a) Account information: email address (collected via Firebase Authentication), display name, and — if voluntarily provided during onboarding — first name, last name, phone number, and a link to a personal website or professional profile.
b) Subscription information: selected plan, activation date, license token, payment status.
c) Usage analytics: AI request count, feature usage frequency, session timestamps. No clinical content is included in analytics.
a) Pseudonym (nickname) — the primary identifier used for AI processing. This is the only identifier transmitted to external AI services.
b) Contact data (real name, phone, email, address) — stored locally in the User's browser and/or in the MySQL database. Never transmitted to AI services.
c) Demographic data: age (derived from date of birth; exact date of birth is never transmitted to AI), gender, marital status, education, profession, languages, cultural background.
d) Clinical data: presenting complaints, psychiatric history, previous therapy, medical history, family history, trauma history, substance use, therapist notes, session records, therapeutic goals, test results, assessment scales.
The following table shows exactly what data is stored where and what reaches the AI service provider:
| Data Category | User's Browser | MySQL Server | Sent to AI (OpenAI) |
|---|---|---|---|
| Real name (first, last) | ✓ Stored | ✓ Stored | ✗ Never |
| Pseudonym (nickname) | ✓ Stored | ✓ Stored | ✓ Sent |
| Phone, email, address | ✓ Stored | ✓ Stored | ✗ Never |
| Date of birth | ✓ Stored | ✓ Stored | ✗ Never* |
| Age (integer) | Derived at runtime | — | ✓ Sent |
| Emergency contact | ✓ Stored | ✓ Stored | ✗ Never |
| Clinical context (de-identified) | ✓ Stored | ✓ Stored | ✓ Sent** |
| Session history (de-identified) | ✓ Stored | ✓ Stored | ✓ Sent** |
* Date of birth is converted to age (integer) before AI transmission. Ages 90+ are aggregated as "90+" per HIPAA Safe Harbor (45 CFR §164.514(b)(2)(i)(C)).
** All text fields are automatically scrubbed for residual PII patterns (emails, phone numbers) before transmission.
AITACS CRM implements the HIPAA Safe Harbor method of de-identification (45 CFR §164.514(b)), which requires the removal of all 18 categories of identifiers. Our implementation:
3.1. Client-side filter — a JavaScript function (deidentifyForAI) runs in the User's browser before any data leaves the application. It removes direct identifiers and converts dates of birth to age integers.
3.2. Server-side filter — an independent PHP function (deidentifyServerSide) runs on the API proxy server before forwarding any data to OpenAI. This provides defense-in-depth: even if the client-side filter is bypassed or modified, PII will not reach the AI provider.
3.3. Pattern scrubbing — both filters scan all free-text fields for residual PII patterns (email addresses, phone numbers, social security numbers) and replace them with [REDACTED].
3.4. Audit marker — each de-identified data object is tagged with _deidentified: true, a timestamp (_deidentifiedAt), and the method used (HIPAA Safe Harbor 45 CFR §164.514(b)).
3.5. Zero-retention at OpenAI — data transmitted to OpenAI is processed under a zero-retention policy: API inputs and outputs are not stored by OpenAI after processing is complete and are not used for model training (per OpenAI API Data Usage Policy, effective March 2023). See Subprocessor List — OpenAI for full details.
Data transmitted to the AI provider qualifies as de-identified under HIPAA and is therefore no longer classified as Protected Health Information (PHI). The Provider has no reasonable basis to believe the transmitted information can be used to identify any individual.
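The filter steps in clauses 3.1, 3.3 and 3.4 can be sketched as follows; this is an added example, not the Platform's own deidentifyForAI code. The function name deidentifySketch, the record field names, the _method key and the regular expressions are assumptions made for illustration.

```javascript
// Added illustration, not the AITACS implementation. Field names are assumptions.
const DIRECT_IDENTIFIERS = new Set([
  "firstName", "lastName", "email", "phone", "address",
  "emergencyContact", "dateOfBirth",
]);

// Residual-PII patterns named in 3.3; SSN runs before the looser phone pattern.
const PII_PATTERNS = [
  /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g,               // email
  /\b\d{3}-\d{2}-\d{4}\b/g,                                         // US SSN
  /(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b/g,   // phone
];

function scrubText(text) {
  return PII_PATTERNS.reduce((t, re) => t.replace(re, "[REDACTED]"), text);
}

// Walk nested objects and arrays so every free-text string is scrubbed.
function scrubDeep(value) {
  if (typeof value === "string") return scrubText(value);
  if (Array.isArray(value)) return value.map(scrubDeep);
  if (value && typeof value === "object") {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, scrubDeep(v)]));
  }
  return value;
}

// Whole years between dob and now (UTC); 90 and above collapse to "90+".
function ageBucket(dob, now) {
  const b = new Date(dob);
  if (Number.isNaN(b.getTime())) return null;
  let age = now.getUTCFullYear() - b.getUTCFullYear();
  const monthDiff = now.getUTCMonth() - b.getUTCMonth();
  if (monthDiff < 0 || (monthDiff === 0 && now.getUTCDate() < b.getUTCDate())) age -= 1;
  return age >= 90 ? "90+" : age;
}

function deidentifySketch(record, now = new Date()) {
  const out = {};
  for (const [key, value] of Object.entries(record)) {
    if (!DIRECT_IDENTIFIERS.has(key)) out[key] = scrubDeep(value);
  }
  if (record.dateOfBirth) out.age = ageBucket(record.dateOfBirth, now);
  out._deidentified = true;
  out._deidentifiedAt = now.toISOString();
  out._method = "HIPAA Safe Harbor 45 CFR §164.514(b)"; // key name assumed
  return out;
}

// Constructed sample record (not real data).
const SAMPLE = {
  nickname: "BlueHeron", firstName: "Jane", lastName: "Doe",
  email: "jane@example.com", phone: "+1 555 010 1234",
  dateOfBirth: "1931-03-02", gender: "female",
  therapistNotes: "Reach at jane.doe@example.org or (555) 010-9999; SSN 123-45-6789.",
  sessions: [{ summary: "Call back on 555-010-7777 next week." }],
};
console.log(deidentifySketch(SAMPLE, new Date("2025-01-01T00:00:00Z")));
```

A server-side layer in the spirit of clause 3.2 would re-run the same steps on whatever payload arrives rather than trusting a client-supplied _deidentified flag.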
4.1. Service delivery: storing and synchronizing client records, calendar events, and session notes across the User's devices.
4.2. AI-assisted analysis: processing de-identified clinical context through the AI assistant to provide session insights, technique recommendations, and progress summaries.
4.3. Service improvement: aggregated, anonymized usage statistics to improve Platform features and performance.
4.4. Opting out of AI processing: The User may disable AI-assisted analysis for any individual End Client at any time through the client profile settings within the Platform. When AI analysis is disabled for a specific client, no data for that client is transmitted to OpenAI. The User retains full, per-client control over AI processing. This mechanism satisfies the data subject's right to object to automated processing under GDPR Article 21. Disabling AI analysis does not affect data storage or any other Platform functionality.
The Provider does not: sell personal data or clinical data to any third party; use data for advertising or marketing purposes; share identifiable data with third parties without explicit consent; use clinical data for AI model training; profile End Clients or make automated decisions about them.
5.1. Contractual necessity (Art. 6(1)(b) GDPR) — processing User account data is necessary to provide the Service under the subscription agreement.
5.2. Legitimate interest (Art. 6(1)(f) GDPR) — aggregated usage analytics for service improvement, where the User's privacy interests are not overridden.
5.3. Consent (Art. 6(1)(a) GDPR) — for any processing activity not covered by contractual necessity or legitimate interest, explicit consent will be obtained.
5.4. For processing of End Client data (special category data under Art. 9 GDPR), the User — as Data Controller — is responsible for obtaining the appropriate legal basis (typically explicit consent of the End Client).
Request a copy of all personal data we hold about you. (Art. 15)
Request correction of inaccurate or incomplete data. (Art. 16)
Request deletion of your data ("right to be forgotten"). (Art. 17)
Receive your data in a structured, machine-readable format. (Art. 20)
Request limitation of how your data is processed. (Art. 18)
Object to AI-assisted processing for a specific End Client via the per-client AI opt-out in profile settings. Object to processing based on legitimate interest. (Art. 21)
To exercise any of these rights, contact: aitacs@skillbuilder.club. We will respond within 30 days of receiving your request.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction.
7.1. Encryption in transit: all data transmitted between the User's browser, our servers, and third-party services uses TLS 1.2 or higher.
7.2. Encryption at rest: AES-256 encryption is recommended for local data storage when using the desktop version. Server-side database encryption follows hosting provider standards.
7.3. Authentication: Firebase Authentication with support for email/password and OAuth providers. Two-factor authentication (2FA) is strongly recommended.
7.4. De-identification: dual-layer (client-side + server-side) automatic removal of all 18 HIPAA identifier categories before AI transmission, as described in Section 3.
7.5. Access control: each User's data is isolated by their unique Firebase UID. Users cannot access other Users' data.
7.6. Backup: regular database backups with encrypted storage.
We share data with the following third-party subprocessors, each performing a specific and limited function:
| Subprocessor | Country | Function | Data Shared |
|---|---|---|---|
| OpenAI, LLC | USA | AI processing of session analysis requests | Pseudonym + de-identified clinical context only. No PHI. |
| Hetzner Online GmbH | Germany | MySQL database hosting | All CRM data (encrypted in transit) |
| Google Firebase | USA | User authentication | Email address, UID |
| Daily.co (Daily.co, Inc.) | USA | WebRTC video conferencing infrastructure for therapy sessions | Audio and video streams during live sessions (real-time only; not stored by Daily.co). BAA in place. |
| OpenAI, LLC (Whisper API) | USA | Speech-to-text transcription of session audio recordings | Audio file (temporary; deleted from our servers immediately after transcription). Subject to OpenAI zero-retention policy. |
The User will be notified at least 14 days in advance of any new subprocessor being added. A complete and current subprocessor list is maintained at Subprocessor List.
9.1. Data may be transferred to and processed in the United States (OpenAI, hosting provider, Firebase). For Users in the EU/EEA, such transfers rely on the following safeguards: OpenAI — OpenAI's Data Processing Addendum, which incorporates EU Standard Contractual Clauses (SCCs, Commission Implementing Decision (EU) 2021/914); Google Firebase — Google Cloud Data Processing Terms (includes SCCs); Hosting provider — hosting provider's Data Processing Agreement incorporating EU SCCs.
9.2. Data transmitted to OpenAI is de-identified per Section 3 and is therefore not classified as personal data under GDPR Article 4(1), further reducing transfer risk.
10.1. Active subscription: all data is retained for the duration of the subscription.
10.2. After cancellation: data is retained for 90 days to allow the User to export their records. After 90 days, all data is permanently deleted from our servers.
10.3. Immediate deletion: the User may request immediate deletion of all their data at any time by contacting aitacs@skillbuilder.club. The request will be fulfilled within 30 days.
10.4. Backup retention: encrypted backups may persist for up to 30 additional days after deletion from the primary database, after which they are purged.
10.5. AI request logs: the Provider does not retain logs of AI requests or responses. Data transmitted to OpenAI is subject to OpenAI's zero-retention policy (retention: 0 days). No AI request content is stored on Provider servers after transmission.
10.6. Audio recordings: raw audio files recorded during video sessions are processed exclusively for speech-to-text transcription via OpenAI Whisper and are permanently deleted from Provider servers immediately upon completion of transcription — or upon any error — whichever occurs first. Audio files are never archived or stored long-term.
10.7. Session transcripts and AI-generated clinical notes: text transcripts and AI-generated follow-up notes produced from session recordings are retained for a maximum of 7 years from the date of creation, in accordance with HIPAA minimum retention requirements (45 CFR §164.530(j): 6 years) and applicable US state regulations for mental health records (typically 7 years for adult patients). After this period, records are automatically and permanently purged from the database. The User may request earlier deletion at any time under clause 10.3.
11.1. The Platform uses only essential cookies required for authentication and session management. No advertising, analytics, or tracking cookies are used.
11.2. Local storage (localStorage, IndexedDB) is used for client-side data caching and offline functionality. This data remains on the User's device and is not transmitted to third parties.
The Platform is intended for use by licensed professionals only. When the User (therapist) works with End Clients under the age of 16, parental or guardian consent for data processing — including AI-assisted analysis — is required under GDPR Article 8. The Informed Consent Template includes a dedicated parent/guardian signature block for this purpose. The User is solely responsible for obtaining and verifying such consent before entering any minor's data into the Platform.
The Platform itself is not directed at individuals under the age of 18 as account holders. We do not knowingly collect account data from minors. If we become aware that an account has been created by a minor without appropriate consent, we will promptly delete the account and associated data.
13.1.1. Applicable legislation. Canadian Users are protected by the Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5) at the federal level. Therapists practising in Ontario are additionally subject to the Personal Health Information Protection Act, 2004 (PHIPA, S.O. 2004, c. 3); in Alberta to the Health Information Act (HIA, RSA 2000, c. H-5); in British Columbia to the Personal Information Protection Act (PIPA, SBC 2003, c. 63). The Provider processes personal information in accordance with all applicable Canadian federal and provincial privacy legislation.
13.1.2. Consent and purpose limitation. Personal information is collected, used, and disclosed only for the purposes identified at the time of collection or as subsequently authorised by the individual. Collection of health information about End Clients requires the therapist (Custodian) to hold a valid consent from the individual or to have a lawful basis under the applicable provincial health privacy statute.
13.1.3. Rights of Canadian Users. Canadian individuals may: (a) request access to their personal information held by the Provider; (b) request correction of inaccurate information; (c) withdraw consent at any time (subject to legal or contractual restrictions); (d) file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca or with the applicable provincial commissioner.
13.1.4. Cross-border transfers. Personal information may be transferred to the United States for processing by OpenAI (de-identified) and Google Firebase (authentication data). The Provider takes contractual and technical measures equivalent to PIPEDA Principle 7 (Safeguards) to protect information during and after any such transfer. Canadian Users acknowledge that transferred data may be accessible to law-enforcement agencies in the receiving jurisdiction.
13.2.1. Applicability. California residents are afforded rights under the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (CCPA/CPRA, Cal. Civ. Code §§ 1798.100 et seq.). This section supplements the general Privacy Policy and applies solely to California residents.
13.2.2. Categories of personal information collected. In the preceding 12 months the Provider has collected: identifiers (name, email, Firebase UID); professional information (licence number, practice name); internet/network activity (log-in events, IP address); and, where Users utilise the session-recording feature, audio/text records of therapy sessions (sensitive personal information). The Provider does not collect Social Security numbers, financial account numbers, or biometric data.
13.2.3. No sale or sharing. The Provider does not sell and does not share personal information (as those terms are defined in CCPA/CPRA §§ 1798.140(ad), (ah)) with any third party for monetary or other valuable consideration, or for cross-context behavioural advertising.
13.2.4. California consumer rights. California residents have the right to: (a) know — request disclosure of the categories and specific pieces of personal information collected, used, disclosed, and sold; (b) delete — request deletion of personal information, subject to statutory exceptions; (c) correct — request correction of inaccurate personal information; (d) limit use of sensitive PI — direct the Provider to limit use and disclosure of sensitive personal information to purposes specified in §1798.121; (e) non-discrimination — the Provider shall not discriminate against a consumer for exercising any CCPA right.
13.2.5. How to submit a request. California residents may submit verifiable consumer requests by emailing aitacs@skillbuilder.club with the subject line "CCPA Request". Authorised agent submissions are accepted with written authorisation from the consumer. The Provider will respond within 45 days (extendable by 45 additional days with notice).
13.3.1. Applicable legislation. The Provider processes personal data of Israeli residents in accordance with the Privacy Protection Law 5741-1981 and the Privacy Protection Regulations (Data Security) 5777-2017 promulgated thereunder.
13.3.2. EU–Israel adequacy. The State of Israel has been recognised as providing an adequate level of data protection by the European Commission (Decision 2011/61/EU). Accordingly, transfers of personal data from the EU/EEA to Israel do not require additional safeguards such as SCCs, provided that processing occurs within the scope of the adequacy decision.
13.3.3. Database registration. The Provider maintains a database of personal information as defined in the Privacy Protection Law. The Provider has assessed its registration obligations under the Law and complies with applicable registration requirements of the Israeli Registrar of Databases.
13.3.4. Rights of Israeli residents. Individuals whose data is processed by the Provider may: (a) request access to information held about them; (b) request correction of inaccurate, incomplete, or outdated information pursuant to Section 14 of the Law; (c) object to processing for direct-marketing purposes. Requests should be addressed to aitacs@skillbuilder.club.
13.4.1. Applicable legislation. Personal data of Ukrainian residents is processed in accordance with the Law of Ukraine "On Personal Data Protection" (Law No. 2297-VI of 1 June 2010, as amended). Health data constitutes a special category of personal data under Article 7 of the Law and is processed only on the basis of the explicit written consent of the data subject or as otherwise permitted by law.
13.4.2. Consent. Where the Provider processes health-related information of End Clients at the direction of a Ukrainian therapist (User), the User is responsible for obtaining and documenting the End Client's explicit written consent for such processing in accordance with Article 8 of the Law. The Provider's Informed Consent Template is designed to satisfy this requirement.
13.4.3. Rights of Ukrainian data subjects. Individuals have the right to: (a) know the composition and content of their personal data; (b) access their personal data; (c) receive a response within 30 calendar days; (d) request correction, deletion, or restriction of processing; (e) object to processing; (f) lodge a complaint with the Ukrainian Parliament Commissioner for Human Rights (Уповноважений Верховної Ради України з прав людини) or seek judicial protection.
13.4.4. Cross-border transfers. Personal data may be transferred to countries that ensure an adequate level of protection (EU/EEA, Israel). Transfers to the United States (OpenAI, Google Firebase) are carried out on the basis of standard contractual clauses and the Provider's data-processing agreements with those subprocessors, constituting appropriate safeguards under Article 29 of the Law.
14.1. We may update this Privacy Policy from time to time. Material changes will be communicated at least 14 days in advance via email or in-app notification.
14.2. The "Effective Date" at the top of this document reflects the date of the most recent revision.
For questions, data access requests, or privacy concerns:
Artem Chukov — Data Protection Contact
Email: aitacs@skillbuilder.club
Web: skillbuilder.club