
Preview · Clinic administrator · v2.0.0

Universal Services Agreement

One document, six sections: Terms of Service, Privacy Policy, the HIPAA Business Associate Agreement (45 CFR §164.504(e)), the Notice of Privacy Practices Acknowledgment, Electronic Signature Disclosures, and a State-Law Strictest-Floor Addendum. This is a public preview — actual signing happens during registration, where your typed full legal name, IP address, user-agent, and an immutable PHI-S3 snapshot together form a binding e-signature (E-SIGN / UETA).

1. Universal Terms of Service

Your account, fees, acceptable use, intellectual property, and termination.

These Universal Terms of Service govern your use of the Psy180 platform ("Psy180," "we," "our," "us") whether you access the platform as a clinic administrator, a licensed mental health professional, or a client receiving services from a Psy180-using clinic.

(a) Account Eligibility. You may use Psy180 only if you are at least 18 years old (or have valid parent/guardian authorisation under applicable state minor-consent law and have completed the per-encounter clinical consent flow administered by your treating provider). Clinics and providers must hold all required licences in every state in which they render services.

(b) Acceptable Use. You agree not to (i) attempt to access PHI you are not authorised to view; (ii) reverse engineer, scrape, or stress-test the platform without written authorisation; (iii) use the platform to deliver services in a state in which the treating provider is not licensed; (iv) upload malware or attempt to circumvent the platform's security controls; or (v) re-identify de-identified data.

(c) Fees. Subscription fees are billed in advance through Stripe and are non-refundable except as required by applicable consumer-protection law. Psy180 may modify fees with at least thirty (30) days' written notice. Failure to pay may result in suspension of platform access; PHI handling and breach-notification obligations under Section 3 of this Agreement survive any suspension.

(d) Intellectual Property. The platform, its software, design, and documentation are owned by Psy180, Inc. You retain all rights to clinical content (including notes, consent forms, and session recordings) you create on the platform, subject to the licence grant in Section 2.

(e) Termination. Either party may terminate this Agreement at any time. Upon termination, Psy180 will, at the covered entity's election, return or securely destroy all PHI consistent with Section 3 of this Agreement.

(f) Governing Law and Venue. Subject to Section 6 (State-Law Supremacy), this Agreement is governed by the laws of the State of Delaware without reference to its conflict-of-laws principles. Disputes will be resolved in the state or federal courts of New Castle County, Delaware, except claims that are non-waivable by applicable state law (including state mental-health-provider rights and state consumer-protection rights).

(g) No Warranty; Limitation of Liability. Psy180 provides the platform "as is." Nothing in this section limits Psy180's obligations under the HIPAA Business Associate Agreement embedded in Section 3 below.

2. Universal Privacy Policy

What we collect, how we use it, who handles it, and your rights — at the strictest US standard.

(a) Data We Collect. We collect (i) account data (name, email, role, clinic affiliation); (ii) Protected Health Information (PHI) — clinical notes, consent documents, session metadata — under the HIPAA Business Associate Agreement embedded in Section 3; (iii) authentication metadata (IP, user-agent, timestamps) used for HIPAA audit logging under 45 CFR §164.312(b); (iv) consumer health data inferable from app usage patterns to the extent required to be disclosed under Washington's My Health My Data Act (RCW 19.373).

(b) Sub-Processors. Psy180 uses HIPAA-eligible sub-processors for storage, compute, and telecommunications, each bound by a Business Associate Agreement and held to AWS BAA standards or stricter. The current list is published at https://psy180.com/subprocessors and updated with at least thirty (30) days' notice before adding new sub-processors that handle PHI.

(c) Use of Data. PHI is used solely to provide the platform to the covered entity, as set out in Section 3. Non-PHI account data is used to operate, secure, and improve the platform. We do not sell PHI or consumer health data, and we do not use PHI for marketing without separate written authorisation under 45 CFR §164.508.

(d) Retention. PHI is retained for at least seven (7) years from the date of the last access or longer as required by applicable state law. Audit logs are retained for at least seven (7) years and are immutable. Account data is retained while your account is active and for a reasonable wind-down period thereafter.

