Privacy Policy

Last updated: 2026-05-26

This Privacy Policy describes how IntakeFlow ("we," "us," or "the Service") collects, uses, shares, and protects personal information. IntakeFlow is operated by EMHNJ, based in New Jersey, USA. Protected Health Information (PHI) is additionally governed by your HIPAA Business Associate Agreement — see the BAA.

Who we are

IntakeFlow is a B2B SaaS that helps licensed psychotherapy practices screen the prospective-client emails they receive. We act as a Business Associate (under HIPAA) to the therapists who subscribe. We are not a healthcare provider; we do not provide clinical services. We are not a marketing platform; we do not run ads, build profiles, or sell data.

Information we collect

From therapists (our customers)

  • Account info: email address, name, practice name, sign-in timestamps.
  • Billing info: name, billing address, last 4 digits of payment card, and a Stripe customer ID. Full card numbers are never stored on our servers — they live with Stripe (see Subprocessors).
  • Authentication state: hashed sign-in tokens, TOTP secret (encrypted at rest with a global key).
  • Operational metadata: IP address, user agent, session activity (for audit logging and abuse detection).

From prospective clients (the inbox you connect)

  • Inbound email body — encrypted at rest with a per-tenant data-encryption key (DEK) wrapped by a KMS-managed master key.
  • Structured extraction — insurance carrier, availability, presenting concerns, modality preference, parsed out of the email body and stored encrypted alongside the body.
  • Crisis flag and rationale — a boolean plus a short, non-PHI explanation if our system detected acute-risk language.
  • Salted hash of the sender's email address — used for cross-tenant duplicate detection without storing the raw address in plaintext.

Prospective-client data is PHI under HIPAA. It is held under the Business Associate Agreement between us and the therapist whose inbox it arrived at. It belongs to the therapist's practice; we have no independent right to use it.

How we use information

  • To run the screening pipeline (extract structured fields, route crisis cases, send acknowledgments and the daily digest to the therapist).
  • To bill subscriptions through Stripe and provide customer support.
  • To detect fraud, abuse, and security incidents.
  • To comply with legal obligations and respond to lawful requests.

What we do not do: We do not sell or rent personal information. We do not use PHI to train AI models, ours or any third party's. We do not load third-party advertising or behavioral-analytics trackers on authenticated (logged-in) pages. We do not share PHI with our payment processor.

Legal bases

For customers in the United States, we process information to perform our contract with you (Terms of Service + BAA), to comply with HIPAA and other applicable law, and where you provide consent (e.g. connecting your mailbox by OAuth). We do not knowingly process information of EU/UK residents in a way that triggers GDPR/UK-GDPR; if you are an EU/UK practitioner, please contact us before signing up.

Subprocessors

We use a small set of vendors to operate the Service. Vendors that touch PHI sign a HIPAA Business Associate Agreement; vendors that don't touch PHI are still bound by data-processing terms. Full list with roles and BAA status at /legal/subprocessors. Key categories:

  • Cloud infrastructure — Amazon Web Services (BAA, hosts encrypted PHI and KMS keys), Vercel (BAA, hosts the application), Neon (BAA, Postgres database).
  • AI extraction — Anthropic (Zero Data Retention enterprise tier; no training on customer data).
  • Email delivery — Amazon SES (under AWS BAA).
  • Billing & payments — Stripe, Inc. We send Stripe only non-PHI billing fields: your business email, plan ID, billing address, and (when you check out) the payment card you enter into Stripe's own iframe — those card details go straight from your browser to Stripe and never transit our servers.

Cookies & trackers

On the public marketing site we may use first-party, privacy-friendly analytics (no cookies, no cross-site tracking, no fingerprinting). On authenticated pages we use only the cookies necessary for authentication and CSRF protection. We do not use Google Analytics, Meta Pixel, or other third-party advertising trackers.

Retention

  • Encrypted intakes & extracted fields: retained until you delete them, your subscription ends and you ask us to crypto-shred your tenant key, or you delete your account.
  • Audit logs: six (6) years, the HIPAA Security Rule retention period. Audit logs contain only non-PHI metadata (action, timestamp, hashed identifiers).
  • Billing records: seven (7) years, to comply with tax law.
  • Encrypted backups: 35 days, then destroyed.
  • Marketing-page logs: 90 days.

Security

  • Per-tenant envelope encryption (KMS-wrapped DEK) for all PHI at rest.
  • TLS 1.2+ for all data in transit.
  • Row-level security in the database, in addition to application-level tenant scoping.
  • Mandatory 2FA (TOTP) for all admin and therapist accounts.
  • Audit log of every PHI access, retained 6 years.
  • Breach-notification procedures documented in our internal runbook and reflected in the BAA.

Your rights as a therapist customer

  • Access: view your tenant's data anytime in the dashboard.
  • Export: download an export of all your tenant's data (Settings → Export). The export is JSON, decrypted, and includes intakes, audit log, and metadata.
  • Correction: edit extracted fields directly on each intake.
  • Deletion: delete your account (Settings → Delete account). This crypto-shreds your tenant key, rendering encrypted PHI unrecoverable. Audit logs remain (HIPAA-required).
  • Portability: the Export is in a standard JSON shape so you can re-import elsewhere.

Prospective clients (your patients-to-be)

If you contacted a therapist's practice and want to know what we store about you, please contact the therapist directly — they are the HIPAA Covered Entity and the owner of any PHI. We will work with them to fulfill valid HIPAA access, correction, or deletion requests under the BAA.

State privacy rights (US)

Residents of states with comprehensive privacy laws (e.g. California's CCPA/CPRA, Virginia's VCDPA, Colorado's CPA) have the right to access, correct, and delete personal information we hold about them, and the right to opt out of "sale" or "sharing" of personal information. We do not "sell" or "share" personal information as those terms are defined under any US state privacy law. Requests: privacy@emhnj.com.

Children

The Service is not directed at children under 13. If a prospective-client email is from a minor, the therapist is responsible for any parental-consent obligations under HIPAA, COPPA where applicable, and state law.

International transfers

Our servers are located in the United States. If you access the Service from outside the US, your information will be transferred to and processed in the US.

Changes

We'll email account owners at least 30 days before material changes. The current version is always at this URL.

Contact

Mailing address available on written request to privacy@emhnj.com.