Privacy Policy

Privacy Policy — Peerakeet, Inc.

Version 1.0

Effective Date: January 1, 2025

Last Updated: January 1, 2025

This Privacy Policy ("Policy") describes how Peerakeet, Inc. ("Peerakeet," "we," "us," or "our") collects, uses, discloses, and protects your personal information when you use the Peerakeet mobile application, website, and related services (collectively, the "Service"). This Policy is designed to comply with applicable privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA) where applicable, the Family Educational Rights and Privacy Act (FERPA) where applicable, and state privacy laws.

By using the Service, you consent to the collection and use of your information as described in this Policy. If you do not agree with this Policy, please do not use the Service.

1. Information We Collect

1.1 Information You Provide Directly:

  • Account Information: Email address, password (hashed and encrypted), display name, date of birth, and account preferences.
  • Profile Information: Self-descriptions, life topics, interests, recovery stage information, coping tools, boundaries, strengths, and other profile content you choose to share.
  • Health and Wellness Information: Journal entries, emotional check-ins, mood assessments, craving scales, wellbeing measurements, reflections, and other health-related content you create through the Service.
  • Communication Data: Messages sent to other users, reports submitted, feedback provided, and communications with our support team.
  • Consent Records: Records of your acceptance of Terms of Service, Privacy Policy, Community Guidelines, and other legal agreements, including timestamps and version numbers.

1.2 Information Collected Automatically:

  • Usage Data: Information about how you interact with the Service, including features used, time spent, pages viewed, and navigation patterns.
  • Device Information: Device type, operating system, unique device identifiers, mobile network information, and device settings.
  • Log Data: Server logs, IP addresses, access times, error reports, and performance data.
  • Location Data: General location information (city, state, country) derived from IP address, if applicable. We do not collect precise GPS location data.

1.3 Information from Third Parties:

  • Authentication Providers: If you sign in using Google or Apple, we may receive basic profile information (name, email) from those providers.
  • Telehealth Partners: Information shared by certified peer support specialists or telehealth platforms in connection with telehealth services.

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 Service Provision: To provide, operate, maintain, and improve the Service, including peer matching, messaging, journaling, check-ins, and telehealth coordination.

2.2 Safety and Moderation: To detect, prevent, and address safety concerns, harmful content, violations of our Terms or Community Guidelines, and potential risks to users. This includes using AI-assisted moderation tools to analyze message content for safety risks.

2.3 Communication: To send you service-related notifications, updates, security alerts, and administrative messages. We may also send you optional promotional communications if you have opted in.

2.4 Personalization: To personalize your experience, including matching you with appropriate peers, recommending content, and customizing features.

2.5 Analytics and Improvement: To analyze usage patterns, conduct research, improve our algorithms, and develop new features. This may include aggregated, de-identified data analysis.

2.6 Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests; to enforce our Terms and policies; to protect the rights, property, or safety of Peerakeet, our users, or others; and to respond to legal claims.

2.7 Business Operations: To manage our business operations, including customer support, fraud prevention, security monitoring, and audit purposes.

3. How We Share Your Information

We do not sell your personal information. We may share your information only in the following circumstances:

3.1 With Your Consent: We may share your information when you have given us explicit consent to do so, such as when you choose to connect with a peer or participate in telehealth services.

3.2 Service Providers and Business Associates: We may share information with third-party service providers and business associates who perform services on our behalf, such as cloud hosting, data analytics, AI processing, email delivery, and customer support. All service providers are contractually obligated to:

  • Protect your information in accordance with applicable privacy laws, including HIPAA where applicable
  • Implement appropriate security safeguards (including SOC 2-compliant controls where applicable)
  • Use your information only for the specific services provided to Peerakeet
  • Not use your information for their own purposes or to train AI models
  • Maintain Business Associate Agreements (BAAs) when handling protected health information
  • Comply with data breach notification requirements
  • Undergo regular security assessments and audits

We carefully vet all service providers and maintain ongoing oversight of their security practices. We maintain Business Associate Agreements (BAAs) with all service providers that handle protected health information, ensuring HIPAA compliance throughout our service chain.

3.3 AI and Moderation Services: We use third-party AI services (including Groq and Llama Guard) for content moderation and safety monitoring. These services:

  • Operate under Business Associate Agreements (BAAs) to ensure HIPAA compliance
  • Process message content in real-time to detect safety risks and harmful content
  • Do NOT use your data to train their AI models
  • Do NOT retain your data beyond what is necessary for processing
  • Implement SOC 2-compliant security controls
  • Process data only for the specific moderation and safety services provided to Peerakeet
  • Are contractually prohibited from using your data for any other purpose

Transparency: We use AI to help keep the community safe, but all AI-flagged content is reviewed by human moderators before any action is taken. AI systems assist but do not replace human judgment.

