Privacy Policy
Effective Date: April 1, 2026 · Last Updated: April 13, 2026
At Buddhist Therapy, privacy is not an afterthought — it is a foundational principle of our platform. We believe that meaningful healing requires a space of absolute trust and confidentiality. This Privacy Policy explains exactly what data we collect, how we use it, and what we do not do with your information.
By using Buddhist Therapy (the "Service"), you agree to the practices described in this Privacy Policy. This policy is incorporated into and forms part of our Terms of Service.
1. Our Core Privacy Commitment
Your conversations are never stored.
Every conversation conducted through Buddhist Therapy is entirely ephemeral. Chat messages exist only in volatile memory for the duration of your active session. When the session ends, all conversation data is permanently and irreversibly destroyed. There is no archive, no backup, no log, and no record of what was said.
This is not a policy decision that could be reversed — it is an architectural decision embedded in how our platform is built. Specifically:
- No conversation content is stored in any database, file system, cache, or persistent storage medium at any time
- No conversation data is logged — not in application logs, server logs, error logs, or any other logging system
- No conversation data is recorded or monitored — we do not listen to, read, review, or audit the content of your sessions
- No conversation data is transmitted to third parties — your words are not shared with, sold to, or disclosed to anyone outside the active session
- No conversation data is used for training, analytics, research, or any secondary purpose
- We cannot retrieve past conversations even if you request them, even under legal process — they simply do not exist
When your session ends, your conversation vanishes completely and permanently. This is by design.
2. Information We Collect
We collect only the minimum information necessary to operate the Service. Here is a complete and transparent accounting of every category of data we collect:
2.1 Account Information
- Email address — provided by you at registration, used solely for authentication (magic link login) and essential transactional communications (booking confirmations, session reminders)
That is the only piece of personal identifying information we require. We do not collect your name, phone number, physical address, date of birth, or any demographic information unless you voluntarily provide it.
2.2 Booking Information
- Therapist selection — which therapist you have booked a session with
- Date and time — the scheduled date and time of your session
- Session status — whether a session is upcoming, completed, or cancelled
This information is necessary for scheduling and is stored in our database. It contains no information about the content of any conversation.
2.3 Payment Information
- Payment status — whether payment has been completed, pending, or refunded
- Subscription status — whether you hold an active subscription and its renewal date
- Transaction references — identifiers linking to your Stripe payment records
We never see, access, or store your full credit card number, debit card number, CVV, or bank account details. All payment data is processed and stored exclusively by Stripe, our payment processor, in accordance with PCI DSS Level 1 standards — the highest level of payment security certification.
2.4 Basic Usage Data
- Page views — which pages of our website you visit
- Session counts — how many sessions you have completed (not their content)
- Device type and browser — basic technical information needed to deliver the Service properly
This data is collected in aggregate and is never linked to conversation content, because no conversation content exists to link it to.
3. How We Use Your Information
We use the information we collect for the following purposes and no others:
- Authentication — sending magic link emails so you can securely access your account
- Session scheduling — confirming bookings, sending reminders, and providing session access links
- Payment processing — facilitating transactions and managing subscription billing through Stripe
- Service operation — maintaining, protecting, and improving the Service
- Communication — sending essential transactional emails related to your account and sessions
- Legal compliance — responding to legal obligations when required by law
We do not sell, rent, trade, or otherwise share your personal data with third parties for their marketing purposes. We do not engage in data brokering. We do not monetize your information in any way beyond providing you the Service you have paid for.
4. Technical Security Measures
We employ multiple layers of security to protect your data:
4.1 Encryption in Transit
All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security) / SSL encryption. This means that even if data were intercepted during transmission, it would be unreadable to any third party.
4.2 Infrastructure Security
Buddhist Therapy is hosted on Cloudflare's global network, which provides enterprise-grade security including DDoS protection, Web Application Firewall (WAF), and global load balancing. Cloudflare maintains SOC 2 Type II, ISO 27001, and PCI DSS compliance.
4.3 Database Encryption
Account and booking data stored in our database (Cloudflare D1) is encrypted at rest. Access to the database is restricted to authenticated, authorized application processes only.
4.4 Passwordless Authentication
We use magic link authentication, which means no passwords are ever created, transmitted, or stored. Each login generates a unique, time-limited, single-use authentication link sent to your verified email address. This eliminates entire categories of security vulnerabilities associated with password-based systems, including password reuse, credential stuffing, and brute-force attacks.
4.5 Session Tokens
Authenticated sessions use JWT (JSON Web Token) session tokens with automatic expiry. Tokens are stored as secure, httpOnly cookies that cannot be accessed by client-side scripts, mitigating the risk of token theft through cross-site scripting (XSS).
