Trust & Compliance

Three acronyms, one promise.

You may have noticed “HIPAA · GDPR · PCI DSS compliant” at the bottom of every page. Here is what each of those standards actually is, and what it means for you — in plain language, no legal degree required.

Seeking support takes courage, and it should never cost you your privacy. These three standards cover the three kinds of trust you place in us: your health information (HIPAA), your personal data (GDPR), and your payments (PCI DSS).

HIPAA

Health Insurance Portability and Accountability Act

United States federal law · enacted 1996

HIPAA sets the national standard in the United States for protecting sensitive health information. It governs how organizations that handle health data must store it, who may access it, and when it can be shared. For a mental health platform, this covers some of the most personal information there is — what you discuss, who you talk to, and why.

What it means for you

  • What you share with a therapist — session content, notes, and health details — is treated as protected health information.
  • Access is restricted to the people who need it to provide your care. Support staff cannot browse your records.
  • Your health information is never sold, and never shared with third parties without your explicit consent.
  • Data is encrypted both while stored and while traveling between you and the platform.

GDPR

General Data Protection Regulation

European Union regulation · in force since 2018

GDPR is the European Union’s data privacy law, widely considered the strictest in the world. It gives individuals ownership of their personal data: organizations must have a lawful reason to collect it, explain what they do with it in plain language, and honor a set of personal rights on request. We extend these rights to all our members, wherever they live.

What it means for you

  • Right to access — ask us for a copy of the personal data we hold about you.
  • Right to rectification — have inaccurate information corrected.
  • Right to erasure — request that your data be deleted (the “right to be forgotten”).
  • Right to portability — take your data with you in a machine-readable format.
  • Consent that is specific and revocable — we ask before processing your data, and you can withdraw permission at any time.

PCI DSS

Payment Card Industry Data Security Standard

Global standard set by the major card networks

PCI DSS is the security standard created by Visa, Mastercard, American Express, and the other card networks for anyone who accepts card payments. It dictates how card numbers must be handled, transmitted, and protected against theft or fraud.

What it means for you

  • Your card details are handled by certified payment processors — Stripe and PayPal — that are independently audited against this standard.
  • Full card numbers never touch or sit on our own servers.
  • Every transaction travels over an encrypted connection.
  • Subscription and session payments are processed through the same protected pipeline.
🔒

Underneath all three standards sits 256-bit encryption — the same grade used in online banking — protecting your conversations and data in transit and at rest. And if you prefer, you can use the platform completely anonymously.

Want the full details? Read our Privacy Policy and Terms & Conditions, or contact us with any question — we answer in plain language there as well.