Privacy Policy

Effective date: September 5, 2025

Scope & Definitions

PsyFi Technologies (Oaken Cloud Technologies, LLC d/b/a “PsyFi Technologies”, “PsyFi”, “we”, “us”) provides software and services for behavioral health organizations including PsyFi Assistant and PsyFi GPT (the “Services”). This Privacy Policy explains how we collect, use, disclose, and protect information, including Protected Health Information (“PHI”) as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

For Customers that are Covered Entities or Business Associates under HIPAA, our processing of PHI is governed by a Business Associate Agreement (“BAA”). In the event of conflict between this Policy and an executed BAA, the BAA controls with respect to PHI.

Information We Collect

  • Account & Contact Data: Name, email address, username, password (hashed), organization name, job title, department, phone number, profile photo.
  • Authentication Data: Google OAuth identifiers, two-factor authentication (2FA) secrets (encrypted), recovery codes (hashed), session tokens.
  • Usage & Device Data: IP address, browser type and version, operating system, device identifiers, pages viewed, features used, timestamps, referring URLs.
  • Transactional & Billing Data: Subscription plan, billing history, invoices, payment method last 4 digits (via Stripe). We do not store full credit card numbers.
  • Customer Content: Chat messages, prompts, AI-generated responses, uploaded files (PDFs, DOCX, TXT, etc.), conversation history, memory preferences, custom templates. This may include PHI depending on your use of the Services.
  • Usage Quota Data: Daily request counts, quota limits, subscription tier.
  • Support & Communication Data: Support tickets, emails, chat transcripts with our team, feedback submissions.
  • Preferences & Settings: Theme preferences, notification settings, de-identification settings, memory enablement, appearance settings.

Cookies & Tracking Technologies

We use cookies and similar tracking technologies to operate and secure the Services. Cookies are small data files stored on your device.

Types of Cookies We Use:

  • Essential Cookies: Required for authentication, session management, and core functionality. These include session cookies (expire when you close your browser) and authentication tokens.
  • Security Cookies: Used for CSRF protection, 2FA verification, and fraud prevention.
  • Preference Cookies: Store your settings such as theme preference and language.
  • Analytics Cookies: Help us understand how the Services are used, which features are popular, and how to improve performance. These may be first-party or third-party cookies.

Managing Cookies: Most browsers allow you to control cookies through settings. Blocking essential cookies will prevent you from using the Services. To opt out of analytics cookies, you may use browser privacy settings or opt-out mechanisms provided by third-party analytics providers.

Do Not Track: We do not currently respond to Do Not Track (DNT) browser signals, as there is no industry-wide standard for DNT compliance.

Sources of Information

  • Directly from you: Account creation, profile updates, chat inputs, file uploads, settings changes.
  • From your organization: Administrators provisioning users, assigning roles, configuring organization settings.
  • From third-party integrations: Google OAuth (name, email, profile photo), single sign-on (SSO) providers.
  • Automatically collected: Cookies, log files, device and usage data collected when you access or use the Services.
  • From payment processors: Stripe provides billing and payment confirmation data.

How We Use Information

  • Service Delivery: Provide, maintain, secure, and improve the Services, including AI-assisted note generation, chat functionality, file processing, and search.
  • Account Management: Create and manage your account, authenticate users, enforce usage quotas, and provide customer support.
  • Billing & Payments: Process transactions, manage subscriptions, send invoices, and handle billing inquiries via our payment processor (Stripe).
  • Communications: Send service announcements, security alerts, support responses, and occasional product updates. You may opt out of non-essential communications.
  • Personalization: When memory features are enabled, use conversation history and preferences to personalize AI responses and improve your experience.
  • Security & Fraud Prevention: Detect and prevent unauthorized access, abuse, security threats, and fraudulent activity.
  • Legal Compliance: Comply with legal obligations, respond to legal requests, enforce our Terms, and protect our rights.
  • Analytics & Improvement: Analyze usage patterns, performance metrics, and feature adoption to improve the Services and develop new features.
  • De-identified & Aggregated Data: We may de-identify and aggregate data to analyze performance, quality, and usage trends. We will not attempt to re-identify such data.

Automated Decision-Making: The Services use AI to generate content suggestions and recommendations. These are assistive tools; final clinical decisions remain your responsibility. We do not make automated decisions that have legal or similarly significant effects without human involvement.

