1. What we collect
We collect:
- Account data: email, role, password hash, locale/timezone, profile fields you provide.
- Content data: journal entries, template answers, submissions, therapist comments (if you use these features).
- Assessment data: self-reported questionnaire responses (e.g., PHQ-9, GAD-7, WHO-5) and calculated scores.
- Encrypted content: session notes and private therapist notes, stored with AES-256-GCM encryption.
- Technical data: basic logs needed to operate the service (e.g., request time, IP for security, error logs).
2. How we use data
We use data to:
- Provide and operate the service (authentication, storing entries, sharing between therapist and client when linked).
- Schedule assessment retakes and calendar reminders.
- Improve reliability and security (debugging, preventing abuse).
- Provide support (respond to your requests).
3. Legal basis for processing
We process data on the following bases: contract performance (to provide the service), legitimate interest (security, debugging, service improvement), and consent (where required, e.g., optional data you provide).
4. Special category data (health assessments)
Assessment results may constitute health-related data under GDPR Article 9. Legal basis: explicit consent (you voluntarily complete each questionnaire). Data is self-reported and does not constitute a clinical diagnosis.
5. Sharing
We do not sell your personal data. We may share data with service providers needed to run Reframio (hosting, databases, email delivery via Resend) under appropriate safeguards. When linked, therapists can see client submissions, assessments, and timeline; session notes and private notes are not visible to clients. Therapist–client sharing occurs only when you are linked in the app.
6. Cookies and local storage
We use essential cookies for authentication and store your language preference in local storage. We do not use tracking or advertising cookies.
7. Data retention
We keep your data while your account is active or as needed to provide the service. You may request deletion of your account and associated data, subject to legal obligations.
8. Security
We use reasonable technical measures to protect data (access controls, encryption in transit, hashed passwords, AES-256-GCM encryption for session notes and private therapist notes). No method of storage is 100% secure.
9. Your rights
Depending on applicable law, you may have the right to: access your data, rectify inaccurate data, request erasure, restrict processing, request data portability, object to processing, and lodge a complaint with a supervisory authority. You can update profile fields in the app and request export or deletion of your data by contacting us.
10. Children's data
Reframio is not intended for anyone under 18 years of age. We do not knowingly collect data from minors.
11. International transfers
Depending on hosting providers, your data may be processed in different countries. We take steps to protect data consistent with applicable law.
12. Data breach notification
In the event of a data breach affecting your personal data, we will notify you and the relevant authorities as required by applicable law.
13. Audit logging
We maintain audit logs of user actions (not content) for security and debugging. Logs are retained for a limited period and do not include journal text or note content.
14. Updates
We may update this Privacy Policy from time to time. We will update the "Last updated" date and may notify you of material changes.
15. Contact
Contact: support@reframio.app