TheraBasics

Privacy Policy

Version 1.0 · Effective 2026-05-20

Your wellness data is yours. We built TheraBasics to help you check in with yourself and, when you choose, share with a therapist. Everything you write — moods, journal entries, period logs, reflections — stays private by default. You decide what to share and with whom.

We do not sell your information. We do not use it for advertising. The third parties who help us run the service (database, AI summaries for your therapist, push notifications) are bound by signed agreements that limit them to working on our behalf. The full policy below explains the details.

1. Plain-English summary

This is the short version of what follows:

  • What we collect: the account info you give us (email, name); the wellness data you log in the app (mood check-ins, rituals, journal entries, and — if you turn it on — period tracking); and basic operational data (IP address, device info, audit logs).
  • How we use it: to provide the app to you, to generate therapist-facing summaries when you’re in Connected Mode, to detect language that suggests you may be in crisis, and to keep the service secure.
  • Who else sees it: your connected therapist (if any), bound by the visibility settings you control; and a small set of service providers that help run the app (listed below). We do not sell your data and do not share it for advertising.
  • Your controls: change what your therapist can see, disconnect from your therapist, delete your account, or contact us to access or correct your data.

2. Who we are

TheraBasics is operated by TheraBasics LLC (“TheraBasics,” “we,” “us,” or “our”), a California company located at 5123 Onaknoll Ave, Los Angeles, CA 90043. The clinical direction of the product is led by Raven Barrow, PsyD, MA, MFT, a licensed marriage and family therapist.

This policy applies to the TheraBasics mobile application, the TheraBasics therapist web dashboard, and the TheraBasics website at therabasics.com (together, the “Service”).

3. Information we collect

3.1 Account information

When you create an account, we collect:

  • Your email address (from Apple Sign-In or Google Sign-In)
  • The display name you choose
  • Your time zone (so reminders fire at the right local time)
  • Your role (client or therapist) and, for therapists, license credentials

3.2 Wellness and reflection data you log

The core of the Service is the data you choose to log:

  • Mood and check-in data: daily mood (1–5 scale and weather metaphors), sleep quality, energy level, stress level, physical symptoms, morning intentions, and end-of-day reflections
  • Journal entries: the text you write, including any optional prompts you respond to
  • Rituals: rituals you create or your therapist assigns, daily completions, and any notes you attach to a completion
  • Period and cycle tracking (only if you opt in): period start and end dates, flow level, and cycle-related symptoms
  • Pre-session notes (Connected Mode only): notes you choose to send to your therapist before a session

This information is sensitive. Some of it (mental health, reproductive health) is treated as “sensitive personal information” under applicable U.S. state laws and as Protected Health Information (PHI) under the U.S. Health Insurance Portability and Accountability Act (HIPAA) when you are connected to a therapist. See our Notice of Privacy Practices for the HIPAA-specific disclosures.

3.3 Automated safety flags

When you submit a journal entry, check-in, morning intention, or pre-session note, our system scans the text for language that may indicate a risk to your safety. Flagged content (along with the source category, severity, and timestamp) is recorded so we can notify your therapist when appropriate. See Section 7 for details.

3.4 Operational and device data

  • IP address, device type, operating system, and a user-agent string — collected automatically when you use the Service
  • Push notification tokens (so we can send you reminders or notify you when your therapist assigns a ritual)
  • Audit logs: what was accessed, by whom, and when, retained to satisfy HIPAA and to investigate any security incident
  • Consent records: which version of which agreement you accepted, with timestamp and IP address

3.5 What we do not collect

  • We do not collect government IDs or Social Security Numbers
  • We do not access your microphone, camera, contacts, photos, or location
  • We do not import data from Apple Health, Google Fit, calendar, or any other third-party source unless you explicitly enable that integration in the Service
  • We do not use third-party advertising trackers

4. How we use your information

We use the information described above to:

  • Provide the core Service (check-ins, rituals, journal, period tracking)
  • Send you reminders and notifications you’ve configured (morning intention, evening check-in, ritual reminders)
  • In Connected Mode only: generate AI-assisted weekly summaries (“session briefs”) for your connected therapist, based on the data categories you’ve chosen to share
  • Detect language that suggests a risk to your safety and notify your therapist so they can follow up (see Section 7)
  • Authenticate you, prevent fraud or abuse, and investigate violations of the Terms of Service
  • Maintain audit logs as required by HIPAA and to satisfy lawful requests from regulators
  • Communicate with you about service updates and policy changes
  • Improve the Service in aggregate (we do not train AI models on your data)

5. Service providers (sub-processors)

We rely on a small set of vendors to operate the Service. Each is bound by a written agreement (Business Associate Agreement, Data Processing Addendum, or equivalent) requiring them to protect your information and use it only on our behalf.

