Privacy Policy — Peerakeet, Inc.
Version 1.4
Effective Date: April 1, 2026
Last Updated: April 1, 2026
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Privacy Policy and Notice of Privacy Practices ("Policy") describes how Peerakeet, Inc. ("Peerakeet," "we," "us," or "our") collects, uses, discloses, and protects your personal information when you use the Peerakeet mobile application, web portal, website, and related services (collectively, the "Service"). This Policy also serves as our Notice of Privacy Practices under the Health Insurance Portability and Accountability Act (HIPAA) and is designed to comply with applicable privacy laws, including HIPAA, the federal confidentiality regulations for substance use disorder records (42 CFR Part 2), the Family Educational Rights and Privacy Act (FERPA) where applicable, and state privacy laws.
Our Duty to Protect Your Information: Peerakeet is required by law to maintain the privacy and security of your protected health information (PHI), to provide you with this notice of our legal duties and privacy practices, and to follow the terms of the notice currently in effect. When Peerakeet facilitates peer support services — including telehealth sessions, session documentation, clinical assessments, and care coordination — it maintains protections consistent with HIPAA and 42 CFR Part 2 for all health information created or received through those services, regardless of Peerakeet's formal regulatory classification. We will notify you promptly if a breach occurs that may have compromised the privacy or security of your information.
By using the Service, you consent to the collection and use of your information as described in this Policy. If you do not agree with this Policy, please do not use the Service.
1. Information We Collect
1.1 Information You Provide Directly:
- Account Information: Email address, password (hashed and encrypted), display name, date of birth, and account preferences.
- Profile Information: Self-descriptions, life topics, interests, recovery stage information, coping tools, boundaries, strengths, and other profile content you choose to share.
- Health and Wellness Information: Journal entries, emotional check-ins, mood assessments, craving scales, wellbeing measurements, reflections, clinical assessments (such as BARC-10, PHQ-9, SBIRT, and Felt Safety assessments), peer baseline assessments, wellness plans (including recovery goals, crisis plans, and emergency contact information you provide), and other health-related content you create through the Service.
- Telehealth and Scheduling Data: Session bookings, availability preferences, session types, session durations, and related scheduling information for telehealth services. If you use telehealth features, we may also collect your legal name, phone number, mailing address, and state of residence through a telehealth intake form.
- Communication Data: Messages sent to other users (including in-app chat with peers), community posts, reports submitted, feedback provided, and communications with our support team.
- Peer Support Documentation: If you receive services from a certified peer support specialist, your peer may create session notes, progress observations, risk assessments, and goal-tracking records related to your care. This documentation is part of your service record and may be shared with your peer's supervising organization.
- Organization and Enrollment Data: If you enroll with a partner organization, we collect enrollment information including your name, date of birth, phone number, state, and support preferences. Your organization may assign you to specific peer support specialists and maintain records of your participation.
- Consent Records: Records of your acceptance of Terms of Service, Privacy Policy, Community Guidelines, and other legal agreements, including timestamps and version numbers.
- Emergency Contact Information: If you choose to provide emergency contacts (such as through a wellness plan or crisis plan), we store their name, phone number, and relationship to you.
- Professional Credential Information (Peer Support Specialists): If you are a certified peer support specialist using the Service, we collect your professional credentials (certification type, issuing body, credential number, issue and expiration dates), continuing education records, supervision logs, signed attestations, and credential documentation you upload.
- Payment and Billing Information: If you subscribe to a paid plan, we collect billing-related identifiers through our payment processor (Stripe). We do not store your payment card details directly; Stripe handles all sensitive payment data under PCI-DSS compliance. We store only Stripe customer identifiers, subscription status, and plan details.
1.2 Information Collected Automatically:
- Usage Data: Information about how you interact with the Service, including features used, time spent, pages viewed, navigation patterns, and in-app activity events (such as check-in completions, session participation, and feature usage).
- Device Information: Device type, operating system, unique device identifiers, push notification tokens, mobile network information, app version, and device settings.
- Log Data: Server logs, IP addresses, access times, error reports, and performance data.
- Location Data: General location information (city, state, country) derived from IP address, if applicable. If you use the trip logging feature for mileage reimbursement, we collect precise GPS location data (including latitude, longitude, speed, and accuracy) to calculate trip distances. This data is collected only while you are actively logging a trip and is stored in association with your account.
