HIPAA · 45 C.F.R. §164.520

Notice of Privacy Practices

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

Effective Date: February 28, 2026
Covered Entity: Self Shelf Platform
Contact: privacy@selfshelf.com
Important: Self Shelf is in the process of achieving full HIPAA compliance. Some features — including AI coaching — are not yet HIPAA-compliant because Anthropic does not currently offer a Business Associate Agreement (BAA) for those services. Do not share protected health information (PHI) in the AI Coach chat until a BAA is in place. All other features use Supabase infrastructure with a signed BAA (Supabase Pro required).

Who We Are
Our responsibilities under HIPAA

Self Shelf is a digital mental health platform connecting clients with licensed clinicians. As a covered entity under HIPAA, we are required to maintain the privacy of protected health information (PHI), provide you with notice of our legal duties and privacy practices, and notify you following a breach of unsecured PHI.

We are required by law to follow the terms of the privacy notice currently in effect. We reserve the right to change this notice. Any revised notice will be posted on this page with an updated effective date.

Protected Health Information We Collect
What data is covered by this notice

  • Intake & Profile Information: Name, date of birth, contact details, presenting concerns, therapy goals, support preferences, and self-reported mental health history collected during onboarding.
  • Journal Entries: Personal reflections, mood logs, and written entries you create in the journal feature.
  • Session Notes: Clinician-authored clinical notes created during or after therapy sessions. These are accessible only to your clinician and are not shared with you by default unless requested.
  • AI Coach Conversations: Messages exchanged in the AI Coach feature. Important: these conversations are currently processed by Anthropic and are not covered by a HIPAA BAA. Do not share PHI in AI Coach chats.
  • Clinician Credential & Verification Documents: License numbers, NPI, DEA registration, insurance certificates, and identity documents submitted during the credentialing process. Stored in encrypted private storage.

How We Use and Disclose Your Information
Permitted purposes under HIPAA

  • Treatment: We share your information with your treating clinician to provide, coordinate, and manage your mental health care. Your clinician may review your intake information, journal insights, and session history.
  • Payment: We may use your information to process billing and verify insurance coverage. Payment processing is handled by secure third-party processors and does not include clinical notes.
  • Healthcare Operations: Internal activities such as quality assessment, credential verification of clinicians, compliance reviews, and improving platform safety.
  • Required by Law / Safety: We may disclose PHI when required by law, in response to court orders or subpoenas, or to prevent a serious and imminent threat to health or safety (including mandatory reporting obligations).
  • We Do Not Sell Your Information: We do not sell, rent, or disclose your PHI for marketing purposes. We do not share your clinical data with advertisers or data brokers under any circumstances.

Your Rights Regarding Your Health Information
What you can request and how

Right to Access
Request a copy of your PHI held by Self Shelf in an electronic or paper format. We will respond within 30 days.
Right to Amend
Request correction of PHI you believe is inaccurate or incomplete. We may deny the request with a written explanation.
Accounting of Disclosures
Request a list of disclosures of your PHI made in the 6 years prior to your request, other than for treatment, payment, or operations.
Right to Restrict
Request restrictions on certain uses or disclosures of your PHI. We are not always required to agree, but will consider all requests.
Confidential Communications
Request that we communicate with you about your PHI by alternative means or at an alternative location (e.g., alternate email address).
Right to Delete
Request deletion of your account and associated PHI, subject to our legal retention obligations. Contact privacy@selfshelf.com to initiate.
Copy of This Notice
You may request a paper copy of this notice at any time, even if you previously agreed to receive it electronically.
Right to Complain
If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services — no retaliation will occur.

Technical Safeguards in Place
How we protect your data technically

  • Encryption at Rest: All database tables and file storage are encrypted using AES-256 via Supabase infrastructure (AWS us-east-1). Credential documents are stored in a private, non-public bucket.
  • Encryption in Transit: All data transmitted between your browser and our servers uses HTTPS (TLS 1.2+). API calls to third-party services also use HTTPS.
  • Access Controls (Row Level Security): Database Row Level Security (RLS) policies ensure each user can only access their own data. Clinicians can only see records belonging to their clients. Admin access is audited.
  • Session Timeout: Sessions automatically expire after 15 minutes of inactivity, with a 60-second warning before sign-out. This reduces the risk of unauthorized access on shared devices.
  • Audit Logging: All credential verification events are logged in an append-only audit table (therapist_id, event_type, timestamp, IP address). Only platform administrators may read audit logs.
  • Signed URLs for Documents: Credential documents are never served publicly. Access is granted via short-lived signed URLs (5-minute expiry) generated on demand for authorized reviewers only.
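As an added illustration (not Self Shelf's own schema or code), the following Postgres SQL shows how the RLS rules and the append-only audit table described above can be expressed on Supabase. The table and column names (journal_entries, care_relationships, credential_audit_log) are assumed; auth.uid() and the authenticated/anon roles are Supabase built-ins.

```sql
-- Added illustration, not Self Shelf's own schema: Postgres RLS on Supabase.
-- Table/column names are assumed; auth.uid() returns the caller's JWT subject.
create table journal_entries (
  id         bigint generated always as identity primary key,
  client_id  uuid not null references auth.users (id),
  body       text not null,
  created_at timestamptz not null default now()
);
-- Assumed link table: which clinician treats which client (needs its own RLS).
create table care_relationships (
  clinician_id uuid not null references auth.users (id),
  client_id    uuid not null references auth.users (id),
  primary key (clinician_id, client_id)
);
alter table journal_entries enable row level security;
alter table journal_entries force row level security;  -- binds the table owner too
-- Clients read and write only rows whose client_id matches their own identity.
create policy client_owns_rows on journal_entries
  for all to authenticated
  using (client_id = auth.uid())
  with check (client_id = auth.uid());
-- Clinicians get read-only access, and only to clients linked to them.
create policy clinician_reads_own_clients on journal_entries
  for select to authenticated
  using (exists (
    select 1 from care_relationships r
    where r.client_id = journal_entries.client_id
      and r.clinician_id = auth.uid()));
-- Append-only audit table: end-user roles get no grants at all (server-side
-- code inserts with the service role), and a trigger rejects every UPDATE or
-- DELETE, so even the service role, which bypasses RLS, cannot rewrite history.
create table credential_audit_log (
  id           bigint generated always as identity primary key,
  therapist_id uuid not null,
  event_type   text not null,
  occurred_at  timestamptz not null default now(),
  ip_address   inet
);
alter table credential_audit_log enable row level security;
revoke all on credential_audit_log from anon, authenticated;
create function reject_audit_mutation() returns trigger
language plpgsql as $$
begin
  raise exception 'credential_audit_log is append-only';
end $$;
create trigger audit_append_only
  before update or delete on credential_audit_log
  for each row execute function reject_audit_mutation();
```

Admin reads of the audit table then happen only through the service role, which is the access the notice says is restricted to platform administrators and audited.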

Business Associate Agreements (BAA)
Current status of third-party BAAs

  • Supabase — BAA Available (Supabase Pro): Database, authentication, and file storage. A HIPAA BAA is available on Supabase Pro ($25/mo). Required before the platform can be used in production for PHI storage.
  • Resend — BAA Available on Business Plan: Email notification service used for clinician verification emails. Zero PHI is included in email bodies — only portal links. BAA available on paid Resend plans.
  • Anthropic (AI Coach) — No BAA Currently Available: The AI Coach feature uses Anthropic's Claude API. Anthropic does not currently offer a HIPAA BAA. Do not share PHI (diagnoses, session details, client names, medication) in AI Coach conversations. This feature is intended for general wellness support only until a BAA is available.
  • NPPES CMS NPI Registry — Public Directory: National Provider Identifier verification queries use the public CMS NPPES API. No PHI is transmitted — only NPI numbers (publicly listed identifiers) are sent.

Contact Us or File a Complaint
Privacy Officer and complaint information

If you have questions about this notice or wish to exercise your rights, contact our Privacy Officer. If you believe your rights have been violated, you may also file a complaint with the U.S. Department of Health and Human Services — we will not retaliate against you for doing so.

Privacy Officer: Self Shelf Privacy Team
Response Time: Within 30 days
Complaints may also be filed with the HHS Office for Civil Rights.