Privacy Policy

Effective Date: April 22, 2026  ·  Version 2.2

Empowered Sessions is operated by Empowered Applications LLC. This policy explains how we collect, use, protect, and handle the data you entrust to us — including sensitive client and student information.

HIPAA & Regulatory Notice

Empowered Sessions stores protected health information (PHI) and personally identifiable information (PII) about the individuals you serve, including educational records, service documentation, and in some cases medical/therapeutic records. Organizations using this platform in connection with covered health services under HIPAA, or student records under FERPA, must ensure their use complies with those regulations. A Business Associate Agreement (BAA) is available upon request — and must be executed before storing PHI in the platform. The AI writing assistance features in this platform are designed as a drafting aid only — they do not transmit student names, dates of birth, diagnoses, or other personally identifiable information to any AI provider. See Section 3 for a full explanation of how data is handled before AI processing occurs. Contact us at legal@empoweredsessions.app.

1. Information We Collect

We collect information in two categories: information about you as a platform user, and information you enter about the individuals you serve (clients, students, participants).

Account & User Information

  • Name and email address (used for authentication and communication)
  • Organization name, role (Admin, Manager, Tutor, Billing, Auditor)
  • Login timestamps and session activity
  • Device and browser type (captured at authentication and consent events for security monitoring and consent audit trail)
  • Preferred interface mode (mobile or desktop) stored as a user preference setting
  • First-login setup completion status
  • Platform type (web browser, iOS, Android, or the Empowered Sessions desktop app for Windows, Mac, or Linux)

Client & Student Information You Enter

This is data you and your organization submit about the individuals you serve. It may include:

  • Full names, contact information, and identification numbers (e.g., DDD ID, serial codes)
  • Date of birth, age, grade level, and school or program affiliation
  • Agency names, support coordinator names and contact details
  • Funding source information (e.g., DDD, Regional Center, Medicaid, private pay)
  • Service authorization records (SDRs) including authorized hours and date ranges
  • Session attendance records, session notes, and activity logs
  • Service goals and progress data
  • Uploaded documents including IEPs, ISPs, 504 Plans, evaluation reports, and medical records
  • Diagnoses, medications, and medical conditions that may be referenced within uploaded documents (e.g., ISPs, incident reports) — these are stored only as part of the uploaded document content, not as discrete structured database fields
  • Meeting recordings (MP4 video files up to 50GB) and meeting transcripts
  • Screenshots from cognitive training and external activity tracking tools (e.g., BrainHQ, JigsawPlanet)
  • Progress data received from external learning platforms (e.g., Quest of the Mind, BrainHQ)
  • External platform identifiers (IDs used to link students across integrated apps)

Operational & Billing Data

  • Timesheet records and hourly rates (including per-student rate assignments)
  • Invoice history and billing submission records
  • Approval workflow activity and timestamps
  • Quarterly and progress reports
  • AI-generated draft content (goals, progress reports, session summaries) and the underlying inputs

Integration & Technical Data

  • Zoom API credentials (OAuth access tokens and refresh tokens) if Zoom integration is enabled
  • Meeting history and participant attendance records synced from Zoom
  • Stripe customer and subscription identifiers (not credit card numbers)
  • Webhook payloads received from external platforms (progress data, roster updates)

2. How We Protect Your Data

Empowered Sessions is built on enterprise-grade infrastructure with multiple layers of technical and organizational security controls.

Encryption

  • In Transit: All data transmitted between your browser/device and our servers uses TLS 1.2+ (HTTPS). Data is never transmitted unencrypted.
  • At Rest: All data stored in our database and file storage is encrypted at rest using AES-256 encryption, managed by Supabase (built on AWS infrastructure). This includes all database records, uploaded files, recordings, and documents.
  • Storage Buckets: All document and recording storage buckets are private by default. Files are never publicly accessible without explicit, authenticated authorization.