1.3 Information from Third Parties:
- Authentication Providers: If you sign in using Google or Apple, we may receive basic profile information (name, email) from those providers.
- Telehealth Partners: Information shared by certified peer support specialists or telehealth platforms in connection with telehealth services.
2. How We Use Your Information
Minimum Necessary Standard: Peerakeet applies the HIPAA minimum necessary standard to all uses and disclosures of protected health information. We request, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose.
We use the information we collect for the following purposes:
2.1 Service Provision: To provide, operate, maintain, and improve the Service, including peer matching, messaging, journaling, check-ins, and telehealth coordination.
2.2 Safety and Moderation: To detect, prevent, and address safety concerns, harmful content, violations of our Terms or Community Guidelines, and potential risks to users. This includes using AI-assisted moderation tools to analyze message and feed content for safety risks when you have granted consent for AI processing of user-generated content.
2.3 Communication: To send you service-related notifications, updates, security alerts, and administrative messages. We may also send you optional promotional communications if you have opted in.
2.4 Personalization: To personalize your experience, including matching you with appropriate peers, recommending content, and customizing features.
2.5 Analytics and Improvement: To analyze usage patterns, conduct research, improve our algorithms, and develop new features. Analytics data is de-identified in accordance with HIPAA Safe Harbor standards — it does not contain your name, treatment program, or any identifiers that could link you to substance use disorder services. De-identified analytics data is used for aggregate reporting (such as overall feature adoption, session counts, and engagement trends) and is not subject to HIPAA or 42 CFR Part 2 restrictions.
2.6 Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests; to enforce our Terms and policies; to protect the rights, property, or safety of Peerakeet, our users, or others; and to respond to legal claims.
2.7 Business Operations: To manage our business operations, including customer support, fraud prevention, security monitoring, and audit purposes.
3. How We Share Your Information
We do not sell your personal information. We may share your information only in the following circumstances:
3.1 With Your Consent: We may share your information when you have given us explicit consent to do so, such as when you choose to connect with a peer or participate in telehealth services.
3.2 Service Providers and Business Associates: We may share information with third-party service providers and business associates who perform services on our behalf, such as cloud hosting, data analytics, AI processing, email delivery, and customer support. All service providers are contractually obligated to:
- Protect your information in accordance with applicable privacy laws, including HIPAA where applicable
- Implement appropriate security safeguards (including SOC 2-compliant controls where applicable)
- Use your information only for the specific services provided to Peerakeet
- Not use your information for their own purposes or to train AI models
- Maintain Business Associate Agreements (BAAs) when handling protected health information
- Comply with data breach notification requirements
- Undergo regular security assessments and audits
Our key service providers include:
- Google Cloud Platform (Firebase): Cloud hosting, database, authentication, file storage, and serverless functions. Covered by a BAA for HIPAA compliance.
- Google Vertex AI: AI-powered content moderation and safety monitoring. Covered by a BAA as part of Google Cloud.
- Zoom: Video conferencing for telehealth sessions. Peer support specialists connect their Zoom accounts; meeting credentials are encrypted and stored securely.
- Stripe: Payment processing for subscriptions and billing. Stripe handles payment card data directly under PCI-DSS compliance; we store only Stripe customer and subscription identifiers, not payment card details.
- Resend: Transactional email delivery for account notifications and invitations. No protected health information is transmitted via email.
- Expo: Mobile app distribution and push notification delivery. Push notification content does not contain protected health information.
We carefully vet all service providers and maintain ongoing oversight of their security practices. We maintain Business Associate Agreements (BAAs) with all service providers that handle protected health information, ensuring HIPAA compliance throughout our service chain.
3.3 AI and Moderation Services: We use AI services (including Google Vertex AI) for content moderation and safety monitoring. These services:
- Operate under Business Associate Agreements (BAAs) to ensure HIPAA compliance
- Process message content in real-time to detect safety risks and harmful content
- Do NOT use your data to train their AI models
- Do NOT retain your data beyond what is necessary for processing
- Implement SOC 2-compliant security controls
- Process data only for the specific moderation and safety services provided to Peerakeet
- Are contractually prohibited from using your data for any other purpose
Transparency: We use AI to help keep the community safe. In some cases, automated safety measures may temporarily restrict content pending review to protect users from immediate harm. AI-flagged content is reviewed by human moderators, and AI systems assist but do not replace human judgment.
