Privacy Notice — Serenity Spaces

Section 01

Who is the Data Controller?

The data controller for Serenity Spaces is the organisation or individual who operates this instance of the platform. If you are unsure who this is, contact the practitioner who referred you to this platform or reach out via the contact details below.

This platform is self-hosted software. The operator — not the software developers — is the data controller responsible for all processing described in this notice.

Data Controller Contact
For data protection enquiries, requests to exercise your rights, or to obtain the identity of the controller, contact the platform operator directly. If this platform is Serenity Spaces at https://www.serenityspaces.app, you may use the contact method available on the About page or via any existing correspondence with your practitioner.

Section 02

What Personal Data We Process

Category	Data elements	Who it relates to
Account data	Email address, display name, hashed password, avatar image	Practitioners, registered clients
Booking data	Name, email, date of birth, gender, sexuality, location (all encrypted at rest)	Clients booking sessions
Session content	Chat messages, practitioner clinical notes, client private reflection notes, session highlights, file attachments, voice notes — chat messages and all notes encrypted at rest	Session participants
Intake form responses	Responses to pre-session questionnaires set by the practitioner (may include health history, goals, or other clinical information provided before a session)	Clients completing intake forms
Goal and progress data	Goals set by the practitioner per client, milestones, and progress update notes	Clients with active goals
Referral data	Clinical context snapshot shared when a practitioner refers a client to another practitioner on this platform — may include goals, intake summary, session themes, or session notes depending on the sharing permissions set by the referring practitioner. Referral notes are encrypted at rest.	Clients who are the subject of a practitioner-to-practitioner referral
Technical data	IP address, browser/device info, session tokens, audit log entries	All users
Financial data	Session payment amounts, currency, payment method type (no card data stored on-platform)	Clients paying for sessions
Communication data	Messages sent via the in-platform messaging system	Practitioners and registered clients

Sensitive personal data: Some booking information — specifically gender, sexuality, and in some contexts date of birth — constitutes sensitive personal data under HIPAA (where US infrastructure is used) and special category data under GDPR Art. 9 (where EU infrastructure is used). This data is collected only where explicitly provided by the client, processed under explicit informed consent, and encrypted at rest. You may decline to provide any of this information.

Section 03

Why We Process Your Data and Our Lawful Basis

Purpose	Legal basis	Data involved
Providing the session booking and scheduling service	Treatment / Healthcare operations (HIPAA); Contractual necessity (GDPR Art. 6(1)(b)); Necessary for service (PIPEDA / APPs)	Booking data, account data
Enabling practitioners to run therapeutic sessions	Treatment / Healthcare operations (HIPAA); Contractual necessity (GDPR Art. 6(1)(b)); Necessary for service (PIPEDA / APPs)	Session content, account data
Processing sensitive booking fields (gender, sexuality)	Explicit informed consent (HIPAA Authorization; GDPR Art. 9(2)(a); PIPEDA express consent; APP 3.3)	Gender, sexuality, date of birth
Security, fraud prevention, and audit logging	HIPAA Security Rule — required safeguard; Legitimate interests (GDPR Art. 6(1)(f)); Security purpose (PIPEDA / APPs)	Technical data, IP addresses, audit log
Processing payments	Healthcare operations (HIPAA); Contractual necessity (GDPR Art. 6(1)(b)); Necessary for service (PIPEDA / APPs)	Payment amount/status data
Complying with legal obligations	Legal obligation (HIPAA; GDPR Art. 6(1)(c); applicable national law)	Data subject requests, audit records
Client-initiated datacenter transfer	Explicit informed consent (HIPAA Authorization; GDPR Art. 49(1)(a); PIPEDA / APP express consent)	All data associated with your account

Jurisdiction-specific details of legal bases — including full GDPR Article 6 and 9 breakdowns, HIPAA treatment/operations/payment categories, and the applicable basis under PIPEDA and the Australian Privacy Principles — are set out in the jurisdiction supplements below.

