1. Introduction
Extended Sessions AI ("we," "us," "our," or "Company") is committed to protecting your privacy and ensuring you have a positive experience on our platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our therapy AI platform, including our website, web application, and related services (collectively, the "Service").
Extended Sessions AI is a between-session companion for therapy patients, configured and supervised by licensed therapists. Our platform is designed to provide HIPAA-compliant support for patients between their therapy sessions while maintaining the highest standards of privacy and security.
Important: Please read this Privacy Policy carefully. By accessing or using Extended Sessions AI, you acknowledge that you have read, understood, and agree to be bound by all the terms of this Privacy Policy.
2. Information We Collect
We collect information necessary to provide and improve the Service. This information may include:
Account Information
- For Patients: Name, email address, date of birth, and any other information you choose to provide in your profile
- For Therapists: Name, email address, professional license number, state of licensure, credentials, and contact information for your practice
- Password and Authentication: Encrypted authentication credentials through Firebase Auth
Chat Session Content
- All conversations between you and the AI assistant
- Messages, prompts, and responses within chat sessions
- Session metadata including timestamps and duration
Usage Data
- How often you access the Service
- Which features you use
- Session frequency and length
- Pages viewed and time spent on each page
- Any errors or technical issues encountered
Device and Browser Information
- Device type (computer, tablet, mobile phone)
- Operating system and browser type
- IP address
- Approximate location based on IP address
- Browser features and settings you use
Communication Information
- If you contact us, we keep records of your inquiry and our response
- Email addresses and content of support communications
3. How We Use Your Information
We use the information we collect for the following purposes:
Providing the Service
- Creating and maintaining your account
- Delivering chat support and AI responses
- Managing subscriptions and billing (if applicable)
- Enabling therapists to configure and manage patient accounts
Generating AI Responses
- Processing your messages to generate real-time AI responses
- Maintaining conversation context within a session
- Delivering personalized, context-aware support
Clinical Support
- Creating clinical summaries of sessions for your therapist
- Extracting key topics, progress indicators, and patient-reported concerns
- Enabling therapists to monitor patient wellbeing between sessions
- Detecting potential crisis situations and alerting appropriate parties
Crisis Detection and Safety
- Identifying indicators of suicidal ideation, self-harm, or imminent danger
- Taking appropriate action per crisis protocols (notifying therapist, emergency services if needed)
- Maintaining safety logs and incident records as required by regulation
Communication
- Sending transactional emails (password resets, account confirmations, session summaries)
- Notifying you of important account changes or security updates
- Responding to your inquiries and support requests
Service Improvement
- Analyzing usage patterns to improve user experience
- Identifying and fixing bugs and technical issues
- Developing new features and optimizations
- Conducting research to understand how our Service helps patients
Legal Compliance
- Complying with legal obligations and court orders
- Protecting against fraud and abuse
- Enforcing our Terms of Service and other agreements
4. AI and Your Data
Your conversations are not used to train our AI models. We use Vertex AI (Google Cloud's Gemini) for generating responses with a zero-data retention policy.
How AI Processing Works
- When you send a message, it is securely transmitted to Vertex AI for real-time response generation
- The AI provider (Google) processes your message to generate a response
- Responses are generated in real-time and are not retained by the AI provider after delivery
- Your conversation data is not used to train or improve Google's AI models
- No data leaves your account for AI processing except what is necessary to generate your response
Data Retention by AI Provider
Google Cloud's Vertex AI service operates under strict data retention policies:
- AI-generated responses are not stored by the AI provider
- Your input is processed and immediately deleted after response generation
- No conversation history is maintained by the AI service for training purposes
- This complies with HIPAA requirements for data handling and privacy
Clinical Summaries
Clinical summaries created from your conversations are generated by the AI but stored on our secure servers so your therapist can review your progress. These summaries are covered under HIPAA protections like all your health information.
5. Data Storage and Security
HIPAA Compliance: Extended Sessions AI is covered under a Business Associate Agreement (BAA) with Google Cloud Platform (GCP), ensuring HIPAA-compliant data handling and storage.