You can grant or deny AI processing consent in-app and update your decision at any time in `Settings > Privacy Preferences`.
3.4 Partner Organizations: If you enroll with or are referred by a partner organization (such as a recovery center, treatment program, or college recovery program), certain information may be shared with that organization and its authorized staff, including:
- Your enrollment status and participation records
- Session attendance and scheduling information
- Session notes and clinical documentation created by your assigned peer support specialist
- Assessment results and wellness plan progress
- Risk flags or safety concerns identified during your care
This sharing is necessary to coordinate your care and is conducted in accordance with HIPAA and applicable state laws. Your peer support specialist's supervising organization may have access to documentation created during your sessions for quality assurance and supervision purposes.
3.5 Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Peerakeet, our users, or others. For records protected by 42 CFR Part 2, disclosure in response to legal process requires a court order meeting the specific requirements of 42 CFR 2.61 and is not compellable by subpoena, search warrant, or other legal mandate alone, except as specifically provided under 42 CFR Part 2.
3.6 Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction, subject to the same privacy protections.
3.7 Aggregated and De-Identified Data: We may share aggregated, de-identified, or anonymized data that cannot reasonably be used to identify you for research, analytics, reporting to partner organizations, or other legitimate business purposes.
3.8 Emergency Situations: We may share information if we believe it is necessary to prevent imminent harm to you or others, including contacting emergency services or crisis intervention resources.
4. Data Security
We implement comprehensive administrative, technical, and physical safeguards designed to protect your information from unauthorized access, use, disclosure, alteration, or destruction. Our security program is designed to meet HIPAA security requirements and SOC 2 Type II standards.
4.1 HIPAA Security Safeguards
When we handle protected health information (PHI), we implement HIPAA-compliant safeguards:
Administrative Safeguards:
- Designated security officer and privacy officer
- Workforce training on HIPAA and security policies
- Access management procedures and role-based access controls
- Incident response and breach notification procedures
- Regular security risk assessments
- Business Associate Agreements with all service providers handling PHI
Physical Safeguards:
- Secure data centers with physical access controls
- Workstation security and device encryption
- Media controls and secure disposal procedures
- Facility access controls and monitoring
Technical Safeguards:
- Encryption of PHI in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
- Access controls with unique user identification and authentication
- Audit controls to record and examine access to PHI
- Integrity controls to prevent unauthorized alteration or destruction of PHI
- Transmission security measures
4.2 SOC 2 Compliance
Peerakeet is working toward SOC 2 Type II certification. Our security controls are designed with SOC 2 principles in mind, though we have not yet been independently audited. These controls include:
Security: Protection against unauthorized access
- Multi-factor authentication for administrative access
- Strong password policies and credential management
- Network security controls and firewalls
- Regular security monitoring and threat detection
Availability: System availability and performance
- Redundant systems and infrastructure
- Regular backups and disaster recovery procedures
- Uptime monitoring and incident response
- Capacity planning and performance monitoring
Processing Integrity: System processing is complete, valid, accurate, timely, and authorized
- Data validation and error handling
- Quality assurance and testing procedures
- Change management and version control
Confidentiality: Confidential information is protected
- Encryption of sensitive data
- Access controls and data classification
- Confidentiality agreements with personnel
- Secure data transmission and storage
Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with commitments
- Privacy notice and consent management
- Data retention and disposal policies
- Access rights and data subject request procedures
- Privacy impact assessments
4.3 Technical Security Measures
We implement the following technical security measures:
- Encryption: All data is encrypted in transit using TLS 1.2 or higher, and sensitive data is encrypted at rest using AES-256 or equivalent encryption
- Access Controls: Multi-factor authentication, role-based access controls, and principle of least privilege
- Monitoring: Continuous automated security monitoring, intrusion detection, and alert-based incident response
- Vulnerability Management: Regular security assessments and vulnerability scanning, with penetration testing conducted as appropriate
- Incident Response: Documented incident response procedures and breach notification processes
- Backup and Recovery: Regular encrypted backups and tested disaster recovery procedures
- Secure Infrastructure: Google Cloud Platform with SOC 2, ISO 27001, and HIPAA-compliant data centers
4.4 Organizational Security Measures
- Employee Training: Regular training on data privacy, security, HIPAA compliance, and SOC 2 requirements
- Background Checks: Security screening for personnel with access to sensitive information, as appropriate and required
- Policies and Procedures: Comprehensive security policies, procedures, and documentation
- Third-Party Assessments: Regular security audits and assessments by independent third parties
- Compliance Monitoring: Ongoing monitoring and auditing of security controls
4.5 Transparency and Your Role
We are committed to transparency about our security practices. If you have questions about how we protect your information, please contact us at support@peerakeet.com.
