Privacy Policy

• Account data: name, email, phone (optional), state, license type, license number, license issue date, supervision designation, mailing address.
• Supervision activity: clinical hour logs, supervision sessions, competency ratings, golden-thread case entries (with anonymized labels), export audit records, and attestations.
• Uploaded documents: supervision agreements, credentials, disclosure forms, and other documents you choose to upload to your document vault.
• Billing data: handled by Stripe. We store a Stripe customer ID and your subscription status; we do not store card numbers on our servers.
• Technical data: authentication cookies, IP address, basic device/browser data, and aggregate usage events needed to operate the service.

• To provide and improve the service you signed up for.
• To compute progress signals (pace, triage, milestones) from the data you log.
• To generate board-ready exports and attestations at your request.
• To send account-related email (invitations, billing receipts, security notices, and important product changes).
• To meet legal obligations, enforce our Terms, and prevent abuse.

We do not sell your personal information. We do not use your supervision data, case notes, or uploaded documents to train machine-learning models.

We share only what is necessary to operate the service:

• Your linked supervisor/supervisee. When you are in an active supervision relationship, the other party can see the supervision-related data relevant to that relationship (sessions, hour-log verifications, attestations, and metadata about documents you upload). You control whether to enter or leave a relationship.
• Subprocessors. We use these vendors to run the service:

• All traffic is encrypted in transit (HTTPS/TLS).
• Data at rest is stored in managed databases with encryption enabled by the vendor.
• Row-level security isolates each user's data; supervisors only see records tied to their active relationships.
• Uploaded documents live in a private storage bucket keyed to your user ID; other users cannot read or list them.
• No system is 100% secure. If we learn of a breach affecting your data, we will notify you in accordance with applicable law.

You can, at any time:

• Access your data through your dashboard or by emailing us.
• Export your hours and supervision records as CSV/PDF from the Export page.
• Correct inaccurate data from your Profile and log pages.
• Delete your account and associated data by emailing us. Some records may be retained as required by law (e.g., billing records) or to protect the integrity of attestations already relied upon.

If you are in the EU/UK or California, you have additional rights under GDPR and CCPA respectively, including the right to object to processing and to request portability. To exercise these rights, email support@theranotes.ai.

We retain your data while your account is active. After account deletion we delete identifiable data within 30 days, except where retention is required by law (typically 7 years for billing records) or where an export or attestation has already been generated and must be preserved for audit integrity.

We use first-party cookies only for authentication. We do not use advertising cookies. Product analytics (PostHog) may set a first-party identifier; you can opt out via your browser's Do Not Track setting.

SupervisionPath is a professional tool for adults. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, email us and we will delete it.

If we make material changes to this policy, we will notify you by email or an in-app notice before the changes take effect. The "Effective" date at the top of this policy indicates the current version.

Privacy questions or requests: support@theranotes.ai

TheraNotes AI, LLC (Alabama, USA)