Get Clarity on Your Privacy
Designed around privacy. Built for trust.
Here is an explanation of Feelpath Privacy from A–Z
What privacy means for therapy
Mental health data is some of the most sensitive data there is, because therapy is very personal. We keep it that way by limiting what we save to what's essential, to get helpful insights for you to learn, grow, and reflect.
How our privacy system works

What we save
Session metadata
Start/end times, participants, and BAA agreements.
Session transcript
Who said what when, plus saved sharing/consent state.
Session insights
AI observations, analytics you turn on, and therapy notes.
Privacy means control; the confidence to speak freely in therapy. Clear settings sit next to what they control: sharing, downloads, deletions, and AI. Therapists can see what they're responsible for; clients can see what they've shared and with whom. Both sides can review access logs, set safer defaults, and use expiring links when sharing is needed.
Our Privacy Values-in-Practice
Our values for Feelpath privacy are tied to the values of mental health and therapy: Honesty, Clarity, Confidentiality, and Consent. Here's what that means for you.
1) Honesty
We think therapy deserves honesty, and so we want to have a real conversation with you about privacy. Our goal with this page is to be upfront and straightforward about what we're doing and why. We'll be real with you about what our privacy systems can and cannot do. We'll be clear about what we consider “data,” why it's needed, and in which cases it's needed. The exact choices you have—security, sharing, and protection—are available as configurable settings. When something important changes, we'll tell you ahead of time and log it publicly.
2) Clarity
We aim to make our views on privacy clear and understandable. We use everyday language and visual diagrams to show where information lives and how it moves. We work hard on the design so that privacy controls are easy to find and use. We simplify where we can and highlight every control. We won't hide controls or bury choices.
3) Confidentiality
We want you to see Feelpath as we see Feelpath, as a protected space—private by default. Your information is protected with strong encryption while it's sent from your computer to our servers and while it's stored. Our server and database run in the U.S. on a private network with no public inbound access; data lives in our controlled storage and encrypted backups. Access is limited, logged, and reviewable.
We don't trade, sell, share, or use your information for advertising. We use your data only to run Feelpath and provide value back to you. If the law requires us to keep something, we'll say what it is and for how long we'll have it.
4) Consent
Feelpath is designed around your consent. Your choices matter—and you can change your consent at any time. You can turn sharing and AI features on or off with clear buttons. You can opt out of AI features altogether. You can download your information or delete your account yourself; we'll confirm deletion.
Where does your privacy start?
How your data flows:
BAAs
“BAA” stands for Business Associate Agreement. It's a HIPAA contract that says we will protect health information and use it only to run the service. Therapists who use Feelpath sign a BAA with us so we are both operating under HIPAA. This is where privacy starts with Feelpath: before any data is shared, we put a clear, binding agreement in place about how it's protected, who can access it, and how it can be used.

Description: Therapists can sign our BAA from their profile
Consent
Informed Consent means people understand what is being collected, why, and how it will be used before they consent. A Release of Information (ROI) is requested from both therapist and patient at the beginning of each video session, via the consent checkboxes on the call setup page, ensuring transparency and consent.

Description: Everyone joining a call is prompted for a "Release of Information (ROI)"
Saving transcript
Saving the transcript gives you a private, accurate record of the session so you can reflect, generate notes, and track progress over time. It lives in your account, encrypted, and you decide if and with whom to share it. You can download it, delete it, or keep it just for yourself.

