Galenie

Privacy Policy

Last updated: March 23, 2026

This Privacy Policy describes how Galenie ("we", "us", or "our") collects, uses, and protects your personal information in compliance with the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA).

1. Data Controller Information

Galenie acts as:

  • Data Controller for therapist account information
  • Data Processor for client health information (PHI/PII) entered by therapists

2. Information We Collect

2.1 Therapist Account Information

  • Name and professional credentials
  • Email address
  • Password (encrypted)
  • Timezone and language preferences
  • Billing and payment information (processed by Stripe)

2.2 Client Information (Entered by Therapists)

  • Name, date of birth, contact information
  • Clinical notes and session records
  • Consent records
  • Audio recordings (if enabled and consented)
  • AI-generated summaries

2.3 Technical Information

  • IP address and browser information
  • Device type and operating system
  • Usage data and feature interactions
  • Audit logs for security purposes

3. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases:

  • Contract Performance: To provide the Service you subscribed to
  • Legitimate Interests: For security, fraud prevention, and service improvement
  • Legal Compliance: To meet regulatory and legal obligations
  • Consent: For optional features like marketing communications

4. HIPAA Compliance

For U.S. healthcare providers, we comply with HIPAA requirements:

  • We sign Business Associate Agreements (BAA) with covered entities
  • Protected Health Information (PHI) is encrypted at rest and in transit
  • Access to PHI is logged and auditable
  • We implement administrative, physical, and technical safeguards
  • Breach notification procedures are in place

5. Data Security

We implement industry-standard security measures:

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for sensitive data at rest
  • Multi-factor authentication available
  • Regular security audits and penetration testing
  • Automatic session timeouts
  • Role-based access controls

6. Data Retention

  • Account data: Retained while your account is active, plus 90 days after deletion
  • Client records: Retained according to your configured retention policy and applicable regulations
  • Audit logs: Retained for 7 years for compliance purposes
  • Audio recordings: Automatically deleted after transcription (within 24 hours) unless configured otherwise

7. Your Rights (GDPR)

As a data subject, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate personal data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Portability: Export your data in a machine-readable format
  • Restriction: Limit how we process your data
  • Objection: Object to certain types of processing

To exercise these rights, use the Data Export feature in Settings or contact us at [email protected].

8. Third-Party Services

We use the following third-party services:

  • Stripe: Payment processing (PCI-DSS compliant)
  • OpenAI: AI features (data processing agreement in place)
  • Google Calendar: Calendar sync (optional, user-authorized)
  • Sentry: Error tracking (no PHI transmitted)

9. International Data Transfers

If you are in the EU/EEA and your data is transferred outside, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs)
  • Data processing agreements with all sub-processors
  • Encryption of data in transit and at rest

10. Cookies and Tracking

We use essential cookies for:

  • Session management and authentication
  • Security (CSRF protection)
  • Language and timezone preferences

We do not use advertising cookies or third-party tracking. See our Cookie Policy for details.

11. Children's Privacy

Our Service is intended for adult healthcare professionals. We do not knowingly collect data from children under 16. Therapists who work with minors are responsible for obtaining appropriate consent from guardians.

12. Data Breach Notification

In the event of a data breach affecting your personal data, we will:

  • Notify affected users within 72 hours (as required by GDPR)
  • Report to relevant supervisory authorities
  • Follow HIPAA breach notification requirements where applicable
  • Provide guidance on protective measures

13. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or through the Service. The updated policy will be effective upon posting.

14. Contact Us

For privacy-related inquiries:

You also have the right to lodge a complaint with your local data protection authority.
