Data Handling & HIPAA
Last updated: May 1, 2026
The short version
Therapy Resources is built so you don't need to upload Protected Health Information (PHI). You describe the materials you want, the AI illustrates them, and you print them. Client names, diagnoses, and case notes never enter the system. Because we don't process PHI, HIPAA's Business Associate Agreement (BAA) framework doesn't apply — but the standards it sets (encryption, access control, retention, deletion) inform how we operate anyway.
No PHI required
Nothing in the create flow asks for client-identifying information. You don't need to share:
- Client names, ages, or identifying details
- Diagnoses or clinical notes
- Session content or case histories
- Photos, recordings, or quotes from clients
If you already keep PHI in your EHR or paper records, leave it there. Therapy Resources works at the level of generic therapy concepts — an emotion card labeled "frustrated", a worksheet about coping strategies, a board game about social skills — not client-specific case material.
About HIPAA specifically
Therapy Resources is not HIPAA-certified, and we do not sign Business Associate Agreements. HIPAA governs Protected Health Information — patient names, diagnoses, treatment notes, and similar data tied to identifiable individuals. Because Therapy Resources is designed around generic therapy materials rather than client-specific records, there's typically no PHI to protect.
If a particular workflow does require creating materials that include PHI (for example, a personalized social story naming a specific child), that material should be created and stored inside your HIPAA-compliant EHR or local files — not here.
Encryption, residency, and retention
All traffic between your browser and Therapy Resources runs over HTTPS (TLS 1.2+). Data is stored in Convex (US-East region) with encryption at rest. Passwords are hashed with bcrypt — we never see or store plaintext passwords. Payment credentials are handled exclusively by Dodo Payments (PCI-DSS compliant) and never touch our servers.
Image generation runs on Google Gemini. Prompts and reference images are sent to Google's API for processing, but Gemini does not persist your prompts. We don't transfer your data to advertising networks or analytics brokers.
When you delete your account, we permanently remove your styles, characters, resources, generated images, and prompt history. Removal typically completes within 7 days, with backups expiring within 30 days. You can export or delete individual items at any time from Settings.
Subprocessors
We share operational data with the following services:
- Convex (US) — Database and file storage. Hosts account data, content, and generated images.
- Google Gemini — AI image generation. Receives style descriptions and character prompts; does not persist them.
- Dodo Payments (US) — Payment processing as merchant of record. Receives name, email, and payment details for billing.
- AhaSend — Transactional email. Receives email addresses for password resets and account notifications.
We do not sell your data. The full data inventory and your rights over each category are in the Privacy Policy.
Contact
Questions about how we handle your data? Email us at [email protected]