Privacy Policy
1. Introduction
Steady Clinical, LLC ("Steady Clinical," "we," "our," "us") operates a clinical development platform that provides AI-assisted tools for licensed mental health professionals. This Privacy Policy describes how we collect, use, store, and protect information — including Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH Act").
This Privacy Policy is part of our Terms of Service. If you have executed a Business Associate Agreement ("BAA") with us, the BAA governs the use and disclosure of PHI to the extent of any conflict with this Privacy Policy. Capitalized terms not defined here have the meanings given in our Terms of Service or BAA.
2. Information We Collect
Account Information
- Name, email address, and phone number
- Authentication credentials (passwords are cryptographically hashed using industry-standard algorithms; we do not store plaintext passwords)
- Professional credentials and onboarding responses
Clinical Data (PHI)
- Client names and identifiers entered by therapists
- Session notes and clinical observations
- Clinical consultation notes and session summaries
- AI-generated educational content (consultation responses, Q&A responses)
- Chat conversation history
Billing Information
- Subscription plan, billing interval, and payment status
- Payment details are collected and processed directly by Stripe; we do not store credit card numbers or full payment credentials on our servers
Technical Data
- Authentication tokens and session identifiers
- API usage and cost tracking
- Error logs (excluding PHI)
- Device and browser information (when cookies are accepted; see Section 11)
3. How We Use Information
- Provide platform services: Generate AI-assisted clinical consultation notes, session summaries, and educational Q&A for professional development
- Authenticate users: Verify identity via multi-factor authentication (MFA) and maintain secure sessions
- Process payments: Manage subscriptions and billing through Stripe
- Improve the platform: Monitor system performance and reliability using anonymized and aggregated data only, applying the minimum necessary standard to limit data use to the least amount needed
- Communicate: Send MFA verification codes via SMS, password reset emails, and service notifications
We do not:
- Sell or share PHI with third parties for marketing or advertising
- Use PHI for AI model training or improvement — our AI provider (AWS Bedrock) contractually prohibits the use of customer inputs and outputs for model training
- Access client records except as necessary for system administration, support, or as required by law
- Use or disclose PHI beyond what is permitted under our BAA and applicable law
4. De-Identification Practices
When processing clinical data through AI models, we apply de-identification measures to reduce exposure of identifiable information. Specifically, client names are replaced with the generic identifier "the client" before data is transmitted to AI services. This practice reduces the identifiability of PHI during AI processing while preserving clinical context.
Any data that has been de-identified in accordance with 45 CFR §164.514 is no longer considered PHI and may be used for operational improvements, analytics, and platform development.
5. How We Store and Protect Information
Encryption
- In transit: All data is transmitted over TLS 1.2 or higher (HTTPS)
- At rest: The database is encrypted using AES-256 (AWS RDS encryption)
- Secrets: Application credentials are stored in AWS Secrets Manager with encryption at rest
Access Controls
- Mandatory multi-factor authentication (MFA) via email verification codes for all user accounts
- Access tokens expire after 1 hour; refresh tokens expire after 7 days
- Role-based access control (admin and user roles)
- User data isolation — each therapist can only access their own data
- Trusted device management to balance security with usability
- Automatic session timeout after 15 minutes of inactivity, requiring re-authentication
- Account lockout after 10 failed login attempts, requiring a password reset to unlock
- Mandatory password expiry every 180 days, requiring users to reset their password to continue
Infrastructure Security
- Hosted entirely on AWS using HIPAA-eligible services, covered under our AWS Business Associate Agreement
- Database deployed in a private subnet with no public internet access
- IAM least-privilege access policies with MFA enforcement on all administrative accounts
- Container-based deployment (AWS ECS/Fargate) with network isolation
- AWS Web Application Firewall (WAF) with geographic restrictions limiting access to the United States
Monitoring and Auditing
- AWS CloudTrail for infrastructure-level API activity logging
- VPC Flow Logs for network traffic monitoring
- Amazon GuardDuty with Runtime Monitoring for real-time threat detection on EC2 instances
- Application-level audit logging for administrative actions and PHI access events
- Amazon CloudWatch alarms for infrastructure and application health monitoring
Backups
- Automated daily database backups with 7-day retention
- All backups encrypted at rest using AES-256
6. AI Data Processing
Steady Clinical uses Anthropic's Claude AI models exclusively through Amazon Bedrock to provide clinical consultation support.
- No direct Anthropic relationship: All AI processing occurs through AWS Bedrock, a HIPAA-eligible service covered under our AWS BAA. We do not transmit data directly to Anthropic. AWS Bedrock contractually guarantees that customer inputs and outputs are not used for model training or improvement.
