Feelpath Logo

Get Clarity on Your Privacy

Designed around privacy. Built for trust.

Here is an explanation of Feelpath Privacy from A–Z

What privacy means for therapy

Mental health data is some of the most sensitive data there is, because therapy is very personal. We keep it that way by limiting what we save to what's essential to get helpful insights for you to learn, grow, and reflect.

How our privacy system works

Diagram of Feelpath's privacy system showing encryption, de-identification, and zero-data-retention across your device, our servers, and AI processing

What we save

Session metadata

Start/end times, participants, and BAA agreements.

Session transcript

Who said what when, plus saved sharing/consent state.

Session insights

AI observations, analytics you turn on, and therapy notes.

Privacy means control you can actually use, and the confidence to speak freely in therapy—clear settings sit next to what they control: sharing, downloads, deletions, and AI. Therapists can see what they're responsible for; clients can see what they've shared and with whom. Both sides can review access logs, set safer defaults, and use expiring links when sharing is needed.

Our Privacy Values-in-Practice

Our values for Feelpath privacy are tied to the values of mental health and therapy: Honesty, Clarity, Confidentiality, and Consent. Here's what that means for you.

1) Honesty

We think therapy deserves honesty, and so we want to have a real conversation with you about privacy. Our goal with this page is to be upfront and straightforward about what we're doing and why. We'll be real with you about what our privacy systems can and cannot do. We'll be clear about what we consider “data,” why it's needed, and in which cases it's needed. The exact choices you have—security, sharing, and protection—are available as configurable settings. When something important changes, we'll tell you ahead of time and log it publicly.

2) Clarity

We aim to make this clear and understandable. We use everyday language and visual diagrams to show where information lives and how it moves. We work hard on the design so privacy controls are easy to find and use. We simplify where we can and highlight every control. We won't hide controls or bury choices.

3) Confidentiality

We want you to see Feelpath as we see Feelpath, as a protected space—private by default. Your information is protected while it's sent and while it's stored with strong encryption. Our systems run in the U.S. on a private network with no public inbound access; data lives in our controlled storage and encrypted backups. Access is limited, logged, and reviewable.

We don't trade, sell, share, or use your information for advertising. We use your data only to run the service and provide value back to you (like insights you turn on). If the law requires us to keep something, we'll say what it is and for how long.

4) Consent

Feelpath is designed around your consent. Your choices matter—and you can change your consent at any time. You can turn sharing and AI features on or off with clear buttons. You can opt out of AI features altogether. You can download your information or delete your account yourself; we'll confirm deletion.

Where does your privacy start?

How your data flows:

1

BAAs

“BAA” stands for Business Associate Agreement. It's a HIPAA contract that says we will protect health information and use it only to run the service. Therapists who use Feelpath sign a BAA with us so we are both operating under HIPAA. This is where privacy starts with Feelpath: before any data is shared, we put a clear, binding agreement in place about how it's protected, who can access it, and how it can be used.

BAA signing on iPhone

Description: Therapists can sign our BAA from their profile

2

Consent

Informed Consent means people understand what is being collected, why, and how it will be used before they agree. Release of Information (ROI) is requested at the beginning of each video session for both therapist and patient, ensuring transparency and consent.

Consent example UI showing join screen with transcript options

Description: Everyone joining a call is prompted for a "Release of Information (ROI)"

3

Saving transcript

Saving the transcript gives you a private, accurate record of the session so you can reflect, generate notes, and track progress over time. It lives in your account, encrypted, and you decide if and with whom to share it. You can download it, delete it, or keep it just for yourself.

Saved session transcript in the Feelpath dashboard

Description: Session transcripts are saved to your secure dashboard for later review

4

AI usage

For AI features, we follow three rules:

  1. Send only the minimum necessary
  2. De-identify when possible
  3. Require zero-data-retention with our model provider


    4. What this means is your content isn't stored, isn't logged for human review, isn't written to disk, and isn't used to train models. It is used only briefly in memory to produce the results.

HIPAA Protection with our partner OpenAI

Use OpenAI's powerful GPT models with our enterprise HIPAA agreement already in place. Your data is processed securely under strict medical privacy standards, with no training on your information.

Zero-Data-Retention (ZDR)
No training on your data
Regular security audits
State-of-the-art AI capabilities

Your information, your choices

Consent Management

Control who sees your transcripts with revocable consent. You can grant or revoke viewing permissions for yourself and other session participants at any time.

Transcript Downloads

Download your session transcripts in text format anytime. Keep your own records of your therapy journey for personal reflection or continuity of care.

Right to be Forgotten

If you decide to leave Feelpath, we delete your data from active systems and let encrypted backups expire automatically. Certain non-content items (for example, billing receipts and security logs) may be retained briefly as required by law or policy, then deleted or de-identified on schedule.

HIPAA in Practice

We take a comprehensive HIPAA-compliant approach to protecting your most sensitive information. Here's what it means for you:

Encryption at Rest

Your data is encrypted when stored on our servers using AES-256 encryption—the same standard used by banks and government agencies. Even if someone gained physical access to our servers, your data would be unreadable.

Encryption in Transit

Every bit of data traveling between your device and our servers is protected with TLS 1.3 encryption. It's like sending your information in an armored vehicle that only you and your therapist can unlock.

Auditable Compliance Logs

Every access to your data is logged and auditable. We monitor who accessed what, when, and why—creating a transparent trail that ensures accountability.