(e) Data Rights — Strictest US Standard. Subject to applicable law, you have the rights to access, correct, delete, restrict, port, and obtain confidential communications regarding your data. Where multiple state laws apply, the most-protective standard applies. To exercise these rights, contact support@psy180.com. Psy180 will respond within thirty (30) days, or sooner where required by applicable state law (e.g. RCW 19.373.040 for Washington-resident consumer health data).

(f) California CMIA-Grade Confidentiality. Notwithstanding your state of residence, Psy180 will treat your medical information at the standard of California's Confidentiality of Medical Information Act (Cal. Civ. Code §56 et seq.) — including (i) the prohibition on selling, sharing, or using medical information for purposes incompatible with the original collection without written authorisation, and (ii) the disclosure-tracking requirements applicable to providers and contractors of providers.

(g) Washington MHMD-Grade Consumer Health Data. Psy180 will handle non-PHI consumer health data inferable from platform use (geolocation, app-usage patterns from which a health condition could be inferred) at the standard of Washington's My Health My Data Act (RCW 19.373), including consent for collection, prohibition on sale, and right-to-access / right-to-deletion / right-to-withdraw-consent.

3. HIPAA Business Associate Agreement (this Section binds you and Psy180, Inc.)

Psy180's BAA with covered entities — 45 CFR §§164.308(b), 164.502(e), 164.504(e).

This Section binds (i) clinics ("Covered Entities"), (ii) therapists in their capacity as workforce members of a covered entity or as solo-practitioner covered entities, and (iii) Psy180, Inc. ("Business Associate"). This Section does not bind clients (whose obligations are covered by Section 4 — Notice of Privacy Practices Acknowledgment).

(a) Permitted Uses and Disclosures by Business Associate. Psy180 may use and disclose PHI only as necessary to (i) provide platform services to the Covered Entity (clinical documentation, telehealth session management, consent management, scheduling); (ii) host PHI on HIPAA-compliant infrastructure that meets all AWS BAA standards; (iii) generate aggregate de-identified analytics consistent with 45 CFR §164.514; (iv) carry out its legal obligations, including disclosures to the Secretary of HHS under 45 CFR §164.502(j)(2); (v) carry out the data-aggregation services described in 45 CFR §164.504(e)(2)(i)(B) on behalf of the Covered Entity. Psy180 will not sell PHI or use PHI for marketing without separate written authorisation under 45 CFR §164.508.

(b) Safeguards. Psy180 will implement and maintain administrative, physical, and technical safeguards consistent with the HIPAA Security Rule (45 CFR Part 164, Subpart C), NIST SP 800-53 / SP 800-66, and Massachusetts 201 CMR 17.00 (Written Information Security Program — incorporated regardless of client residence as the floor security standard). Psy180 operates on HIPAA-compliant infrastructure that meets all AWS BAA standards, including: AES-256 encryption at rest with customer-managed keys, TLS 1.2+ in transit, private network isolation, least-privilege access controls, multi-factor authentication for administrative access, and immutable seven-year audit logging.

(c) Subcontractors. Psy180 will ensure that each subcontractor that creates, receives, maintains, or transmits PHI on behalf of Psy180 agrees in writing to restrictions and conditions at least as stringent as those in this Section (45 CFR §164.504(e)(2)(ii)(D)).

(d) Breach Notification — 30-Day Floor. Psy180 will notify the Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no case later than thirty (30) calendar days after discovery. This 30-day floor is stricter than HIPAA's 60-day default and aligns with the strictest applicable state regimes (Florida FIPA §501.171; Colorado §6-1-716; Washington RCW 19.255.010 as amended 2023; Massachusetts Chapter 93H §3). Notification will include the description, date of breach and discovery, types of PHI involved, mitigation steps, and recommended individual protective steps to the extent then known. The Covered Entity remains responsible for individual notifications under 45 CFR §164.404 and HHS Secretary notifications under 45 CFR §164.408.

