Legal
Privacy Policy
Last updated: July 4, 2026
1. Who we are
PsychApp (“PsychApp”, “we”, “us”) provides practice-management software for mental-health practitioners in Canada, including scheduling, clinical documentation, psychometric assessments, a client portal, secure messaging, video sessions, and billing. This policy explains what information we handle, why, and the choices you have. Questions can be sent to hello@psychapp.ca.
2. Our role under privacy law
Practitioners who use PsychApp are health information custodians (or the equivalent under their provincial legislation) for the personal health information (“PHI”) they collect about their clients. PsychApp acts as a service provider (in Ontario, an “electronic service provider” supporting custodians under PHIPA) that stores and processes that information on the practitioner's instructions. We do not use client PHI for our own purposes, we do not sell it, and we do not use it to train artificial-intelligence models.
3. Information we collect
From practitioners
- Account details: name, email address, clinic name, password (stored as a secure hash).
- Practice details you choose to add: provider profile, registration number, services, availability, note templates, and forms.
- Billing details: subscription plan and payment status. Card numbers are collected and stored by Stripe, our payment processor — they never touch our servers.
About clients (entered by practitioners or clients)
- Contact and demographic information, appointment history, intake form responses, assessment responses and scores, clinical notes, diagnoses, treatment plans, files, messages, invoices, and insurance details — as created in the ordinary use of the platform.
Automatically
- Technical logs necessary to operate and secure the service (such as IP address, browser type, and timestamps) and essential cookies used for sign-in sessions. We do not run third-party advertising trackers.
4. How we use information
- To provide, maintain, and secure the service.
- To send transactional email you or your clients expect — booking confirmations, appointment reminders, and account notices.
- To provide support when you contact us.
- To meet legal obligations.
We do not sell personal information and we do not use PHI for advertising or analytics.
5. AI features
The Clinical AI Assistant and Session Scribe are optional. When a practitioner uses them, the text of the question or the session transcript is sent to our AI provider (Anthropic) to generate a response, and is not used to train models. Session audio is never stored: transcription happens in the practitioner's browser, and only the visible text transcript is processed. Practitioners agree to keep queries de-identified and are responsible for obtaining client consent before transcribing a session.
6. Where data lives
Client records are stored with our database provider (Supabase) in the Canada Central region, encrypted in transit (TLS) and at rest. Video sessions are peer-to-peer: encrypted audio and video flow directly between participants and are not recorded or stored by PsychApp.
7. Service providers (subprocessors)
- Supabase — database, authentication, and file storage (Canada Central).
- Vercel — application hosting and delivery.
- Stripe — subscription payments.
- Anthropic — AI responses for the optional assistant and scribe.
- Our email delivery provider — transactional email (confirmations and reminders).
Each provider is bound by contractual confidentiality and security obligations and receives only what is necessary to perform its function.
8. Security
- Encryption in transit and at rest.
- Row-level access controls so each practice can only access its own records.
- Signed clinical records become read-only with audited addenda.
- Unguessable, single-purpose links for client-facing tasks.
- Automated encrypted backups.
No system is perfectly secure. If we learn of a breach affecting your information, we will notify affected practitioners without unreasonable delay so custodians can meet their own notification duties.
9. Retention and deletion
Records remain available for as long as a practice maintains its account, because clinical record-retention obligations belong to the practitioner. When an account is closed, practitioners may export their data; we then delete or de-identify it within a reasonable period, except where law requires longer retention.
10. Your rights
Practitioners can access, correct, or export their account information by contacting us. Clients seeking access or correction of their health records should contact their practitioner, who is the custodian of those records; we support practitioners in fulfilling such requests.
11. Changes to this policy
If we make material changes, we will notify account holders by email or in-app notice before the changes take effect. The “last updated” date above always reflects the current version.
12. Contact
Privacy questions, requests, or complaints: hello@psychapp.ca. You may also contact your provincial privacy commissioner or the Office of the Privacy Commissioner of Canada.