Authentication & Access Control

  • JWT Authentication: Every request to our servers requires a valid, signed JSON Web Token (JWT) issued by Supabase Auth. Tokens expire and are refreshed securely.
  • Row-Level Security (RLS): Every database table enforces row-level security policies at the database engine level. This means that even if a query were constructed incorrectly, the database itself would block access to data belonging to another organization or user. RLS is non-bypassable from the application layer.
  • Role-Based Access: Within each organization, distinct roles govern what data can be seen and modified: Admin, Manager, Tutor, Billing Specialist, and Auditor. Tutors can only access their own assigned students. Managers can view all students within the organization. Admins have full configuration and data access within their own organization only. See the "Platform Administrator Access" section below for information about cross-organization access by Empowered Applications staff.
  • Organization Isolation: Every piece of data — clients, students, sessions, documents, recordings, invoices — is tagged with your organization's unique ID. Database policies enforce that users can only access data within their own organization. Organization names and join codes are visible to authenticated users to support the organization selection and onboarding flow; all substantive client and session data is strictly org-scoped.

Audit Logging

Empowered Sessions maintains audit logs for significant data operations across core tables:

  • Create, update, and delete actions on client, student, session, invoice, billing revenue, document, and recording records are logged
  • Logs capture who performed the action, when, and what changed (before and after state)
  • Recording access is separately logged, including who viewed or downloaded a recording
  • Invoice status changes are tracked with full history
  • Audit log records cannot be modified or deleted through the application layer. Direct database access by Empowered Applications staff is subject to internal access controls.
  • Audit logs are accessible to Admin, Manager, and Auditor roles within your organization

Platform Administrator Access

Transparency Notice: This section describes who at Empowered Applications LLC can access your organization's data, what they can see, why, and what safeguards are in place.

Empowered Applications LLC employs a designated Platform Administrator (internally referred to as "App Developer") who holds an elevated role across all organizations on the platform. This role is necessary for the operation, maintenance, and support of the Empowered Sessions platform.

What the Platform Administrator Can Access

  • All data within every organization, including client and student records, session notes, attendance logs, uploaded documents (IEPs, ISPs, SDRs, medical records), service authorization records, billing data, invoices, timesheets, payroll records, and session recordings (MP4 files).
  • User account information: names, email addresses, assigned roles, login timestamps, and activity logs.
  • Organization settings, membership rosters, subscription status, and integration configurations.
  • Audit logs and system health data across all organizations.

Permitted Purposes (Minimum Necessary Standard)

Under HIPAA's minimum necessary standard (45 CFR § 164.502(b)), Platform Administrator access is limited to the following purposes:

  • Technical support: Diagnosing and resolving issues reported by organizations, including missing data, synchronization failures, permission errors, and upload problems.
  • Platform maintenance: Performing data integrity checks, applying security patches, running database migrations, and ensuring correct operation of all platform features.
  • Compliance and security monitoring: Detecting unauthorized access attempts, investigating security incidents, and monitoring for data anomalies as part of Empowered Sessions's BAA obligations.
  • Onboarding assistance: Helping new organizations configure settings, verify proper setup, and import initial data.

Safeguards

  • The Platform Administrator role is assigned only to authorized Empowered Applications LLC personnel. As of this policy version, one individual holds this role.
  • Platform Administrator access is scoped per organization using the same database-level Row-Level Security (RLS) policies that govern all users. When the administrator accesses an organization, they see only that organization's data. There is no mechanism that allows viewing data from multiple organizations simultaneously.
  • Mandatory justification logging: Every time the Platform Administrator accesses an organization, the platform requires them to: (1) select a reason category (Technical Support, Platform Maintenance, Compliance/Security Monitoring, Onboarding Assistance, Data Integrity Check, or Other); and (2) provide a written justification describing specifically what they need to do and why. The platform enforces a minimum detail requirement (10+ characters). Access to the organization cannot proceed until this justification is submitted. These access justification records are immutable — they cannot be edited or deleted after creation.
  • Organization admin visibility: Your organization's administrators have direct, real-time access to the Platform Administrator Access Log through Organization Settings. Each log entry shows the date, time, reason category, written justification, and session duration. No request to Empowered Applications LLC is needed to view these records.
  • All actions are audit-logged: In addition to the access justification log, every data access, modification, or configuration change performed by the Platform Administrator while inside your organization is recorded in the main audit log with the administrator's user identity, timestamp, affected entity, and the nature of the action.
  • The Platform Administrator is bound by Empowered Applications LLC's internal data handling policies and is subject to the same BAA obligations (breach notification, prohibition on unauthorized use or disclosure, minimum necessary access) as all other platform roles.
  • Platform Administrator access is never used for: marketing, sales, sharing data between organizations, data mining, or any purpose unrelated to platform operation and support.