3.4 Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Peerakeet, our users, or others.

3.5 Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction, subject to the same privacy protections.

3.6 Aggregated and De-Identified Data: We may share aggregated, de-identified, or anonymized data (data that cannot reasonably be used to identify you) for research, analytics, reporting to partner organizations, or other legitimate business purposes.

3.7 Emergency Situations: We may share information if we believe it is necessary to prevent imminent harm to you or others, including contacting emergency services or crisis intervention resources.

4. Data Security

We implement comprehensive administrative, technical, and physical safeguards designed to protect your information from unauthorized access, use, disclosure, alteration, or destruction. Our security program is designed to meet HIPAA security requirements and SOC 2 Type II standards.

4.1 HIPAA Security Safeguards

When we handle protected health information (PHI), we implement HIPAA-compliant safeguards:

Administrative Safeguards:

  • Designated security officer and privacy officer
  • Workforce training on HIPAA and security policies
  • Access management procedures and role-based access controls
  • Incident response and breach notification procedures
  • Regular security risk assessments
  • Business Associate Agreements with all service providers handling PHI

Physical Safeguards:

  • Secure data centers with physical access controls
  • Workstation security and device encryption
  • Media controls and secure disposal procedures
  • Facility access controls and monitoring

Technical Safeguards:

  • Encryption of PHI in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
  • Access controls with unique user identification and authentication
  • Audit controls to record and examine access to PHI
  • Integrity controls to prevent unauthorized alteration or destruction of PHI
  • Transmission security measures

4.2 SOC 2 Compliance

Peerakeet maintains security controls designed to meet SOC 2 Type II standards, which include:

Security: Protection against unauthorized access

  • Multi-factor authentication for administrative access
  • Strong password policies and credential management
  • Network security controls and firewalls
  • Regular security monitoring and threat detection

Availability: System availability and performance

  • Redundant systems and infrastructure
  • Regular backups and disaster recovery procedures
  • Uptime monitoring and incident response
  • Capacity planning and performance monitoring

Processing Integrity: System processing is complete, valid, accurate, timely, and authorized

  • Data validation and error handling
  • Quality assurance and testing procedures
  • Change management and version control

Confidentiality: Confidential information is protected

  • Encryption of sensitive data
  • Access controls and data classification
  • Confidentiality agreements with personnel
  • Secure data transmission and storage

Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with commitments

  • Privacy notice and consent management
  • Data retention and disposal policies
  • Access rights and data subject request procedures
  • Privacy impact assessments

4.3 Technical Security Measures

We implement the following technical security measures:

  • Encryption: All data is encrypted in transit using TLS 1.2 or higher, and sensitive data is encrypted at rest using AES-256 or equivalent encryption
  • Access Controls: Multi-factor authentication, role-based access controls, and principle of least privilege
  • Monitoring: 24/7 security monitoring, intrusion detection, and automated threat response
  • Vulnerability Management: Regular security assessments, penetration testing, and vulnerability scanning
  • Incident Response: Documented incident response procedures and breach notification processes
  • Backup and Recovery: Regular encrypted backups and tested disaster recovery procedures
  • Secure Infrastructure: Google Cloud Platform with SOC 2, ISO 27001, and HIPAA-compliant data centers

4.4 Organizational Security Measures

  • Employee Training: Regular training on data privacy, security, HIPAA compliance, and SOC 2 requirements
  • Background Checks: Security screening for personnel with access to sensitive information
  • Policies and Procedures: Comprehensive security policies, procedures, and documentation
  • Third-Party Assessments: Regular security audits and assessments by independent third parties
  • Compliance Monitoring: Ongoing monitoring and auditing of security controls

4.5 Transparency and Your Role

We are committed to transparency about our security practices. If you have questions about how we protect your information, please contact us at support@peerakeet.com.

Your Responsibilities: While we implement comprehensive security measures, you also play an important role in protecting your information:

  • Use a strong, unique password for your account
  • Enable multi-factor authentication if available
  • Do not share your account credentials with anyone
  • Log out from your account at the end of each session
  • Report any suspected security incidents immediately

Security Incidents: In the event of a security incident that may affect your information, we will notify you and relevant authorities as required by law, including HIPAA breach notification requirements where applicable.

