The data controller for Serenity Spaces is the organisation or individual who operates this instance of the platform. If you are unsure who this is, contact the practitioner who referred you to this platform or reach out via the contact details below.
This platform is self-hosted software. The operator — not the software developers — is the data controller responsible for all processing described in this notice.
Data Controller Contact
For data protection enquiries, requests to exercise your rights, or to obtain the identity of the controller, contact the platform operator directly. If this platform is Serenity Spaces at https://mail.serenityspaces.app, you may use the contact method available on the About page or via any existing correspondence with your practitioner.
| Category | Data elements | Who it relates to |
|---|---|---|
| Account data | Email address, display name, hashed password, avatar image | Practitioners, registered clients |
| Booking data | Name, email, date of birth, gender, sexuality, location (all encrypted at rest) | Clients booking sessions |
| Session content | Chat messages, practitioner clinical notes, client private reflection notes, session highlights, file attachments, voice notes — chat messages and all notes encrypted at rest | Session participants |
| Intake form responses | Responses to pre-session questionnaires set by the practitioner (may include health history, goals, or other clinical information provided before a session) | Clients completing intake forms |
| Goal and progress data | Goals set by the practitioner per client, milestones, and progress update notes | Clients with active goals |
| Referral data | Clinical context snapshot shared when a practitioner refers a client to another practitioner on this platform — may include goals, intake summary, session themes, or session notes depending on the sharing permissions set by the referring practitioner. Referral notes are encrypted at rest. | Clients who are the subject of a practitioner-to-practitioner referral |
| Technical data | IP address, browser/device info, session tokens, audit log entries | All users |
| Financial data | Session payment amounts, currency, payment method type (no card data stored on-platform) | Clients paying for sessions |
| Communication data | Messages sent via the in-platform messaging system | Practitioners and registered clients |
| Purpose | Legal basis | Data involved |
|---|---|---|
| Providing the session booking and scheduling service | Treatment / Healthcare operations (HIPAA); Contractual necessity (GDPR Art. 6(1)(b)); Necessary for service (PIPEDA / APPs) | Booking data, account data |
| Enabling practitioners to run therapeutic sessions | Treatment / Healthcare operations (HIPAA); Contractual necessity (GDPR Art. 6(1)(b)); Necessary for service (PIPEDA / APPs) | Session content, account data |
| Processing sensitive booking fields (gender, sexuality) | Explicit informed consent (HIPAA Authorization; GDPR Art. 9(2)(a); PIPEDA express consent; APP 3.3) | Gender, sexuality, date of birth |
| Security, fraud prevention, and audit logging | HIPAA Security Rule — required safeguard; Legitimate interests (GDPR Art. 6(1)(f)); Security purpose (PIPEDA / APPs) | Technical data, IP addresses, audit log |
| Processing payments | Healthcare operations (HIPAA); Contractual necessity (GDPR Art. 6(1)(b)); Necessary for service (PIPEDA / APPs) | Payment amount/status data |
| Complying with legal obligations | Legal obligation (HIPAA; GDPR Art. 6(1)(c); applicable national law) | Data subject requests, audit records |
| Client-initiated datacenter transfer | Explicit informed consent (HIPAA Authorization; GDPR Art. 49(1)(a); PIPEDA / APP express consent) | All data associated with your account |
Jurisdiction-specific details of legal bases — including full GDPR Article 6 and 9 breakdowns, HIPAA treatment/operations/payment categories, and the applicable basis under PIPEDA and the Australian Privacy Principles — are set out in the jurisdiction supplements below.
Session records — including messages, clinical notes, intake responses, and voice notes — are retained for 7 years from the date of your last session. This meets or exceeds the HIPAA minimum retention requirement of 6 years and aligns with professional therapeutic record-keeping guidelines published by the American Counseling Association (ACA) and the National Association of Social Workers (NASW). It also meets or exceeds retention requirements under applicable data protection law in each supported jurisdiction. Retention of these records supports continuity of care if you return, and practitioner accountability obligations.
You have the right to request deletion of your personal data at any time (see Section 06 — Your Rights). Where records are subject to a professional retention obligation, we will explain any applicable limits on deletion at the time of your request.
| Data type | Retention period |
|---|---|
| Session messages and clinical notes | 7 years from last session (HIPAA minimum: 6 years; ACA/NASW professional standard: 7 years). |
| Voice notes recorded during sessions | 7 years from last session. Deleted upon verified erasure request. |
| File attachments uploaded during sessions | Removed from server storage after session export. Text records of file names are retained as part of the session record. |
| Intake form responses | 7 years from last session, as part of the clinical record. |
| Goal and progress data | 7 years from last session. Deleted upon verified erasure request. |
| Booking records | 7 years from last session (professional accountability and potential legal obligation). |
| Account data (practitioners) | Retained while the account is active. Deleted within 30 days of account closure request. |
| Account data (registered clients) | Retained while the account is active. Deleted within 30 days of account closure request, subject to any applicable professional retention obligations. |
| Audit logs | Retained for a minimum of 12 months for security and compliance purposes (HIPAA Security Rule requires 6 years for HIPAA-related security documentation). |
| Consent records | Retained for as long as the associated booking or account exists, plus 3 years thereafter (legal accountability). |
| IP addresses and technical session data | Retained for up to 90 days for security purposes, then deleted. |
This platform does not sell, rent, or share personal data with third parties for marketing or advertising purposes.
Data may be shared with or accessible to:
Any transfer of data to third-party processors is subject to appropriate agreement requirements. Practitioners are responsible for ensuring their chosen processors maintain safeguards consistent with the applicable regulatory framework.
