Privacy Policy

1. Introduction

Practice Pad ("we," "our," or "us") — operated by Practice Pad Technologies LLC, an Arizona limited liability company — provides a digital clinical note-taking and practice organization application designed specifically for licensed mental health therapists and clinical professionals. This Privacy Policy explains how information is collected, used, stored, and protected in connection with the Practice Pad iOS application and website at practicepadapp.com.

Practice Pad is an iPad-only application that operates on an offline-first, "Store & Forward" model. Your clinical notes are captured and encrypted on your device. When you are connected to a secure Wi-Fi network and choose to sync, notes are forwarded to your own Google Drive — not to Practice Pad servers. This architecture is fundamental to how we approach your privacy.

2. Your Role as Data Controller

Under HIPAA and applicable privacy law, the licensed therapist using Practice Pad is the Covered Entity and Data Controller responsible for the Protected Health Information (PHI) of their clients. Practice Pad Technologies LLC acts as a Business Associate (BA) with respect to any PHI that passes through our systems. This distinction is important:

• You — the therapist — are responsible for obtaining appropriate consent from your clients, maintaining records in compliance with your licensing board and state law, and executing the Business Associate Agreements described in Section 6.
• We are responsible for maintaining appropriate technical, administrative, and physical safeguards for any PHI we access, process, or transmit on your behalf — and for notifying you promptly if a security incident affecting PHI occurs.

3. Google API Disclosure (Limited Use Policy)

Practice Pad's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

• Data Minimization: We request only the permissions necessary to deliver core functionality. Specifically: drive.file to create a Practice Pad folder hierarchy and upload session note PDFs and handwritten note images to your own Google Drive; spreadsheets to append session metadata to a Master Session Ledger you own in your Drive; calendar.events.readonly to read your upcoming appointments and pre-populate session note metadata; and forms.responses.readonly to retrieve client-completed intake assessment responses for scoring within the app.
• Calendar Data & PHI: Your Google Calendar appointment data — which may include client names, appointment times, and session types — is read-only and used solely to pre-populate session note metadata on your device. This data is treated as PHI and is never transmitted to Practice Pad's servers. Metadata derived from Calendar data is explicitly excluded from automated crash reporting and telemetry packets, even in the event of an application crash.
• Assessment Response Data & PHI: Client-completed intake assessment responses retrieved via forms.responses.readonly contain PHI (health screening data such as PHQ-9 and GAD-7 responses). See Section 5 for how this data is handled during automated scoring.
• No Data Selling: We do not sell any data received via Google APIs to third parties, nor do we use your Google Workspace data for advertising.
• AI Features (Planned — Not Available in V1): A future version of Practice Pad (V2) plans to offer optional AI-powered note refinement. Any AI processing will be disclosed in full at the time of that feature's release, including which AI provider is used, what data is processed, and what HIPAA compliance measures apply. No AI features that process PHI are active in the current version of the app.

3a. Website Analytics & Cookies (practicepadapp.com)

This section covers data collected through the practicepadapp.com marketing website only. It is separate from how the Practice Pad iOS application handles data, which is described throughout the rest of this Privacy Policy.

• No Behavioral Advertising Cookies: We do not use advertising cookies, behavioral tracking pixels, retargeting scripts, or third-party ad networks on practicepadapp.com. We do not track visitors across other websites or build advertising profiles.
• Analytics: The practicepadapp.com website may use privacy-focused analytics (such as aggregate page view counts and referral source statistics) to understand how visitors find and use the site. Any analytics we use are configured to avoid collecting personally identifiable information and to respect Do Not Track signals. We do not share website analytics data with advertising networks.
• Essential Cookies: The website may set strictly necessary session cookies (e.g., for form state preservation or navigation). These cookies do not contain PHI or personally identifiable information and are not used for tracking or advertising.
• No Third-Party Trackers: We do not embed Facebook Pixel, Google Ads tags, LinkedIn Insight Tag, or similar third-party tracking scripts on the marketing website.
• Netlify Hosting: practicepadapp.com is hosted by Netlify, Inc. Netlify may collect standard server access logs (IP address, browser type, page requested, timestamp) as inherent in website hosting. These logs are retained by Netlify per their standard retention policies. Netlify does not receive PHI from practicepadapp.com.
• Contact Forms: If you submit a contact or waitlist form on practicepadapp.com, the information you provide (name, email address, message) is transmitted to Practice Pad Technologies LLC and used solely to respond to your inquiry or to notify you of app availability. This data is not shared with third parties for marketing purposes.
• Do Not Track: We respect Do Not Track (DNT) browser signals. When DNT is enabled, we do not deploy any optional analytics or tracking on the website.