Section 04

How Long We Keep Your Data

Session records — including messages, clinical notes, intake responses, and voice notes — are retained for 7 years from the date of your last session. This meets or exceeds the HIPAA minimum retention requirement of 6 years and aligns with professional therapeutic record-keeping guidelines published by the American Counseling Association (ACA) and the National Association of Social Workers (NASW). It also meets or exceeds retention requirements under applicable data protection law in each supported jurisdiction. Retention of these records supports continuity of care if you return, and practitioner accountability obligations.

You have the right to request deletion of your personal data at any time (see Section 06 — Your Rights). Where records are subject to a professional retention obligation, we will explain any applicable limits on deletion at the time of your request.

Data type	Retention period
Session messages and clinical notes	7 years from last session (HIPAA minimum: 6 years; ACA/NASW professional standard: 7 years).
Voice notes recorded during sessions	7 years from last session. Deleted upon verified erasure request.
File attachments uploaded during sessions	Removed from server storage after session export. Text records of file names are retained as part of the session record.
Intake form responses	7 years from last session, as part of the clinical record.
Goal and progress data	7 years from last session. Deleted upon verified erasure request.
Booking records	7 years from last session (professional accountability and potential legal obligation).
Account data (practitioners)	Retained while the account is active. Deleted within 30 days of account closure request.
Account data (registered clients)	Retained while the account is active. Deleted within 30 days of account closure request, subject to any applicable professional retention obligations.
Audit logs	Retained for a minimum of 12 months for security and compliance purposes (HIPAA Security Rule requires 6 years for HIPAA-related security documentation).
Consent records	Retained for as long as the associated booking or account exists, plus 3 years thereafter (legal accountability).
IP addresses and technical session data	Retained for up to 90 days for security purposes, then deleted.

Section 05

Who We Share Your Data With

This platform does not sell, rent, or share personal data with third parties for marketing or advertising purposes.

Data may be shared with or accessible to:

The practitioner you book with — they can see your booking information, session content, and notes as necessary to provide the service.
Another practitioner on this platform (referral only) — if your practitioner refers you to another practitioner on this platform for a different kind of support, a snapshot of your clinical context may be shared with the receiving practitioner. The scope of information shared is set by your referring practitioner and may include your goals, intake summary, session themes, or session notes. The referring practitioner can only make referrals where they have an existing booking relationship with you. You may ask your practitioner what data was shared as part of any referral.
The datacenter hosting provider — the infrastructure on which this platform runs. This platform supports regional datacenters; your data is stored in the region you selected. Each datacenter operates under the privacy framework applicable to its location. Hosting providers are bound by a Business Associate Agreement (BAA) for US infrastructure and a Data Processing Agreement (DPA) for EU/UK infrastructure.
Payment processors — if you pay for a session via PayPal, Stripe, Square, or a BTCPay Server instance, payment processing is handled by those services under their own privacy policies. This platform does not store card numbers or payment credentials. Practitioners are required to hold a signed BAA (US) or DPA (EU/UK) with their chosen payment processor before accepting payments. BTCPay Server is typically operator-self-hosted; the operator is responsible for the privacy and security of their BTCPay instance.
Email delivery providers — if email notifications are enabled, messages are routed through the configured SMTP provider. An appropriate data processing agreement is required with the SMTP provider before any personal data is transmitted.
AI service providers (conditional) — if your practitioner has enabled an AI assistant and you have granted consent, session content may be sent to their AI vendor (OpenAI, Anthropic, Google, or Cohere). Practitioners are required to hold a signed BAA or DPA with their AI vendor before enabling AI features. You are informed of which AI vendor is in use during the consent flow at booking.

Any transfer of data to third-party processors is subject to appropriate agreement requirements. Practitioners are responsible for ensuring their chosen processors maintain safeguards consistent with the applicable regulatory framework.

Optional Media Recommendation Services

Practitioners may enable an optional media recommendation feature that surfaces book, film, and music suggestions during sessions. When this feature is active, practitioner-entered search queries are sent to the following external services to retrieve cover images and metadata:

The Movie Database (TMDB) — image.tmdb.org — film and TV recommendations.
Open Library — covers.openlibrary.org — book cover images.
Google Books — books.google.com — book metadata and cover images.
Internet Archive — archive.org — supplementary media metadata.

