Privacy Policy

Your privacy is fundamental to the therapeutic relationship. This policy explains how TrustRoom collects, uses, and protects your information.

Last updated: March 17, 2026

1. Introduction & Scope

TrustRoom Connect, Inc. (“TrustRoom,” “we,” “us,” or “our”) provides a HIPAA-compliant platform that facilitates secure communication, care plan management, and clinical analytics between licensed mental health providers (“Providers”) and their patients (“Patients”). This Privacy Policy & Notice of Privacy Practices explains how we collect, use, disclose, retain, and protect your information.

This policy applies to:

  • Patients who use TrustRoom’s patient application
  • Providers who use TrustRoom’s provider portal
  • Parents or legal guardians who provide consent for minor patients
  • Visitors to our website at trustroomconnect.com

Our HIPAA Role. TrustRoom operates as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”). We process Protected Health Information (“PHI”) on behalf of Providers (who are Covered Entities) pursuant to Business Associate Agreements (“BAAs”).

BAA Supremacy. If there is any conflict between this Privacy Policy and an applicable Business Associate Agreement, the terms of the BAA shall control with respect to Protected Health Information.

TrustRoom is NOT a healthcare provider. We do not provide medical advice, diagnoses, or treatment. The therapeutic relationship exists solely between the Provider and the Patient. TrustRoom is a technology platform that supports that relationship.

TrustRoom is NOT a crisis service. If you are experiencing a medical emergency, call 911. If you are in crisis, contact the 988 Suicide & Crisis Lifeline by calling or texting 988.

2. Information We Collect

2.1 Information Provided by Patients

  • Account Information: Name, email address, date of birth. Account creation, identity verification.
  • Messages & Communications: Text messages, voice recordings sent to your therapist. Facilitating the therapeutic relationship.
  • Care Plan Responses: Answers to care plan exercises, schedule completions. Treatment tracking and progress monitoring.
  • Mood & Wellness Data: Mood logs, wellness scores, self-reported health data. Symptom tracking under therapist supervision.
  • Clinical Assessment Responses: Responses to validated measures (e.g., PHQ-9, GAD-7, ORS/SRS). Measurement-based care and outcome tracking.
  • Audio & Video Recordings: Voice messages; session recordings (when integrated with your therapist’s video platform). Clinical documentation and transcription.

2.2 Information Provided by Providers

  • Professional Information: Name, email, NPI number, license type, credentials, practice name. Account creation, identity verification, regulatory compliance.
  • Clinical Notes: Session notes, treatment observations. Clinical documentation.
  • Billing & Subscription Data: Payment method (processed by Stripe), subscription tier. Platform billing and payment processing.
  • OAuth Credentials: Authorized connections to Google, Zoom, and Microsoft video conferencing and calendar platforms. Integration with recording, transcription, and scheduling workflows.

Psychotherapy Notes Disclaimer: TrustRoom stores clinical records, treatment notes, and communications — not “psychotherapy notes” as defined under HIPAA (45 C.F.R. § 164.501). Psychotherapy notes are a therapist’s private annotations kept separate from the medical record and receive heightened HIPAA protections. Providers are responsible for maintaining any psychotherapy notes outside of TrustRoom and should not enter psychotherapy notes into the platform.

2.3 Information Related to Minors (Ages 13–17)

When a Provider adds a patient who is a minor (ages 13–17), we collect:

  • Parent/Guardian Contact: Parent/guardian email address. Sending consent requests.
  • Verification Data: Hashed date of birth (one-way hash; we do not store the raw value). Identity verification for consent signing.
  • Consent Records: Signed consent document, timestamp, IP address, document hash. Legal compliance and audit trail.

We do not knowingly collect information from children under 13 years of age. If a Provider requires services for a child under 13, the Provider is responsible for obtaining all necessary consents under the Children’s Online Privacy Protection Act (“COPPA”) and applicable state law.

2.4 Information Collected Automatically

  • Device Information: Device type, operating system, browser type. Platform compatibility and security.
  • Usage Data: Features accessed, session duration, timestamps. Service improvement and troubleshooting.
  • Push Notification Tokens: Device tokens for delivering notifications. Delivering PHI-free notification alerts.
  • IP Address: Public IP at time of consent or account action. Non-repudiation and fraud prevention.

We do NOT collect geolocation data, biometric templates, neural data, or data from wearable devices.

Biometric Authentication Note. Our mobile application supports Face ID and Touch ID for convenient login. Biometric verification is performed entirely on your device using Apple’s Secure Enclave or the Android Keystore. We never receive, transmit, or store biometric templates.