4. Information We Collect for App Operations

Practice Pad is designed to minimize what we collect. The following describes information we receive or generate in the course of operating the service:

• Account Data: Your email address (via Google OAuth), subscription tier status, and support communication history. This is stored by Practice Pad and used to manage your account.
• App Telemetry: We collect anonymized usage statistics and crash logs to improve the app. All telemetry is stripped of user-generated content, handwriting, client names, and PHI before leaving your device. We do not receive raw clinical content through telemetry.
• Payment Information: Subscriptions and one-time purchases are processed entirely through the Apple App Store. Practice Pad Technologies LLC does not receive, store, or process your credit card or payment account information.
• Audit Log: A local audit log of sync events, timestamps, sync destination identifiers (Google Drive file IDs and folder IDs), and operational actions is stored on your device to support HIPAA compliance, clinical accountability, and the Accounting of Disclosures requirements under 45 CFR § 164.528. This log is not transmitted to Practice Pad servers. The inclusion of sync destination identifiers enables you to reconstruct a record of where PHI was transmitted, consistent with HIPAA's Accounting of Disclosures standard.
• OAuth Tokens: Your Google OAuth refresh token is stored in your device's encrypted keychain (expo-secure-store) and is used solely to authenticate your account with Google APIs. We do not store your Google credentials on Practice Pad servers.

5. Assessment Scoring

Practice Pad includes automated scoring for standardized clinical assessment instruments (PHQ-9, GAD-7, PCL-5, ACE, C-SSRS). All scoring is performed entirely on your device — PHI never leaves your iPad during this process.

• How It Works: When you initiate a sync, the app reads your clients' completed intake assessment responses directly from your Google Forms response sheets using your own authorized OAuth token (forms.responses.readonly scope). All scoring calculations are performed locally on your device in the app. Computed scores (e.g., "PHQ-9 Score: 14 — Moderate") are stored locally and logged to your Master Session Ledger in your Google Sheets — no intermediate server is involved at any point in this process.
• PHI Stays on Your Device: Assessment response data is retrieved from your Google account directly by the app and processed on-device. It is never transmitted to Practice Pad's servers or any third-party infrastructure for scoring purposes. This architecture is consistent with our broader "Store & Forward" privacy model and is analogous to how handwriting recognition (OCR) is performed entirely on-device using Apple's Vision Framework.
• C-SSRS Suicide Risk Flagging: If a C-SSRS intake screening result meets a threshold for active suicidal ideation, the app displays a risk alert to the clinician at next launch. The score and risk flag are stored locally on your device and logged to your Master Session Ledger in Google Sheets — not to Practice Pad's infrastructure.

6. HIPAA Compliance & Protected Health Information

Practice Pad is designed for use by licensed healthcare professionals who handle Protected Health Information (PHI) as defined under HIPAA. We implement safeguards across all three categories required by the HIPAA Security Rule:

