Privacy Policy
Effective Date: June 13, 2026 | Last Updated: June 13, 2026
This Privacy Policy describes how Passenger Post LLC, doing business as TheraPeers (“TheraPeers,” “we,” “us,” or “our”), collects, uses, and protects information when you use our platform, including our mobile application and website at therapeers.com (collectively, the “Platform”).
Please read this policy carefully. By using the Platform, you agree to the practices described here.
Questions? Contact us at privacy@therapeers.com.
1. Who This Policy Covers
This policy applies to all users of the Platform, including:
- Licensed therapists who create profiles, publish content, and connect with peers (“Therapists”)
- Unauthenticated visitors who read public therapist profiles and content without creating an account
Important: TheraPeers is not a HIPAA-covered entity. We do not provide clinical services, facilitate therapy sessions, or store protected health information (PHI). TheraPeers is a professional network for licensed therapists — a place to publish work, consult with peers, and build a professional following. Our regulatory obligations are governed by the FTC Act and applicable state privacy laws, not HIPAA.
2. What Is Public, Private, and Anonymous
TheraPeers is a professional network where therapists take part under their real, verified professional identity. Some activity is public by design; some is private; and the people who read your public content without an account are never identified to you.
Public and attributed to you (other Therapists and the public can see them):
- Your professional profile, published posts, comments, and the resources you recommend.
- Endorsements you give and receive, and the peers you follow and who follow you. Peer relationships on TheraPeers are professional and public.
Private (visible only to you, or to the peers you choose):
- Direct messages between you and another Therapist are visible only to the participants of that conversation.
- Consultation group content is visible only to the members of that group.
- Posts and resources you save into lists are private to you and are never shown to anyone else.
- Your email address, notification preferences, and account settings.
Anonymous (you see aggregate counts only — never identities):
- View and save counts: We show you how many times your content has been viewed or saved as aggregate numbers only. We never reveal the identity of someone who anonymously views or saves your public content.
- Anonymous browsing: No account is required to read Therapist profiles or content. Unauthenticated visits are not linked to any user identity.
3. Information We Collect
3a. Therapist Accounts
- Email address and hashed password
- Professional profile information: display name, biographical information, headline, photo, license type, license number, license state, specialties, modalities, location (city/state), website and contact URLs
- Content you publish: articles, videos, book recommendations, and resource links
- Peer activity: comments, endorsements you give and receive, the peers you follow, and direct messages and consultation-group messages you send and receive
- Aggregate analytics about your own content: view counts, follower counts, save counts (numbers only — no identity data)
- License verification records: the result of automated or manual verification of your professional license
3b. All Users
- IP address (retained briefly in server logs for security purposes)
- Device type and operating system (standard server logs)
- App version
3c. What We Do Not Collect
- Session notes, clinical records, diagnoses, or treatment information of any kind
- Protected health information about anyone you treat in your own practice
- The identity of people who anonymously view or save your public content
- Advertising identifiers or behavioral tracking data
4. How We Use Information
We use the information we collect solely to operate and improve the Platform:
- To authenticate users and maintain account security
- To display Therapist profiles and published content to peers and the public
- To verify Therapist professional licenses via automated API and manual review
- To deliver direct and consultation-group messages between Therapists
- To deliver push notifications and transactional email you have requested
- To generate aggregate, anonymized analytics for Therapists about their own content
- To provide Therapists a public web presence indexed by search engines
- To detect and prevent fraud, abuse, and violations of our Terms of Service
5. Third-Party Services
We share limited data with the following service providers, strictly to operate the Platform. All are bound by data processing agreements.
- Railway (infrastructure hosting): hosts our API, database, and cache servers. Processes all Platform data as part of infrastructure operations.
- Vercel (web hosting): hosts the therapeers.com website and therapist dashboard.
- Resend (transactional email): sends account verification, password reset, and notification emails. Receives your email address and the content of transactional messages only.
- Cloudflare R2 (file storage and delivery): stores and serves profile photos and uploaded images. Files are kept in a private bucket and delivered via signed URLs.
- Mux (video processing and delivery): processes and hosts video posts published by Therapists. Receives video files uploaded by Therapists only.
- Expo (push notifications): delivers push notifications to mobile devices. Receives your device push token for notification delivery only.
- Professional license verification services: we use third-party license verification providers to confirm Therapist credentials with state licensing boards. These providers receive Therapist license number, license state, and license type only.
- Plausible Analytics (self-hosted): provides aggregate web and app analytics. Plausible is self-hosted on our own infrastructure — no data is sent to Plausible’s servers. Plausible does not use cookies and does not collect personal data.
We do not use Google Analytics, Meta Pixel, or any third-party advertising or tracking scripts. This is a permanent architectural decision, not a configurable setting.
