Privacy Policy
TranqBay (we, our, or us) is committed to protecting the privacy of our users across all jurisdictions. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mental health platform.
Last Updated Date: October 30, 2025
Regulatory Compliance
This policy complies with multiple international data protection regulations including:
- European Union: General Data Protection Regulation (GDPR)
- United States: Health Insurance Portability and Accountability Act (HIPAA)
- Canada: Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial privacy laws
- Australia: Privacy Act 1988 and Australian Privacy Principles (APPs)
- Nigeria: Nigeria Data Protection Regulation (NDPR)
- United Kingdom: UK GDPR and Data Protection Act 2018
Information We Collect
Personal Information
- Name and contact details
- Date of birth and demographic information
- Professional credentials (for therapists)
- Payment information
- Emergency contact information
- Medical history (where relevant)
- Government-issued identification (for verification)
- Insurance information (where applicable)
Platform Usage Data
- IP address and device information
- Browser type and settings
- Access times and duration
- Pages visited and features used
- Geographic location (as permitted by law)
- Technical error logs
- Platform interaction data
- Third-party calendar metadata (for providers who enable calendar sync)
Session Information
- Appointment schedules
- Session metadata
- Chat logs (if applicable)
- Treatment plans (as documented by therapists)
- Crisis intervention records (where applicable)
Data Processing Purposes
We process your data to:
- Provide and improve our services
- Match clients with therapists
- Process payments and maintain records
- Manage appointment scheduling and prevent double bookings (for providers using calendar sync)
- Ensure platform security
- Comply with legal obligations
- Respond to emergencies
- Conduct quality assurance
- Send service-related communications
Regional Data Protection Rights
European Union & UK Users
- Right to access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Right to withdraw consent
United States Users - HIPAA Rights
- Right to access PHI
- Right to amend records
- Right to receive accounting of disclosures
- Right to request restrictions
- Right to confidential communications
California Residents - CCPA/CPRA Rights
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of the sale or sharing of personal information
- Right to non-discrimination for exercising privacy rights
- Right to correct inaccurate personal information
- Right to limit use and disclosure of sensitive personal information
- Right to data portability
Other US State Residents
- Virginia residents: Rights under VCDPA including access, deletion, and opt-out
- Colorado residents: Rights under CPA including access, correction, deletion, and opt-out
- Connecticut residents: Rights under CTDPA including access, correction, deletion, and opt-out
- Utah residents: Rights under UCPA including access, deletion, and opt-out
- Additional state-specific rights as applicable under state law
Canadian Users
- Right to access personal information
- Right to challenge accuracy and completeness
- Right to know how information is used and disclosed
- Right to withdraw consent
- Right to file complaints with Privacy Commissioner
- Right to request correction of errors
- Provincial health information rights where applicable
Australian Users
- Right to access personal information
- Right to correction of personal information
- Right to request anonymity or pseudonymity where lawful
- Right to opt-out of direct marketing
- Right to complain to the Office of the Australian Information Commissioner
- Right to know if data is disclosed overseas
- Right to request deletion in certain circumstances
Nigerian Users
- Right to data access
- Right to data portability
- Right to erasure
- Right to object to processing
- Right to lodge complaints
Data Security
We implement robust security measures including:
- End-to-end encryption for sessions
- AES-256 encryption for stored data
- Regular security audits
- Access controls and monitoring
- Incident response procedures
Data Retention
We retain data according to regulatory requirements:
- Session metadata: 30 days
- Medical records: As required by local law
- Payment records: As required for tax purposes
- Platform usage data: 24 months
International Data Transfers
For international data transfers, we ensure:
- Appropriate safeguards are in place
- Standard contractual clauses are implemented
- Regional data protection requirements are met
- Data localization laws are followed
Third-Party Sharing
We may share data with:
- Service therapists (with appropriate safeguards)
- Law enforcement (when legally required)
- Emergency services (in crisis situations)
- Insurance therapists (with consent)