Description: Session transcripts are saved to your secure dashboard for later review
AI usage
For AI features, we follow three rules:
- Send only the minimum necessary data from our server to the LLM provider (OpenAI)
- De-identify when possible
- Require zero-data-retention with our AI LLM provider (OpenAI)
What this means is your content is stored by us, and NOT stored by the AI LLM provider (OpenAI). It is used only briefly by the LLM provider (OpenAI) to produce the AI results and then immediately deleted from memory, adhering to Zero-Data-Retention (ZDR). See table below for more details.
Use OpenAI's powerful GPT models with our enterprise HIPAA agreement already in place. Your data is processed securely under strict medical privacy standards, with no training on your information.
| Data | What Feelpath Stores | What LLM Provider (OpenAI) Stores |
|---|---|---|
| Session transcripts (if saved by you) | Yes (encrypted in your account) | No (nothing stored) |
| AI-generated results (insights, notes, summaries) | Yes (encrypted in your account) | No (nothing stored) |
| Used to train provider LLM models | No (never used for training) | No (never used for training) |
We use OpenAI Zero-Data-Retention (ZDR). Your content is not stored by the provider.
Your information, your choices
Individuals can control access to their transcripts post-session with revocable consent. If a transcript was previously shared with a therapist, the ability to revoke consent is always available to the individual.
Download your session transcripts in text format anytime. Keep your own records of your therapy journey for personal reflection and tracking over time.
If you decide to leave Feelpath, we delete your data from active systems and let encrypted backups expire automatically. Certain non-content items (for example, billing receipts and security logs) may be retained briefly as required by law or policy, then deleted or de-identified on schedule.
HIPAA in Practice
We take a comprehensive HIPAA-compliant approach to protecting your most sensitive information. Here's what it means for you:
Encryption at Rest
Your data is encrypted when stored on our servers using AES-256 encryption—the same standard used by banks and government agencies. Even if someone gained physical access to our servers, your data would be unreadable.
Encryption in Transit
Every bit of data traveling between your device and our servers is protected with TLS 1.3 encryption. It's like sending your information in an armored vehicle that only you and your therapist can unlock.
Auditable Compliance Logs
Every access to your data is logged and auditable. We monitor who accessed what, when, and why—creating a transparent trail that ensures accountability.
Running a HIPAA-Compliant Business
Our entire company operates under HIPAA guidelines. From employee training to physical security, every aspect of our business is designed to protect your privacy.
Your privacy isn't just important to us—it's fundamental to everything we do. We built Feelpath because we believe our technology can enhance therapy while respecting its sacred, confidential nature.
We promise to always be transparent about our practices, give you control over your data, and continuously work to earn and maintain your trust.
If you ever have questions about your privacy or want to understand more about how we protect your data, please reach out to us at support@feelpath.com. We're here to help you feel completely reassured about your security.
Frequently Asked Privacy Questions
PHI is Protected Health Information—anything that identifies you and relates to your health or care. On Feelpath this means name, email, session start/end times, session transcripts, BAA agreements, and technical identifiers tied to your account. Fully de-identified data is not PHI.
HIPAA is a U.S. law governing how health information is used, shared, and protected. Key parts that impact you: Privacy Rule, Security Rule, and Breach Notification Rule. We operate under BAAs and follow HIPAA requirements throughout all our systems and processes. The HITECH Act (Health Information Technology for Economic and Clinical Health Act) is a U.S. law that strengthens the privacy and security provisions of the Health Insurance Portability and Accountability Act (HIPAA).
'Data' means anything created or saved when you use Feelpath: profile info, session content and transcripts, messages, files, settings, timestamps, and certain technical details tied to your account. We treat anything that identifies you and relates to your care or payment as PHI. De-identified data and server application logs with identifiers removed are not PHI, but when in doubt, we treat data like PHI.
Our product uses AI models to make additional observations on your transcript text and output what we call Session Insights, such as summaries, self-talk analysis, emotional clarity, and more. We believe in the value of diving deeper into your session and your growth, so we're using AI to help you get the most out of your session.
Yes—so long as you keep your account with us, we keep only what's needed to provide our services to you. If you decide to leave, we can certify your data was deleted.
No one can promise zero risk, but we reduce it by design: we protect sensitive data by using Zero-Data-Retention (ZDR) AI, apply strong security practices, operate a private cloud network (VPC) with no public inbound access, enforce industry-trusted methods for security, and maintain comprehensive logging and review.
Confidentiality means only the right people can see your information, and only for the right purpose. Confidentiality is different from anonymity or de-identification. If a session is transcribed, it's linked to an individual's profile so that only the clinician and the individual can access it—and only them by default. In the case of Feelpath, who can see your data? It is confidential between you and your therapist (assuming you consent to give them access). The content is encrypted, and access is consent-dependent, system-limited, and fully logged. Our promise of confidentiality means our team keeps all information private. In rare and unique circumstances where our software is not working as expected, we follow HIPAA-enforced protocols and use de-identification to fix the service—while maintaining confidentiality and restricted access. All fixes and access roles are logged.
Our approach: purpose limitation (use data only to deliver the service), data minimization (only collect the minimum necessary data), transparency, and honesty. These principles guide our product design and data operations.
Using data responsibly—treating our Feelpath customers fairly, keeping data secure and minimal, explaining how AI works and its limits, and ensuring our customers stay in the loop for consequential decisions.
Zero-Data-Retention (ZDR) means that our AI providers have agreed that any information (PHI or otherwise) sent to them for AI processing is (1) not written to disk, (2) not logged for human review, and (3) lives only briefly in memory to fulfill the request.
Yes. We have a dedicated HIPAA-compliant workflow with our AI model provider (OpenAI) that follows ZDR: data sent for processing is not logged for human review, not written to disk, and not stored in the cloud; only used transiently in memory to produce the result and then discarded.
Zero-Data-Retention is contractual in our legal agreement with OpenAI, with federal oversight. OpenAI is audited on their BAA contracts by HHS (U.S. Department of Health and Human Services), including their code and logs.
No, definitely not. Data sent to our model provider (OpenAI) is sent through our HIPAA-compliant workflow and follows ZDR so that it isn't stored. Our agreement with OpenAI ensures that they do not use your data to train models.
Yes. You can disable AI features entirely by declining ROI at the beginning of each session.
HIPAA (a federal law) doesn't set a nationwide medical-record retention period—states do. When you work with a therapist on Feelpath, they're the custodian of your clinical record and may have to keep a copy under their state's rules. When you delete your Feelpath account, we delete your data from our active systems; any encrypted backups auto-expire and aren't used for anything. We also keep a few HIPAA-required documents (policies, notices, certain authorizations—not your session content or PHI) for six years, as required by law.
Lawful requests can be received by any company. If served with a subpoena about you or your data, we will (1) notify you (the covered entity) immediately and (2) only disclose as required by law. We neither submit data to insurers nor invoke Tarasoff duty-to-warn reporting; our role is strictly that of an educational technology platform, not a healthcare provider. Information is released only when legally compelled.
The data is stored in our private cloud network (VPC) in the U.S., either in Northern Virginia or Oregon. We use a private network with no public inbound access.
No. We neither submit data to insurers nor invoke Tarasoff duty-to-warn reporting; our role is strictly that of an educational technology platform, not a healthcare provider. Information is released only when legally compelled.
At the end of a therapy session, we begin processing the transcript. The energy use is roughly equivalent to running a microwave for 30-60 seconds. There is a link below if you want to read more about how this is calculated. At Feelpath, we use one of the most energy-efficient and cost-efficient models available, and we process only the minimum amount of data needed to provide our service.
Read the analysis by Epoch AI