Practitioners may enable an optional media recommendation feature that surfaces book, film, and music suggestions during sessions. When this feature is active, practitioner-entered search queries are sent to the following external services to retrieve cover images and metadata:
image.tmdb.org — film and TV recommendations.covers.openlibrary.org — book cover images.books.google.com — book metadata and cover images.archive.org — supplementary media metadata.No client personal data is transmitted to these services. Only practitioner-initiated search terms are sent. This feature is practitioner-configured and disabled by default. Clients are not aware of search queries made by practitioners using this feature.
This platform operates regional datacenters that allow you to choose where your data is stored. Your chosen datacenter determines which privacy framework primarily governs the processing of your data:
You may request transfer of your data to a different regional datacenter at any time. Cross-region transfers require your explicit informed consent, are carried out securely using encrypted transfer, and are recorded in the audit log. Consent for a cross-region transfer may be withdrawn before the transfer completes; it cannot be undone after completion.
You have the following rights in relation to your personal data. The specific rights available to you depend on the jurisdiction in which you are located; full details are in the jurisdiction supplements below.
Request a copy of the personal data held about you.
Ask us to correct inaccurate data or complete incomplete data.
Request deletion of your personal data where there is no compelling reason to continue processing. Available directly from your client portal.
Ask us to limit how we use your data in certain circumstances.
Receive your data in a structured, machine-readable format.
Object to certain uses of your data, including uses based on legitimate interests.
Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
We do not make solely automated decisions that significantly affect you.
To exercise any of these rights, contact the data controller using the details in Section 01. For HIPAA-related concerns, contact the HHS Office for Civil Rights (OCR) at hhs.gov/hipaa/filing-a-complaint. For California privacy rights concerns, contact the California Privacy Protection Agency (CPPA) at cppa.ca.gov.
This platform uses the following cookies and local storage items. All are strictly necessary for the operation of the service. No non-essential cookies are set.
No third-party analytics, advertising, or cross-site tracking cookies are set by this platform. A cookie notice rather than a full consent banner is appropriate as all cookies are strictly essential to the service.
This privacy notice may be updated from time to time. The version number and date at the top of this page reflect the current version. Material changes affecting your rights will be communicated to registered users by email or platform notification where possible.
This section constitutes the HIPAA Notice of Privacy Practices (NPP) required under 45 CFR § 164.520. It applies to protected health information (PHI) processed by Serenity Spaces on US infrastructure. A supplementary California Consumer Privacy Act (CCPA/CPRA) notice follows for California residents.
| Use / Disclosure | Basis | Authorisation Required? |
|---|---|---|
| Treatment — Providing, coordinating, or managing your healthcare and related services. This includes sharing information with practitioners involved in your care. | HIPAA Treatment Operations | No |
| Healthcare Operations — Activities necessary to run the platform: quality assessment, training, business planning, and compliance. | HIPAA Healthcare Operations | No |
| Payment — Processing or facilitating payment for your sessions. | HIPAA Payment Operations | No |
| As Required by Law — Disclosures required by applicable federal or state law, including disclosures to public health authorities, law enforcement under specific conditions, or judicial orders. | Legal obligation | No |
| Serious Threat to Health or Safety — Disclosure to prevent or lessen a serious and imminent threat to you or others, where disclosure is to a person reasonably able to prevent the threat. | HIPAA § 164.512(j) | No |
| All Other Disclosures — Any disclosure of your PHI not covered above, including to family members, employers, or for marketing purposes. | Your prior written HIPAA Authorization | Yes |
Inspect and obtain a copy of your PHI held in our designated record set. Requests responded to within 30 days (extendable once by 30 days with notice).
Request amendment of PHI you believe is incorrect or incomplete. We may deny the request in certain circumstances and will explain why.
Request a list of disclosures of your PHI made in the six years prior to your request, other than for treatment, payment, and operations.
Request restrictions on certain uses and disclosures. We are not required to agree, except for disclosures to your health plan for items you paid out-of-pocket in full.
Request that we communicate with you about your PHI by alternative means or at alternative locations.
Request a paper copy of this Notice at any time, even if you previously agreed to receive it electronically.
In the event of a breach of unsecured PHI, Serenity Spaces will notify affected individuals without unreasonable delay and within 60 days of discovery, as required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414). Large breaches affecting 500 or more individuals in a state are also notified to HHS and prominent media outlets in that state within 60 days.
If you believe your HIPAA privacy rights have been violated, you may file a complaint with the controller (contact details above) or with the HHS Office for Civil Rights (OCR):
HHS Office for Civil Rights
200 Independence Avenue, S.W., Washington, D.C. 20201
Toll-free: 1-800-368-1019 · TDD: 1-800-537-7697
Web: hhs.gov/hipaa/filing-a-complaint
You will not be penalised for filing a complaint.
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you additional rights in relation to your personal information:
Know what personal information we collect about you, why we collect it, and who we share it with. You may request up to two disclosures in any 12-month period.
Request deletion of personal information we have collected from you, subject to certain exceptions (e.g. legal retention obligations).
Request correction of inaccurate personal information we maintain about you.
We do not sell or share your personal information for cross-context behavioural advertising. No opt-out mechanism is required.
Limit the use and disclosure of sensitive personal information to purposes necessary to provide services to you.
We will not discriminate against you for exercising your CCPA rights.
To exercise your CCPA/CPRA rights, contact the controller using the details in this notice. We will respond within 45 days (extendable by a further 45 days with notice). Requests are free of charge, up to twice per 12-month period.
To submit a complaint regarding our handling of your California privacy rights, contact the California Privacy Protection Agency (CPPA) at cppa.ca.gov.