Provider | Purpose | Data shared | Agreement
Amazon Web Services (RDS, Cognito, SES) | Database, identity hosting, and transactional email delivery | All data stored in the Service; email and authentication tokens; recipient email + body for transactional and crisis-alert email | AWS Business Associate Addendum
Anthropic Claude models via AWS Bedrock | AI inference for therapist session briefs, reflective responses, and crisis-language classification | The wellness data your therapist is allowed to see, plus the text fragments scanned for safety — processed within our AWS account boundary; Anthropic does not directly receive or retain it | Covered under our AWS Business Associate Addendum (Bedrock processes Anthropic-licensed models without sending data outside the AWS BAA boundary)
Expo (Push Notifications) | Delivers push notifications to your device | Push token and notification payload (e.g., reminder titles) | Expo Data Processing Addendum
Sentry | Crash and error monitoring (no Session Replay, no performance tracing) | Stack traces and error messages only; request bodies, headers, cookies, form input, and PHI URLs are scrubbed before transmission | Sentry Business Associate Agreement
Stripe | Payment processing for therapist subscriptions (web checkout + customer portal) | Your email, billing address, and payment instrument details — never any wellness data, journal entries, mood check-ins, or clinical content | Stripe Data Processing Addendum (no BAA needed — Stripe never receives PHI by technical design)
RevenueCat | Subscription state management for mobile in-app purchases | Anonymized app user ID + purchase metadata (transaction ID, product ID, renewal state) — never any wellness data or clinical content | RevenueCat Data Processing Addendum (no BAA needed — RevenueCat never receives PHI by technical design)
Apple App Store / Google Play | In-app purchase processing and receipt validation for mobile subscriptions | Standard purchase metadata (transaction ID, receipt, product ID) — never any wellness data or clinical content | Apple Developer Program License Agreement and Google Play Developer Distribution Agreement (no BAA needed — neither platform receives PHI by design)

Payment vendors never receive Protected Health Information. Stripe, RevenueCat, Apple, and Google receive only the billing and purchase metadata required to operate subscriptions. They never see your wellness data, journal entries, mood check-ins, period logs, AI-generated session briefs, or any clinical content. The technical separation between the billing path and the clinical-data path is documented in our internal subprocessor review.

We will update this list when we add or change providers.

6. Sharing with your therapist

TheraBasics has two modes:

  • Solo Mode: nothing is shared with anyone. Your data is yours alone.
  • Connected Mode: you’ve used a therapist’s invite code to link your account to theirs. Your therapist can see the data categories you allow, in the format the dashboard provides.

In Connected Mode, you control what your therapist can see through per-category visibility toggles in your settings:

Category | Default | What it includes
Mood and check-ins | Visible | Daily mood scores and check-in summaries
Rituals | Visible | Ritual list, completions, and notes
Reflections (journal & pre-session notes) | Visible | Free-text reflections you've recorded
Cycle and period tracking | Hidden | Period dates, flow, cycle phase (opt-in)
Sleep, energy, stress, physical symptoms | Hidden | Granular wellness signals (opt-in)

You can change these settings at any time. Changing a category to “hidden” immediately removes that category from your therapist’s view going forward. Historical data that was previously visible remains in our records (so we can honor lawful requests and audit needs) but is no longer surfaced in their dashboard.

You can disconnect from your therapist at any time. After you disconnect, the therapist loses dashboard access immediately. We retain a record of the connection (start and end dates) for audit purposes.

7. Automated safety monitoring

When you submit a check-in, journal entry, morning intention, or pre-session note, the Service runs an automated two-step scan for language indicating you may be in crisis or at risk of self-harm:

  • Step 1 — keyword scan: a fast on-server check for explicit crisis language (e.g., references to suicide or self-harm).
  • Step 2 — AI classification: if Step 1 flags anything, the text is processed by a Claude model running on AWS Bedrock (Anthropic-licensed, executed inside our AWS environment) to assess severity (low, medium, or high). The AI is instructed to err on the side of safety.

If a flag is created and you are in Connected Mode, we notify your therapist:

  • High and medium severity: we email your therapist immediately. The email contains only a link to their dashboard — no PHI is sent in the email body itself.
  • Low severity: we include the flag in a daily summary email sent to your therapist (also pointer-only).
  • High severity unacknowledged: we send up to two follow-up reminders, one hour apart, until the therapist acknowledges the flag in the dashboard.

Crisis detection is automatic and cannot be disabled while you remain in Connected Mode. It exists to protect you. If you would prefer this monitoring not occur, you can switch to Solo Mode at any time, in which case no flags are forwarded to anyone (although flags are still recorded so we can demonstrate the safety practice exists).