• Technical Safeguards — Encryption at Rest: All locally stored clinical data, session notes, and handwritten canvas images are encrypted using AES-256 via SQLCipher. Access to the app requires your device's native biometric authentication (Face ID or Touch ID) or a secure device passcode.
• Technical Safeguards — Encryption in Transit: All communication with Google Workspace APIs occurs over HTTPS with TLS 1.3.
• Technical Safeguards — On-Device OCR: Handwriting-to-text conversion is performed entirely on your device using Apple's Vision Framework (VNRecognizeTextRequest). No handwritten content is transmitted to any external server during this process.
• Technical Safeguards — Local Audit Log: All sync events are logged locally with timestamps, providing an access and activity record consistent with HIPAA audit control requirements.
• Administrative Safeguards: Practice Pad Technologies LLC maintains internal policies governing workforce access to systems and credentials. The founder, Perry Emerick, LPC, serves as the designated Privacy and Security Officer.
• Physical Safeguards: Practice Pad does not operate physical server infrastructure that stores PHI. Your clinical data resides on your iPad (subject to your physical device security practices) and your Google Drive (subject to Google's physical and organizational safeguards).
• BAA Requirements & Execution: HIPAA requires that a Business Associate Agreement be in place before any PHI is transmitted. Therapists who enable Cloud or Pro tier features must execute a BAA with both Google LLC (for your Google Workspace account) and Practice Pad Technologies LLC before syncing any PHI. The Practice Pad BAA is presented as a click-through agreement during Cloud or Pro onboarding and must be accepted before sync features are activated. You may not bypass this step. If you require a countersigned paper BAA for your records, contact support@practicepadapp.com with the subject line "BAA Request."
• No PHI in Telemetry: All anonymized usage statistics and crash logs are stripped of any user-generated content, handwriting, or PHI before leaving your device.

7. Data Processors & Subcontractors

Practice Pad engages the following third-party service providers who may process personal data or PHI in connection with delivering the app:

• Google LLC — Provides the Workspace APIs (Drive, Sheets, Calendar, Forms) that power Cloud and Pro tier sync features. PHI synced to Google Drive is stored in your Google Workspace account. Google's HIPAA compliance and BAA obligations are between you and Google. Visit workspace.google.com for details on executing a Google Workspace BAA.
• Netlify, Inc. — Hosts the practicepadapp.com website and one serverless function (provision-library.js) that copies community template files into your Google Drive when you first connect your account. This function operates using your own OAuth token and copies non-clinical template files (Google Drive file IDs and folder identifiers) only. Netlify processes only administrative metadata — template file identifiers used to provision your library — and never receives, processes, or stores PHI. Netlify infrastructure logging is disabled for this function; no PHI appears in Netlify server logs or infrastructure at any level. No PHI is ever transmitted to or processed by Netlify infrastructure. Netlify is not a HIPAA Subcontractor in the context of Practice Pad's operations.
• Apple Inc. — Processes App Store subscriptions and one-time purchases on our behalf. Apple does not receive clinical data or PHI. Apple's on-device frameworks (Vision Framework for OCR, PencilKit for handwriting, CryptoKit for encryption) are used locally on your iPad.

Important — Google Workspace Paid Account Required: Cloud and Pro tier features require a paid Google Workspace account (such as Business Starter, Business Standard, or higher). Personal Google accounts (@gmail.com) are not covered by Google's HIPAA Business Associate Agreement and are not HIPAA-compliant environments for storing PHI. Using Practice Pad's sync features with a personal Gmail account would constitute a HIPAA violation. Practice Pad does not validate your Google account type at the infrastructure level — you are responsible for ensuring you are signed into a paid, HIPAA-configured Workspace account before enabling sync. Practice Pad does not audit, verify, or monitor your Google account configuration after onboarding. Compliance with the Google Workspace paid account requirement is your sole ongoing responsibility as the Covered Entity. We recommend periodically confirming that your Google Workspace account remains on an active paid plan and that your Google BAA remains in effect.

We do not sell personal data or PHI to any third party. We do not share user data with advertising networks.

8. How Your Data Is Stored and Secured

Practice Pad employs a "Store & Forward" architecture to maximize both privacy and clinician control.