Your Responsibilities: While we implement comprehensive security measures, you also play an important role in protecting your information:
- Use a strong, unique password for your account
- Enable multi-factor authentication if available
- Do not share your account credentials with anyone
- Log out from your account at the end of each session
- Report any suspected security incidents immediately
Security Incidents: In the event of a security incident that may affect your information, we will notify you and relevant authorities as required by law, including HIPAA breach notification requirements where applicable.
However, no method of transmission over the internet or electronic storage is 100% secure. While we implement industry-standard security measures and comply with applicable regulations, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.
5. Data Retention
We retain your information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Specifically:
- Active Accounts: We retain information for active accounts and for a reasonable period after account inactivity.
- Deleted Accounts: When you delete your account in-app (`Settings > Delete Account`) or by contacting support, we will delete or anonymize your personal information within 30 days, except where we are required to retain information for legal, regulatory, or safety purposes.
- Legal Requirements: We may retain certain information as required by law, regulation, or for legitimate business purposes (such as fraud prevention or dispute resolution).
- Backup Systems: Information may persist in backup systems for a limited period after deletion, but will not be actively accessed or used.
6. Your Rights and Choices
You have certain rights regarding your personal information, subject to applicable law:
6.1 Access: You may request access to the personal information we hold about you by contacting support@peerakeet.com.
6.2 Correction: You may update or correct your account information and profile content directly through the Service or by contacting us.
6.3 Deletion: You may delete your account directly in-app (`Settings > Delete Account`) or request deletion by emailing support@peerakeet.com. We will process deletion requests within 30 days, subject to legal retention requirements.
6.4 Data Portability: You may request a copy of your data in a portable format by contacting support@peerakeet.com.
6.5 Opt-Out: You may opt out of promotional communications by following the unsubscribe instructions in emails or adjusting your notification preferences in the Service.
6.6 Consent Management (Analytics and AI): You can grant, deny, or revoke analytics consent and AI processing consent at any time in `Settings > Privacy Preferences`. If AI processing consent is denied, features that require moderation of user-generated content (such as public posting and chat messaging) may be unavailable until consent is restored.
6.7 HIPAA Rights: If applicable, you have rights under HIPAA regarding your protected health information (PHI), including:
- Right to Access: You may request access to your PHI, including copies of your health information
- Right to Amend: You may request amendments to your PHI if you believe it is inaccurate or incomplete
- Right to Accounting of Disclosures: You may request an accounting of certain disclosures of your PHI
- Right to Request Restrictions: You may request restrictions on how we use or disclose your PHI (though we are not required to agree to all restrictions)
- Right to Request Confidential Communications: You may request that we communicate with you in a certain way or at a certain location
- Right to File a Complaint: You may file a complaint with us or with the U.S. Department of Health and Human Services if you believe your privacy rights have been violated
To exercise any of these HIPAA rights, contact support@peerakeet.com or our Privacy Officer. We will respond to your request within the timeframes required by HIPAA (generally 30 days, with a possible 30-day extension if needed).
6.8 Federal Substance Use Disorder Confidentiality (42 CFR Part 2):
If you receive peer support services through Peerakeet that relate to substance use disorder treatment, your records are protected by federal law and regulations governing the Confidentiality of Substance Use Disorder Patient Records, 42 CFR Part 2. This means:
- Your records are confidential. Information about your participation in substance use disorder-related services, and any information that could identify you as a participant, cannot be disclosed without your written consent except as permitted by federal law.