- Other healthcare therapists (with explicit consent)
Third-Party Service Integrations
Google Calendar Integration (For Providers Only)
- Purpose: We integrate with Google Calendar to help therapists and counselors prevent double bookings and manage their availability
- What We Access: We access read-only information about calendar names and event times (start/end times) on calendars you choose to sync
- Scopes Used: calendar.calendars.readonly (to view your calendar list) and calendar.events.readonly (to view event times for availability checking)
- What We DO NOT Access: We do not read event descriptions, attendees, locations, attachments, or other detailed event content
- How We Use It: Calendar busy times are used solely to block unavailable time slots from client bookings and prevent scheduling conflicts
- Data Storage: We store only minimal calendar metadata (calendar IDs, event start/end times) necessary for scheduling purposes
- Data Retention: Calendar sync data is refreshed regularly and not permanently stored beyond operational needs
- Your Control: Providers can disconnect their calendar integration at any time from their account settings
- Provider-Only Feature: Only therapists and counselors can connect their calendars; client data is never accessed through this integration
- No Data Sharing: Calendar data is never shared with third parties or used for any purpose other than preventing double bookings
Google User Data Policy Compliance
- TranqBay's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements
- We limit our use of Google user data to providing and improving our scheduling and availability features
- We do not transfer Google user data to third parties except as necessary to provide scheduling services to our users
- We do not use Google user data for serving advertisements or any advertising purposes
- We do not allow humans to read Google calendar data unless required for security purposes, compliance with applicable law, or with explicit user permission for support purposes
Other Third-Party Service Integrations
- Payment processors (Stripe, PayPal) for secure payment processing - we share only necessary transaction information
- Video conferencing services for therapy sessions - session data is encrypted and not permanently stored by third parties
- Cloud storage providers (AWS, Google Cloud) for secure data backup with encryption at rest and in transit
- Communication services for appointment reminders and platform notifications
- All third-party services are carefully selected for HIPAA compliance, data security standards, and privacy protection
- We maintain data processing agreements with all third-party service providers
- Third-party access is limited to the minimum necessary to provide the specific service
Sale of Personal Information (US Residents)
Your Rights Regarding Data Sales:
- We DO NOT sell personal information as defined under CCPA/CPRA
- We DO NOT share personal information for cross-context behavioral advertising
- You have the right to opt-out of any future sale or sharing
- To exercise your opt-out right, email: [email protected]
- We DO NOT sell or share sensitive personal information
- We DO NOT sell or share information of minors under 16
Categories of Information We DO NOT Sell:
- Health information or medical records
- Biometric information
- Financial account information
- Government identifiers
- Sensitive personal information as defined by CPRA
- Information about minors
Children's Privacy
For users under 18:
- Parental consent required
- Enhanced privacy protections
- Special data handling procedures
- Age-appropriate privacy notices
- Parental access controls
Updates to Privacy Policy
We may update this policy:
- With notice via email or platform
- With clear communication of changes
- Maintaining version history
- Requesting renewed consent when needed
Data Breach Notification
In the event of a data breach, we will:
- Notify affected users within 72 hours of discovery (as required by GDPR/UK GDPR)
- Report to relevant supervisory authorities within required timeframes
- For Canadian users: Notify Privacy Commissioner and affected individuals as per PIPEDA requirements
- For Australian users: Notify OAIC and affected individuals for eligible data breaches under the Notifiable Data Breaches scheme
- For US users: Comply with state-specific breach notification laws
- Provide details of the breach, potential impact, and mitigation measures
- Offer appropriate support and remediation to affected users
Our incident response includes:
- Immediate containment and assessment
- Forensic investigation to determine scope
- Risk assessment for affected individuals
- Implementation of additional security measures
- Documentation and reporting to authorities
- Post-incident review and improvement
Contact Information
Website: TranqBay.health
Email: [email protected]