We do not sell, rent, or trade your personal information to any third party.
6. Analytics
TheraPeers uses self-hosted Plausible Analytics. Plausible is a privacy-first analytics tool that does not use cookies, does not collect personal data, and does not track individuals across sessions or sites. The aggregate data it provides (page views, general geographic region, device type) is used only to understand how the Platform is used and to improve it.
No Google Analytics. No Meta Pixel. No advertising trackers. No exceptions.
7. Cookies and Tracking
On the web platform (therapeers.com), we set the following cookies:
- Authentication cookies: httpOnly, Secure, and SameSite=Strict cookies that store your session tokens. These are strictly necessary for logged-in functionality and are never accessible to browser JavaScript.
We do not set advertising cookies. We do not set analytics cookies. We do not allow third-party cookies on the Platform.
On the mobile app, authentication tokens are stored in the device’s encrypted secure storage (iOS Keychain / Android Keystore). They are never stored in unencrypted locations.
8. Data Security
We take security seriously and have implemented the following measures:
- All passwords are hashed using bcrypt before storage. Plaintext passwords are never stored.
- Authentication tokens are stored in encrypted device storage on mobile and httpOnly cookies on web — never in browser localStorage.
- All data is transmitted over HTTPS. HTTP is not accepted.
- File storage uses private Cloudflare R2 buckets with signed URLs. Files are not publicly accessible by direct URL.
- Access to production systems is restricted to authorized personnel with a documented need.
- Dependencies are audited regularly for known vulnerabilities.
No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to industry-standard protections and to notifying you promptly if a breach occurs.
9. Data Breach Notification
In the event of a data breach affecting your personal information, we will:
- Notify affected users by email within 30 days of discovering the breach
- Describe the nature of the data involved and the steps we are taking
- Comply with applicable FTC Health Breach Notification Rule requirements if health-related personal data is involved
- Comply with applicable state breach notification laws
To report a suspected security vulnerability, please contact security@therapeers.com.
10. Data Retention
We retain your information only as long as necessary:
- Active accounts: data is retained for the life of your account.
- Deleted accounts: upon account deletion, your personal information is purged from our systems within 14 days. Published Therapist content may be retained for 14 days to allow for abuse investigation before deletion.
- Server logs: IP address logs are retained for 30 days for security purposes, then deleted.
- License verification records: retained for 5 years as required for professional licensing compliance.
11. Your Rights and Choices
11a. All Users
- Access: you may request a copy of the personal data we hold about you.
- Correction: you may update your account information at any time from your account settings.
- Deletion: you may delete your account from within the app or from your dashboard settings. Account deletion is available in-app as required by Apple App Store and Google Play policies.
- Notifications: you may adjust or disable push notifications at any time from app settings or device settings.
11b. California Residents (CCPA/CPRA)
California residents have the right to know what personal information we collect, the right to delete personal information, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising these rights. To exercise your rights, contact us at privacy@therapeers.com.
11c. Other U.S. State Privacy Laws
Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws have similar rights. Contact us at privacy@therapeers.com to exercise your rights under applicable law.
11d. Submitting a Request
To exercise any of the above rights, email privacy@therapeers.com with the subject line “Privacy Request.” We will respond within 30 days. We may need to verify your identity before processing your request.
12. Children’s Privacy
TheraPeers is not directed at individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected information from a minor, we will delete it promptly. If you believe we have inadvertently collected information from a minor, please contact us at privacy@therapeers.com.
13. Therapist License Verification
As part of the registration process, Therapists are required to provide their professional license information. We verify this information through third-party professional license verification providers for supported states, and through manual administrative review for other states. License information is used solely to confirm that only licensed professionals publish content on the Platform. It is not shared with other users or the public, and is not used for any other purpose.
14. Links to Third-Party Websites
Therapist profiles may include a link to the Therapist’s own external website. The Platform also uses an in-app browser to open these links. We are not responsible for the privacy practices of any third-party website. Clicking an external link means you are leaving our Platform and the third party’s privacy policy applies.
15. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by:
- Sending an email to the address associated with your account, and/or
- Displaying a prominent notice within the app or on the website
The “Last Updated” date at the top of this policy reflects the most recent revision. We encourage you to review this policy periodically. Continued use of the Platform after a material change constitutes acceptance of the updated policy.
16. Contact Us
For privacy-related questions, requests, or concerns:
Email: privacy@therapeers.com
Security issues: security@therapeers.com
Mailing address:
Passenger Post LLC (d/b/a TheraPeers)
3400 NE John Olsen Ave, Ste 200
Hillsboro, OR 97124
We take privacy seriously and will respond to all inquiries within 30 days.