Privacy Policy

Last Updated: March 18, 2026

1. Introduction

Enlighten Labs, Inc. ("Enlighten Labs," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, and protect information through our application, Attuned Growth (the "Service").

Our goal is to be transparent with therapists and supervisors using Attuned Growth about how their own data and their clients' data are handled.

This policy applies to all users of the Attuned Growth platform. We are deeply committed to protecting Protected Health Information (PHI) as defined by HIPAA and Personal Data as defined by the GDPR.

2. Information We Collect

We collect various types of information to provide and improve our services, some of which may constitute PHI or Personal Data.

2.1. Information You Provide to Us
  • Account & Profile Information: Your name, email address, password, role (Therapist or Supervisor), chosen timezone, and professional details.
  • Client Information (ePHI/Personal Data): Information about your clients, such as their names or pseudonyms, age, gender, unique client identifiers, and any presenting problems or diagnoses you provide.
  • Session Data (ePHI/Personal Data):
    • Audio recordings of therapy sessions uploaded by therapists.
    • Automatically generated text transcripts of these audio recordings, including speaker diarization.
    • AI-generated analysis reports, including therapist skill scores, qualitative feedback, SOAP notes, and therapy assessments.
    • Therapist and Supervisor comments, as well as personal notes related to sessions.
  • Communications: Records of your correspondence with us, including support requests and feedback.
2.2. Information We Collect Automatically
  • Usage Data: Information about how you access and use the service, such as your IP address, browser type, operating system, pages visited, features used, session duration, and referral sources.
  • Analytics Data: Data collected through business analytics tools to monitor application usage patterns, feature adoption, and overall service performance. We use optional analytics cookies only with your consent.
  • Technical Data: Server logs, error reports, and system performance metrics used for troubleshooting and service improvement.
2.3. Information from Third Parties
  • Stripe: We receive confirmation of your subscription status and billing event notifications (e.g., successful payments, cancellations) from our payment processor, Stripe. We do not store your full payment card details on our servers.

3. How We Use Your Information

We use the information we collect for specific, explicit, and legitimate purposes related to providing, improving, and securing our services.

  • To Provide and Maintain the Service: To create and manage your account; to process therapy sessions, including transcription, AI-driven analysis, and generation of clinical reports; to enable practice mode for skill development; to facilitate collaboration between therapists and supervisors; and to manage subscriptions and billing.
  • To Improve and Develop the Service: To monitor and analyze usage patterns to enhance the application; to perform internal research using de-identified or aggregated data; and to analyze system performance.
  • For Security and Compliance: To detect, prevent, and respond to fraud, unauthorized access, and security incidents; to ensure compliance with HIPAA and GDPR; and to maintain audit trails.
  • For Communication: To send you service-related notifications, updates, and important announcements regarding your account.
Legal Basis for Processing (GDPR)
  • Contractual Necessity: To provide services to you under our Terms of Service.
  • Legal Obligation: To comply with applicable laws (e.g., HIPAA) and regulations.
  • Legitimate Interests: For our legitimate business interests (e.g., improving services, security), where these interests are not overridden by your data protection rights.
  • Consent: Where required, we obtain your explicit consent for specific processing activities (e.g., analytics cookies).

4. How We Protect Your Information

We employ robust security measures designed to protect your Personal Data and ePHI from unauthorized access, alteration, disclosure, or destruction.

  • Encryption: All ePHI and sensitive data is encrypted both at rest (AWS RDS encryption, S3 server-side encryption with KMS) and in transit (HTTPS/TLS for all communications).
  • Access Controls: Strict role-based and owner-based access controls ensure that access to ePHI is limited to authorized users. Multi-factor authentication (MFA) is available for all accounts.
  • PII Redaction: Automated redaction of sensitive identifiers (e.g., names, locations, dates of birth, medical conditions) is applied to session transcripts.
  • Audit Logging: Comprehensive logging and monitoring of all system activity, including access to ePHI, is maintained.
  • Business Associate Agreements: We enter into BAAs with all third-party service providers that handle ePHI on our behalf.

While we implement industry-standard security measures, no method of transmission over the Internet or electronic storage is 100% secure. We continuously review and update our security practices.