(e) Access, Amendment, Accounting. Psy180 will make PHI available to the Covered Entity to satisfy individual requests under 45 CFR §§164.524 (access), 164.526 (amendment), and 164.528 (accounting of disclosures). Psy180 will make its internal practices, books, and records relating to PHI handling available to the Secretary of HHS for compliance audits under 45 CFR §164.504(e)(2)(ii)(H).

(f) Minimum Necessary. Psy180 will request, use, and disclose only the minimum PHI necessary to accomplish the intended purpose (45 CFR §164.502(b)).

(g) Termination and Return of PHI. Upon termination of the Covered Entity's platform subscription, Psy180 will, at the Covered Entity's direction, return or securely destroy all PHI in its possession that is feasible to return or destroy. PHI that is not feasible to return or destroy (e.g. as part of immutable audit logs required for HIPAA compliance) will continue to be protected under this Section for as long as Psy180 retains it.

(h) Provider HIPAA Acknowledgment (Workforce-Member Obligations). [Binds therapists.] If you are a therapist signing as a workforce member of a covered entity (or as a solo-practitioner covered entity), you acknowledge: (i) your independent obligations under the HIPAA Privacy Rule (45 CFR Part 164, Subpart E) and Security Rule; (ii) the minimum-necessary standard; (iii) your duty to maintain the confidentiality of your platform credentials and to enable multi-factor authentication; (iv) your duty to report any actual or suspected Breach of PHI to Psy180 and your clinic's Privacy Officer immediately upon discovery; (v) your obligation to complete HIPAA Privacy and Security training appropriate to your role within thirty (30) days and annually thereafter; (vi) the federal civil penalties (45 CFR §160.404 — up to USD 1.9 M per violation category per year) and criminal penalties (42 U.S.C. §1320d-6 — up to USD 250,000 and 10 years imprisonment for wilful misuse) for HIPAA violations; (vii) the additional obligations imposed by the state(s) in which you hold an active licence.

4. Notice of Privacy Practices — Acknowledgment

How your PHI may be used and disclosed; your rights under HIPAA — for clients.

This Section binds clients receiving services through a Psy180-using clinic and acknowledges receipt of Psy180's HIPAA Notice of Privacy Practices.

(a) Uses and Disclosures. Your PHI may be used and disclosed for treatment, payment, and healthcare operations as permitted by 45 CFR §§164.502 and 164.506; as required by law; for public-health activities under 45 CFR §164.512(b); and for other purposes described in the full Notice of Privacy Practices, available at https://psy180.com/notice-of-privacy-practices.

(b) Your HIPAA Rights. You have the rights to (i) access your PHI within thirty (30) days of request (45 CFR §164.524); (ii) request amendment of inaccurate information (45 CFR §164.526); (iii) receive an accounting of certain disclosures (45 CFR §164.528); (iv) request restrictions on use or disclosure (45 CFR §164.522); (v) request confidential communications by alternative means (45 CFR §164.522(b)); (vi) receive a paper copy of the Notice of Privacy Practices upon request.

(c) Privacy Officer. Psy180's designated Privacy Officer (45 CFR §164.530(a)) may be contacted at support@psy180.com. Your clinic also has its own Privacy Officer responsible for clinic-level HIPAA compliance.

(d) Filing a Complaint. You may file a privacy complaint with Psy180's Privacy Officer or with the U.S. Department of Health and Human Services, Office for Civil Rights (https://www.hhs.gov/ocr or 1-800-368-1019). You will not be retaliated against for filing a complaint.

(e) Per-Encounter Clinical Consents Are Separate. This Acknowledgment does not substitute for state-mandated per-encounter clinical consents (telehealth informed consent under e.g. WAC 246-815-160 or Cal. B&P §2290.5; minor consent path under e.g. RCW 71.34.530, OH §5122.04, MD §20-104, Cal. HSC §124260; consumer health data notice under RCW 19.373). Those consents are administered by your treating provider through Psy180's per-encounter consent flow before each applicable service is rendered.

5. Electronic Signature Disclosures

Why your typed name is a binding signature; how to receive paper copies.

(a) E-SIGN / UETA. This Agreement is executed electronically. By typing your full legal name in the signature field and clicking the affirmative checkbox, you create a legally binding signature under the Electronic Signatures in Global and National Commerce Act (15 U.S.C. §7001) and the Uniform Electronic Transactions Act as adopted in your state.