Your Rights

  • You may request an audit log of all Platform Administrator actions within your organization by contacting security@empoweredsessions.app.
  • You may request that Platform Administrator access to your organization be restricted to emergency-only situations by contacting legal@empoweredsessions.app. Note: this may limit the ability to provide proactive support.
  • If the identity or number of Platform Administrators changes, Empowered Sessions will update the consent version and notify all organizations.

File & Recording Security

  • All uploaded files (PDFs, documents, images, MP4 recordings) are stored in private, encrypted storage buckets. Direct URL access without authentication is not possible.
  • Storage paths are scoped by organization ID — your files are stored under your organization's namespace and cannot be accessed by other organizations.
  • Recording retention policies are configurable per organization (default: 365 days). When auto-deletion is enabled (the default for new organizations), expired recordings are permanently deleted by an automated enforcement job. Organizations may disable auto-deletion, in which case expired recordings are flagged for manual review.
  • MP4 recording files of up to 50GB are supported. All other documents are supported up to 50MB.

Infrastructure Security

  • Supabase Platform: Empowered Sessions's database and storage infrastructure is hosted on Supabase, which is built on top of AWS (Amazon Web Services). Supabase is SOC 2 Type 2 compliant and undergoes regular security audits. Data is hosted in the United States.
  • No Direct Database Access: Application users access data only through our authenticated API layer. There is no direct database connection available to end users.
  • Service Role Separation: Backend functions use a privileged service role key that is never exposed to the browser. Frontend clients use a restricted anonymous key whose access is further limited by RLS policies.
  • Google Fonts (Font Delivery): The platform loads the Manrope typeface from Google Fonts CDN (fonts.googleapis.com, fonts.gstatic.com). This results in your browser making a request to Google's servers, which may log your IP address per Google's own privacy policy. No PHI or PII is transmitted in this request. Organizations with strict data minimization requirements should be aware of this font delivery mechanism.

3. AI Writing Assistance

Privacy-First Design: The AI writing tools in Empowered Sessions are designed as a documentation aid for service providers. They help tutors and service providers frame their session notes and progress observations in language that more clearly communicates alignment with each student's individual goals. Personally identifiable information — including student names, dates of birth, diagnoses, and identification numbers — is not transmitted to any AI provider.

Empowered Sessions offers optional AI writing assistance powered by Anthropic's Claude API. These tools are designed to help service providers write clearer, more goal-aligned documentation — not to perform clinical analysis or replace professional judgment. Features include:

  • Progress note drafting: Helps tutors and providers reframe session observations in language that reflects goal progress — improving documentation quality without replacing the provider's professional assessment
  • Goal language suggestions: Generates draft service goal language based on outcomes you describe in your own words
  • Report formatting: Reformats and professionally structures quarterly progress summaries based on narrative text you have already written
  • Transcript analysis: Extracts session themes and goal-relevant observations from meeting transcripts to assist note-writing
  • Activity screenshot analysis: Reads score data from cognitive training app screenshots (BrainHQ, JigsawPlanet) to generate numeric progress entries

What Is — and Is Not — Sent to Anthropic

What is NOT sent to Anthropic

  • Student or client names
  • Dates of birth or ages
  • Social Security Numbers, Medicaid IDs, or DDD IDs
  • Phone numbers, email addresses, or mailing addresses
  • Any direct identifier that could link content to a specific named individual

Before any text is sent, Empowered Sessions automatically scrubs and pseudonymizes these identifiers, replacing names with anonymous placeholders (e.g., CLIENT-A) and removing numeric identifiers.

