TheraBasics

Notice of Privacy Practices (HIPAA)

Version 1.0 · Effective 2026-05-20

This Notice describes how protected health information (PHI) created or maintained in TheraBasics may be used and disclosed, and how you can exercise your rights under the U.S. Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). It applies when you use TheraBasics in Connected Mode (linked to a therapist) and to certain operations even when you use the Service in Solo Mode.

Please read it carefully. If anything is unclear, contact our Privacy Officer using the details in Section 7.

1. Required header statement

2. Who this notice covers

TheraBasics LLC (“TheraBasics,” “we,” or “us”) provides the TheraBasics platform. When a licensed therapist uses TheraBasics with their clients in Connected Mode, that therapist is the Covered Entity under HIPAA, and TheraBasics is acting as their Business Associate. We have signed a Business Associate Agreement with each therapist who uses the platform.

When you use TheraBasics without a therapist (Solo Mode), most of the information you log is not PHI under HIPAA. However, we voluntarily extend the protections described in this Notice — including encryption, access logging, and breach notification — to all wellness data you log, regardless of mode.

The PHI covered by this Notice includes: the wellness data you log (mood, sleep, stress, energy, journal entries, period tracking, rituals), your identifiers (email, name, account ID), records of your relationship with your therapist, and any AI-generated summaries (“session briefs”) we create on your therapist’s behalf.

3. How we use and disclose your PHI

3.1 For treatment

In Connected Mode, we share PHI with your connected therapist as part of providing care. The categories of data shared are governed by the visibility settings you control in the app (mood, rituals, reflections, cycle/period, sleep and energy, stress, and physical symptoms). Your therapist may use this information to plan and deliver care, including by viewing AI-generated session briefs we create on their behalf.

3.2 For payment and healthcare operations

TheraBasics does not currently process payments to or from your therapist for your care. If we add payment functionality in the future, we will update this Notice to describe how PHI may be used or disclosed for payment and healthcare operations.

3.3 To you

You always have access to your own information through the app and through the rights described in Section 4.

3.4 As required by law

We will disclose PHI when required to do so by federal, state, or local law — for example, in response to a valid court order, a subpoena that satisfies HIPAA’s requirements, or a mandated-reporter obligation. We will challenge requests we believe are improper.

3.5 To avert a serious threat to health or safety

3.6 To our Business Associates

We share PHI with the service providers (sub-processors) who help us operate the platform. Each Business Associate is bound by a written Business Associate Agreement requiring them to safeguard PHI and use it only on our behalf. The current list of providers is available in our Privacy Policy, Section 5.

3.7 Public health activities, health oversight, and judicial proceedings

We may use or disclose PHI as permitted by 45 CFR § 164.512 — including for public health activities (for example, reporting communicable disease as required), health-oversight activities (for example, audits or investigations authorized by law), and certain judicial and administrative proceedings — when we believe in good faith that the disclosure is required.

3.8 Other uses require your authorization

Any use or disclosure of PHI not described in this Notice will be made only with your written authorization. Specifically, your written authorization is required for: (a) most uses or disclosures of psychotherapy notes; (b) use or disclosure of PHI for marketing; and (c) any sale of PHI. We do not sell PHI and do not use it for marketing. You may revoke an authorization at any time, in writing, except to the extent we have already acted in reliance on it.

4. Your rights under HIPAA

4.1 Right to inspect and copy

You have the right to inspect and obtain a copy of your PHI maintained in the designated record set. Most of this information is available directly in the app. To request a complete copy in a portable format, contact support@therabasics.com. We will respond within 30 days.

4.2 Right to request amendment

If you believe PHI we maintain about you is incorrect or incomplete, you may ask us to amend it. Submit your request in writing to support@therabasics.com with the reason for the amendment. We may deny your request in limited circumstances; if we do, we will explain why and how you can appeal.

4.3 Right to an accounting of disclosures

You have the right to receive an accounting of certain disclosures we have made of your PHI in the six years before the date you request the accounting, excluding disclosures made for treatment, payment, healthcare operations, or made directly to you. Contact support@therabasics.com to request an accounting. One accounting per twelve-month period is provided at no charge.

4.4 Right to request restrictions

You have the right to request a restriction on the uses or disclosures of your PHI for treatment, payment, or healthcare operations. We are not required to agree to a restriction except in narrow circumstances required by law (for example, when PHI relates to a service you paid for in full out of pocket and the disclosure would be made to a health plan). Where we agree, the restriction is binding except in emergencies.

4.5 Right to confidential communications

You may request that we communicate with you about your PHI by alternative means or at an alternative location. We will accommodate reasonable requests.

4.6 Right to a paper copy of this Notice

You may request a paper copy of this Notice at any time, even if you previously agreed to receive it electronically, by contacting support@therabasics.com.

4.7 Right to be notified of a breach

We will notify you in writing without unreasonable delay (and in any event within 60 days) if we discover that unsecured PHI about you has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed in a manner not permitted by HIPAA.

5. Our duties

We are required by law to:

  • Maintain the privacy and security of your PHI
  • Provide you with this Notice of our legal duties and privacy practices
  • Notify you of a breach of unsecured PHI
  • Abide by the terms of the Notice currently in effect

We reserve the right to change the terms of this Notice and to make the new Notice provisions effective for all PHI we maintain. When we make a material change, we will post a revised Notice on this page and, where required by law, notify you by email or in the app.

6. Complaints

If you believe your privacy rights have been violated, you may file a complaint with us by contacting our Privacy Officer at the contact information below. You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights:

  • By web: hhs.gov/ocr/complaints
  • By phone: 1-800-368-1019 (TDD: 1-800-537-7697)
  • By mail: U.S. Department of Health and Human Services, Office for Civil Rights, 200 Independence Avenue SW, Room 509F HHH Building, Washington, DC 20201

We will not retaliate against you for filing a complaint.

7. Contact us

To exercise your rights or for any HIPAA-related questions:

  • Privacy Officer: Raven Barrow, PsyD
  • Email: support@therabasics.com
  • Mailing address: TheraBasics LLC, Attn: Privacy Officer, 5123 Onaknoll Ave, Los Angeles, CA 90043