Privacy Policy
Effective date: April 21, 2026
1. Who we are
After Clinical Workspace ("After", "we", "our", or "us") operates the platform available at https://www.getafter.cc and the companion mobile application. After is a clinical documentation tool designed exclusively for licensed mental-health professionals. We are a Business Associate under HIPAA and handle Protected Health Information ("PHI") only on behalf of the healthcare providers who use our service.
2. Information we collect
2a. Information you provide
- Account data — name, email address, professional credentials, and billing information when you register.
- Session audio — recordings you upload through the mobile app. Audio is encrypted in transit and at rest using AES-256-GCM before being stored.
- Clinical content — transcripts, generated notes, and assignment text that you create or edit on the platform.
- Communications — support messages or feedback you send to us.
2b. Information collected automatically
- Usage data — pages visited, features used, time on page, and navigation paths, collected through our analytics infrastructure.
- Device and connection data — IP address, browser type, operating system, and referring URL.
- Cookies and similar technologies — session cookies required for authentication, and optional analytics cookies (described in Section 7).
2c. Information from third parties
If you connect a third-party service (e.g., an EHR integration), we may receive limited profile data needed to establish that connection. We do not purchase data from data brokers.
3. How we use your information
- Provide, maintain, and improve the After platform and AI pipeline (transcription, speaker attribution, clinical note generation).
- Authenticate your account and enforce security controls.
- Process payments and manage your subscription.
- Send transactional emails (session status, billing receipts, security alerts). You cannot opt out of transactional messages while your account is active.
- Send product update and marketing emails — you may unsubscribe at any time via the link in each email.
- Comply with our legal obligations, including HIPAA, and respond to lawful requests from authorities.
- Aggregate and anonymise data for internal research to improve model accuracy. We never use individually identifiable PHI to train third-party AI models.
4. HIPAA and Protected Health Information
After operates as a HIPAA Business Associate. Clinical content (audio, transcripts, notes) constitutes PHI and is treated with the highest level of protection:
- All PHI is encrypted at rest (AES-256-GCM) and in transit (TLS 1.2+).
- Access to PHI is restricted to authenticated requests from the treating provider's account.
- We maintain audit logs of all access to PHI.
- We do not sell, license, or share PHI with advertising networks, including Meta, Google, or any other ad platform.
- Sub-processors that handle PHI (Supabase for storage, OpenAI for transcription, Anthropic for note generation) operate under data processing agreements that meet HIPAA requirements.
- In the event of a breach affecting PHI, we will notify affected providers within 60 days as required by HIPAA.
4b. Billing data and payment processing
Payments are processed by Paddle.com, our Merchant of Record. Paddle collects and processes payment card data, billing address, and tax information directly. We do not store payment card numbers on our servers.
- No PHI is transmitted to Paddle. Billing interactions are limited to your email address, a generated customer identifier, and subscription/payment status.
- We store your Paddle customer ID and subscription status in our database to enforce plan limits and display billing information in the dashboard.
- Billing records are retained for 7 years as required by applicable tax law.
For details on how Paddle handles your payment data, see Paddle's Privacy Policy.
4c. Client portal links and assignment content
The Service enables clinicians to share private, token-gated portal links with clients. Through these links, clients can view assignments and submit responses. You should be aware of the following:
- Portal access is token-gated. Each portal link contains a cryptographically random token. Anyone with the link can access that client's portal. You are responsible for distributing links securely and deactivating them when no longer needed.
- Client responses are stored as PHI. Any text a client enters through the portal (mood ratings, free-text responses) is stored in our HIPAA-compliant infrastructure and is accessible only to the treating provider's account.
- Assignment content (questions and instructions) is created by you. We do not review it. You are responsible for ensuring it is clinically appropriate and complies with applicable ethics codes.
- We do not contact your clients by email or any other channel through the portal without your explicit action (e.g., you choosing to send a link). Client email addresses are not collected by After through the portal.
5. How we share your information
We do not sell your personal data. We share information only in the following circumstances:
- Service providers — sub-processors that help us deliver the platform (cloud infrastructure, payment processing, email delivery). Each is bound by a data processing agreement.
- Legal requirements — when required by applicable law, court order, or governmental authority.
- Business transfers — in connection with a merger, acquisition, or sale of all or substantially all of our assets, under confidentiality obligations.
- With your consent — in any other case, only with your explicit written consent.
6. Meta Platforms and advertising
We may use the Meta Pixel (Facebook Pixel) on our public marketing pages (not within the authenticated dashboard) to measure the effectiveness of our advertising campaigns. When active, the Meta Pixel may collect:
- Page views and button clicks on marketing pages.
- Standard event data such as registrations and purchases (no PHI is transmitted).
- Browser identifiers and hashed email addresses used for audience matching, when you have given consent.
The Meta Pixel is never loaded inside the authenticated dashboard or on any page that could display PHI.
Meta processes this data in accordance with its own Data Policy. You can manage your Meta ad preferences at facebook.com/ads/preferences.
To opt out of Meta tracking entirely, you can use the Digital Advertising Alliance opt-out tool or enable the "Do Not Track" signal in your browser.
7. Cookies
| Cookie | Purpose | Duration | Required |
|---|---|---|---|
| sb-* | Supabase authentication session | Session | Yes |
| _fbp | Meta Pixel browser identifier (marketing pages only) | 90 days | No |
| _fbc | Meta click identifier from Meta ads | 90 days | No |
You can delete or block cookies through your browser settings. Blocking required cookies will prevent you from signing in.
8. Data retention
- Active accounts — we retain your data for as long as your account is active.
- After account closure — non-PHI account data is deleted within 30 days. PHI is deleted within 30 days unless a longer retention period is required by applicable law or your own regulatory obligations as a provider.
- Backups — encrypted backups may persist for up to 90 days after deletion.
- Billing records — retained for 7 years as required by tax law.
9. Your rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Correction — request that inaccurate data be corrected.
- Deletion — request deletion of your personal data, subject to our legal retention obligations.
- Portability — receive your data in a structured, machine-readable format.
- Objection / restriction — object to or restrict certain processing activities.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email privacy@getafter.cc. We will respond within 30 days.
10. Children's privacy
After is intended exclusively for licensed adult healthcare professionals. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us data, contact us immediately at privacy@getafter.cc.
11. International data transfers
After is headquartered in the United States. Your data is stored on servers located in the United States. If you access After from outside the United States, your data will be transferred to and processed in the United States under the protections described in this policy. For users in the European Economic Area, transfers are made under Standard Contractual Clauses approved by the European Commission.
12. Security
We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the data we handle, including encryption at rest and in transit, role-based access controls, audit logging, and regular security reviews. No system is perfectly secure; if you discover a vulnerability, please report it responsibly to privacy@getafter.cc.
13. Changes to this policy
We may update this policy from time to time. When we make material changes we will notify you by email and update the effective date at the top of this page. Your continued use of After after the effective date constitutes acceptance of the revised policy.
14. Contact us
For privacy inquiries, data requests, or to report a concern:
After Clinical Workspace
privacy@getafter.cc