Privacy Policy

Last Updated: November 8, 2025

IMPORTANT NOTICE - NOT HIPAA COMPLIANT

Mendly is NOT HIPAA compliant and is for DEMONSTRATION purposes only.

  • DO NOT enter real patient Protected Health Information (PHI)
  • This service does not meet HIPAA security and privacy requirements
  • Use only test/demo data for evaluation purposes

1. Introduction

Mendly ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

Mendly is operated by an individual developer based in Pennsylvania, USA. This is a demonstration version and is NOT HIPAA compliant.

By using Mendly, you agree to the collection and use of information in accordance with this Privacy Policy.

2. HIPAA Non-Compliance Notice

IMPORTANT: Mendly is NOT HIPAA compliant.

  • This service does NOT meet the technical, physical, or administrative safeguards required by HIPAA
  • We do NOT have a Business Associate Agreement (BAA) in place
  • This platform is NOT suitable for storing, transmitting, or processing Protected Health Information (PHI)
  • DO NOT enter real patient data, medical records, diagnoses, treatment plans, or any PHI
  • Use only fictional, test, or demonstration data
  • We plan to become HIPAA compliant in the future when there is sufficient interest

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

  • Therapist Accounts: Name, email address, password (stored only as a bcrypt hash, never in plaintext or in a reversible form), organization name (optional)
  • Patient Accounts: Name, email address, password (stored only as a bcrypt hash, never in plaintext or in a reversible form), therapist association

3.2 Usage Data

We automatically collect:

  • Log data (IP address, browser type, pages visited, time/date stamps)
  • Device information (device type, operating system)
  • Session data (login times, activity timestamps)

3.3 Application Data

Depending on how you use the service, we may collect:

  • Questionnaire responses
  • Progress notes and assessments
  • Patient-therapist communications
  • Appointment and session data
  • Any other content you submit to the platform

REMINDER: Only use test/demo data. Never enter real PHI.

3.4 Cookies and Tracking

We use:

  • Session cookies for authentication
  • CSRF tokens for security
  • Local storage for user preferences

4. How We Use Your Information

We use your information to:

  • Provide and maintain the Service
  • Authenticate users and manage accounts
  • Process and store your demo/test data
  • Send administrative emails (password resets, account notifications)
  • Detect and prevent security threats, fraud, or abuse
  • Comply with legal obligations
  • Improve and develop the Service

5. Information Sharing and Disclosure

5.1 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information to third parties.

5.2 Third-Party Service Providers

We share data with service providers who help us operate:

  • Supabase: Database and authentication (data storage)
  • Vercel: Web hosting and deployment
  • Cloudflare: CDN, DDoS protection, and security
  • Resend: Transactional email delivery

These providers have access to your data only to perform services on our behalf and are obligated to protect it.

5.3 Legal Requirements

We may disclose your information if required by law or to:

  • Comply with legal process (subpoenas, court orders)
  • Protect our rights, property, or safety
  • Prevent fraud or security threats
  • Respond to government requests

5.4 Business Transfers

If Mendly is acquired or merged, your information may be transferred to the new owner.

6. Data Storage and Security

6.1 Where We Store Data

Your data is stored on:

  • Supabase servers (cloud-based PostgreSQL database)
  • Server locations may be in the United States or other regions

6.2 Security Measures

We implement security measures including:

  • Password hashing (bcrypt; passwords are never stored in plaintext or in a reversible encrypted form)
  • HTTPS/TLS encryption for data in transit
  • CSRF protection
  • Rate limiting on authentication
  • Session timeouts (30 minutes of inactivity)
  • Security headers (HSTS, CSP, X-Frame-Options)

However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

6.3 Data Retention

We currently retain data indefinitely unless you request deletion. When we become HIPAA compliant, we will implement appropriate retention and destruction policies.

7. Your Rights and Choices

7.1 Access and Update

You can access and update your account information by logging in and visiting your profile/settings.

7.2 Data Deletion

To delete your data:

  • Therapists: Email welcome@mendly.me to request account and data deletion
  • Patients: Email welcome@mendly.me to request data deletion

We will process deletion requests within 30 days.

7.3 Data Export

We do not currently offer automated data export. To request a copy of your data, email welcome@mendly.me.

7.4 Marketing Communications

We do not send marketing emails. All emails are transactional (password resets, account notifications).

8. Children's Privacy

Patient accounts may be created for minors (under 18) with parent/guardian consent. The parent or legal guardian is responsible for:

  • Providing consent for the minor's account
  • Reviewing this Privacy Policy
  • Understanding that only demo/test data should be used
  • Managing the minor's account and data

We do not knowingly collect real PHI from minors.

9. California Privacy Rights (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect
  • Know if we sell or disclose your personal information (we do not sell)
  • Access your personal information
  • Delete your personal information
  • Opt-out of the sale of personal information (not applicable - we don't sell)
  • Non-discrimination for exercising your rights

To exercise these rights, email welcome@mendly.me.

10. International Users

Mendly is operated from Pennsylvania, USA. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States where data protection laws may differ from your country.

11. Changes to This Privacy Policy

We may update this Privacy Policy. We will notify you of material changes by:

  • Posting the updated Privacy Policy on the Service
  • Updating the "Last Updated" date
  • Sending email notifications for significant changes

Continued use after changes constitutes acceptance of the updated Privacy Policy.

12. Future HIPAA Compliance

When Mendly becomes HIPAA compliant, we will:

  • Implement all required technical, physical, and administrative safeguards
  • Establish Business Associate Agreements (BAAs) with all subcontractors
  • Update this Privacy Policy to reflect HIPAA compliance
  • Require all users to accept a new Privacy Policy and Terms of Service
  • Implement proper data retention and destruction policies
  • Provide breach notification procedures

13. Contact Us

If you have questions about this Privacy Policy or our privacy practices, contact us at:

Email: welcome@mendly.me
Service: Mendly
Location: Pennsylvania, USA

14. Data Breach Notification

In the event of a data breach that affects your information, we will notify affected users via email within a reasonable timeframe. However, as we are not HIPAA compliant, we do not follow HIPAA breach notification procedures.

By using Mendly, you acknowledge that you have read and understood this Privacy Policy.