Privacy Policy

Effective Date: December 28, 2025

Pendulum ("Pendulum," "we," "us," or "our") is committed to protecting privacy and handling data responsibly.

This Privacy Policy describes how we collect, use, and protect information in connection with the Pendulum service (the "Service").


1. Scope

This Policy applies to:

  • visitors to our website
  • users of the Service
  • clients accessing the Service through a practice

If you are a client (patient), your practice controls your record and disclosures. This Policy does not replace your practice's privacy notice or legal obligations.

This Policy does not replace or modify HIPAA obligations. Where HIPAA applies, it governs.


2. Information We Collect

2.1 Account Information

  • name
  • email address
  • role within a practice
  • authentication credentials (handled by identity providers)

2.2 Practice Data and PHI

When acting as a Business Associate, Pendulum may process Protected Health Information ("PHI") on behalf of practices.

Practice Data can include:

  • clinical records and progress notes
  • treatment plans and intake summaries
  • measures (e.g., PHQ-9, GAD-7)
  • attachments and form responses
  • psychotherapy notes (segregated)

2.3 AI Drafts (If Enabled)

If AI features are enabled, we store AI draft text as part of the clinical record workflow. Drafts are labeled and require clinician review before saving.

2.4 Audio and Transcription Data (If Enabled)

If audio or transcription features are enabled with consent, we may process recordings and transcripts. Draft-only mode deletes audio by default after draft creation, and transcripts are not retained by default.

2.5 Audit and Access Metadata

We maintain audit logs for PHI access and actions. Audit logs contain metadata only (IDs, timestamps, action types) and do not include PHI content.

2.6 Usage and Technical Data

  • IP address
  • device and browser information
  • timestamps and access metadata

We do not collect analytics that inspect or store PHI.


3. How We Use Information

We use information to:

  • provide and operate the Service
  • authenticate users
  • enforce access controls and minimum-necessary access
  • maintain security and audit trails
  • comply with legal obligations
  • improve reliability and performance (without inspecting PHI)


4. De-identified and Aggregated Data

We may create de-identified or aggregated data in accordance with applicable law and use it to operate, secure, improve, and analyze the Service. We do not attempt to re-identify de-identified data, and we may share de-identified or aggregated data for analytics, benchmarking, or research purposes.


5. How We Share Information

We do not sell personal data or use PHI for advertising.

We may share information:

  • with service providers who support the Service (e.g., hosting, database, authentication, storage, billing)
  • with approved vendors under BAAs when they may handle PHI (for example, hosting and database providers)
  • when required by law
  • to protect the rights and safety of users and the Service

Current service providers include:

  • Vercel (hosting and Blob storage)
  • Neon (database hosting)
  • Clerk (authentication and user management)
  • Resend (email delivery for non-PHI communications)
  • Payment processors (billing and subscription metadata only)

Email is used for account and administrative communications only and does not include PHI.

Service providers are contractually required to protect data.

If a service provider may handle PHI, we require a BAA and do not send PHI without approved terms. We will update this Policy if the list of service providers changes materially.

Third-party services and links are governed by their own terms and privacy practices.


6. HIPAA and PHI

When handling PHI, Pendulum:

  • acts as a Business Associate
  • implements safeguards required by HIPAA
  • uses PHI only as permitted by agreement and law

Clients should direct questions about their PHI to their practice.


7. AI Processing

If AI features are enabled:

  • AI is used only to assist users with drafts
  • outputs are drafts and require human review
  • AI does not provide diagnosis, treatment advice, or risk scoring
  • PHI is not used to train models
  • retention is limited and controlled

AI is opt-in at the practice level and clinician level. If an AI provider is not BAA-approved with no-retention and no-training terms, PHI is not sent and the feature remains disabled for PHI.


8. Audio and Transcription Data

If audio or transcription features are enabled:

  • use requires explicit consent
  • recordings are controlled by practice policy and user action
  • recording is manual and visibly indicated
  • retention is limited and configurable

Pendulum does not enable background or automatic recording. Retained transcripts require additional consent, are excluded from exports by default, and are restricted to the author clinician.


9. Exports and Disclosures

Pendulum does not email PHI. Disclosures occur through explicit, authenticated export flows with scope selection, preview, confirmation, and audit logging. Psychotherapy notes are excluded by default.


10. Security and Logging

We use industry-standard security measures, including:

  • encryption in transit and at rest
  • access controls
  • audit logging
  • least-privilege principles

We avoid logging PHI in analytics, errors, or request/response bodies and use structured logs with redaction by default.

Despite safeguards, no system can guarantee absolute security.


11. Data Retention

Data is retained according to:

  • practice instructions
  • contractual obligations
  • legal requirements

Practices control retention of clinical data. Audio is deleted by default in draft-only mode unless retained mode is explicitly enabled with consent.


12. Your Rights

Depending on your role and jurisdiction, you may have rights to:

  • access information
  • correct information
  • request deletion (subject to legal obligations)

Clients should contact their practice directly.


13. Children's Privacy

The Service is not directed to children under 13.

Practices are responsible for obtaining appropriate consents when working with minors.


14. International Use

The Service is hosted in the United States.

By using the Service, you consent to processing in the U.S.


15. Changes

We may update this Policy periodically. Updates will be posted with a revised effective date.


16. Contact

For privacy questions or concerns, contact: privacy@pendulum.clinic