Privacy Policy
1. Informed Consent for Data Collection & Usage
- Clients must explicitly agree to the collection and storage of their personal profile information and therapy notes.
- Clear descriptions should be provided on why each type of data is collected and how it will be used.
- Include consent checkboxes during account creation and profile setup for:
- Personal account data (name, email, etc.)
- Therapy session notes storage and access
2. Consent for Data Sharing & Third-Party Access
- Clients should be informed if their data will be shared with:
- Their therapist (explicit permission for therapists to access and store notes)
- Any third-party services (e.g., analytics, payment processors, external health apps)
- Clients must be able to grant or withdraw consent for sharing their data at any time.
3. Right to Withdraw Consent
- Clients should be able to delete their account or request data deletion at any time.
- The system should provide a simple way to withdraw consent for specific data (e.g., personal notes, account profile).
- Consider a cooling-off period where a client can change their mind before full deletion.
4. Consent for Data Retention Periods
- Define how long TTAMS will retain therapy notes and personal data.
- Allow clients to choose:
- Permanent storage (until they request deletion)
- Automatic deletion after a specified period (e.g., 6 months, 1 year)
- Manual deletion (clients can delete therapy notes whenever they want)
5. Consent for Communication Preferences
- Allow clients to opt in/out of:
- Session reminders
- Marketing emails (if applicable)
- Follow-up communications from therapists
- Provide a settings page where clients can update their preferences.
6. Parental or Guardian Consent (if applicable)
- If minors are allowed on TTAMS, include an age verification system.
- Require guardian consent for account creation and therapy data retention.
7. Audit Trail & Record-Keeping of Consents
- Store timestamps and logs of when clients give or withdraw consent.
- Ensure that any changes to consent preferences are recorded.
8. Legal Compliance (GDPR, HIPAA, etc.)
- If operating in the EU, ensure compliance with GDPR (users should be able to download or delete their data).
- If dealing with health-related data in the US, ensure HIPAA compliance (secure storage, data encryption, limited access).
- Provide a privacy policy that outlines all data management practices.