Privacy Policy

Rorshack ("we," "us," or "our") is a communication coaching platform built for licensed therapists and coaches. This Privacy Policy explains how we handle information collected through rorshack.com and the therapist portal. Our architecture is designed from the ground up to minimise data collection and protect client privacy.

1. Our Core Privacy Principle

Client session content never reaches our servers. All coaching conversations generated by a client's personalised HTML file are stored exclusively in that client's browser localStorage. We do not receive, store, or process the content of any coaching session.

2. Information We Collect — Therapist Accounts

When you register as a therapist or coach, we collect:

• Name and email address
• Professional credentials and licence type (for verification)
• Billing information, processed by our payment provider (Stripe)
• Client first names you add to your portal (no surnames, contact details, or clinical notes)
• Usage data: login events, file generation timestamps, deactivation actions

3. What We Do Not Collect

• Client session transcripts or coaching conversation content
• Client email addresses, phone numbers, or any contact details
• Client health information, diagnoses, or treatment records
• Any personally identifiable information about clients beyond a first name

4. How Client Files Work

Each personalised HTML file contains a restricted API token unique to that client. When a client uses the file, conversation text passes through an edge function to our AI provider. No names, dates, or identifiers accompany that request — only the conversation content itself. Session data is saved to the client's browser only. When you deactivate a client file, the token invalidates within seconds.

5. Cookies and Analytics

We use essential session cookies to keep you logged into the therapist portal. We may use privacy-respecting analytics (no cross-site tracking) to understand how the portal is used. We do not use advertising cookies. See our Cookie Policy for details.

6. HIPAA Considerations

Rorshack's architecture is designed to be HIPAA-friendly: client PHI is not transmitted to or stored on our servers. A Business Associate Agreement (BAA) is available for practices requiring formal HIPAA documentation. To request a BAA, contact hello@rorshack.com. We recommend therapists consult their compliance officer regarding their specific obligations.

7. Data Sharing

We do not sell your data. We share limited information only with:

• Stripe — payment processing (governed by Stripe's Privacy Policy)
• Anthropic — AI inference for client coaching sessions (conversation text only, no PII)
• Legal authorities, only where required by law or to prevent imminent harm

8. Data Retention

Therapist account data is retained for the duration of your subscription plus 90 days following cancellation, then securely deleted. Client first names in your portal are deleted when you remove the client or close your account. Client session data exists only on the client's device and is outside our control.

9. Your Rights

You may access, correct, export, or delete your account data at any time from your portal settings. To exercise data rights or request deletion, contact hello@rorshack.com. We respond within 30 days.

10. Security

We use TLS encryption in transit, token-scoped API access, and regular security reviews. Therapist portals are protected by authenticated sessions. No system is perfectly secure — please use strong, unique passwords.

11. Children

Our therapist portal is for licensed professionals aged 18 and over. The client-side HTML files may be used with minor clients at the discretion of the supervising therapist, who is responsible for obtaining appropriate parental consent.

12. Changes to This Policy

We will post updates here and notify registered therapists by email of material changes. Continued use of the Services after changes constitutes acceptance.

13. Contact

Privacy questions or requests: hello@rorshack.com