Privacy Policy
Effective date: March 21, 2026
1. Who We Are
Innerbreath ("we," "us," or "our") operates the Innerbreath mobile application (the "App"), a practice management platform for licensed massage therapists and their clients. Our contact email is hello@innerbreath.app.
2. HIPAA Notice
Innerbreath is designed to support HIPAA compliance for covered entities. We maintain a Business Associate Agreement (BAA) with each of our infrastructure providers that process Protected Health Information (PHI). PHI collected through the App (including session notes, intake forms, and appointment records) is stored on AWS infrastructure located in the United States and is protected under our security program.
If you are a massage therapist using Innerbreath as part of your practice, you remain the covered entity or business associate responsible for your clients' PHI under HIPAA. Please contact us at hello@innerbreath.app to request a Business Associate Agreement.
3. Information We Collect
Account Information
When you create an account, we collect your email address or phone number to authenticate you via one-time passcode (OTP). We also store your role (therapist or client) and, for therapists, your business name and service offerings.
Appointment and Session Data
Therapists create appointment records (date, time, service type, price) and session notes (SOAP notes generated via voice transcription). This data constitutes PHI and is stored securely on AWS RDS (PostgreSQL), accessible only to the therapist who created it and, where appropriate, the client it pertains to.
Voice Transcription
SOAP notes are generated using on-device speech recognition (Apple's SFSpeechRecognizer). Audio is processed entirely on your device and is never uploaded to our servers or any third-party service. Only the resulting text transcript is sent to Microsoft Azure OpenAI for SOAP note generation — and only after you explicitly consent in the app before your first note is generated.
Payment Information
Payments are processed by Stripe, Inc. We do not store credit card numbers, bank account details, or other financial account information on our servers. Stripe may collect and store payment information in accordance with their own privacy policy and PCI DSS compliance program.
Analytics
We use PostHog for product analytics. No PHI is included in analytics events — only anonymized, non-identifying behavioral data (e.g., "appointment created," "SOAP note generated") is sent to PostHog.
Crash Reporting
We use Sentry for crash reporting in production. Before any crash report is sent, we remove all user-identifying fields, extra context, and breadcrumb history to ensure no PHI is transmitted.
Device Identifiers
The App collects device or other identifiers — such as a randomly generated analytics device ID (PostHog), a crash-reporting installation ID (Sentry), a push notification token (Expo / Firebase Cloud Messaging), and device signals used by Stripe for fraud prevention. These identifiers are used only for app functionality, analytics, and security; they are never sold, never used for advertising, and are only transferred to the service providers listed above acting on our behalf.
4. How We Use Your Information
- To provide, operate, and improve the Innerbreath App
- To authenticate your identity via OTP
- To generate AI-assisted SOAP notes from your voice transcripts
- To process payments for appointments and subscriptions
- To send appointment reminders and account notifications via email or SMS
- To maintain audit logs of PHI access as required for HIPAA compliance
- To detect and fix bugs and crashes
We do not sell your personal information or PHI to any third party. We do not use your clinical data for advertising purposes.
5. Data Sharing
We share data only as necessary to operate the service:
- AWS (Amazon Web Services) — cloud infrastructure (Cognito auth, RDS database, Lambda compute, SES email, SMS messaging). BAA in place.
- Microsoft Azure OpenAI — AI-assisted SOAP note generation. Only the text transcript (no audio, no direct identifiers) is sent, and only after you consent in the app. Your data is never used to train AI models. Azure OpenAI processes this data under a signed Business Associate Agreement (BAA), providing the same level of protection for your data that we do.
- Stripe, Inc. — payment processing. PHI is never included in payment data.
- PostHog — product analytics. PHI is stripped before any event is sent.
- Sentry — crash reporting. PHI is stripped before any report is sent.
We may disclose information if required by law, court order, or to protect the rights and safety of our users or the public.
6. Data Retention
We retain your account and clinical records for as long as your account is active or as needed to provide services. If you request account deletion, we will delete your data within 30 days, except where retention is required by law (e.g., HIPAA requires covered entities to retain certain records for 6 years).
Audit logs of PHI access are retained for a minimum of 6 years in accordance with HIPAA requirements.
7. Security
- All data in transit is encrypted using TLS 1.2 or higher
- Database storage is encrypted at rest (AWS RDS with AES-256)
- Authentication uses one-time passcodes (OTP) — no passwords stored
- Session tokens expire after 30 minutes of inactivity
- Access to PHI is logged in a tamper-evident audit trail
- The database is in a private VPC subnet with no public internet access
- All clinical data is scoped server-side to the treating therapist
8. Your Rights
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your account and associated data
- Receive a copy of your data in a portable format
- Opt out of non-essential communications
To exercise any of these rights, email us at hello@innerbreath.app.
9. Children's Privacy
The Innerbreath App is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a minor, please contact us immediately at hello@innerbreath.app.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. For material changes, we will notify users via email or an in-app notice. Your continued use of the App after any changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or our data practices:
Innerbreath
Email: hello@innerbreath.app
© 2026 Innerbreath. All rights reserved.
