Universal Services Agreement · v2.0.0

Privacy Policy

This is Section 2 of Psy180's Universal Services Agreement, published verbatim. The full agreement preview contains all six sections.

2. Universal Privacy Policy

What we collect, how we use it, who handles it, and your rights — at the strictest US standard.

(a) Data We Collect. We collect (i) account data (name, email, role, clinic affiliation); (ii) Protected Health Information (PHI) — clinical notes, consent documents, session metadata — under the HIPAA Business Associate Agreement embedded in Section 3; (iii) authentication metadata (IP, user-agent, timestamps) used for HIPAA audit logging under 45 CFR §164.312(b); (iv) consumer health data inferable from app usage patterns to the extent required to be disclosed under Washington's My Health My Data Act (RCW 19.373).

(b) Sub-Processors. Psy180 uses HIPAA-eligible sub-processors for storage, compute, and telecommunications, each bound by a Business Associate Agreement and held to AWS BAA standards or stricter. The current list is published at https://psy180.com/subprocessors and updated with at least thirty (30) days' notice before adding new sub-processors that handle PHI.

(c) Use of Data. PHI is used solely to provide the platform to the covered entity, as set out in Section 3. Non-PHI account data is used to operate, secure, and improve the platform. We do not sell PHI or consumer health data, and we do not use PHI for marketing without separate written authorisation under 45 CFR §164.508.

(d) Retention. PHI is retained for at least seven (7) years from the date of the last access, or longer as required by applicable state law. Audit logs are retained for at least seven (7) years and are immutable. Account data is retained while your account is active and for a reasonable wind-down period thereafter.

(e) Data Rights — Strictest US Standard. Subject to applicable law, you have the rights to access, correct, delete, restrict, port, and obtain confidential communications regarding your data. Where multiple state laws apply, the most-protective standard applies. To exercise these rights, contact support@psy180.com. Psy180 will respond within thirty (30) days, or sooner where required by applicable state law (e.g. RCW 19.373.040 for Washington-resident consumer health data).

(f) California CMIA-Grade Confidentiality. Notwithstanding your state of residence, Psy180 will treat your medical information at the standard of California's Confidentiality of Medical Information Act (Cal. Civ. Code §56 et seq.) — including (i) the prohibition on selling, sharing, or using medical information for purposes incompatible with the original collection without written authorisation, and (ii) the disclosure-tracking requirements applicable to providers and contractors of providers.

(g) Washington MHMD-Grade Consumer Health Data. Psy180 will handle non-PHI consumer health data inferable from platform use (geolocation, app-usage patterns from which a health condition could be inferred) at the standard of Washington's My Health My Data Act (RCW 19.373), including consent for collection, prohibition on sale, and right-to-access / right-to-deletion / right-to-withdraw-consent.