What may be sent to Anthropic (de-identified)

  • Narrative session descriptions and progress observations (with names removed)
  • Goal descriptions using anonymized references
  • Document text after identifier scrubbing
  • Activity and performance narrative text
  • Screenshot image data from cognitive training apps (which contain scores and performance metrics — if any student names are incidentally visible, the AI model is explicitly instructed to ignore and never output them)

Purpose & Limitations

The AI writing tools are intended solely to help providers communicate more effectively in their documentation. They are not clinical decision-support tools and do not provide medical, therapeutic, or educational recommendations. All AI-generated content is presented as a draft that the provider must review, edit, and take professional responsibility for before use.

Empowered Sessions uses Anthropic's API under its standard commercial terms. API submissions are not used to train Anthropic's models. Anthropic's data handling is governed by their privacy policy and terms of service.

AI is Optional

No AI processing occurs unless a user explicitly initiates it (e.g., clicks a "Draft" or "Polish" action). The platform is fully functional without using any AI features. AI features can be disabled organization-wide by an administrator.

4. HIPAA, FERPA & Regulatory Compliance

Empowered Sessions handles data that may fall under multiple regulatory frameworks depending on how your organization uses the platform.

HIPAA (Health Insurance Portability and Accountability Act)

If your organization uses Empowered Sessions to track, document, or bill for health-related services, and you store Protected Health Information (PHI), HIPAA applies to your use of this platform.

  • A Business Associate Agreement (BAA) is available to organizations that require one. You must execute a BAA before storing PHI. Contact legal@empoweredsessions.app to request a BAA.
  • Empowered Sessions's technical safeguards (encryption, access control, audit logging) are aligned with HIPAA's required Technical Safeguards under 45 CFR § 164.312.
  • Your organization remains the HIPAA Covered Entity and is responsible for workforce training, policies, and breach notification procedures.
  • Minimum Necessary access is enforced through role-based permissions — staff members see only the data required for their job function.
  • AI Writing Assistance & HIPAA: The AI writing assistance tools are designed to operate on de-identified content only. Student names, dates of birth, identification numbers, and other direct identifiers are automatically scrubbed before any content is processed by AI. Narrative content such as session descriptions and goal language — stripped of identifiers — may be processed to assist with documentation drafting. This design ensures the AI tools do not handle PHI as defined under HIPAA. See Section 3 for complete details.
  • Zoom Integration & HIPAA: If Zoom is integrated, meeting data and participant information are synced. Ensure your organization's Zoom account and related data handling comply with HIPAA requirements.
  • Security Incidents: If we become aware of a security incident affecting your data, we will notify you without unreasonable delay and no later than 60 days after discovery, as required to support your breach notification obligations under 45 CFR § 164.410. For breaches affecting fewer than 500 individuals, notification will occur within the timeframe required by applicable law.

FERPA (Family Educational Rights and Privacy Act)

Organizations serving K-12 students and storing educational records must comply with FERPA.

  • Empowered Sessions stores IEPs, 504 Plans, and related educational records only as uploaded by your authorized staff. Access is limited to authenticated members of your organization.
  • Student data is not shared with third parties in identifiable form. When AI writing assistance features are used, content is de-identified before processing — student names and identifiers are removed before any text is sent for AI drafting. See Section 3 for full details.
  • Your organization, as the educational agency, controls and is responsible for educational records stored in the platform.

State Regulations (DDD, Regional Center, Medicaid, etc.)

Many Empowered Sessions users operate under state developmental disabilities programs (e.g., DDD, Regional Center, Medicaid waiver programs). Empowered Sessions's documentation features — service delivery records, approval calendars, billing timesheets — are designed to support your compliance documentation workflows. However, your organization is responsible for ensuring that data entry, authorization tracking, and billing submissions meet your specific state agency's requirements. Empowered Sessions does not verify submissions against any payer's billing rules.