- De-identification in transit: Client names are replaced with "the client" before transmission to AI services (see Section 4)
- Storage: AI-generated content is stored in our platform database under the same encryption and access controls as all other PHI
- Advisory only: All AI output is educational and advisory in nature. Licensed clinicians are responsible for independently evaluating all AI-generated content and making their own clinical decisions
7. Data Retention
- Account data: Retained while the account is active. Upon account closure or termination, account data is deleted within 30 days, except as required by law or our BAA obligations
- Clinical data (PHI): Retained while the account is active. Therapists may delete individual client records and session data at any time through the platform
- Billing records: Retained as required for tax, legal, and accounting purposes
- Backups: Retained for 7 days on a rolling basis; older backups are automatically overwritten
- Audit logs: Retained for a minimum of 6 years per HIPAA requirements (45 CFR §164.530(j))
8. Data Sharing
We share data only with the following service providers, each operating under appropriate agreements:
| Party | Purpose | Data Shared |
|---|---|---|
| Amazon Web Services (AWS) | Infrastructure, database hosting, AI processing (Bedrock), email delivery (SES) including MFA verification codes | All platform data (covered under AWS BAA) |
| Stripe | Payment processing and subscription management | Name, email, billing details (no PHI) |
| PostHog | Product analytics (only when cookies accepted) | Anonymized usage events, device/browser info (no PHI) |
| MailerLite | Marketing email communications | Name and email address (no PHI) |
Important clarifications:
- PHI is only shared with AWS, which operates under our BAA. No other third party listed above receives PHI.
- We do not share, sell, or disclose PHI to any party not listed above unless required by law (e.g., court order, subpoena, or as required by HHS for compliance investigations).
- If we engage additional subcontractors who may access PHI, we will ensure appropriate Business Associate Agreements are in place as required by HIPAA and the HITECH Act.
9. User Rights
Therapists using Steady Clinical may exercise the following rights:
- Access: View all your data at any time through the platform interface
- Delete: Remove individual client records, session data, and chat history
- Export: Request a complete export of your data in a machine-readable format (JSON). Export requests will be fulfilled within 30 days
- Close account: Request deletion of your account and all associated data by contacting reese@steadyclinical.com
- Restrict processing: Request that we limit certain uses of your data
Since Steady Clinical serves therapists (not patients directly), individual patient rights under HIPAA — including the right to access, amend, and receive an accounting of disclosures of their PHI — are the responsibility of the therapist as the Covered Entity. Steady Clinical acts as a Business Associate and will cooperate with therapists in fulfilling these obligations as described in our BAA.
10. Breach Notification
In the event of a breach of unsecured PHI as defined under 45 CFR §164.402, we will:
- Notify affected therapists without unreasonable delay, and in no event later than 60 calendar days following discovery of the breach, as required by the HITECH Act (42 U.S.C. §17932)
- Provide sufficient information for therapists to fulfill their own breach notification obligations to affected individuals and the U.S. Department of Health and Human Services (HHS)
- Report directly to the HHS Office for Civil Rights as required for breaches affecting 500 or more individuals
- Mitigate, to the extent practicable, any harmful effects of the breach
11. Cookies and Analytics
Steady Clinical uses cookies and similar technologies as follows:
Essential Cookies
Required for the platform to function. These include authentication session cookies (steady_access and steady_refresh) and cookie consent preferences. Essential cookies cannot be declined.
Analytics Cookies (Optional)
If you accept cookies via our cookie banner, we load PostHog analytics to understand how the platform is used. PostHog collects anonymized usage data such as page views, feature interactions, and device/browser information. No PHI is ever sent to PostHog.
If you decline cookies, no analytics scripts are loaded and no tracking occurs beyond essential platform functionality. You may change your preference at any time by clearing your browser's local storage for this site.
12. State Privacy Laws
In addition to HIPAA and the HITECH Act, we comply with applicable state privacy laws. To the extent that your clinical data constitutes Protected Health Information under HIPAA, federal law generally preempts conflicting state requirements for that data. For non-PHI data (such as account information, marketing preferences, and analytics data), the following state laws may apply:
- Tennessee Information Protection Act (TIPA): Steady Clinical is headquartered in Tennessee. We provide notice of our data collection practices through this Privacy Policy, honor opt-out requests for non-essential data processing (including analytics cookies via our consent banner), and do not sell personal information
- Other state privacy laws: If you are located in a state with comprehensive privacy legislation (such as California, Virginia, Colorado, or Connecticut), we will comply with applicable requirements, including honoring data access, deletion, and opt-out requests
For state-specific privacy inquiries, contact us at reese@steadyclinical.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 30 days before taking effect. The "Last updated" date at the top will reflect the most recent revision. Continued use of the platform after changes take effect constitutes acceptance of the updated policy.
14. Contact
Reese Armstrong serves as the designated HIPAA Privacy and Security Officer for Steady Clinical, LLC. For questions about this Privacy Policy, to exercise your data rights, or to report a privacy concern:
Reese Armstrong, HIPAA Privacy & Security Officer
Steady Clinical, LLC
Email: reese@steadyclinical.com
Website: https://www.steadyclinical.com