Privacy Policy

Last Updated: July 12, 2026 (Version 5)

1. Introduction

Mendly ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

Mendly is operated by Mendly LLC, a Pennsylvania limited liability company.

By using Mendly, you agree to the collection and use of information in accordance with this Privacy Policy.

2. HIPAA & Protected Health Information

Mendly serves mental health professionals, and much of the information on the platform is protected health information ("PHI") under the Health Insurance Portability and Accountability Act ("HIPAA"). Your therapist or practice is the HIPAA covered entity responsible for your health information; Mendly LLC acts as their business associate.

We handle PHI in accordance with HIPAA and the Business Associate Agreement ("BAA") we enter into with each therapist customer, available at mendly.me/legal/baa. To the extent this Privacy Policy conflicts with the BAA with respect to PHI, the BAA controls.

If you are a patient and wish to access, amend, or request an accounting of disclosures of your health records, direct your request to your therapist — we support them in fulfilling those requests as required by HIPAA.

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

  • Therapist Accounts: Name, email address, password (managed by our authentication provider), organization name (optional)
  • Patient Accounts: Name, email address, password (managed by our authentication provider), therapist association

3.2 Usage Data

We automatically collect:

  • Log data (IP address, browser type, pages visited, time/date stamps)
  • Device information (device type, operating system)
  • Session data (login times, activity timestamps)

3.3 Application Data

Depending on how you use the service, we may collect:

  • Daily check-in and questionnaire responses
  • Patient information entered by your therapist (such as birthday, medications, and care team)
  • Progress tracking data and insights derived from check-ins
  • Any other content you submit to the platform

3.4 Billing Information

For therapist subscriptions, we collect:

  • Subscription plan and billing status
  • Payment records and invoices

Payments are processed by Stripe. Your full payment card details are provided directly to Stripe and are not stored on our servers. Stripe's handling of your information is described in its own privacy policy.

3.5 Phone Number and SMS Data

SMS notifications are not currently offered. If we enable SMS in the future, opting in would involve collecting:

  • Your mobile phone number
  • SMS consent status and timestamp
  • SMS message logs (message type, delivery status, timestamps)
  • Opt-in and opt-out records

For complete details, see our SMS Consent & Terms page.

3.6 Cookies and Tracking

We use:

  • Session cookies for authentication
  • CSRF tokens for security
  • Local storage for user preferences

We do not use third-party advertising or analytics trackers.

4. How We Use Your Information

We use your information to:

  • Provide and maintain the Service
  • Authenticate users and manage accounts
  • Process and store your data
  • Process subscription payments and manage billing
  • Send administrative emails (password resets, account notifications, reminders you enable)
  • Detect and prevent security threats, fraud, or abuse
  • Comply with legal obligations
  • Improve and develop the Service

5. Information Sharing and Disclosure

5.1 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information to third parties.

5.2 Third-Party Service Providers

We share data with service providers who help us operate:

  • Amazon Web Services (AWS): Application hosting, database, user authentication, and transactional email delivery. AWS is our primary infrastructure provider, and we have a business associate agreement with AWS covering PHI.
  • Stripe: Subscription payment processing (billing information only — Stripe does not receive patient health information)
  • Cloudflare: DNS services

These providers have access to your data only to perform services on our behalf and are obligated to protect it. Providers that handle PHI on our behalf are bound by business associate agreements as required by HIPAA.

5.3 Legal Requirements

We may disclose your information if required by law or to:

  • Comply with legal process (subpoenas, court orders)
  • Protect our rights, property, or safety
  • Prevent fraud or security threats
  • Respond to government requests

5.4 Business Transfers

If Mendly is acquired or merged, your information may be transferred to the new owner, subject to the protections of this Privacy Policy and, for PHI, the BAA and HIPAA.

6. Data Storage and Security

6.1 Where We Store Data

Your data is stored on:

  • Amazon Web Services infrastructure (managed PostgreSQL database and cloud hosting)
  • Servers located in the United States

6.2 Security Measures

We implement security measures including:

  • Managed authentication through AWS Cognito, with multi-factor authentication required for all accounts
  • HTTPS/TLS encryption for data in transit
  • Encryption of data at rest
  • CSRF protection
  • Rate limiting on authentication and sensitive operations
  • Automatic session timeouts
  • Security headers (HSTS, CSP, X-Frame-Options)

However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

6.3 Data Retention

We retain data for as long as your account is active or as needed to provide the Service. You may request deletion at any time, as described in Section 7. PHI is returned or destroyed in accordance with the BAA when a therapist's account ends.

7. Your Rights and Choices

7.1 Access and Update

You can access and update your account information by logging in and visiting your profile/settings. Patients may also request access to their health records through their therapist, as described in Section 2.

7.2 Data Deletion

To delete your data:

  • Therapists: Email support@mendly.me to request account and data deletion
  • Patients: Contact your therapist, or email support@mendly.me — because your therapist controls your health records, we will coordinate the request with them

We will process deletion requests within 30 days.

7.3 Data Export

We do not currently offer automated data export. To request a copy of your data, email support@mendly.me.

7.4 Marketing Communications

We do not send marketing emails. All emails are transactional (password resets, account notifications, reminders you enable).

8. Children's Privacy

Patient accounts may be created for minors (under 18) with parent/guardian consent. The parent or legal guardian is responsible for:

  • Providing consent for the minor's account
  • Reviewing this Privacy Policy
  • Managing the minor's account and data

9. California Privacy Rights (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect
  • Know if we sell or disclose your personal information (we do not sell)
  • Access your personal information
  • Delete your personal information
  • Opt-out of the sale of personal information (not applicable - we don't sell)
  • Non-discrimination for exercising your rights

Note that PHI governed by HIPAA is generally exempt from the CCPA; rights in your health records are provided under HIPAA through your therapist, as described in Section 2.

To exercise these rights, email support@mendly.me.

10. International Users

Mendly is operated from Pennsylvania, USA. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States where data protection laws may differ from your country.

11. Changes to This Privacy Policy

We may update this Privacy Policy. We will notify you of material changes by:

  • Posting the updated Privacy Policy on the Service
  • Updating the "Last Updated" date and version
  • Sending email notifications for significant changes

Continued use after changes constitutes acceptance of the updated Privacy Policy.

12. Contact Us

If you have questions about this Privacy Policy or our privacy practices, contact us at:

Email: support@mendly.me
Company: Mendly LLC
Location: Pennsylvania, USA

13. Data Breach Notification

In the event of a data breach that affects your information, we will provide notification consistent with the HIPAA Breach Notification Rule and applicable state law, including notifying affected therapist customers so they can fulfill their own notification obligations, and notifying affected users via email without undue delay.

By using Mendly, you acknowledge that you have read and understood this Privacy Policy.