Business Associate Agreements (BAAs)

We sign BAAs with the providers that power our video and infrastructure. This legally binds them to the same strict privacy standards we follow.

Running a HIPAA-Compliant Business

Our entire company operates under HIPAA guidelines. From employee training to physical security, every aspect of our business is designed to protect your privacy.

Our Commitment to You

Your privacy isn't just important to us—it's fundamental to everything we do. We built Feelpath because we believe our technology can enhance therapy while respecting its sacred, confidential nature.

We promise to always be transparent about our practices, give you control over your data, and continuously work to earn and maintain your trust.

If you ever have questions about your privacy or want to understand more about how we protect your data, please reach out to us at support@feelpath.com. We're here to help you feel completely reassured about your security.

Get Started

Frequently Asked Privacy Questions

PHI is Protected Health Information—anything that identifies you and relates to your health or care. On Feelpath this means name, email, session start/end times, session transcripts, BAA agreements, and technical identifiers tied to your account. Fully de-identified data is not PHI.

HIPAA is a U.S. law governing how health information is used, shared, and protected. Key parts you'll feel: Privacy Rule, Security Rule, and Breach Notification Rule. We operate under BAAs and follow HIPAA requirements across our systems and processes. HITECH Act, or Health Information Technology for Economic and Clinical Health Act, is a U.S. law that strengthens the privacy and security provisions of the Health Insurance Portability and Accountability Act (HIPAA)

'Data' means anything created or saved when you use Feelpath: profile info, session media and transcripts, messages, files, settings, timestamps, and certain technical details tied to your account. We treat as PHI anything that identifies you and relates to care or payment. De-identified, aggregated metrics and logs with identifiers removed are not PHI; when in doubt, we treat data like PHI.

Our product uses AI models to make additional observations on your transcript text and output what we call Session Insights, such as summaries, self-talk analysis, emotional clarity, and more. We believe in the value of getting extra attention for you and your session, and your growth, so we're using AI to help you get the most out of your session.

Yes—so long as you keep your account with us, we keep only what's needed to provide our services to you. If you decide to leave, we can certify your data was deleted.

No one can promise zero risk, but we reduce it by design: we route sensitive data through ZDR, apply strong security practices, operate a private cloud network (VPC) with no public inbound access, enforce least-privilege access, and maintain comprehensive logging and review.

Confidentiality means only the right people can see your information, only for the right purpose, and under controls that are provable. Confidentiality is different from anonymity or de-identification. If a session is transcribed, it's linked to an individual's profile so that only the clinician and the individual can access it—and only them by default. In this case, who can see your data? It is confidential between you and your therapist (assuming you consent to give them access). The content is encrypted, and access is role-limited and fully logged. Identified data doesn't make the data non-confidential. The confidentiality comes from who can access your data and under what rules, not from stripping identity.

Our approach: purpose limitation (use data only to deliver the service), data minimization, transparency, and honesty. These principles guide our product design and data operations.

Using data responsibly—treating our Feelpath customers fairly, keeping data secure and minimal, explaining how AI works and its limits, and ensuring our customers stay in the loop for consequential decisions.

Zero-Data-Retention (ZDR) means that our AI providers have agreed that any information (PHI or otherwise) sent to them for AI processing (1) is not written to disk, (2) is not logged for human review, and (3) lives only briefly in memory to fulfill the request.

Yes. We have a dedicated HIPAA workflow with our model provider (OpenAI) that follows ZDR: data sent for processing is not logged for human review, not written to disk, and not stored in the cloud, and only used transiently in memory to produce the result and then discarded.

Zero-Data-Retention is contractual in our legal agreement with OpenAI, with federal oversight. OpenAI is audited by HHS (U.S. Department of Health and Human Services) on their BAA contracts, including their code and logs.

No, definitely not. Data sent to our model provider (OpenAI) is sent through our HIPAA workflow and follows ZDR so it isn't stored. OpenAI's HIPAA APIs do not use customer data to train models.

Yes. You can disable AI features entirely by declining ROI at the beginning of each session.

HIPAA (a federal law) doesn't set a nationwide medical-record retention period—states do. When you work with a therapist on Feelpath, they're the custodian of your clinical record and may have to keep a copy under their state's rules. When you delete your Feelpath account, we delete your data from our active systems; any encrypted backups auto-expire and aren't used for anything. We also keep a few HIPAA-required documents (policies, notices, certain authorizations—not your session content or PHI) for six years, as required by law.

Lawful requests can be received by any company. If served with a subpoena about you or your data, we will (1) notify you (the covered entity) immediately and (2) only disclose as required by law. We neither submit data to insurers nor invoke Tarasoff duty-to-warn reporting; our role is strictly that of an educational technology platform, not a healthcare provider. Information is released only when legally compelled.

The data is stored in our private cloud network (VPC) in the U.S., either in Northern Virginia or Oregon. We use a private network with no public inbound access.

No. We do not submit data to insurers nor invoke Tarasoff duty-to-warn reporting; our role is strictly that of an educational technology platform, not a healthcare provider. Information is released only when legally compelled.

At the end of a therapy session, we kick off processing the transcript. The energy use is roughly equivalent to running a microwave for 30 seconds to 1 minute. There is a link below if you want to read more about how this is calculated. At Feelpath, we use one of the most energy- and cost-efficient models available today, and we process only the minimum amount of data needed to provide our service.

Read the analysis by Epoch AI
View all frequently asked questions