third-Party Services & Sub-Processors

We work with trusted third-party services to deliver the Therasoft AI platform. Where these services process PHI on our behalf, we execute appropriate Business Associate Agreements.

Provider Purpose Processes PHI? BAA in Place?
Microsoft Azure Cloud hosting, storage, databases, AI services Yes Yes
Azure OpenAI Service LLM-powered AI agent processing Yes Yes
Google OAuth Authentication (sign-in with Google) No (name/email only) N/A
Stripe Payment processing & subscription billing No (financial data only) N/A
Twilio SMS/voice for appointment reminders Limited (name, appointment time) Yes
SendGrid / Postmark Transactional email delivery Limited (name, appointment details) Yes
Google Analytics / GTM Marketing website analytics (not app) No N/A

ℹ️ AI Model Providers

Our primary AI processing uses Microsoft Azure OpenAI Service, which provides HIPAA-eligible API endpoints with a BAA. Azure OpenAI Service processes your data to return AI-generated responses and does not use customer data to train or improve its foundational models. For the most current information, see the Azure OpenAI Data Privacy documentation.

We do not sell your data (including PHI or personal information) to any third party, period.

7. Data Retention & Deletion

7.1 Retention Periods

We retain data for different periods depending on its type and your contractual obligations:

Data Type Retention Period Notes
PHI / Clinical Records As required by applicable law (typically 7–10 years from last encounter) Governed by your BAA and state law; you are the custodian of record
Billing & Financial Records 7 years minimum Required for Medicare/Medicaid compliance
Account Information Duration of account + 3 years after closure May be deleted earlier upon verified request
Audit Logs 6 years Required by HIPAA Security Rule
Marketing & Contact Data Until unsubscribed or deletion requested Removed within 30 days of request
Usage / Technical Data 12 months Used for security and performance analysis

7.2 Account Closure & Data Export

When you close your Therasoft AI account:

  • You may request a full export of your practice data (including clinical records and billing data) before closure
  • We will export data in standard formats (CSV, JSON, HL7 FHIR where applicable)
  • Following account closure and any required retention period, PHI will be securely destroyed using NIST 800-88 compliant methods
  • We will provide written confirmation of destruction upon request

7.3 Deletion Requests

For non-PHI personal data (such as marketing contact data or account information), you may request deletion at any time. We will fulfill deletion requests within 30 days except where retention is required by law. PHI deletion must comply with your BAA and applicable medical record retention laws — we will advise you on the process.

8. Your Rights

8.1 Rights as a Practice (Covered Entity)

As a healthcare practice using Therasoft AI, you have the following rights regarding data we hold:

  • Access: Request a copy of any data we hold about your practice or organization
  • Correction: Request correction of inaccurate account or administrative information
  • Data Portability: Request export of your data in a machine-readable format
  • Restriction: Request limitation of certain processing activities
  • Deletion: Request deletion of non-PHI personal data (subject to legal retention requirements)
  • BAA Amendment: Request amendments to your Business Associate Agreement

8.2 Patient Rights (Under HIPAA)

Patients whose PHI is processed through Therasoft AI have rights under HIPAA including access to their records, right to request amendments, and right to an accounting of disclosures. These rights are fulfilled by your practice as the covered entity. Therasoft AI will assist you in fulfilling these obligations as required under your BAA.

8.3 Marketing Communications

You may opt out of marketing emails at any time by clicking "Unsubscribe" in any email or by emailing hello@therasoft.ai. Opting out of marketing communications does not affect transactional emails related to your account or subscription.

8.4 California Residents (CCPA)

California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your CCPA rights, contact us at hello@therasoft.ai.

8.5 Submitting a Rights Request

To exercise any of the above rights, please email hello@therasoft.ai with the subject line "Privacy Rights Request." We will verify your identity and respond within 30 days (or the applicable legal deadline).

9. Cookies & Tracking

9.1 What We Use Cookies For

We use cookies and similar tracking technologies on our marketing website (therasoft.ai) and application (app.therasoft.ai) for the following purposes:

Cookie Type Purpose Examples
Essential Authentication, session management, security Login tokens, CSRF tokens
Functional Remembering preferences, UI settings Language, timezone, layout prefs
Analytics Understanding how our site is used Google Analytics (_ga, _gid)
Marketing Measuring ad effectiveness on our website Google Tag Manager (GTM)

9.2 Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to refuse new cookies, delete existing cookies, or be notified when a new cookie is set. Disabling cookies may limit some functionality of our website. Essential cookies cannot be disabled as they are necessary for the platform to function.

9.3 Third-Party Analytics

We use Google Analytics 4 and Google Tag Manager on our marketing website to understand visitor behavior. These services set their own cookies and are governed by Google's privacy policy. We do not use analytics cookies inside the clinical application where PHI is accessed.

9.4 Do Not Track

We honor browser-level "Do Not Track" signals on our marketing website by limiting analytics cookie loading where technically feasible.

10. Children's Privacy

Therasoft AI is designed for use by licensed healthcare professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18 for account creation purposes. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.

Note: Mental health practices may treat minors as patients. PHI relating to minor patients is handled in accordance with HIPAA and applicable state minor consent laws. Your practice is responsible for ensuring appropriate consent and authorization for minor patients; Therasoft AI will process such PHI according to your BAA and your instructions.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Send an email notification to account administrators
  • Display a prominent notice in the platform for 30 days after the change takes effect

Your continued use of Therasoft AI after the effective date of a revised Policy constitutes your acceptance of the revised terms. If you disagree with material changes, you may terminate your account in accordance with our Terms of Service.

For BAA-related changes that materially affect PHI handling, we will provide at least 30 days' advance written notice and seek your acknowledgment before implementing the change.

12. Contact Us

If you have questions about this Privacy Policy, our data practices, HIPAA compliance, or wish to exercise your privacy rights, please contact us:

Therasoft Inc. — Privacy Office

📧 hello@therasoft.ai

🌐 therasoft.ai

📍 Seattle, WA, United States

For BAA requests, security incident reports, or HIPAA-specific inquiries, please include the relevant subject line in your email and we will route your request to our Privacy Officer or HIPAA Security Officer within 1 business day.

If you are a patient seeking access to your health records, please contact your healthcare provider directly. Your provider is the HIPAA covered entity and custodian of your records. Therasoft AI processes records on your provider's behalf and cannot independently fulfill patient record requests.