No client personal data is transmitted to these services. Only practitioner-initiated search terms are sent. This feature is practitioner-configured and disabled by default. Clients are not aware of search queries made by practitioners using this feature.

Data Residency and Regional Datacenters

This platform operates regional datacenters that allow you to choose where your data is stored. Your chosen datacenter determines which privacy framework primarily governs the processing of your data:

United States (Virginia) — HIPAA-compliant infrastructure (OVH Public Cloud). Processing governed by HIPAA Privacy, Security, and Breach Notification Rules.
European Union (France) — GDPR-compliant infrastructure (OVH Public Cloud). Processing governed by EU GDPR. Coming soon.

You may request transfer of your data to a different regional datacenter at any time. Cross-region transfers require your explicit informed consent, are carried out securely using encrypted transfer, and are recorded in the audit log. Consent for a cross-region transfer may be withdrawn before the transfer completes; it cannot be undone after completion.

Section 06

Your Privacy Rights

You have the following rights in relation to your personal data. The specific rights available to you depend on the jurisdiction in which you are located; full details are in the jurisdiction supplements below.

Right of access

Request a copy of the personal data held about you.

Right to rectification

Ask us to correct inaccurate data or complete incomplete data.

Right to erasure

Request deletion of your personal data where there is no compelling reason to continue processing. Available directly from your client portal.

Right to restrict processing

Ask us to limit how we use your data in certain circumstances.

Right to data portability

Receive your data in a structured, machine-readable format.

Right to object

Object to certain uses of your data, including uses based on legitimate interests.

Withdraw consent

Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

Rights re: automated decisions

We do not make solely automated decisions that significantly affect you.

To exercise any of these rights, contact the data controller using the details in Section 01. For HIPAA-related concerns, contact the HHS Office for Civil Rights (OCR) at hhs.gov/hipaa/filing-a-complaint. For California privacy rights concerns, contact the California Privacy Protection Agency (CPPA) at cppa.ca.gov.

Section 07

Cookies and Session Data

This platform uses the following cookies and local storage items. All are strictly necessary for the operation of the service. No non-essential cookies are set.

PHP session cookie (PHPSESSID) — essential for authentication and CSRF protection. No tracking purpose.
Reconnect cookie (ss_reconnect_*) — stores a token to allow re-entry to an active session if your browser disconnects. Expires when the session ends.
Local storage (ss_tour_*) — remembers whether you have completed the onboarding tour. Not transmitted to the server.
Cookie (ss_cookie_consent) — records that you have acknowledged the cookie notice on the login or landing page. Expires after 12 months. You may withdraw acknowledgment at any time by clearing this cookie via your browser's cookie settings.

No third-party analytics, advertising, or cross-site tracking cookies are set by this platform. A cookie notice rather than a full consent banner is appropriate as all cookies are strictly essential to the service.

Section 08

How We Protect Your Data

Booking PII fields (name, email, date of birth, gender, sexuality, location) are encrypted at rest using AES-256-GCM with context-authenticated encryption.
Session chat messages, practitioner clinical notes, session recap summaries, and client private reflection notes are encrypted at rest using AES-256-GCM with context binding — each record's encryption is bound to its session context, making cross-record tampering cryptographically detectable.
Intake form responses are stored in the database encrypted at rest using AES-256-GCM with context-bound AAD, using the same encryption infrastructure as messages and clinical notes.
Passwords are hashed using bcrypt with a work factor appropriate to current hardware.
CSRF tokens protect all state-changing actions.
Login and registration endpoints are rate-limited and IP-blocked after repeated failures.
Sessions are subject to automatic inactivity timeout: 15 minutes for practitioner accounts (which have access to PHI), 30 minutes for client accounts. Both practitioner and client accounts support optional TOTP two-factor authentication (Google Authenticator compatible).
HTTP security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, Content-Security-Policy) are enforced when the platform is operating in production mode.
An audit log records sensitive data access and modification events including session joins, note writes, file uploads, session exports, and data deletion events. Each log entry includes a tamper-evident HMAC chain hash.
TLS/HTTPS is enforced at the server level for all transmissions when the platform is in production mode. WebRTC video/audio is encrypted in transit using DTLS-SRTP as enforced by the browser.