However, no method of transmission over the internet or electronic storage is 100% secure. While we implement industry-standard security measures and comply with applicable regulations, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

5. Data Retention

We retain your information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Specifically:

  • Active Accounts: We retain information for active accounts and for a reasonable period after account inactivity.
  • Deleted Accounts: When you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain information for legal, regulatory, or safety purposes.
  • Legal Requirements: We may retain certain information as required by law, regulation, or for legitimate business purposes (such as fraud prevention or dispute resolution).
  • Backup Systems: Information may persist in backup systems for a limited period after deletion, but will not be actively accessed or used.

6. Your Rights and Choices

You have certain rights regarding your personal information, subject to applicable law:

6.1 Access: You may request access to the personal information we hold about you by contacting support@peerakeet.com.

6.2 Correction: You may update or correct your account information and profile content directly through the Service or by contacting us.

6.3 Deletion: You may request deletion of your account and personal information by emailing support@peerakeet.com. We will process deletion requests within 30 days, subject to legal retention requirements.

6.4 Data Portability: You may request a copy of your data in a portable format by contacting support@peerakeet.com.

6.5 Opt-Out: You may opt out of promotional communications by following the unsubscribe instructions in emails or adjusting your notification preferences in the Service.

6.6 HIPAA Rights: If applicable, you have rights under HIPAA regarding your protected health information (PHI), including:

  • Right to Access: You may request access to your PHI, including copies of your health information
  • Right to Amend: You may request amendments to your PHI if you believe it is inaccurate or incomplete
  • Right to Accounting of Disclosures: You may request an accounting of certain disclosures of your PHI
  • Right to Request Restrictions: You may request restrictions on how we use or disclose your PHI (though we are not required to agree to all restrictions)
  • Right to Request Confidential Communications: You may request that we communicate with you in a certain way or at a certain location
  • Right to File a Complaint: You may file a complaint with us or with the U.S. Department of Health and Human Services if you believe your privacy rights have been violated

To exercise any of these HIPAA rights, contact support@peerakeet.com or our Privacy Officer. We will respond to your request within the timeframes required by HIPAA (generally 30 days, with a possible 30-day extension if needed).

6.7 State Privacy Rights: Depending on your location, you may have additional rights under state privacy laws (such as the California Consumer Privacy Act). To exercise these rights, contact support@peerakeet.com.

We will respond to your requests within a reasonable timeframe and in accordance with applicable law. We may require verification of your identity before processing certain requests.

7. Children's Privacy

The Service is intended for users who are 18 years of age or older. We do not knowingly collect personal information from children under 18. If we become aware that we have collected information from a child under 18, we will take steps to delete such information promptly. If you believe we have collected information from a child under 18, please contact us at support@peerakeet.com.

8. International Data Transfers

The Service is operated from the United States. If you are located outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States. By using the Service, you consent to the transfer of your information to the United States and processing in accordance with this Policy.

9. Third-Party Services

The Service may contain links to third-party websites, services, or applications. This Policy does not apply to third-party services. We encourage you to review the privacy policies of any third-party services you access through the Service.

10. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by: (a) posting the updated Policy on the Service; (b) sending an email to the address associated with your account; or (c) providing notice through the Service. Material changes will be effective thirty (30) days after such notice is provided, unless a different effective date is specified.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Policy. If you do not agree to the modified Policy, you must stop using the Service and may delete your account.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

General Inquiries:

Email: support@peerakeet.com

Privacy Officer (HIPAA and Privacy Matters):

Email: privacy@peerakeet.com (or support@peerakeet.com with "Privacy Officer" in the subject line)

Mail: Peerakeet, Inc.

[Address]

[City, State ZIP Code]

Security Concerns:

If you have concerns about security or suspect a security incident, please contact us immediately at security@peerakeet.com (or support@peerakeet.com with "Security" in the subject line).

For HIPAA-related inquiries or to exercise HIPAA rights: Please contact our Privacy Officer at the above address or email. We will respond to HIPAA requests within the timeframes required by law.

Compliance Information:

  • HIPAA Compliance: We maintain HIPAA-compliant safeguards and Business Associate Agreements as described in this Policy
  • SOC 2: We maintain security controls designed to meet SOC 2 Type II standards
  • Data Protection: We comply with applicable federal and state privacy laws

We are committed to transparency and will respond to your inquiries promptly and thoroughly.

12. Acknowledgment

BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS PRIVACY POLICY, UNDERSTAND IT, AND AGREE TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR INFORMATION AS DESCRIBED HEREIN.