Infrastructure
- All data is hosted on Google Cloud Run with HIPAA-compliant infrastructure
- We use Google Cloud's Firestore database with built-in encryption and access controls
- All infrastructure is subject to Google Cloud's BAA, meeting HIPAA standards
Encryption
- In Transit: All data transmitted to and from our servers uses TLS 1.2+ encryption
- At Rest: Data stored in Firestore is encrypted at rest using Google-managed encryption keys
- Passwords: User passwords are never stored in plain text; they are managed securely by Firebase Auth
Access Controls
- Only authorized staff have access to data systems
- Patients can only access their own data
- Therapists can only access their own patients' data
- Role-based access controls enforce these restrictions at the application and database levels
- Administrative access is logged and monitored
Audit Logging
- All access to patient data is logged with timestamps and user identifiers
- Audit logs are retained for 6 years to comply with HIPAA requirements
- Logs are secured and only accessible to authorized personnel
Email Security
- Transactional emails are sent through SendGrid with encryption in transit
- Session summaries and sensitive information are sent only to verified therapist email addresses
- Emails use secure, authenticated delivery protocols
6. Who Can Access Your Data
Patient Access
You can view your own data: You can access your chat history, account information, and any summaries generated from your sessions. You have full visibility into what information we hold about you.
Therapist Access
Your therapist can view: Conversations with the AI, clinical summaries of your sessions, and progress indicators. Your therapist configured your account and can see this information to better understand your needs and tailor your in-session therapy accordingly.
Data Sharing Policy
- No Sales: We do not sell your data to third parties under any circumstances
- No Advertising: We do not use your information for third-party advertising or marketing
- No Unauthorized Sharing: We do not share your data with any outside organization unless required by law
- Service Providers: We only share data with service providers (Google Cloud, SendGrid, Firebase) who are contractually bound to protect your information
Legal Exceptions
We may disclose your information if required by law, court order, or government authority, such as:
- Responding to valid legal process or government requests
- Protecting against fraud, security, or technical issues
- Enforcing our Terms of Service
- Protecting the rights, property, and safety of Extended Sessions AI, our users, or the public
7. Data Retention
Chat Session Data
- Your chat conversations are retained according to your therapist's configuration settings
- Your therapist can set retention periods (e.g., delete sessions after 90 days, or retain indefinitely)
- You can request deletion of individual sessions at any time
- When your therapist relationship ends or your account is closed, sessions are deleted per your request or your therapist's configuration
Clinical Summaries
- Summaries are retained as part of your clinical record
- These may be retained longer to maintain continuity of care
- Deletion of summaries is coordinated between you and your therapist
Audit Logs
- Audit logs and access records are retained for 6 years to comply with HIPAA requirements
- These logs are not accessible to users but help us maintain security and compliance
Account Deletion
You can request complete deletion of your account and associated data. To do so:
- Contact us at the email below with a request to delete your account
- We will verify your identity and process the deletion within 30 days
- Some information may be retained if required by law or for legitimate business purposes (e.g., audit logs for 6 years)
8. Cookies and Tracking
Firebase Authentication Cookies
- We use Firebase Auth session cookies to maintain your login state
- These are functional cookies necessary for the Service to work
- They are not used for tracking or advertising purposes
- Cookies are deleted when you log out or your session expires
Third-Party Tracking
- We do not currently use third-party tracking cookies or analytics services
- We do not allow Google Analytics, Facebook Pixel, or similar tracking technologies on our platform
- Your browsing activity on Extended Sessions AI is not tracked by external services
Your Cookie Preferences
Most browsers allow you to refuse cookies or alert you when cookies are being sent. However, blocking functional cookies may prevent you from using the Service properly. We recommend keeping Firebase Auth cookies enabled.
9. Your Rights
You have the following rights with respect to your personal information:
Right to Access
You can request and download a copy of all personal information we hold about you in a machine-readable format.
Right to Deletion
You can request deletion of your account and associated data. Some information may be retained if required by law (e.g., audit logs for 6 years).
Right to Correction
You can update or correct inaccurate information in your account profile at any time.
Right to Withdraw Consent
For any optional data collection or use, you can withdraw consent at any time. This will not affect the legality of processing based on consent given before withdrawal.
Right to Data Portability
You can request a copy of your data in a standard, portable format that can be transferred to another service.
How to Exercise Your Rights
To exercise any of these rights, please contact us at bryan.leishman@gmail.com with your request. We will respond to your request within 30 days and may ask to verify your identity before proceeding.
10. Children's Privacy
Extended Sessions AI is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has created an account or provided information, we will delete that account and information promptly.
If you are a parent or guardian and believe your child has used our Service, please contact us immediately at bryan.leishman@gmail.com.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by email or by prominently posting a notice on our website.
Your continued use of the Service following the posting of a revised Privacy Policy means that you accept and agree to the changes.
12. Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us:
We will respond to your inquiry as promptly as possible, typically within 5-7 business days.
Privacy At a Glance
- ✓ HIPAA-compliant infrastructure under Google Cloud BAA
- ✓ Your conversations are not used to train AI models
- ✓ Encryption in transit and at rest
- ✓ No data sales or third-party advertising
- ✓ You control how long we keep your data
- ✓ Access your data anytime
- ✓ Request deletion at any time