• Local Offline Storage: Session notes, handwritten canvas images, and client records are stored exclusively on your iPad's local storage until you initiate a sync. This data is encrypted at rest using AES-256 (via SQLCipher).
• Biometric Access: Access to the app is protected by your device's native security: Face ID, Touch ID, or a secure device passcode. The app will auto-lock after a configurable period of inactivity.
• Your Google Drive as Archive: After sync, finalized session note PDFs, handwritten images, and intake documents are stored in a structured folder hierarchy within your Google Drive — not on Practice Pad servers. You own and control this data. Practice Pad does not retain copies of synced records.
• One-Direction Sync: Data flows from your iPad to Google Drive only. Practice Pad does not pull edits from Google Drive back to the app. Your iPad is the source of truth until a session note is finalized and synced.
• Offline Queue Integrity: If sync is interrupted, notes are held in an encrypted offline queue on your device and retried the next time you open the app on a Wi-Fi connection. The queue is never discarded silently.

9. Data Retention & Deletion

Practice Pad's data retention approach reflects our architecture: clinical records are yours, stored in your environments, not ours.

• Clinical Data: Session notes, handwritten content, and client records stored locally on your device are retained until you delete them from within the app or uninstall the app. Notes synced to your Google Drive are retained in your Drive until you delete them directly in Google Drive. Practice Pad does not retain copies of clinical records on its own servers.
• Account Data: Your email address and subscription status are retained for as long as your account is active and for a period of up to 12 months thereafter, after which they are deleted from our records. You may request deletion at any time by contacting support@practicepadapp.com.
• Telemetry: Anonymized usage and crash logs are retained for up to 12 months for product improvement purposes, after which they are deleted. Telemetry is stripped of PHI before leaving your device (see Section 6); Practice Pad does not hold PHI in telemetry or application logs. To the extent any Business Associate Agreement executed with Practice Pad Technologies LLC requires specific retention or destruction procedures for BA-held data, those BAA terms govern over the general timelines in this section. If you require written confirmation of data destruction upon termination, contact support@practicepadapp.com with the subject line "BAA Data Destruction Request."
• Deletion Requests: To request deletion of your Practice Pad account data, email support@practicepadapp.com. We will process your request within 30 days. Note: deletion of your local app data and synced Google Drive records must be performed by you directly, as Practice Pad does not control your Google Drive.
• Clinician Record-Keeping Obligations: Deleting the Practice Pad app or your account does not relieve you of your professional and legal obligation to maintain client records in compliance with your licensing board and applicable state law. Maintain parallel records per your jurisdiction's requirements.

10. Your Privacy Rights

Depending on your jurisdiction, you may have rights with respect to your personal information. These rights vary by state and may include the right to know what personal information we hold about you, to request correction of inaccurate information, to request deletion, and to opt out of certain data practices. To exercise any of the rights listed below, contact us at support@practicepadapp.com with the subject line "Privacy Rights Request." We will verify your identity before processing any rights request and will respond within 30 days (or as otherwise required by applicable law).

