
Privacy Policy

Last updated: 16 June 2026

HJachi builds software for psychologists and clinical counsellors. Protecting the information of practitioners and the people they support is foundational to how the product is designed - not an afterthought. This policy explains what we collect, why, and the choices you have.


1. Who this policy covers

This policy applies to hjachi.com and the HJachi applications (the Provider app at heal.hjachi.com, the Client space at haven.hjachi.com, and our iOS and Android apps).

For practitioners, HJachi is the data controller of your account information. For clinical records about the people you support, the practice is the controller and HJachi acts as a processor / business associate on your behalf, under a separate agreement.

2. Information we collect

Information you provide

  • Account details - name, email, professional title, licence number, practice name.
  • The clinical information you enter - caseload records, scheduling, consent records, session notes and outcome measures.
  • Early-access enquiries - if you join our early-access list, we store the email address you submit and basic attribution (such as the page that referred you).

Information collected automatically

  • Basic device and usage data needed to operate and secure the service (for example, IP address, browser/user-agent, and timestamps).
  • We do not use third-party advertising trackers on our applications.

3. On-device audio & transcription

When a Session is recorded, the audio never leaves the Provider's device. Speech-to-text runs locally (Apple Speech on iOS, whisper.cpp on Android). Only the resulting text transcript is uploaded, and only after the Provider confirms it. The audio recording is deleted once the transcript is verified. We never send session audio to any third-party transcription vendor.

4. How we use information

  • To provide, maintain, and secure the platform.
  • To generate draft clinical Notes from confirmed transcripts, for the Provider to review and sign.
  • To send service communications (and, where you've asked, early-access updates).
  • To meet legal, regulatory, and security obligations.

We do not sell personal information, and we do not use clinical content to train third-party AI models.

5. Protected health information (PHI)

HJachi is built to align with the major health-privacy regimes - HIPAA (US), PIPEDA and provincial law (Canada), India's DPDP Act, and GDPR (EU/EEA). The service is initially offered in Canada, the United States, and India, with broader availability over time. Clinical content is treated as protected health information and handled under a Business Associate Agreement with each practice. Push notifications never contain PHI - they carry opaque identifiers that are resolved inside the authenticated app.

6. Sharing & sub-processors

We share information only with infrastructure providers required to run the service, under contract and confidentiality obligations:

  • Amazon Web Services - hosting, database, authentication, and encrypted storage (under a BAA).
  • Real-time media provider - for encrypted telehealth sessions (under a BAA).
  • Stripe - subscription billing for practices (billing contact details only; no clinical content).
  • Google Firebase Cloud Messaging - push notification delivery (device push token only; no PHI in notification content).
  • AWS Bedrock - drafting clinical notes and reports from a confirmed text transcript (processed under our AWS agreement; not used to train models).

We disclose information when required by law, or to protect the rights and safety of users and the public.

7. How we protect information

  • Encryption in transit (HTTPS / WSS) and at rest - the database (AWS RDS, encrypted with a dedicated, rotated KMS key) and file storage (S3 SSE-KMS).
  • Consent is enforced at three levels - the app's session state machine, the API, and the UI.
  • Signed clinical notes are immutable; amendments are tracked as separate records.
  • Access controls, audit logging, and least-privilege practices across our infrastructure.

8. Data retention

Clinical records are retained according to the practice's configured retention policy and applicable professional/legal requirements. Account data is kept while your account is active. Early-access emails are kept until you ask us to remove them or the programme ends.

9. Your rights & choices

Depending on your location, you may have rights to access, correct, export, or delete your personal information. Practitioners can manage and export practice data from the app. For requests about clinical records, the practice (as controller) is the first point of contact. To exercise any right, contact us below.

Deleting your account

You can request deletion of your account at any time, either from within the app (Account → Delete account) or by visiting hjachi.com/delete-account or emailing privacy@hjachi.com - no app install required. When you request deletion, we revoke access to your account and schedule your data for removal after a 30-day grace period, during which you can cancel the request by signing back in. After the grace period we permanently delete the personal information associated with your account.

One exception: where HJachi holds clinical records on behalf of a practice, that practice is legally required to retain those records for a period set by professional and legal rules in its region. In that case we retain the minimum information required, isolate it from active use, and permanently delete it once the retention period ends. We will tell you what is being retained and why.

10. Children & minors

A provider may deliver care to a minor through HJachi. Where a client is a minor, the account is established and supervised with the involvement and consent of a parent or legal guardian, in line with the provider's clinical and legal obligations and applicable law in the client's region. A parent or guardian may exercise the rights described above on the minor's behalf, including access and deletion, by contacting the provider or us. We do not knowingly use a minor's information for any purpose beyond delivering and supporting their care, and never for advertising.

11. Contact us

Questions about this policy or your data? Email privacy@hjachi.com. We update this policy as the product evolves; material changes will be posted here with a new "last updated" date.

This document is provided as a clear-language summary and should be reviewed by your legal counsel before commercial launch.

© 2026 HJachi. All rights reserved.