Theralyft

Privacy Policy

Last updated: June 25, 2026

Theralyft ("we", "us", "our") operates a therapy on-demand marketplace that connects clients with licensed mental health professionals. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information — including sensitive health information — in compliance with applicable law in the United States (HIPAA), the European Union and United Kingdom (GDPR / UK GDPR), Australia (Privacy Act 1988 and the Australian Privacy Principles), and Zambia (Data Protection Act 2021).

To exercise any of your rights described in this policy, contact us at privacy@theralyft.com.

1. Information We Collect

Account & Profile Data

Full name, email address, phone number, location, account type (client, therapist, or organisation), and profile photo.

Health & Clinical Data

Therapy requests, session notes, specialisations, diagnoses discussed in sessions, and any health information you share with a therapist. This constitutes Protected Health Information (PHI) under HIPAA and sensitive data under GDPR and equivalent laws.

Therapist Professional Data

Professional licence number, licensing body, years of experience, therapy approaches, and Stripe Connect account details.

Payment Data

Payment transactions are processed by Stripe. We store payment reference IDs and amounts; we do not store card numbers or CVVs.

Communications Data

Messages exchanged in session rooms are handled via Stream Chat. Video session metadata is stored for scheduling purposes.

Technical Data

IP address, browser type, device information, cookies and similar tracking technologies. See our Cookie Policy for details.

2. How We Use Your Information

  • To provide, operate, and improve the Theralyft platform
  • To match clients with appropriate therapists
  • To process payments and payouts
  • To send transactional emails (session confirmations, invitations, payment receipts)
  • To verify therapist credentials and maintain platform safety
  • To comply with legal and regulatory obligations
  • To respond to support requests

3. Legal Basis for Processing (GDPR / UK GDPR)

For users in the EU and UK, our lawful bases for processing personal data are:

  • Contract performance — to deliver the services you signed up for
  • Explicit consent — for processing health and clinical data (Article 9 GDPR)
  • Legitimate interests — platform security, fraud prevention, and product improvement
  • Legal obligation — where required by applicable law

You may withdraw consent for health data processing at any time by contacting us, though doing so will prevent us from providing therapy services to you.

4. HIPAA Compliance (US Users)

Theralyft is committed to HIPAA compliance. We have entered into a Business Associate Agreement (BAA) with our infrastructure provider (Supabase). PHI is encrypted at rest and in transit. Access to PHI is restricted to personnel with a clinical or operational need. We maintain audit logs of PHI access. In the event of a data breach affecting PHI, we will notify affected individuals and the U.S. Department of Health and Human Services within the timeframes required by the HIPAA Breach Notification Rule.

5. Third-Party Service Providers

We share data with the following sub-processors solely to deliver our services:

Provider    Purpose                                     Location
Supabase    Database, authentication, file storage      US / EU
Stripe      Payment processing                          US
Resend      Transactional email                         US
Stream      In-session messaging and video              US

We do not sell your personal data to third parties.

6. International Data Transfers

Our infrastructure is primarily located in the United States. For users in the EU, UK, Australia, and Zambia, your data may be transferred internationally. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) for EU/UK transfers, and contractual commitments from our sub-processors to handle data in accordance with applicable privacy law.

7. Your Rights

Depending on your jurisdiction, you have the following rights:

All Users

  • Access a copy of your personal data
  • Correct inaccurate data
  • Request deletion of your account and data

EU / UK Users (GDPR / UK GDPR)

  • Right to erasure ("right to be forgotten")
  • Right to data portability
  • Right to object to processing
  • Right to restrict processing
  • Right to lodge a complaint with your supervisory authority

Australian Users (Privacy Act 1988 / APP)

  • Access and correct your personal information
  • Make a complaint to the Office of the Australian Information Commissioner (OAIC)

Zambian Users (Data Protection Act 2021)

  • Access, rectification, and erasure of your data
  • Object to processing
  • Lodge a complaint with the Zambia ICT Authority (ZICTA)

US Users (HIPAA)

  • Right to access and receive a copy of your PHI
  • Right to request amendment of PHI
  • Right to an accounting of disclosures

To exercise any of these rights, go to Settings in your account or email privacy@theralyft.com. We will respond within 30 days (or as required by your local law).

8. Data Retention

We retain your personal data for as long as your account is active, or as required by law. Clinical records may be subject to minimum retention periods under applicable healthcare regulations. Upon account deletion we delete your profile and associated data within 30 days, except where we are required to retain records for legal, tax, or regulatory purposes.

9. Children's Privacy

Theralyft is not intended for children under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us immediately at privacy@theralyft.com.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice on the platform at least 14 days before the change takes effect.

11. Contact Us