- Your consent covers treatment, payment, and health care operations (TPO). By accepting this Privacy Policy, you — as identified by your account name and registration information — consent to the disclosure of your substance use disorder treatment records by Peerakeet. This includes session notes, assessments (such as BARC-10, PHQ-9, SBIRT, and Felt Safety assessments), attendance records, wellness plan data, and related peer support documentation. These records may be disclosed to: (a) the service providers listed in Section 3.2 of this Policy, for the purposes described therein; and (b) partner organizations described in Section 3.4, if applicable to your enrollment. The purposes of these disclosures include providing treatment (peer support services and telehealth coordination), processing payment (insurance billing and subscription management), and health care operations (quality improvement, supervision of peer support specialists, internal analytics for service improvement, and compliance monitoring). This consent is provided via electronic signature in accordance with the E-SIGN Act (15 U.S.C. 7001 et seq.) and UETA, satisfies the requirements of 42 CFR 2.31, and remains in effect for as long as you maintain an active account, unless you revoke it in writing.
- Your records cannot be used against you. Information from your substance use disorder records cannot be used in any civil, criminal, administrative, or legislative proceedings against you without your written consent or a court order meeting the specific requirements of 42 CFR 2.61.
- Re-disclosure is restricted. Any information disclosed under this consent is subject to federal re-disclosure restrictions. Recipients of your information are prohibited from further disclosing it except as permitted by 42 CFR Part 2. All disclosures of your substance use disorder records are accompanied by the re-disclosure prohibition notice required by 42 CFR 2.32.
- Analytics data is de-identified. Peerakeet collects engagement analytics (such as feature usage, session duration, and activity counts) to improve the Service. This analytics data is de-identified in accordance with HIPAA Safe Harbor standards (45 CFR 164.514(b)(2)) — it does not contain your name, organization, or any identifiers that could link you to substance use disorder treatment. De-identified data is not subject to 42 CFR Part 2 restrictions.
- You may revoke consent. You may revoke this consent at any time by contacting privacy@peerakeet.com in writing. Revocation will not affect any disclosures made prior to revocation. If you revoke consent for TPO uses, we may be unable to continue providing the Service and your account may be closed.
To exercise any rights under 42 CFR Part 2, contact our Privacy Officer at privacy@peerakeet.com.
6.9 State Privacy Rights: Depending on your location, you may have additional rights under state privacy laws (such as the California Consumer Privacy Act). To exercise these rights, contact support@peerakeet.com.
We will respond to your requests within a reasonable timeframe and in accordance with applicable law. We may require verification of your identity before processing certain requests.
7. Children's Privacy
The Service is intended for users who are 18 years of age or older. We do not knowingly collect personal information from children under 18. If we become aware that we have collected information from a child under 18, we will take steps to delete such information promptly. If you believe we have collected information from a child under 18, please contact us at support@peerakeet.com.
8. International Data Transfers
The Service is operated from the United States. If you are located outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States. By using the Service, you consent to the transfer of your information to the United States and processing in accordance with this Policy.
9. Third-Party Services
The Service may contain links to third-party websites, services, or applications. This Policy does not apply to third-party services. We encourage you to review the privacy policies of any third-party services you access through the Service.
10. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by: (a) posting the updated Policy on the Service; (b) sending an email to the address associated with your account; or (c) providing notice through the Service. Material changes will be effective thirty (30) days after such notice is provided, unless a different effective date is specified.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Policy. If you do not agree to the modified Policy, you must stop using the Service and may delete your account.
11. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
General Inquiries:
Email: support@peerakeet.com
Privacy Officer (HIPAA and Privacy Matters):
Email: privacy@peerakeet.com (or support@peerakeet.com with "Privacy Officer" in the subject line)
Mail: Peerakeet, Inc.
1 Point Street, Apt 701
Providence, RI 02903
Security Concerns:
If you have concerns about security or suspect a security incident, please contact us immediately at security@peerakeet.com (or support@peerakeet.com with "Security" in the subject line).
For HIPAA-related inquiries or to exercise HIPAA rights: Please contact our Privacy Officer at the above address or email. We will respond to HIPAA requests within the timeframes required by law.
Compliance Information:
- HIPAA Compliance: We maintain HIPAA-compliant safeguards and Business Associate Agreements as described in this Policy
- 42 CFR Part 2 Compliance: We comply with federal regulations governing the confidentiality of substance use disorder patient records
- SOC 2: We are pursuing SOC 2 Type II certification and maintain security controls designed to meet SOC 2 Type II standards
- Data Protection: We comply with applicable federal and state privacy laws
We are committed to transparency and will respond to your inquiries promptly and thoroughly.
12. Acknowledgment
BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS PRIVACY POLICY, UNDERSTAND IT, AND AGREE TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR INFORMATION AS DESCRIBED HEREIN.