AI & Third-Party Processing

The Services utilize Microsoft Azure OpenAI Service to provide AI-powered features. When you submit prompts, upload files, or use chat functionality:

  • Data Transmission: Your inputs are transmitted to Azure OpenAI for processing. This may include prompts, conversation history, and file content.
  • No Training on Customer Data: We have configured Azure OpenAI to not use your inputs to train or improve their models. Your data is used solely to generate responses for you.
  • De-identification: You may enable optional de-identification features that redact PHI/PII before transmission to AI providers using Microsoft Presidio or AWS Comprehend Medical.
  • Embeddings & Search: The Services may create embeddings (numerical representations) of your content for search and retrieval features using Azure Cognitive Search and Azure OpenAI embedding models.
  • Logging: We may log request metadata (timestamps, model used, input/output length) for troubleshooting and quota management. Actual prompts may be hashed (HMAC-SHA256) or stored in de-identified form based on your organization's settings.

Azure OpenAI is a subcontractor subject to a Business Associate Agreement where PHI is involved.

Sharing & Disclosure

We share information in the following circumstances:

  • Within Your Organization: Organization administrators can view account information, usage data, and settings for users in their workspace. Conversation content is visible only to the user who created it unless shared.
  • With Subprocessors: We engage third-party service providers to support the Services (see Subprocessors section below). We impose contractual confidentiality obligations and, where applicable, execute BAAs.
  • Legal Requirements: We may disclose information to comply with law, respond to subpoenas or court orders, cooperate with law enforcement, or protect the rights, property, and safety of PsyFi, users, or the public.
  • Business Transfers: In connection with a merger, acquisition, bankruptcy, or sale of assets, subject to confidentiality obligations and continued privacy protections.
  • With Your Consent: We may share information with third parties when you direct us to do so or consent to the sharing.

We Do Not Sell Personal Information: We do not sell, rent, or trade personal information, including PHI, to third parties for their marketing purposes. Under California law, we do not "sell" or "share" personal information as those terms are defined in the CCPA.

Subprocessors

We use the following categories of third-party service providers (subprocessors) to deliver the Services:

  • Cloud Infrastructure: Amazon Web Services (AWS) - hosting, storage (S3), compute (EC2), database (RDS), task queuing (SQS).
  • AI Services: Microsoft Azure (Azure OpenAI Service, Azure Cognitive Search) - AI model hosting and search.
  • Payment Processing: Stripe, Inc. - subscription billing, payment processing.
  • Authentication: Google LLC - OAuth authentication (optional).
  • De-identification: Microsoft (Presidio), Amazon Web Services (Comprehend Medical) - PHI/PII detection and redaction (when enabled).
  • Malware Scanning: ClamAV (open-source, self-hosted or cloud-hosted) - file scanning (when enabled).
  • Email Delivery: Transactional email providers for account notifications and support communications.
  • Analytics & Monitoring: Infrastructure monitoring and error tracking services.

Subprocessors that access PHI are subject to Business Associate Agreements. We periodically review and update our subprocessor list. A current list is available upon request.

HIPAA & BAA

When we receive, create, maintain, or transmit PHI on your behalf, PsyFi acts as a Business Associate under HIPAA. We sign BAAs with Covered Entities and with our Subcontractors as required. Our safeguards include (without limitation) encryption in transit and at rest; access controls and least‑privilege; audit logging; vulnerability management; and incident response procedures. See our Security & Compliance page for details.

Security Measures

  • TLS 1.2+ for data in transit; AES‑256 for data at rest.
  • SSO/OAuth, role‑based access control, and optional MFA.
  • Network segmentation and VPC isolation on HIPAA‑eligible cloud services.
  • Logging, monitoring, and alerting for key events.
  • Regular backups and tested restoration procedures.

Retention & Deletion

We retain information for as long as necessary to deliver the Services, meet legal obligations, resolve disputes, and enforce agreements. Retention periods vary by data type:

  • Account Data: Retained for the duration of your account plus 90 days (for backup retention) after account deletion, unless longer retention is required by law.
  • Chat History & Files: Retained for the duration of your account or as configured by organization administrators. Deleted chats are purged from active systems within 30 days and from backups within 90 days.
  • Usage Logs: Request logs retained for up to 2 years for troubleshooting, security analysis, and compliance. May be de-identified for longer-term analytics.
  • Billing Records: Retained for 7 years to comply with tax and accounting requirements.
  • Support Communications: Retained for 3 years for quality assurance and dispute resolution.
  • PHI: Retention of PHI is governed by the BAA and applicable law. We will delete or return PHI upon termination or as directed by the Covered Entity.

Data Deletion: Upon account deletion or termination, we will delete or de-identify your personal data in accordance with the retention schedule above, subject to legal holds and regulatory requirements. Backup copies are purged on a rolling 90-day schedule.

Legal Holds: We may retain information longer if required by law, litigation hold, regulatory investigation, or to protect our legal rights.

