Security & Compliance
Last updated: May 2026
Psy Planner is built for therapists, psychologists, and mental health practitioners who handle some of the most sensitive personal data in any profession. This page describes the technical and organisational measures we implement to protect that data.
Data encryption
In transit
All data transmitted between your browser or app and Psy Planner's servers is encrypted using TLS 1.2 or higher. Unencrypted HTTP connections are not permitted — all traffic is redirected to HTTPS automatically. HTTP Strict Transport Security (HSTS) is enforced to prevent downgrade attacks.
At rest
All data stored within Psy Planner's infrastructure is encrypted at rest using AES-256 encryption. This includes client records, session notes, form submissions, assessment scores, and all other data stored in our database and file storage systems.
Protected Health Information (PHI)
Psy Planner stores data that qualifies as Protected Health Information (PHI) under HIPAA, including:
- Client names, contact details, and demographic information
- Session notes and clinical documentation
- Intake form responses and standardised assessment results (PHQ-9, GAD-7, SRS, and others)
- Outcome tracking data and clinical trend records
- Booking requests and consent records
PHI is never included in application logs at any level. Access to PHI is restricted by row-level security controls — each therapist can only access data associated with their own account and clients. PHI is never used for advertising, product analytics, or any purpose other than delivering and improving the Services described in our Terms of Use.
HIPAA
Psy Planner implements technical safeguards aligned with the HIPAA Security Rule, including:
- Encryption of PHI in transit and at rest
- Access controls limiting PHI to authorised users only
- Audit logging of access to clinical records
- Session timeouts to limit exposure on unattended devices
- Procedures for breach detection, investigation, and notification
Business Associate Agreements (BAA)
Therapists and practices subject to HIPAA who use Psy Planner to store or process PHI may require a signed Business Associate Agreement. To request a BAA, contact us at team@psyplanner.app. We will respond within 5 business days.
Note: Psy Planner provides technical safeguards to support your HIPAA compliance. You remain responsible for the administrative and physical safeguards required under HIPAA, and for ensuring your own practice's compliance with applicable regulations.
Access controls
Authentication
All accounts are protected by password authentication. We enforce minimum password complexity requirements. Passwords are hashed using a strong one-way algorithm — plain-text passwords are never stored.
Session management
Authenticated sessions expire after a period of inactivity. Session tokens are invalidated on logout and on password change.
Account isolation
Each therapist account operates in strict isolation. Row-level security controls at the database layer ensure that no user can access another user's client records, session notes, or form submissions — even in the event of an application-layer error.
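How database-layer row-level security of this kind can be expressed, as an added example that is not Psy Planner's own code. It assumes PostgreSQL (the page does not name the database engine); the table, role, setting name and UUIDs are hypothetical.

```sql
-- Added illustration, not Psy Planner's schema. Assumes PostgreSQL; the table,
-- role, setting name (app.current_therapist) and UUIDs are hypothetical.
CREATE TABLE session_notes (
    id           int  PRIMARY KEY,
    therapist_id uuid NOT NULL,
    client_name  text NOT NULL,
    body         text NOT NULL
);

-- ENABLE turns policies on; FORCE applies them to the table owner as well.
ALTER TABLE session_notes ENABLE ROW LEVEL SECURITY;
ALTER TABLE session_notes FORCE  ROW LEVEL SECURITY;

-- One policy for reads and writes. An unset or empty setting yields NULL,
-- which matches no row, so a request with no identity fails closed.
CREATE POLICY therapist_isolation ON session_notes
    USING      (therapist_id = NULLIF(current_setting('app.current_therapist', true), '')::uuid)
    WITH CHECK (therapist_id = NULLIF(current_setting('app.current_therapist', true), '')::uuid);

-- The application connects as a role that is neither superuser nor BYPASSRLS.
CREATE ROLE app_user NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE ON session_notes TO app_user;

-- Request from therapist A: identity is bound for this transaction only.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.current_therapist', 'aaaaaaaa-0000-0000-0000-000000000001', true);
INSERT INTO session_notes VALUES
    (1, 'aaaaaaaa-0000-0000-0000-000000000001', 'Client A1', 'constructed sample note');
COMMIT;

-- Request from therapist B.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.current_therapist', 'bbbbbbbb-0000-0000-0000-000000000002', true);
INSERT INTO session_notes VALUES
    (2, 'bbbbbbbb-0000-0000-0000-000000000002', 'Client B1', 'constructed sample note');
-- Simulated application-layer error: the query forgot its WHERE clause.
-- The policy still filters it to therapist B's rows.
SELECT id, client_name FROM session_notes;
-- Writing a row under another therapist's id is rejected by WITH CHECK:
--   INSERT INTO session_notes
--   VALUES (3, 'aaaaaaaa-0000-0000-0000-000000000001', 'x', 'y');
COMMIT;
```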
Group practice access
Where a group practice account includes multiple clinicians, access permissions are role-based. Supervisors, clinicians, and administrators have different levels of access. No staff role has access to clinical notes outside their own assigned caseload unless explicitly granted by the account owner.
Audit logging
Psy Planner maintains audit logs for access to sensitive clinical data including:
- Session note reads and writes
- Client record access
- Form submission access
- User authentication events (including failed login attempts)
Audit logs are stored separately from application logs, are append-only, and cannot be modified by the application. Logs are retained for a minimum of 6 years, consistent with clinical record-keeping standards.
Data storage and residency
Psy Planner's customer-facing application is hosted on Vercel. Core cloud infrastructure and related platform services (including storage and integrated third-party services) are provided by Amazon Web Services and other vendors listed in our vendor list. Data may be processed in multiple regions according to how each service is configured; our vendor list summarises typical processing locations for each subprocessor (for example, US and multi-region deployments where stated).
We do not store or process data in regions that do not meet applicable legal standards for cross-border data transfers. Where data is transferred internationally, we apply appropriate transfer mechanisms including Standard Contractual Clauses (SCCs) where required by GDPR.
Subprocessors and third-party vendors
Psy Planner works with a limited number of third-party service providers who may process customer data on our behalf. All subprocessors are subject to data processing agreements and are evaluated for security and compliance before engagement.
Where a subprocessor handles PHI, we ensure an appropriate BAA or equivalent agreement is in place.
A current list of our subprocessors is available at www.psyplanner.app/processors.
Key categories include:
- Cloud hosting and database infrastructure — servers, storage, and managed database services
- Email delivery — transactional emails including appointment reminders and account notifications
- Payment processing — billing and subscription management (Paddle)
- Error monitoring — application error tracking (configured to exclude PHI from error payloads)
Session notes and clinical records
Signed notes are immutable
Once a session note is signed and finalised within Psy Planner, it is locked and cannot be edited or deleted through the application. This protects the integrity of clinical records. Signed notes are retained for a minimum of 6 years from creation.
Template snapshots
When a note is written using a template, a frozen copy of that template's structure is stored alongside the note answers. If the template is later edited, existing signed notes are unaffected — they always render from their own snapshot, preserving the original clinical context.
Draft notes
Notes saved as drafts are editable until signed. Draft notes are subject to the same access controls and encryption as signed notes.
Forms and submissions
Intake forms and assessments
Form submissions — including intake questionnaires, PHQ-9, GAD-7, and other standardised assessments — are stored with the same encryption and access controls applied to session notes. Submissions are linked to the therapist's account and accessible only to that therapist.
Public forms and booking pages
When a client submits a form or booking request via a public link, their data is transmitted over TLS and stored immediately under the therapist's account. Public form endpoints do not expose any other client's data. Public links are scoped to a single therapist and cannot be used to access other accounts.
Consent records
Where a form includes a consent field, the client's consent timestamp is stored alongside their submission. Consent records are retained as part of the submission record.
Breach notification
In the event of a data breach affecting your account or your clients' data, Psy Planner will:
- Notify affected Customers without undue delay and, where feasible, no later than 72 hours after becoming aware of a breach
- Provide information about the nature of the breach, the categories and approximate number of records affected, and the measures taken or proposed to address it
- Support Customers in meeting their own breach notification obligations to clients and regulators
Suspected security incidents should be reported immediately to team@psyplanner.app.
Vulnerability disclosure
If you discover a security vulnerability in Psy Planner, please report it responsibly to team@psyplanner.app. We will acknowledge your report within 48 hours and work to address confirmed vulnerabilities promptly. We ask that you do not publicly disclose vulnerabilities until we have had a reasonable opportunity to investigate and remediate.
What this page does not cover
This page covers Psy Planner's own security practices. It does not cover:
- The security of your local devices or network
- The security of third-party telehealth video providers you connect via integration
- Your own HIPAA administrative and physical safeguard obligations
- Security of any data you export from the platform and store externally
Contact
For security questions, BAA requests, or to report a suspected incident:
Email: team@psyplanner.app
Website: www.psyplanner.app