Section 09

Changes to This Notice

This privacy notice may be updated from time to time. The version number and date at the top of this page reflect the current version. Material changes affecting your rights will be communicated to registered users by email or platform notification where possible.

United States — HIPAA Notice of Privacy Practices & CCPA/CPRA

US Privacy Supplementary Notice

This section constitutes the HIPAA Notice of Privacy Practices (NPP) required under 45 CFR § 164.520. It applies to protected health information (PHI) processed by Serenity Spaces on US infrastructure. A supplementary California Consumer Privacy Act (CCPA/CPRA) notice follows for California residents.

YOUR RIGHTS UNDER HIPAA: This Notice describes how medical and mental health information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

How We May Use and Disclose Your PHI

Use / Disclosure	Basis	Authorisation Required?
Treatment — Providing, coordinating, or managing your healthcare and related services. This includes sharing information with practitioners involved in your care.	HIPAA Treatment Operations	No
Healthcare Operations — Activities necessary to run the platform: quality assessment, training, business planning, and compliance.	HIPAA Healthcare Operations	No
Payment — Processing or facilitating payment for your sessions.	HIPAA Payment Operations	No
As Required by Law — Disclosures required by applicable federal or state law, including disclosures to public health authorities, law enforcement under specific conditions, or judicial orders.	Legal obligation	No
Serious Threat to Health or Safety — Disclosure to prevent or lessen a serious and imminent threat to you or others, where disclosure is to a person reasonably able to prevent the threat.	HIPAA § 164.512(j)	No
All Other Disclosures — Any disclosure of your PHI not covered above, including to family members, employers, or for marketing purposes.	Your prior written HIPAA Authorization	Yes

Your HIPAA Rights

Right of Access

Inspect and obtain a copy of your PHI held in our designated record set. Requests responded to within 30 days (extendable once by 30 days with notice).

Right to Amend

Request amendment of PHI you believe is incorrect or incomplete. We may deny the request in certain circumstances and will explain why.

Right to an Accounting of Disclosures

Request a list of disclosures of your PHI made in the six years prior to your request, other than for treatment, payment, and operations.

Right to Request Restrictions

Request restrictions on certain uses and disclosures. We are not required to agree, except for disclosures to your health plan for items you paid out-of-pocket in full.

Right to Confidential Communications

Request that we communicate with you about your PHI by alternative means or at alternative locations.

Right to a Paper Copy

Request a paper copy of this Notice at any time, even if you previously agreed to receive it electronically.

Breach Notification

In the event of a breach of unsecured PHI, Serenity Spaces will notify affected individuals without unreasonable delay and within 60 days of discovery, as required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414). Large breaches affecting 500 or more individuals in a state are also notified to HHS and prominent media outlets in that state within 60 days.

Filing a Complaint

If you believe your HIPAA privacy rights have been violated, you may file a complaint with the controller (contact details above) or with the HHS Office for Civil Rights (OCR):

HHS Office for Civil Rights
200 Independence Avenue, S.W., Washington, D.C. 20201
Toll-free: 1-800-368-1019 · TDD: 1-800-537-7697
Web: hhs.gov/hipaa/filing-a-complaint

You will not be penalised for filing a complaint.

California Residents — CCPA/CPRA Notice

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you additional rights in relation to your personal information:

Right to Know

Know what personal information we collect about you, why we collect it, and who we share it with. You may request up to two disclosures in any 12-month period.

Right to Delete

Request deletion of personal information we have collected from you, subject to certain exceptions (e.g. legal retention obligations).

Right to Correct

Request correction of inaccurate personal information we maintain about you.

Right to Opt-Out of Sale/Sharing

We do not sell or share your personal information for cross-context behavioural advertising. No opt-out mechanism is required.

Right to Limit Sensitive PI Use

Limit the use and disclosure of sensitive personal information to purposes necessary to provide services to you.

Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

To exercise your CCPA/CPRA rights, contact the controller using the details in this notice. We will respond within 45 days (extendable by a further 45 days with notice). Requests are free of charge, up to twice per 12-month period.

To submit a complaint regarding our handling of your California privacy rights, contact the California Privacy Protection Agency (CPPA) at cppa.ca.gov.