Privacy Policy

Last Updated: May 2026

Psychiartist (“we,” “us,” or “our”) operates a practice management platform for mental health professionals. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our platform.

1. Information We Collect

1.1 Account Information

When you register, we collect:

  • Name, email address, phone number
  • Professional credentials (license number, NPI number)
  • Organization details (practice name, address, specialty)
  • Billing information (processed securely via Stripe or Razorpay)

1.2 Protected Health Information (PHI)

On behalf of healthcare providers who use our platform, we may process:

  • Client/patient names, contact information, and demographics
  • Appointment schedules and session history
  • Clinical notes, assessments, and treatment plans
  • Prescriptions and medication records
  • Diagnoses and clinical observations
  • Invoices and insurance information

Important: We act as a Business Associate under HIPAA. All PHI is processed only as directed by the Covered Entity (the subscribing healthcare provider) and subject to our Business Associate Agreement.

1.3 Usage Data

  • Device type, browser, and operating system
  • IP address and approximate location
  • Pages visited and features used
  • Error logs and performance data

2. How We Use Information

  • Provide Services: Operate the platform, manage appointments, process billing, and facilitate clinical workflows.
  • Security: Detect and prevent fraud, abuse, and security threats. Maintain audit logs as required by HIPAA.
  • Communication: Send appointment reminders, billing notifications, and essential service updates (with opt-out options).
  • Improvement: Analyze aggregated, de-identified usage patterns to improve platform features. We never use PHI for marketing or analytics.
  • Legal Compliance: Comply with applicable laws, regulations, and legal processes.

3. Your HIPAA Rights

If you are a patient/client of a healthcare provider using our platform, you have the following rights under HIPAA:

  • Right to Access: Request a copy of your health records maintained on our platform.
  • Right to Amendment: Request corrections to your health information.
  • Right to Accounting of Disclosures: Receive an accounting of disclosures of your PHI made in the prior 6 years.
  • Right to Restriction: Request restrictions on how your PHI is used or disclosed.
  • Right to Confidential Communications: Request that we communicate with you by alternative means or at alternative locations.
  • Right to Complain: File a complaint with your healthcare provider, with us, or with the U.S. Department of Health and Human Services.

These rights are exercised through your healthcare provider (the Covered Entity), which holds the treatment relationship with you; as a Business Associate we support the provider in fulfilling them. To exercise these rights, contact your healthcare provider directly or reach us at privacy@psychiartist.com.

4. Data Retention

  • PHI: Retained for a minimum of 6 years, or longer where applicable state medical-record retention law requires it. (HIPAA itself sets no retention period for medical records; its 6-year rule, § 164.530(j), applies to compliance documentation.) Individual retention periods may be configured per client.
  • Audit Logs: Retained for 6 years per HIPAA § 164.530(j).
  • Account Data: Retained for the duration of the subscription plus 90 days. After termination, PHI is returned to the Covered Entity or securely destroyed as provided in the Business Associate Agreement; remaining account data is securely deleted.
  • Usage Data: Retained for 2 years in aggregated, de-identified form.

5. Data Security

We implement industry-standard security measures including:

  • AES-256-GCM encryption for all PHI at rest
  • TLS 1.2+ encryption for all data in transit
  • Role-based access controls with minimum necessary access
  • Automatic session timeout (configurable, default 15 minutes)
  • Comprehensive audit logging of all PHI access
  • Regular security assessments and monitoring
  • Cloud infrastructure covered by a SOC 2 attestation report

6. Third-Party Service Providers

We use select third-party services to operate our platform. Each provider that may access PHI has executed a Business Associate Agreement with us:

  • Cloud Infrastructure: Hosting and database services (encrypted at rest and in transit)
  • Payment Processing: Stripe (US) and Razorpay (India) for billing. Both are PCI DSS compliant; Stripe has signed a BAA. Razorpay serves India-based organizations, whose data is governed by the DPDPA rather than HIPAA (see Section 9).
  • Email: Transactional email for appointment reminders and notifications
  • Telehealth: HIPAA-compliant video conferencing for virtual sessions

7. Children's Privacy

Our platform is designed for use by licensed mental health professionals. We do not knowingly collect personal information from children under 13. If a healthcare provider treats minors, the provider is responsible for obtaining parental/guardian consent in accordance with applicable laws.

8. State-Specific Rights

California (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act, including the right to know what personal information is collected, the right to delete, and the right to opt out of the sale of personal information. We do not sell personal information.

Other States

Residents of states with comprehensive privacy laws (Colorado, Connecticut, Virginia, Utah, etc.) may have additional rights. Contact us to exercise any applicable rights.

9. International Transfers

For US-based organizations, all PHI is processed within the United States. For India-based organizations, data is processed in accordance with the Digital Personal Data Protection Act (DPDPA), 2023.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the “Last Updated” date. Continued use of the platform constitutes acceptance of the updated policy.

11. Contact Us

For privacy-related questions or to exercise your rights, contact us at privacy@psychiartist.com.

To file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights, visit hhs.gov/hipaa/filing-a-complaint.