Empowered Sessions is currently piloted with organizations in New Jersey. Organizations in other states should contact us at legal@empoweredsessions.app to confirm the platform meets state-specific requirements before use.

5. Data Sharing & Third Parties

We do not sell, rent, or broker your data. Your data is shared only in these circumstances:

  • Within Your Organization: Data is accessible to authenticated members of your organization according to their assigned role. Admins control who is added to the organization.
  • Platform Administrator (Empowered Applications LLC Staff): A designated Platform Administrator employed by Empowered Applications LLC has access to all organization data for the purposes of technical support, platform maintenance, compliance monitoring, and onboarding assistance. This access is scoped per organization (the administrator sees only one organization's data at a time), is fully audit-logged, and is governed by the same BAA obligations described in Section 4. See Section 2 ("Platform Administrator Access") for complete details on what is accessed, why, and what safeguards are in place.
  • Supabase (Infrastructure Provider): All data is hosted on Supabase's platform, which may process data as a sub-processor. Supabase operates under its own privacy policy and security certifications (SOC 2 Type 2). Data is hosted in the United States.
  • Anthropic / Claude AI (Writing Assistance Only, Optional): The AI writing assistance tools use Anthropic's Claude API. For text-based features (session note drafting, progress report polishing), personally identifiable information — including student names, dates of birth, identification numbers, and contact details — is automatically removed before any content is sent to Anthropic. Only de-identified narrative text (session descriptions, goal language, progress observations) is transmitted, and only when a user explicitly initiates an AI drafting action. For screenshot analysis features (BrainHQ and JigsawPlanet progress parsing), screenshot images are sent to extract numeric performance metrics only — the AI model is explicitly instructed to ignore and never output any personal names or identifiers that may be incidentally visible. Anthropic does not receive PHI or PII as part of this service. API submissions are not used to train Anthropic's models. Anthropic's privacy practices are governed by their own terms of service.
  • Zoom (Meeting Sync, if enabled): If you connect a Zoom account, Empowered Sessions stores Zoom OAuth credentials and uses them to automatically sync meeting history, participant names, and attendance data. Zoom OAuth tokens are stored securely and encrypted. Meeting data from Zoom is governed by both this policy and Zoom's own privacy policy.
  • Stripe (Payment Processing): Subscription and payment information is processed by Stripe, a PCI-compliant payment processor. Empowered Sessions stores Stripe customer IDs and subscription identifiers for account management but does not store credit card numbers or full payment details.
  • External Learning Platforms (Integrations, if enabled): Empowered Sessions can receive and sync student progress data from external educational platforms (e.g., Quest of the Mind, BrainHQ). When these integrations are enabled, student identifiers, performance metrics, and activity data are transmitted between Empowered Sessions and those platforms. Your organization is responsible for ensuring these platforms comply with applicable privacy laws. Empowered Sessions also supports a vendor roster integration that allows authorized external vendors to submit student roster information for matching.
  • External Session Sync (if enabled): Empowered Sessions supports an optional outbound session sync feature that allows organizations to push student session activity data — including student identifiers, activity types, and timestamps — to an external platform configured by your organization's administrator. The external platform receiving this data functions as a sub-processor. Your organization is responsible for ensuring that any external platform you connect to complies with applicable privacy laws and your agreements with that platform. This feature is disabled by default and must be explicitly enabled by an administrator.
  • Read.AI and Other Transcript Sources: If meeting transcripts from third-party recording or transcription services (such as Read.AI) are uploaded into Empowered Sessions, those transcripts are stored and may be processed by AI features. Empowered Sessions does not have a direct integration with Read.AI — transcripts are manually uploaded by your staff.
  • Legal Requirements: We may disclose data if required by law, court order, or government authority, and will notify you where legally permitted to do so.
  • Your Explicit Consent: Any other sharing requires your written authorization.

6. Data Location & Security Incidents

Data Location

Empowered Sessions's database and file storage infrastructure is hosted on Supabase, operating on AWS infrastructure located in the United States. We do not intentionally transfer your data outside the United States. When AI features are used, document content is sent to Anthropic's API, which may process data on servers in the United States or other jurisdictions per Anthropic's infrastructure policies.

