Privacy Policy
1. Introduction
BusyBook Ltd. Co. ("BusyBook," "we," "us," or "our") operates the BusyBook practice management platform for massage therapists and related wellness professionals. This Privacy Policy describes how we collect, use, disclose, and safeguard information — including Protected Health Information ("PHI") — when you use our platform, website (busybook.co), mobile applications, and related services (collectively, the "Services").
BusyBook operates as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations, including the HIPAA Privacy Rule (45 CFR Part 164, Subpart E) and the HIPAA Security Rule (45 CFR Part 164, Subpart C). We also comply with applicable state laws, including the Texas Medical Records Privacy Act (Health & Safety Code Chapter 181), the Texas Data Privacy and Security Act (Business & Commerce Code Chapter 541), and the Texas Data Breach Notification Act (Business & Commerce Code Section 521.053).
Legal Entity: BusyBook Ltd. Co.
1209 Mountain Road PL NE, Ste R, Albuquerque, NM 87110, USA
Privacy Contact: [email protected]
2. Information We Collect
2.1 Therapist Account Information
When you create a BusyBook account, we collect:
- Identity information: Full name, email address, phone number
- Business information: Practice name, business address, business phone
- Professional credentials: State license number, license type, licensing authority
- Financial information: Tax identification number, payment method details (tokenized — we do not store raw card numbers)
- Brand preferences: Logo, brand colors, fonts, tone of voice settings
- Operational data: Business hours, service menu (services, durations, pricing), scheduling preferences
2.2 Client Health Information (PHI) — Managed by You
As a Business Associate, we process PHI that you (the therapist, acting as the Covered Entity) enter into the platform on behalf of your clients. This includes:
- Client demographics: Names, contact information, date of birth, emergency contacts
- Medical history and intake: Health history questionnaires, intake forms, contraindications, allergies, medications, prior injuries
- Appointment records: Dates, times, services rendered, appointment status, cancellation history
- Session and treatment records: SOAP notes, session duration, treatment protocols, therapist observations, progress notes
- Billing and payment records: Session charges, payment history, outstanding balances, insurance information, expense records
- Communications: Messages exchanged between therapist and client via the platform
- Relationship data: Visit frequency, retention status, referral source
You, the therapist, are the Covered Entity under HIPAA and are responsible for obtaining all necessary client consents and authorizations before entering PHI into BusyBook.
2.3 AI-Processed Data
When you use BusyBook's AI features (therapy protocol generation, SOAP note assistance, session summaries), session context is transmitted to our AI inference providers under strict contractual PHI protections:
- Prompts: Session context, client presentation details, treatment parameters (as entered by you)
- Responses: AI-generated therapy protocols, SOAP note suggestions, session summaries
AI processing operates under a privacy-preserving architecture: providers are contractually prohibited from retaining, training on, or using any session data for purposes beyond returning the inference response. Client-identifying information is removed or generalized before transmission where technically feasible (see Section 5.3); whatever remains is still handled as PHI under the provider's BAA. AI-generated content that you save becomes part of the session record and is retained as PHI.
2.4 Information Collected Automatically
- Usage analytics: Pages visited, features used, click patterns, session duration (no PHI included)
- Device information: IP address, browser type and version, operating system, device type
- Log data: Server access logs, error logs, API request metadata
- Cookies and similar technologies: See our Cookie Policy
2.5 Website Visitor Information
- Lead and waitlist data: Name, email, practice information (if voluntarily submitted)
- Website analytics: Page views, referral sources, engagement metrics (anonymized)
- Marketing interaction data: Email opens, link clicks, campaign responses
3. How We Use Your Information
| Purpose | Legal Basis | Data Types |
|---|---|---|
| Provide the platform | Contract performance; BAA | Account info, PHI, operational data |
| Process payments and billing | Contract performance | Financial information, billing records |
| Send transactional notifications | Contract performance; legitimate interest | Contact info, appointment data |
| Generate AI-assisted content | Contract performance | Session context, treatment parameters |
| Improve the platform | Legitimate interest | Anonymized usage analytics (no PHI) |
| Ensure security and prevent fraud | Legal obligation; legitimate interest | Access logs, authentication data |
| Comply with legal obligations | Legal obligation (HIPAA, state law) | Audit logs, compliance records |
| Marketing communications | Consent (opt-in) | Email address (therapist only) |
We do not use client PHI for marketing, advertising, analytics, product improvement, or AI model training.
4. PHI Handling Under the HIPAA Privacy Rule
4.1 Our Role
BusyBook is a Business Associate as defined in 45 CFR §160.103. You (the therapist) are the Covered Entity. We handle PHI only as permitted by our Business Associate Agreement and the HIPAA Privacy Rule.
4.2 Permitted Uses and Disclosures
- Treatment, Payment, and Healthcare Operations (TPO): We process PHI to enable you to provide treatment, process payments, and conduct healthcare operations.
- As directed by you: We follow your written instructions regarding PHI use and disclosure.
- As required by law: We disclose PHI when required by federal, state, or local law.
- For platform operation: Our workforce accesses PHI only to the minimum extent necessary to operate and support the platform (Minimum Necessary Standard).
4.3 Prohibited Uses
We do not:
- Sell PHI
- Use PHI for marketing without your written authorization
- Use PHI for underwriting purposes
- Use PHI to train AI models
- Re-identify de-identified data
- Disclose PHI to any unauthorized party
4.4 Minimum Necessary Standard
We apply the HIPAA Minimum Necessary Standard (45 CFR §164.502(b)) to all internal uses of PHI. Role-based access controls and row-level security enforce this at the database level.
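To show what database-level enforcement of that kind looks like on Postgres (the database behind Supabase, the subprocessor listed in Section 5.2), the following is an added example written for this page; it is not BusyBook's schema or code. The table names and columns, the `support_staff` role, the Supabase `authenticated` role and the `auth.uid()` helper (which returns the caller's JWT `sub` claim, derived from the `request.jwt.claims` setting) are assumptions made for the illustration.

```sql
-- Added example: hypothetical schema, not BusyBook's. Assumes Postgres with
-- Supabase's auth.uid() helper and its "authenticated" role.

create table clients (
  id            uuid primary key default gen_random_uuid(),
  therapist_id  uuid not null,        -- owning therapist (auth.users.id)
  full_name     text not null,
  date_of_birth date,
  allergies     text                  -- clinical detail: PHI
);

create table session_notes (
  id            uuid primary key default gen_random_uuid(),
  client_id     uuid not null references clients(id),
  therapist_id  uuid not null,
  soap_note     text
);

-- Policies do not grant privileges by themselves; the role still needs them.
grant select, insert, update, delete on clients, session_notes to authenticated;

-- 1. Turn RLS on and make it apply even to the table owner. Without "force",
--    a connection as the owning role silently bypasses every policy.
alter table clients       enable row level security;
alter table clients       force  row level security;
alter table session_notes enable row level security;
alter table session_notes force  row level security;

-- 2. A therapist sees and writes only rows they own. "using" filters reads and
--    the rows an update or delete may touch; "with check" blocks inserting a
--    row, or re-pointing one, under another therapist's id.
create policy therapist_own_clients on clients
  for all to authenticated
  using      (therapist_id = auth.uid())
  with check (therapist_id = auth.uid());

create policy therapist_own_notes on session_notes
  for all to authenticated
  using      (therapist_id = auth.uid())
  with check (therapist_id = auth.uid());

-- 3. Minimum necessary for a scheduling role: staff may look a client up by
--    name but never need clinical columns or session notes. Column-level
--    grants withhold those columns regardless of what any policy allows.
create role support_staff nologin;
grant select (id, therapist_id, full_name) on clients to support_staff;
revoke all on session_notes from support_staff;
create policy support_read_clients on clients
  for select to support_staff
  using (true);                       -- every row, but only the granted columns

-- 4. Check the policy by impersonating a therapist inside one transaction.
--    Supabase derives auth.uid() from request.jwt.claims, so setting that
--    value locally is enough to exercise the policy (assumption about the
--    helper's implementation).
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
                    '{"sub":"11111111-1111-1111-1111-111111111111"}', true);
  -- Returns only rows whose therapist_id is 1111...; other therapists'
  -- clients are simply absent rather than raising a permission error.
  select id, full_name from clients;
  -- Rejected by the "with check" clause: a note cannot be filed under
  -- another therapist's id ("new row violates row-level security policy").
  insert into session_notes (client_id, therapist_id, soap_note)
    values ('22222222-2222-2222-2222-222222222222',
            '33333333-3333-3333-3333-333333333333', 'S: client reports ...');
rollback;
```

Two points worth checking in any real deployment of this pattern: a connection that uses a privileged service key (Supabase's service role, or any role with `BYPASSRLS`) is not subject to these policies at all, so such credentials belong only to server-side code that never takes a user-supplied therapist id; and column-level grants, not policies, are what keep clinical fields away from a role that legitimately needs a few scheduling columns, because a policy can only decide which rows are visible.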
4.5 De-Identification
If we de-identify health information, we do so in accordance with the Safe Harbor method (45 CFR §164.514(b)) or the Expert Determination method. De-identified data is no longer PHI.
4.6 Your Obligations as Covered Entity
As the Covered Entity, you are responsible for:
- Providing a Notice of Privacy Practices to your clients
- Obtaining client consent and authorizations for data collection and storage
- Executing a Business Associate Agreement with BusyBook before entering PHI
- Maintaining your own HIPAA compliance program
- Reporting suspected security incidents to [email protected] immediately
5. Business Associate Agreements
5.1 BusyBook ↔ Therapist
Before any PHI is processed, we require execution of a Business Associate Agreement ("BAA"). Contact [email protected] for details.
5.2 Subprocessors
| Subprocessor | Purpose | PHI Access | BAA Status |
|---|---|---|---|
| Supabase | Database, authentication, storage | Yes — all ePHI stored here | BAA in place |
| AI Inference Provider | AI inference | Yes — de-identified session context only; contractually prohibited from retention or secondary use | BAA in place |
5.3 AI Vendor Safeguards
- No model training: Provider may not use prompts or PHI to train, fine-tune, or improve AI models
- No retention: Provider may not retain session data beyond the scope of delivering the inference response
- Termination certification: Provider must certify destruction of all data upon contract termination
- No secondary use: Provider may not use PHI for any purpose other than providing the contracted inference service
- De-identification: Client-identifying information is removed or generalized before transmission where technically feasible
6. User Rights
6.1 Therapist Rights
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of all personal information we hold | Email [email protected] |
| Correction | Update or correct inaccurate information | Account settings or email |
| Deletion | Request deletion of your account and data | Email [email protected] |
| Data Portability | Export data in JSON or CSV format | Account settings or email |
| Opt-out | Unsubscribe from marketing communications | Unsubscribe link or account settings |
| Restrict Processing | Request limits on how we use your data | Email [email protected] |
Response timeline: We respond to all rights requests within 30 days.
6.2 Client Rights (Exercised Through You)
Your clients' rights under HIPAA are exercised through you as the Covered Entity, including right of access to their PHI, right to request amendment, right to an accounting of disclosures, and right to request restrictions. BusyBook provides the technical capability for you to fulfill these rights.
6.3 Texas Data Privacy and Security Act (TDPSA) Rights
For data outside HIPAA's scope, Texas residents have additional rights under the TDPSA including access, correction, deletion, portability, and the right to opt out of targeted advertising. We honor Global Privacy Control (GPC) browser signals. Contact [email protected] to exercise TDPSA rights. We respond within 45 days.
7. Security Measures
We implement comprehensive safeguards consistent with the HIPAA Security Rule (45 CFR Part 164, Subpart C).
| Layer | Standard |
|---|---|
| Data in transit | TLS 1.3 enforced; HSTS enabled |
| Data at rest | AES-256 encryption for all database storage and backups |
| Key management | Secure key management with restricted access |
| Backup encryption | All backups encrypted at rest |
For full details, see our Security Practices page.
8. Breach Notification
8.1 HIPAA Breach Notification
Under 45 CFR §164.410, our direct obligation as a Business Associate is to notify you, the Covered Entity. Notification of affected individuals and of HHS is your obligation under 45 CFR §§164.404 and 164.408; we will supply the information you need to make those notifications, including the identities of the affected individuals and the details of the breach.
- Notify affected therapist: Within 24 hours of a confirmed breach, and in any case no later than the 60 days after discovery that 45 CFR §164.410(b) allows
- Notify affected individuals: Without unreasonable delay and within 60 days of discovery
- Notify HHS: Within 60 days of discovery if 500 or more individuals are affected; within 60 days after the end of the calendar year of discovery if fewer than 500
8.2 Texas Breach Notification
- Notify affected individuals: Within 60 days
- Notify Texas Attorney General: Within 30 days if 250+ Texas residents affected
8.3 Your Role
If you suspect unauthorized access: immediately change your password, contact [email protected], document what you observed, and do not delete any data.
9. Data Retention and Deletion
| Data Category | Retention Period | Basis |
|---|---|---|
| Client PHI | Active account + 90 days | BAA (return or destruction at termination, 45 CFR §164.504(e)(2)(ii)(J)); state law |
| Financial and billing records | 7 years | IRS requirements |
| HIPAA audit logs | 6 years | 45 CFR §164.530(j) |
| AI prompts/responses | Not retained beyond the inference request; contractual data-minimization controls (Section 5.3). AI output that you save becomes part of the session record and follows the Client PHI retention period | Data minimization; BAA |
| Application error logs | 90 days | Operational |
| Database backups | 30 days (rolling) | Disaster recovery |
Account Closure Process
- Day 0: Initiate closure via account settings or email [email protected]
- Days 0–7: Confirmation email; data export option offered. Export any records you are required to keep under your state licensing or medical-records retention rules at this stage, because deletion after the grace period is permanent
- Days 7–30: Grace period — account suspended, data preserved
- Days 30–90: All PHI permanently deleted from production databases
- Day 90: Final backup rotation completes; deletion confirmation sent
10. Infrastructure and Data Residency
BusyBook operates on secure, managed infrastructure in the United States with strong data isolation, encryption controls, and physical security. All ePHI is processed and stored within infrastructure controlled by BusyBook or by the subprocessors listed in Section 5.2, and does not leave the United States.
BusyBook's architecture also supports therapists who wish to self-host their own instance. Contact [email protected] for information about self-hosted deployment options.
11. Information Sharing and Disclosure
We do not sell, rent, or trade your personal information or your clients' PHI to any third party.
We may disclose information when required by law, including court orders, subpoenas, law enforcement requests, public health authorities, health oversight agencies, or to protect the rights, safety, or property of BusyBook, our users, or others.
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the successor entity. We will notify you before your information becomes subject to a different privacy policy.
12. Cookies and Tracking Technologies
We use cookies and similar technologies. See our Cookie Policy for full details. We honor Global Privacy Control (GPC) browser signals. We do not use third-party advertising cookies.
13. International Data Transfers
All data is processed and stored on servers located in the United States. We do not currently transfer data outside the United States.
14. Children's Privacy
BusyBook is not intended for use by individuals under 18. If you are a therapist who treats minors, you are responsible for obtaining parental or guardian consent before entering minor client information into the platform.
15. Changes to This Privacy Policy
We will notify you via email and/or in-platform notification at least 30 days before material changes take effect. Your continued use after changes constitutes acceptance.
16. Contact Us
Privacy Inquiries: [email protected]
Security Issues: [email protected]
General Support: [email protected]
Mailing Address: BusyBook Ltd. Co., 1209 Mountain Road PL NE, Ste R, Albuquerque, NM 87110, USA
This Privacy Policy is provided for informational purposes. BusyBook recommends that therapists consult their own legal counsel regarding their individual HIPAA and state privacy law obligations. This document does not constitute legal advice.
