OpenMind

Privacy Policy

Last updated: July 3, 2026

OpenMind ("we", "us") operates a platform that connects people with licensed clinicians for group and individual therapy sessions, on the web and through our iOS and Android apps. This policy explains what we collect, why, who we share it with, and the choices you have. Because OpenMind handles health-related information, we hold ourselves to the standards of the U.S. Health Insurance Portability and Accountability Act (HIPAA) where it applies.

Information we collect

  • Account information — name, email address, password (stored only as a hash by our authentication provider), age, and ZIP code. Clinicians additionally provide license number and licensure type for vetting.
  • Health-related information — the therapy sessions you browse, book, and attend; interest areas (for example, anxiety or stress); attendance check-ins; feedback you submit; and the content of support or dispute conversations.
  • Payment information — processed by Stripe. We never see or store your card or bank numbers; we keep transaction records (amounts, dates, status) for your purchases.
  • Location — with your permission, the mobile app uses your device location only to show nearby in-person sessions. We geocode session venue addresses and ZIP codes; we do not track your movements.
  • Technical and security data — IP address, device/browser type, and security-relevant events (sign-ins, permission denials, record access) kept in a tamper-evident audit log to protect your account and meet our compliance obligations.

How we use it

  • Provide the service: match, book, remind, and check you into sessions.
  • Process payments and prevent fraud.
  • Send transactional email (booking confirmations, reminders, consent requests).
  • Vet clinicians and resolve disputes.
  • Secure the platform and keep legally required audit records.

We do not sell your personal information, and we do not use your health information for advertising.

Who we share it with

Only service providers that operate the platform, bound by contract:

  • Supabase — database, authentication, and file storage.
  • Stripe — payment processing.
  • Brevo — transactional email delivery.
  • Google Maps — geocoding of session venue addresses and ZIP codes only (no identity attached).
  • Apple / Google Wallet — only if you add an optional check-in pass to your wallet.

Your clinician sees the information needed to run the sessions you register for. Guardians of minors receive consent requests. We disclose information if required by law.

Minors

Users aged 13–17 may register only with verifiable guardian consent; the account stays inactive until the guardian approves. We do not knowingly collect data from children under 13.

Security

All traffic is encrypted in transit (TLS) and data is encrypted at rest. Access is restricted by row-level security, staff access to records is logged, two-factor authentication is available on all accounts (and enforced for administrators), and mobile sessions are stored in the device's secure enclave/keystore. Sessions time out after 15 minutes of inactivity.

Retention

Account and health-related data are kept while your account is active. When you delete your account, your profile is anonymized; payment and security-audit records are retained as required by law (financial-records and HIPAA audit-trail requirements) but are unlinked from your deleted identity.

Your choices and rights

  • Access and update your profile in the app at any time.
  • Delete your account in Settings, or see Delete Your Account.
  • Decline location and camera permissions — related features simply stay off.
  • Contact support@openmind.com for any privacy request or question.

Changes

We will post any material change to this policy here and update the date above. Continued use after a change means you accept the updated policy.