5. How We Share and Disclose Information

We do not sell, rent, or lease your personal information or your clients' information to any third parties for any purpose.

  • With Your Consent: We may share your information if you provide explicit consent for specific disclosures.
  • With Service Providers: We engage trusted third-party service providers to perform functions on our behalf, such as cloud hosting, transcription, AI analysis, analytics, and payment processing. These parties are contractually bound by confidentiality and data protection obligations, including BAAs where ePHI is involved.
  • Therapist-Supervisor Collaboration: If you invite a supervisor, designated information (e.g., client list, session summaries, reports, comments) will be accessible to your supervisor within the application.
  • For Legal Reasons: We may disclose information if legally required by applicable law, regulation, legal process, or governmental request.
  • De-identified or Aggregated Data: We may share de-identified or aggregated data that cannot reasonably be used to identify you or your clients.

6. Data Retention and Deletion

We retain your information for as long as necessary to provide our services, fulfill the purposes outlined in this Privacy Policy, and comply with legal obligations.

  • Account Information: Your account information is retained as long as your account is active, and for a limited period thereafter to allow for account recovery or to meet legal obligations.
  • Client Profiles & Skill Scores: These are retained until you, as the therapist, request their deletion.
  • Session Audio Files: Raw audio files are automatically and permanently deleted immediately after successful transcription is confirmed. Unredacted transcripts are discarded once PII redaction is completed.
  • Session Transcripts: PII-redacted transcripts are automatically and permanently deleted 120 days after the session creation date. AI-generated analysis reports (skill scores, feedback, clinical notes) are retained as long as the associated client profile exists.
  • Deleted Records: When you delete a client or session, the data enters a 30-day soft-delete grace period during which it can be recovered. After 30 days, the data is permanently and irrecoverably deleted.
  • Data Exports: Requested data export archives are available for download for 48 hours, after which they are automatically deleted from our servers.

As a therapist, you can delete individual sessions or entire client profiles at any time. Deleting a client permanently deletes all associated sessions, transcripts, and analysis data (after the soft-delete grace period). You can permanently delete your entire account from your profile page. Account deletion permanently removes your account and associated application data without undue delay, except for limited records we must retain for security, fraud prevention, billing, audit, or other legal compliance purposes.

7. Your Rights Regarding Your Information

If you are located in a jurisdiction with applicable privacy laws, you have specific rights regarding your Personal Data:

  • Right to Access: You may request a copy of your Personal Data. You can generate a data export from your profile page at any time.
  • Right to Rectification: You may request correction of inaccurate or incomplete Personal Data. You can edit your profile and client data directly in the application.
  • Right to Erasure: You may request deletion of your Personal Data. You can delete individual clients and sessions from within the application (subject to the 30-day soft-delete grace period described in Section 6). You can also permanently delete your entire account from your profile page. Account deletion is irreversible: it permanently removes your account and associated application data as described in Section 6, except for limited records we must retain for security, fraud prevention, billing, audit, or other legal compliance purposes.
  • Right to Restriction of Processing: You may request that we limit processing of your Personal Data under certain conditions.
  • Right to Object: You may object to certain types of processing of your Personal Data.
  • Right to Data Portability: You may request your data in a structured, machine-readable format. The data export tool provides this in JSON format.
  • Right to Withdraw Consent: Where we rely on consent to process your data (e.g., analytics cookies), you may withdraw consent at any time via the Cookie Settings panel.

To exercise any of these rights, please contact us using the details in Section 10 below. We will not discriminate against you for exercising your privacy rights.

8. Children's Privacy

Attuned Growth is not intended for individuals under the age of 18. We do not knowingly collect Personal Data from children. If we become aware that we have collected Personal Data from a child without parental consent, we will take steps to delete that information. If you believe a child under 18 has provided us with Personal Data, please contact us.

9. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. You are advised to review this Privacy Policy periodically for any changes.

10. Contact Us

If you have questions or comments about this Privacy Policy or our data practices, please contact us at: support@attunedgrowth.com

If you are in the EEA or UK, you have the right to lodge a complaint with your relevant data protection supervisory authority if you believe your rights have been infringed.