• Access & Correction: You may request a summary of the personal information Practice Pad holds about your account (email address, subscription tier, support communication history) and may request correction of any inaccurate information.
• Deletion: You may request deletion of your account information as described in Section 9. We will process deletion requests within 30 days, subject to any legal hold obligations. Note that deletion of local app data and synced Google Drive records must be performed by you directly.
• Data Portability: You may request a copy of the personal information we hold about your account in a portable, machine-readable format. Note: clinical session notes and PHI are stored on your device or in your Google Drive — you already have direct access to and control over this data.
• Do Not Sell or Share My Personal Information: Practice Pad does not sell your personal information to third parties, and does not share your personal information with third parties for cross-context behavioral advertising purposes, as those terms are defined under applicable California law (CCPA as amended by CPRA). If we ever change this practice, we will update this Privacy Policy, provide advance notice, and establish a clear opt-out mechanism before any such sharing occurs.
• Opt Out of Sensitive Personal Information Processing: Practice Pad does not use sensitive personal information (including health information) for purposes other than providing the core Services and as otherwise required by law. No opt-out from core processing is available without terminating your account, as such processing is necessary to deliver the Services.
• California Residents — CCPA and CPRA Rights: California residents have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA, effective January 1, 2023). These include: (a) the right to know what categories and specific pieces of personal information we collect, use, disclose, or sell; (b) the right to delete personal information, subject to legal exceptions; (c) the right to correct inaccurate personal information; (d) the right to opt out of the sale or sharing of personal information (Practice Pad does not sell or share); (e) the right to limit the use and disclosure of sensitive personal information; and (f) the right to non-discrimination for exercising privacy rights. To exercise California privacy rights, contact us at the address below. We do not discriminate against users who exercise their CCPA/CPRA rights.
• HIPAA Individual Rights & BA Assistance Obligation: Your clients' rights to access, amend, restrict, or obtain an accounting of disclosures of their PHI are rights they hold against you as the Covered Entity under 45 CFR §§ 164.524, 164.526, 164.528, and 164.522. Under the HITECH Act (§ 13405(e)), Practice Pad as your Business Associate is required to assist you in fulfilling those obligations to the extent PHI is within our possession or control. The Practice Pad app provides built-in tools to view, export, and delete local client records for this purpose. PHI synced to your Google Drive is in your direct possession — access it there. Contact support@practicepadapp.com if you need Business Associate assistance responding to a client HIPAA rights request.
• Right to Lodge a Complaint: If you believe your privacy rights under HIPAA have been violated, you may file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) at hhs.gov/hipaa/filing-a-complaint. Submitting a complaint to HHS OCR does not affect your right to pursue other remedies. Practice Pad will not retaliate against any user for filing a complaint with HHS OCR or any other regulatory authority. If you have a privacy concern about the practicepadapp.com website, you may also contact your state's consumer protection authority.
• De-Identification: Practice Pad does not create or use de-identified datasets derived from your PHI for commercial purposes. If we ever do so in connection with a future feature, we will update this Policy, provide advance notice, and implement the de-identification standards required by 45 CFR § 164.514.

11. Security Incidents & Breach Notification

Practice Pad Technologies LLC takes the security of PHI seriously and maintains an internal incident response process consistent with HIPAA's Breach Notification Rule (45 CFR §§ 164.400–414).

• What Constitutes a Breach: A "breach" under HIPAA is the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI.
• Our Notification Obligation: If Practice Pad Technologies LLC discovers a breach of unsecured PHI that we created, received, maintained, or transmitted as your Business Associate, we will notify you — the affected therapist (Covered Entity) — as soon as possible, and in no event later than 60 calendar days following discovery of the breach, as required by 45 CFR § 164.410. In practice, we aim to notify affected covered entities within 10 business days of determining that a reportable breach has occurred, as many state laws and executed BAAs impose shorter timelines than HIPAA's federal maximum.
• Notification Contents: Our breach notification to you will include: a description of what happened and when the breach occurred (if known); the types of PHI involved (e.g., assessment scores, session metadata); the steps we have taken to investigate and mitigate the breach; and contact information for questions.
• Your Obligation: Upon receiving notice of a breach from us, you as the Covered Entity are responsible for notifying affected individuals and, where required, the U.S. Department of Health and Human Services, in accordance with the HIPAA Breach Notification Rule.
• Reporting a Suspected Incident: If you notice unusual behavior in the app — such as unexpected sync activity or unauthorized access — contact us immediately at support@practicepadapp.com.

12. Changes to This Policy

We may update this Privacy Policy as Practice Pad evolves. For material changes — those that meaningfully affect how your data or PHI is handled — we will provide at least 30 days' advance notice before the change takes effect. Notice will be delivered via the email address associated with your account and/or via a notice within the app.

Non-material changes (such as clarifications, formatting corrections, or contact information updates) may be made without advance notice. The "Effective Date" at the top of this page will always reflect the date of the most recent update. Continued use of Practice Pad after the effective date of a material change constitutes your acceptance of the updated policy.