Worth Living Pro | DBT Coaching Platform

Introduction

Worth Living ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. This policy complies with HIPAA, GDPR, and LGPD requirements.

1. Information We Collect

1.1 Personal Information

When you register, we collect:

Name and email address
Professional credentials (for coaches)
Organization/practice information
Payment information (processed securely by our payment provider)

1.2 Health Information

Clients may enter health-related data including:

Diary card entries (emotions, urges, behaviors)
Worksheet responses
Skills tracking data
Notes and journal entries

This information is Protected Health Information (PHI) under HIPAA and is subject to strict security and privacy protections.

1.3 Usage Data

We automatically collect:

Device information (browser type, operating system)
IP address and location data
Usage patterns and feature interactions
Performance and error logs

2. How We Use Your Information

2.1 Service Delivery

Provide and maintain the Service
Enable communication between coaches and clients
Generate progress reports and analytics
Send service notifications and reminders

2.2 AI-Powered Analysis

For coaches, we use AI to analyze patterns in client data. This analysis:

Only processes de-identified numerical data
Never includes names, dates, or free-text notes
Removes all 18 HIPAA identifiers before processing
Generates aggregate insights, not individual profiles

2.3 Service Improvement

Improve features and user experience
Develop new functionality
Monitor and analyze usage trends
Ensure security and prevent fraud

3. Data Security

3.1 Encryption

In Transit: TLS 1.3 encryption for all data transmission
At Rest: AES-256-GCM encryption for stored data
Client-Side: IndexedDB encryption using Web Crypto API
Backups: Encrypted with separate keys

3.2 Access Controls

Multi-factor authentication (MFA) available
Role-based access control (RBAC)
Audit logging of all PHI access
Regular security assessments and penetration testing

3.3 Infrastructure

HIPAA-compliant cloud hosting
Redundant backups with 30-day retention
DDoS protection and intrusion detection
24/7 security monitoring

4. Data Sharing and Disclosure

4.1 We Never Sell Your Data

We do not sell, rent, or share your personal or health information with third parties for marketing purposes. Ever.

4.2 Service Providers

We share data only with vetted service providers who help us operate the Service:

Cloud hosting (AWS/Google Cloud with BAA)
Payment processing (Stripe with PCI-DSS compliance)
Email delivery (SendGrid with BAA)
Analytics (de-identified data only)

All service providers sign Business Associate Agreements (BAA) and are contractually bound to protect your data.

4.3 Legal Requirements

We may disclose information if required by law or in good faith belief that such action is necessary to:

Comply with legal obligations or court orders
Protect our rights, property, or safety
Prevent fraud or security threats
Respond to government requests

5. Your Rights

5.1 GDPR Rights (EU Residents)

Access: Request a copy of your data
Rectification: Correct inaccurate data
Erasure: Request deletion of your data
Portability: Export your data in a machine-readable format
Restriction: Limit how we process your data
Objection: Object to data processing

5.2 LGPD Rights (Brazil Residents)

Confirmation of data processing
Access to your data
Correction of incomplete or inaccurate data
Anonymization, blocking, or deletion
Data portability
Information about data sharing

5.3 HIPAA Rights (US Healthcare)

Access your Protected Health Information
Request amendments to your PHI
Accounting of disclosures
Request restrictions on use/disclosure
Confidential communications

To exercise any of these rights, contact us at privacy@worthliving.pro. We will respond within 30 days.

6. Data Retention

We retain your data:

Active Accounts: For the duration of your subscription
Closed Accounts: 30 days after closure (for recovery)
Legal Requirements: As required by law (typically 7 years for healthcare records)
Anonymized Data: May be retained indefinitely for research

You may request immediate deletion of your data at any time.

7. International Data Transfers

Your data may be transferred to and processed in countries outside your residence. We ensure adequate protection through:

EU-US Data Privacy Framework participation
Standard Contractual Clauses (SCCs) for EU data
Adequate safeguards for all international transfers

8. Cookies and Tracking

We use cookies for:

Essential: Authentication and security
Functional: Preferences and settings
Analytics: Usage patterns (anonymized)

See our Cookie Policy for details. You can control cookies through your browser settings. Cookie Policy for details. You can control cookies through your browser settings.

9. Children's Privacy

Our Service is not intended for children under 13. We do not knowingly collect data from children. If you believe we have collected data from a child, contact us immediately at privacy@worthliving.pro.

10. Breach Notification

In the event of a data breach affecting your PHI, we will:

Notify you within 72 hours (GDPR) or 60 days (HIPAA)
Describe the breach and affected data
Explain mitigation steps taken
Provide guidance on protective measures
Notify relevant authorities as required by law

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. Your continued use after changes constitutes acceptance.

12. Contact Us

For privacy-related questions or to exercise your rights:

Email: privacy@worthliving.pro
Data Protection Officer: dpo@worthliving.pro
Address: 123 Mental Health Way, Suite 400, San Francisco, CA 94105

EU Representative: [EU Representative Details]
Brazil LGPD Contact: lgpd@worthliving.pro