Security Incidents & Breach Notification

In the event we discover or are notified of a security incident that affects your organization's data, we will: (1) investigate and contain the incident promptly; (2) notify affected organizations without unreasonable delay and no later than 60 calendar days after discovery, consistent with 45 CFR § 164.410; (3) provide information about the nature of the incident, categories of data involved, and steps taken. If you are subject to HIPAA breach notification obligations (45 CFR §§ 164.400–414), our notification will include the information required to support your own notification obligations to HHS and affected individuals. To report a suspected security incident, contact security@empoweredsessions.app immediately.

7. Data Retention

Recordings

Meeting recordings are subject to a configurable retention period, defaulting to 365 days from the recording date. Organizations can adjust this setting under Organization Settings. When auto-deletion is enabled (the default for new organizations), an automated enforcement job permanently deletes recordings once their retention period expires. Organizations may disable auto-deletion, in which case expired recordings are flagged for manual review but are not automatically removed. Advance notifications are sent as recordings approach expiration.

Client & Session Records

Client records, session documentation, and uploaded documents are retained for as long as your organization account is active. To request deletion of specific records, submit a Data Deletion request through Settings > Data Rights, or contact privacy@empoweredsessions.app. We will respond within 30 days.

Audit Logs

Audit logs are retained while your account is active to support compliance review, dispute resolution, and regulatory requirements. Following account termination, data is retained during the grace period and then scheduled for deletion, except where legal retention requirements apply.

Integration Credentials & Tokens

Zoom OAuth tokens, external platform identifiers, and integration credentials are retained for as long as the integration is active. When you disconnect an integration or terminate your account, these credentials are deleted. Stripe customer and subscription identifiers are retained for as long as your subscription is active for billing and audit purposes.

Account Termination & Data Export

You may submit a data export request at any time through Settings > Data Rights. Upon account termination, a 30-day grace period applies before data deletion is initiated. Data required for legal compliance obligations may be retained beyond that period as required by law. All data requests are fulfilled within 30 days of submission.

8. Your Rights

As an account holder or data subject, you have the right to:

  • Access: Request a copy of the data we hold about you or your organization
  • Correction: Correct inaccurate data directly within the platform or by contacting us
  • Deletion: Request deletion of your account and associated data
  • Portability: Request an export of your data
  • Restriction: Request that we limit processing of your data in certain circumstances
  • Objection: Object to certain uses of your data

To exercise these rights, use the Settings > Data Rights tab within the platform, or contact us at privacy@empoweredsessions.app. We will respond within 30 days.

9. Children's Data

Empowered Sessions requires all account holders and system users to be at least 18 years old. However, the platform is specifically designed to help organizations serve minors (students, participants in developmental disability programs, etc.). Data about minors is entered only by authorized adult service providers within your organization. This data is subject to the same security protections described throughout this policy, plus any additional requirements under FERPA, COPPA, or applicable state law that your organization is responsible for ensuring.

AI Features & Minors' Data: When AI writing assistance features are used in connection with records about minors, the platform automatically removes all direct identifiers — including the minor's name, date of birth, identification numbers, and contact information — before any content is sent to Anthropic's API. Only de-identified narrative content (e.g., anonymized goal descriptions, session observations with names replaced by placeholders) is transmitted. Diagnoses, IEP or ISP content, and educational records are similarly scrubbed of identifiers before AI processing. Your organization remains responsible for ensuring that use of AI features complies with COPPA, FERPA, and any applicable state law governing minors' data. See Section 3 for complete technical details on the de-identification process.

COPPA Notice: Empowered Sessions does not knowingly collect personal information directly from children under 13. All data about minors is collected and entered by authorized adult service providers, not by the minors themselves. If you believe a minor has directly provided personal information through the platform, contact us at privacy@empoweredsessions.app immediately.