8. Your rights and choices

You have the following rights with respect to your information:

  • Access and correct. See what we hold about you and correct anything inaccurate. Most data is visible directly in the app; for anything else, contact support@therabasics.com.
  • Export. Request a copy of your data in a portable format. We currently fulfill these requests by email at support@therabasics.com within 30 days; self-service export is on our roadmap.
  • Delete. Permanently delete your account and the data associated with it. You can do this from your account settings, or by emailing us. After deletion, we retain only what we must keep for legal, audit, or safety reasons (described in Section 9).
  • Control sharing. Change your visibility settings or disconnect from your therapist at any time.
  • Withdraw consent. Withdraw consent to AI-assisted features or to Connected Mode. Withdrawal does not undo past processing, but stops it going forward.
  • Complain. If you believe we have mishandled your information, contact our Privacy Officer at support@therabasics.com. You may also lodge a complaint with the U.S. Department of Health and Human Services Office for Civil Rights or your state’s privacy regulator.

9. How long we keep your information

We keep your information only as long as needed to provide the Service and meet our legal obligations:

  • Active accounts: for as long as your account is open.
  • Deleted accounts: we soft-delete your account immediately (preventing further access) and hard-delete the underlying records within 30 days, except for records we are required to retain for compliance or audit reasons.
  • Audit logs: retained for 6 years to satisfy HIPAA recordkeeping requirements.
  • Backups: retained for up to 30 days before being overwritten.
  • Crisis flags: retained as part of the underlying safety record for the duration of audit-log retention, even after account deletion, to demonstrate that our safety practices were followed.

10. How we protect your information

We use technical and organizational measures to protect your information:

  • All data in transit is encrypted using TLS (HTTPS). All data at rest is encrypted using AWS-managed encryption.
  • Authentication is handled by AWS Cognito; passwords (where applicable) are never stored in plaintext.
  • Our error-monitoring pipeline strips request bodies, cookies, and PHI-bearing URLs before any error report leaves our servers.
  • Access to production systems is restricted to a minimum set of authorized personnel and is itself audit-logged.
  • Every sub-processor that handles PHI has signed a Business Associate Agreement (BAA) with us.
  • We will notify you and the appropriate regulators of a breach affecting your information without unreasonable delay, in accordance with HIPAA and applicable state law.

No system is perfectly secure. If you discover a security issue, please contact us at support@therabasics.com before disclosing it publicly.

11. Children's policy (18+)

The Service is intended for adults aged 18 and older. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with information, please contact us at support@therabasics.com and we will delete it.

12. U.S. state-law disclosures

12.1 California (CCPA / CPRA)

California residents have the right to know what personal information we collect, the right to delete it, the right to correct inaccuracies, the right to limit our use of sensitive personal information, and the right not to be discriminated against for exercising these rights. We do not sell or share personal information for cross-context behavioral advertising. To exercise any of these rights, contact support@therabasics.com.

12.2 Washington My Health My Data Act

Washington residents have rights under the My Health My Data Act regarding consumer health data. We collect only the consumer health data described in Section 3, use it only as described in Section 4, and share it only with the providers listed in Section 5 (each bound by an agreement). We do not sell consumer health data. You have the right to access, delete, and withdraw consent. Contact support@therabasics.com to exercise these rights.

12.3 Other states (Connecticut, Colorado, Virginia, Nevada, and others)

Residents of states that have enacted comprehensive privacy laws have similar rights to access, correct, delete, and opt out of certain processing. Contact support@therabasics.com to exercise these rights. If we deny a request, you may appeal by replying to our denial email; we will respond to appeals within 60 days.

13. International users and data transfers

The Service is operated from and stores data in the United States (AWS us-east-1 region). If you access the Service from outside the United States, your information is transferred to and processed in the United States, which may have different data-protection laws than your home country.

The Service is currently designed for use in the United States and is not actively offered to residents of the European Economic Area, the United Kingdom, or other jurisdictions with comprehensive data-export restrictions. If you choose to use the Service from such a jurisdiction, you do so on your own initiative and consent to the transfer of your information to the United States.

14. Changes to this policy

We may update this policy from time to time. When we make a material change, we will notify you in the app, by email, or both, at least 30 days before the change takes effect (except where a shorter notice period is required by law or to address a security issue). The “Effective” date at the top of this page reflects the most recent version. Prior versions are available on request.

15. Contact us

For privacy questions, to exercise your rights, or to file a complaint:

  • Privacy Officer: Raven Barrow, PsyD
  • Email: support@therabasics.com
  • General support: support@therabasics.com
  • Mailing address: TheraBasics LLC, 5123 Onaknoll Ave, Los Angeles, CA 90043