5. Third-Party Services
We work with a small number of carefully selected third-party service providers. Each is used for a specific, limited purpose. We do not use advertising networks, tracking pixels, social media trackers, or any third-party analytics platforms that track individual user behavior.
5.1 Stripe (Payment Processing)
Stripe processes all financial transactions. When you make a payment, your payment information is sent directly to Stripe and is governed by Stripe's Privacy Policy. We receive only confirmation of payment status and a transaction reference — never your full card details.
5.2 Resend (Email Delivery)
Resend delivers our transactional emails, including magic link login emails, booking confirmations, and session reminders. Resend processes only the email address and message content necessary for delivery. We do not use Resend for marketing emails or newsletters unless you have explicitly opted in.
5.3 Cloudflare (Hosting and Security)
Cloudflare provides our hosting infrastructure, content delivery, and security services. Cloudflare may process standard web request data (IP addresses, request headers) as part of its security and delivery services, governed by Cloudflare's Privacy Policy.
That is the complete list. We do not use Google Analytics, Facebook Pixel, or any other third-party tracking or advertising technology.
6. Data Retention
6.1 Conversation Data
Retention period: Zero. Conversation data is never stored and therefore has no retention period. It exists only in volatile memory during an active session and is destroyed when the session ends.
6.2 Account Data
Your email address and account information are retained for as long as your account remains active. Upon account deletion (which you may request at any time), your account data is permanently deleted from our systems.
6.3 Booking Records
Booking records (therapist, date, time, session status) are retained for twelve (12) months after the session date for billing and accounting purposes. After this period, booking records are permanently deleted. Booking records never contain conversation content.
6.4 Payment Records
Payment transaction references are retained in accordance with applicable tax and financial reporting requirements. Full payment details are held by Stripe and subject to Stripe's data retention policies.
7. Your Rights
We respect your rights over your personal data. Regardless of where you are located, you have the following rights:
7.1 Right to Access
You may request a copy of the personal data we hold about you. This will include your email address, booking history, and payment status. It will not include conversation content, because we do not have any.
7.2 Right to Deletion
You may request the deletion of your account and all associated personal data at any time. Upon receiving a verified deletion request, we will permanently delete your account data, email address, and all booking records from our systems within thirty (30) days. Please note that we cannot delete data held by Stripe — you must contact Stripe directly for payment data deletion.
7.3 Right to Correction
You may request correction of any inaccurate personal data we hold about you by contacting us.
7.4 Right to Opt Out
You may opt out of non-essential communications at any time. Essential transactional emails (login links, booking confirmations, session reminders) cannot be opted out of while your account is active, as they are necessary for the operation of the Service.
7.5 Right to Data Portability
You may request your personal data in a structured, commonly used, machine-readable format.
To exercise any of these rights, please contact us at the address provided in Section 12.
8. GDPR Compliance (European Economic Area Users)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- Legal basis for processing: We process your personal data based on (a) your consent when you create an account, (b) contractual necessity to provide the Service, and (c) legitimate interest in operating and improving the Service
- Right to restrict processing: You may request that we restrict the processing of your personal data under certain circumstances
- Right to object: You may object to processing based on legitimate interests
- Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority
- Data transfers: Your data may be transferred to and processed in the United States, where our service infrastructure is managed. Such transfers are protected by appropriate safeguards, including Cloudflare's and Stripe's compliance with applicable data transfer frameworks
9. CCPA Compliance (California Residents)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you
- Right to delete: You have the right to request deletion of your personal information, subject to certain exceptions
- Right to opt out of sale: We do not sell your personal information to third parties. We have never sold personal information and have no plans to do so
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights
In the preceding twelve (12) months, we have collected the following categories of personal information: identifiers (email address), commercial information (payment and booking records), and internet activity information (basic usage data). We have not sold any personal information. We have disclosed personal information to service providers (Stripe, Resend, Cloudflare) solely for the business purposes described in Section 5.
10. Children's Privacy
Buddhist Therapy is not intended for individuals under the age of eighteen (18). We do not knowingly collect personal information from anyone under the age of 18. If we become aware that we have collected personal information from a person under 18, we will take prompt steps to delete that information. If you believe we have inadvertently collected information from a minor, please contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will notify you by email at least thirty (30) days before the changes take effect. We encourage you to review this page periodically. The "Last Updated" date at the top of this page indicates when the most recent revisions were made.
12. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how your information is handled, please contact us:
Buddhist Therapy — Privacy
Email: privacy@buddhist-therapy.com
We aim to respond to all privacy-related inquiries within thirty (30) days.