10. Cookies & Tracking Technologies

Empowered Sessions uses a minimal set of storage technologies necessary to operate the platform. We do not use third-party advertising trackers, behavioral profiling cookies, or cross-site tracking.

What We Use

  • Authentication Tokens (Essential): Supabase Auth stores a JWT session token in your browser's local storage to maintain your login session. This is required for the platform to function and cannot be disabled.
  • User Preferences (Functional): Local storage may retain your UI preferences (e.g., selected organization, interface mode). These are not transmitted to third parties.
  • Google Fonts (Third-Party): The platform loads the Manrope typeface from Google Fonts CDN. This causes your browser to make a request to Google's servers, which may result in Google logging your IP address per Google's own privacy policy. No PHI or account data is transmitted in this request.

What We Do Not Use

  • No advertising or marketing cookies
  • No behavioral tracking or cross-site tracking pixels
  • No analytics cookies (e.g., Google Analytics, Mixpanel, Hotjar)
  • No social media tracking pixels

Because we do not use non-essential cookies, no cookie consent banner is presented. If this changes in the future, we will update this policy and present appropriate consent mechanisms.

11. Legal Basis for Processing & CCPA Rights

Legal Basis for Processing (GDPR — EEA/UK Users)

If you are located in the European Economic Area or the United Kingdom, we process your personal data under the following legal bases as applicable under the GDPR:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Empowered Sessions platform to your organization under your subscription agreement — including authentication, session tracking, invoicing, and storage of records you enter.
  • Legitimate Interests (Art. 6(1)(f)): Security monitoring, fraud prevention, audit logging, and platform integrity operations that are necessary for the safe operation of the platform and that do not override your fundamental rights.
  • Legal Obligation (Art. 6(1)(c)): Retention of records required by applicable law (e.g., billing records, breach notification obligations).
  • Consent (Art. 6(1)(a)): Optional features such as AI writing assistance are initiated only by explicit user action. Special category data (Art. 9) relating to health or educational records is processed under Art. 9(2)(h) (healthcare/social protection) and/or Art. 9(2)(j) (scientific research/public interest purposes) where applicable, and under your organization's explicit instructions as controller.

Empowered Sessions acts as a Data Processor for the personal data of individuals your organization enters into the platform. Your organization acts as the Data Controller. Empowered Applications LLC acts as Data Controller for account-holder data (name, email, role) used to provide and manage the service. To exercise GDPR rights, contact privacy@empoweredsessions.app.

California Residents — CCPA / CPRA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, and the purposes for which it was collected.
  • Right to Delete: You may request deletion of personal information we hold about you, subject to certain exceptions (e.g., legal obligations, fraud prevention).
  • Right to Correct: You may request correction of inaccurate personal information we hold about you.
  • Right to Opt Out of Sale or Sharing: We do not sell or share your personal information with third parties for cross-context behavioral advertising purposes. No opt-out action is required, but you may confirm this at any time by contacting us.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights.

To submit a CCPA request, use Settings > Data Rights within the platform or contact privacy@empoweredsessions.app. We will respond within 45 days as required by the CCPA, with one possible 45-day extension where reasonably necessary.

Data Processing Agreements

Organizations that require a Data Processing Agreement (DPA) — for example, to comply with GDPR Article 28 or CCPA service provider requirements — may request one by contacting legal@empoweredsessions.app. A DPA formalizes the roles of Data Controller (your organization) and Data Processor (Empowered Applications LLC) and specifies the purposes, scope, and security obligations applicable to your data.

12. Contact & Data Protection Officer

Legal & BAA Requests

legal@empoweredsessions.app

Security Concerns & Incidents

security@empoweredsessions.app

Mailing Address

Empowered Applications LLC

Registered in the State of New Jersey

Physical address available upon written request to legal@empoweredsessions.app

This Privacy Policy is effective as of the date listed above and supersedes all prior versions. We will notify you of material changes via email or in-app notification. Continued use of the platform after changes constitutes acceptance. Empowered Sessions is a product of Empowered Applications LLC, a Limited Liability Company registered in the State of New Jersey.