Privacy Policy

Effective Date: January 1, 2026

Same Time Next Week LLC (“Therhappy”, “we”, “us”, or “our”) values your privacy. This Privacy Policy explains how we collect, use, store, and protect information through our platform, including websites, applications, telehealth features, and related services (collectively, the “Services”).

1. Scope

This Privacy Policy applies to Providers (licensed healthcare professionals), Authorized Users (staff or personnel), and Clients (patients receiving services) who interact with Therhappy.

2. Information We Collect

  • Provider / Authorized User Information: account registration data, credentials, contact info, role assignment.
  • Client / Patient Information: Protected Health Information (PHI), including health records, treatment notes, appointment history, and communications entered by Providers.
  • Usage Data: logs, device information, IP addresses, browser type, actions within the Services.
  • Third-Party Data: data obtained via integrations or authorized connections.

3. Ownership and Control of Data

Providers retain full ownership and control of all Client data. Therhappy acts solely as a HIPAA Business Associate, processing PHI only on behalf of Providers under their direction.

4. How We Use Information

  • Provide and maintain the Services
  • Support HIPAA-compliant telehealth, messaging, and scheduling functionality
  • Perform analytics and improvements using de-identified and aggregated data in accordance with HIPAA standards
  • Communicate about account, service updates, and legal obligations

5. De-Identified and Aggregated Data

Therhappy may use de-identified or aggregated information for analytics, research, and product improvement. De-identification is performed following HIPAA standards so that no individual can be reasonably identified.

6. Data Security and Safeguards

Therhappy implements administrative, technical, and physical safeguards designed to protect PHI, including but not limited to:

  • Encryption of data in transit (TLS) and at rest (AES-256 or industry equivalent)
  • Multi-factor authentication (MFA) for Provider and Authorized User accounts
  • Role-based access control with strict permission assignments
  • Audit logging and monitoring of system access
  • Regular penetration testing and security assessments
  • High availability infrastructure, data redundancy, and disaster recovery planning

While we employ reasonable safeguards, no system is completely secure. Users are responsible for safeguarding credentials and devices.

7. Breach Notification and Incident Response

In the event of a confirmed breach of PHI or other sensitive data, Therhappy will promptly notify affected Providers in accordance with HIPAA breach notification requirements and applicable law. We maintain a documented incident response plan to address security events.

8. Data Retention and Deletion

PHI and other account data are retained only as long as necessary for business and legal purposes. Providers may request deletion of their account data; Therhappy will delete such data in accordance with HIPAA and internal retention policies, subject to legal obligations. If a practice closes, Therhappy retains data for 30 days.

9. Third-Party Services

Therhappy may use third-party service providers for hosting, analytics, integrations, or telehealth functionality. We ensure these providers comply with HIPAA standards. Therhappy is not responsible for the security practices of third-party services beyond our contractual agreements.

10. Government Requests and Audits

Therhappy may disclose information in response to lawful subpoenas, audits, regulatory inquiries, or other legal requirements. Providers will be notified when permissible, unless prohibited by law.

11. Telehealth and Electronic Communication

Therhappy supports telehealth and electronic communications. Providers are responsible for determining telehealth appropriateness, obtaining consent, and complying with state and federal regulations. Therhappy does not guarantee video or audio quality, session continuity, or delivery of messages, and is not responsible for missed communications.

12. International and Minors

All PHI is stored in the United States. Users outside the U.S. should be aware that U.S. laws apply. The Services are not intended for individuals under 13, and we do not knowingly collect data from minors without parental consent.

13. Data Subject Rights

Providers may access, amend, or request deletion of Client data under HIPAA and applicable state law. Requests must be made via the account interface or by contacting support.

14. Changes to This Privacy Policy

Therhappy may update this Privacy Policy periodically. Providers will be notified of material changes, and continued use of the Services constitutes acceptance.

15. Contact Information

Same Time Next Week LLC
Operating Therhappy
Email: legal@therhappy.com
