1. Overview
Psycontext ("we", "us", or "our") is committed to protecting the privacy of all users. This Privacy Policy explains how we collect, use, and protect data for Therapists (registered users) and Respondents (anonymous survey participants). The platform is designed to be privacy-first, with data minimization as a core architectural principle.
2. Data We Collect
2.1 From Therapists (Registered Users)
- Account data: Email address, name, and optional practice information provided during registration
- Authentication data: Managed by Supabase Auth (password hashes, OAuth tokens). We never store passwords in plain text
- Survey data: Surveys you create, patient codes (anonymous identifiers), and survey questions
- Usage data: Activity logs within the platform (surveys created, responses received)
2.2 From Respondents (Survey Participants)
The Service is intentionally designed to collect the absolute minimum from respondents:
- Relationship type: How the respondent relates to the patient (e.g., friend, family, coworker)
- Survey answers: Responses to the survey questions
We do NOT collect from respondents:
- Names or email addresses
- IP addresses (checked for rate limiting only, never stored)
- Device fingerprints or browser information
- Cookies or tracking identifiers
- Location data
3. How We Use Data
- Therapist data: To provide the Service, authenticate access, and enforce subscription limits
- Survey responses: Displayed to the treating therapist only, aggregated by relationship type
- Activity logs: To provide recent activity feeds within the dashboard
- We do not sell, share, or use your data for advertising purposes
- We do not use patient data or survey responses to train AI models
4. Data Isolation and Security
- Row Level Security (RLS): Every database table has RLS policies ensuring therapists can only access their own data
- Encryption at rest: AES-256 encryption on all stored data
- Encryption in transit: TLS 1.3 for all data transfers
- Anonymous submission: Survey responses are submitted through a dedicated API endpoint using a service-role client, with no authentication required from respondents
- One-time-use links: Each survey link can only be used once and expires automatically after 7 days
5. Data Retention and Deletion
- Survey responses: Automatically and permanently deleted 15 days after a survey is closed
- Survey structure: The survey template and questions remain after response deletion, but contain no patient-identifying information
- Therapist accounts: Retained until you request deletion
- Export before deletion: You may export survey data as a PDF at any time before the 15-day auto-deletion
6. Data Processing Infrastructure
Your data is processed by:
- Supabase: Database and authentication, hosted on AWS infrastructure
- Vercel: Application hosting and serverless functions
Both services maintain SOC 2 Type II compliance and offer data processing agreements. Data may be processed in regions where AWS and Vercel operate infrastructure.
7. GDPR Compliance (EU Users)
For users in the European Economic Area, we comply with the General Data Protection Regulation (GDPR):
- Legal basis: Legitimate interest for service provision; consent for optional data collection
- Data minimization: We collect only what is necessary for the Service to function
- Right to access: You may request a copy of your data at any time
- Right to rectification: You may update your profile data at any time
- Right to erasure: You may request deletion of your account and all associated data
- Right to portability: You may export your data via PDF reports
- Data Protection Officer: Contact support@psycontext.com
8. LOPD-GDD Compliance (Spain)
For users in Spain, we comply with the Ley Orgánica de Protección de Datos y Garantía de los Derechos Digitales (LOPD-GDD). The anonymous nature of survey data collection follows the principle of purpose limitation as defined by the Agencia Española de Protección de Datos.
9. Cookies
Therapist dashboard: We use essential session cookies for authentication. No tracking, analytics, or advertising cookies are used.
Survey pages: No cookies are set whatsoever. Respondents can complete surveys without any cookies being stored in their browser.
10. Third-Party Services
We use the following third-party services:
- Supabase: Database, authentication, and storage
- Vercel: Hosting and deployment
- Google OAuth: Optional sign-in method (only when you choose "Sign in with Google")
We do not share data with any other third parties.
11. Children's Privacy
The Service is intended for use by licensed professionals and is not directed at individuals under 18. We do not knowingly collect data from children. If survey respondents are minors, it is the therapist's responsibility to ensure appropriate consent has been obtained.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top reflects the most recent revision.
13. Contact Us
For any privacy-related questions, data access requests, or concerns, contact us at support@psycontext.com.