Your Privacy Rights

Depending on your location, you may have rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete information.
  • Deletion: Request deletion of your personal information, subject to legal retention requirements.
  • Data Portability: Receive your data in a structured, machine-readable format (JSON, CSV).
  • Restriction: Request that we limit processing of your information in certain circumstances.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw Consent: Where processing is based on consent, withdraw that consent at any time.

Exercising Your Rights:

  • For PHI: Requests related to PHI should typically be directed to your healthcare provider or the Covered Entity that controls the PHI.
  • For Account Data: Contact us at privacy@psyfitechnologies.com with your request. We will verify your identity and respond within 30 days (45 days for complex requests).
  • Account Settings: Many preferences can be managed directly in your account settings (theme, notifications, memory, 2FA).

No Discrimination: We will not discriminate against you for exercising your privacy rights.

State Privacy Rights

California Residents (CCPA/CPRA): Under the California Consumer Privacy Act and California Privacy Rights Act, California residents have additional rights:

  • Right to Know: Request categories and specific pieces of personal information collected, sources, purposes, and third parties with whom it's shared.
  • Right to Delete: Request deletion of personal information, subject to exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell or share personal information as defined by the CCPA.
  • Right to Limit Sensitive Personal Information: We do not use sensitive personal information for purposes other than providing the Services.
  • Right to Non-Discrimination: Exercise rights without discriminatory treatment.

Sensitive Personal Information: We collect sensitive personal information (account credentials, 2FA secrets, PHI) only as necessary to provide the Services and secure your account. We do not use or disclose it for other purposes.

Other States: Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with comprehensive privacy laws have similar rights. Contact us at privacy@psyfitechnologies.com to exercise your rights.

Authorized Agent: You may designate an authorized agent to make requests on your behalf. We will require proof of authorization.

User Controls & Settings

You can manage many privacy settings directly through your account:

  • Memory Settings: Enable or disable the memory feature that personalizes AI responses based on conversation history. Disabling memory prevents future learning; past memory data can be deleted.
  • De-identification: Organization administrators can enable de-identification to redact PHI/PII before transmission to AI providers.
  • Two-Factor Authentication (2FA): Enable or disable 2FA for enhanced account security.
  • Notification Preferences: Manage email and in-app notification settings.
  • Theme & Appearance: Customize visual preferences (light/dark mode, etc.).
  • Data Export: Request export of your conversation history and files.
  • Account Deletion: Request permanent deletion of your account and associated data.

For organization-level settings, contact your organization administrator or billing admin.

International Users & Data Transfers

Our Services are primarily intended for use in the United States. Our servers and data infrastructure are located in the United States, and our subprocessors may operate globally.

Cross-Border Transfers: If you access the Services from outside the United States, you acknowledge and consent to the transfer and processing of your information in the U.S. and other jurisdictions where we or our subprocessors operate. These jurisdictions may have data protection laws that differ from those in your country.

Transfer Safeguards: For transfers of personal information from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Adequacy decisions for transfers to jurisdictions recognized as providing adequate protection.
  • Other lawful transfer mechanisms as applicable.

If you have questions about international data transfers, contact privacy@psyfitechnologies.com.

Children's Privacy

The Services are not intended for use by individuals under 18 years of age. We do not knowingly collect personal information directly from children under 13 without verifiable parental consent.

Pediatric PHI: Healthcare providers may use the Services to process PHI related to pediatric patients. Such processing is conducted under the Customer's authorization and the BAA, and the Customer is responsible for obtaining any necessary consents from parents or guardians.

If you believe we have inadvertently collected information from a child under 13, contact us immediately at privacy@psyfitechnologies.com.

Changes to this Policy

We may update this Privacy Policy from time to time to reflect operational, legal, or regulatory changes. When we make material changes, we will:

  • Post the updated Policy on our website with a new effective date.
  • Notify you via email or in-app notification if the changes materially affect your rights.
  • For PHI, obtain any required consents or authorizations under HIPAA before implementing material changes.

Your continued use of the Services after the effective date constitutes acceptance of the updated Policy. We encourage you to review this Policy periodically.

Contact Us

Privacy Questions & Requests: Email privacy@psyfitechnologies.com or write to: PsyFi Technologies, Attn: Privacy Officer, 555 Fayetteville St, Raleigh, NC 27601.

Data Breach Notification: In the event of a breach affecting PHI or personal information, we will notify affected individuals and regulatory authorities as required by law. Notifications will be provided without unreasonable delay and in accordance with HIPAA (for PHI) and applicable state breach notification laws. Notifications will include the nature of the breach, types of information involved, steps we are taking to investigate and mitigate, and steps you can take to protect yourself.

Complaints: If you have concerns about our privacy practices, you may file a complaint with:

We take all privacy concerns seriously and will investigate and respond to complaints promptly.