Privacy Policy

Last updated: 2026-03-16

1. What Data We Collect

PR-TOP collects only the data necessary to provide its therapist assistant services. We distinguish between the following categories:

Personal Information

When you register, we collect your email address, name, and chosen password (stored as a cryptographic hash). Therapists may also provide a practice name and professional credentials.

Clinical & Session Data

Clients may submit diary entries (text, voice messages, video messages), exercise responses, and SOS alerts through Telegram. Therapists may upload session recordings, write private notes, and create AI-assisted summaries. All clinical data is classified as Class A sensitive data and encrypted at the application layer.

Usage Data

We collect anonymized usage analytics through Umami, a privacy-first analytics platform that uses no cookies and stores no personal identifiers. This includes page views, traffic sources, and device types — but never individual user behavior.

2. How We Use Your Data

Your data is used exclusively to provide and improve the PR-TOP therapeutic assistant service:

  • Providing therapist-client workflows: diary access, session management, exercise delivery, SOS alerts
  • AI-powered features: speech-to-text transcription, session summarization, semantic search, natural language queries
  • Account management: authentication, subscription billing, email notifications
  • Service improvement: anonymized aggregate analytics to understand feature usage patterns

We never use your data for advertising, user profiling, or model training purposes.

3. Data Storage & Encryption

PR-TOP employs multiple layers of protection to safeguard your data:

Class A Data (Highly Sensitive)

Diary entries, session transcripts, therapist notes, AI summaries, SOS content, and exercise responses are encrypted at the application layer using AES-256 before being stored in the database. Even database administrators cannot read this data without the application encryption keys.

Class B Data (Metadata)

Timestamps, user role information, subscription status, and scheduling metadata are access-controlled but may remain as plaintext in the database. Payment data is handled entirely by Stripe and never touches our servers.

All data in transit is protected with TLS 1.3 encryption. We enforce HSTS headers with a two-year duration to prevent connection downgrades.

4. Third-Party Services

PR-TOP integrates with the following third-party services to provide its features:

  • Stripe — Payment processing for subscriptions. Stripe handles all payment card data in compliance with PCI DSS standards. We never store card numbers on our servers.
  • AI Providers — Transcription and summarization services (e.g., OpenAI, Anthropic, Google). Only the minimum necessary content is sent for processing, and AI providers do not retain your data after processing is complete.
  • Telegram — Client-facing messaging interface. Telegram delivers messages between clients and the bot; message content is encrypted in our database upon receipt.

We never sell, rent, or trade your personal or clinical data to any third party, for any reason.

5. Data Retention & Deletion

We retain your data only for as long as you maintain an active account and have an ongoing therapeutic relationship that requires it.

You may request complete deletion of your account and all associated data at any time. Upon receiving a deletion request, we permanently and irreversibly remove all personal information, clinical data, session recordings, transcripts, notes, and AI-generated content from our active database.

Encrypted backups are rotated on a scheduled basis. Deleted data will be purged from backup storage within the backup retention window (typically 30 days).

6. Cookies & Tracking

PR-TOP is designed with a privacy-first approach to analytics and tracking.

We use Umami for web analytics — a self-hosted, open-source analytics platform that is fully GDPR-compliant. Umami does not use cookies, does not track individual users, and does not collect personal data. All analytics data is aggregated and anonymized.

We use only essential browser storage (localStorage) for authentication tokens and language preferences. No third-party tracking cookies, advertising pixels, or fingerprinting technologies are used.

7. Children's Privacy

PR-TOP is a professional tool designed for licensed therapists and their adult clients. Our service is intended for users aged 18 and older. We do not knowingly collect personal information from children under 18. If you believe a minor has provided us with personal data, please contact us immediately so we can delete it.

8. Contact Information

If you have any questions about this Privacy Policy, your data, or wish to exercise your rights (access, correction, deletion, data portability), please contact us at:

[email protected]

9. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The "Last updated" date at the top of this page indicates when the policy was last revised.

For material changes, we will notify registered users via email and/or an in-app notification at least 14 days before the changes take effect. Continued use of PR-TOP after the effective date constitutes acceptance of the updated policy.