(b) Hardware and Software Requirements. To view and retain this Agreement, you need a current web browser (latest two major versions of Chrome, Safari, Firefox, or Edge), an internet connection, and the ability to download and store HTML or PDF files.

(c) Right to Paper Copies. At any time, you may request a paper copy of this Agreement at no charge by emailing support@psy180.com. You may also withdraw your consent to electronic delivery; doing so does not retroactively invalidate prior electronic signatures but means future agreements with Psy180 will be delivered on paper, which may delay your access to the platform.

(d) Updating Your Information. You may update your email address or other contact information through your account settings.

(e) Record of Signature. Psy180 captures your typed full legal name, IP address, user-agent, timestamp, and the document version at the moment of signature, and stores an immutable HTML snapshot of this Agreement in encrypted, HIPAA-compliant storage that meets all AWS BAA standards for at least seven (7) years. The record of your signature is summarised in the audit footer of this document.

6. State-Law Supremacy & Strictest-Floor Addendum

Where applicable state law in effect today provides greater protection, the more protective standard applies.

(a) Supremacy Clause. Where any applicable state law currently in effect — including, without limitation, California's Confidentiality of Medical Information Act (Cal. Civ. Code §56 et seq.), Washington's RCW 70.02 (Uniform Health Care Information Act) and RCW 19.373 (My Health My Data Act), Massachusetts Chapter 93H and 201 CMR 17.00, Illinois 740 ILCS 110 (MHDDCA), Minnesota §144.291–§144.298, New York Mental Hygiene Law §33.13 — provides greater protection of PHI, mental-health information, or consumer health data than this Agreement or HIPAA, the more protective standard applies and is incorporated by reference.

(b) Strictest-Floor Provisions. Regardless of any contrary provision in this Agreement, Psy180 incorporates the following strictest-state floors as platform-wide commitments:

  • Breach Notification — 30 days. Psy180 will notify Covered Entities of any Breach of PHI within thirty (30) calendar days of discovery (matches FL FIPA, CO §6-1-716, WA RCW 19.255.010, MA Chapter 93H §3 — stricter than HIPAA's 60-day default).
  • Written Information Security Program — Massachusetts 201 CMR 17.00. Psy180 maintains a written, comprehensive information-security programme containing the administrative, technical, and physical safeguards required under 201 CMR 17.03, regardless of where the covered entity or data subject resides.
  • Confidentiality of Medical Information — California CMIA. Psy180 treats all PHI at the CMIA standard (Cal. Civ. Code §56 et seq.), including (i) the express-authorisation requirements of §56.10 for disclosures outside treatment / payment / operations and (ii) the disclosure-tracking obligations of §56.10(c).
  • Consumer Health Data — Washington MHMD. Psy180 handles non-PHI consumer health data inferable from platform usage at the standard of RCW 19.373, including the prohibition on sale (RCW 19.373.030(4)), consent-for-collection requirements (RCW 19.373.020), and consumer right-to-access / right-to-deletion / right-to-withdraw-consent (RCW 19.373.040).
  • Mental-Health Confidentiality. Where the covered entity or treating provider is licensed in Illinois (MHDDCA), Minnesota (§144.293), Michigan (MCL 330.1700), New York (Mental Hygiene Law §33.13), or any other state with mental-health-specific confidentiality protections stricter than HIPAA, Psy180 will support the covered entity's compliance with those statutes — including by treating mental-health record disclosures as requiring express written authorisation rather than the looser HIPAA standing-authorisation model.

(c) Per-Encounter Clinical Consents Remain Separate. Nothing in this Section replaces or substitutes for state-mandated per-encounter clinical consents (telehealth informed consent, minor consent path, consumer-health-data notice). Those are administered by the treating provider through Psy180's per-encounter consent flow under lib/compliance/stateStacking.ts.

Ready to sign?

Begin registration. You'll see the full clause text and an attestation checkbox; checking that box with your typed full legal name completes the click-wrap acceptance.