3. How We Use Your Information

3.1 Treatment & Healthcare Operations

We use your information to:

  • Facilitate secure, asynchronous communication between Patients and Providers
  • Deliver and manage personalized care plans
  • Support measurement-based care with validated clinical instruments
  • Generate session transcriptions from audio and video recordings
  • Process and deliver care plan reminders and notifications

3.2 AI-Powered Clinical Analytics

TrustRoom uses artificial intelligence to support Providers in delivering better care. Our AI features operate as follows:

What AI does:

  • Analyzes patient messages to identify recurring clinical themes (e.g., anxiety, sleep, relationships) and overall sentiment patterns
  • Generates transcriptions of audio and voice messages
  • Produces clinical summaries to help Providers visualize patient progress over time
  • Creates semantic search capabilities so Providers can efficiently locate relevant information within a patient’s history

What AI does NOT do:

  • AI does not generate diagnoses, prescriptions, or clinical recommendations
  • AI does not communicate directly with Patients
  • AI does not make treatment decisions — all clinical judgment rests with the Provider
  • AI does not access more information than is necessary for its specific function

Safeguards:

  • AI processing is performed within HIPAA-compliant cloud infrastructure protected by Business Associate Agreements
  • Our AI infrastructure provider does not retain patient data after processing — inputs and outputs are not used to train third-party models
  • All AI-generated insights are reviewed independently by the Provider before any clinical action is taken
  • AI outputs are subject to safety guardrails that prevent generation of harmful, off-label, or clinically inappropriate content
  • AI is designed to augment — not replace — the professional judgment of licensed clinicians

Your Right to Opt Out of AI Processing. Patients may opt out of AI analysis at any time by requesting their Provider disable AI processing for their account. Opting out will not affect your access to the platform or the quality of care you receive. When AI processing is disabled, your messages will not be analyzed for themes, sentiment, or clinical patterns, and no AI-generated summaries will be created.

3.3 De-Identified Data

We may use de-identified data — information from which all patient identifiers have been permanently removed following the HIPAA Safe Harbor standard (45 C.F.R. § 164.514(b)(2)) — for the following purposes:

  • Improving the accuracy and quality of our AI analysis capabilities
  • Conducting aggregate research and developing industry benchmarks
  • Product development and platform improvement

De-identified data cannot reasonably be used to identify any individual. We implement technical and administrative safeguards to prevent re-identification and do not attempt to re-identify de-identified data. De-identified data is no longer Protected Health Information under HIPAA.

We may retain de-identified audio data solely for the purpose of improving AI transcription accuracy. Access to de-identified audio is restricted to authorized personnel within our clinical review team. De-identified audio is never sold, licensed, or shared externally.

3.4 Communication Preferences

We may send you transactional communications related to your account, including:

  • Care plan reminders and notification alerts (PHI-free)
  • Service updates and security notices
  • Policy change notifications

You may manage your notification preferences — including opting out of non-essential email communications — at any time through your account settings or by contacting us. Certain communications required by law (e.g., breach notifications, policy updates) cannot be opted out of.

3.5 Administrative & Operational

  • Processing payments and managing billing through our payment processor
  • Responding to support requests
  • Complying with legal obligations and regulatory requirements
  • Maintaining audit trails as required by HIPAA

4. How We Share Your Information

4.1 With Your Therapist

Patient information — including messages, care plan responses, mood data, audio recordings, and AI-generated clinical insights — is shared with the Provider who manages your care. This sharing is necessary for treatment purposes under HIPAA.

4.2 With Service Providers

We engage carefully selected service providers to operate the TrustRoom platform. Each provider that may access PHI is bound by a Business Associate Agreement.

  • Cloud Infrastructure: Computing, data storage, serverless functions, backups. BAA in place.
  • AI Processing: Clinical theme analysis, audio transcription, text embeddings, summarization. Covered under cloud infrastructure BAA.
  • Authentication: User authentication, role-based access controls. Covered under cloud infrastructure BAA.
  • Email Delivery: Transactional emails (consent requests, password resets, notifications). BAA in place.
  • Payment Processing: Subscription billing, payment method handling. BAA available; cardholder data not stored by TrustRoom.
  • Video Platform Integration: Session recording download, scheduling sync (Provider-authorized). BAA required from Provider’s video platform.
  • Calendar Integration: Appointment scheduling and sync (Provider-authorized). Governed by Provider’s existing agreements.

4.3 Third-Party Platform Integrations

TrustRoom allows Providers to connect their accounts with third-party video conferencing and calendar platforms. These integrations are Provider-initiated and Provider-controlled. Each integration uses OAuth 2.0, an industry-standard authorization protocol, and requests only the minimum permissions necessary. Providers may disconnect any integration at any time through Settings > Integrations in the Provider Portal.

Google Workspace (Calendar & Meet)

When a Provider connects their Google account, TrustRoom requests access to the following Google data:

  • Email address (scope: userinfo.email) — to identify which Google account is connected
  • Calendar events, read-only (scope: calendar.readonly) — to display upcoming patient sessions on the Provider dashboard
  • Calendar event details, read-only (scope: calendar.events.readonly) — to read event times, titles, and attendees to populate session cards
  • Google Meet conference information, read-only (scope: meetings.space.readonly) — to access meeting transcript entries for session summarization

How we use Google data: Calendar events are read to display a Provider’s upcoming sessions and to surface a patient card 30 minutes before each scheduled appointment. Google Meet transcript entries are processed through our AI pipeline to generate clinical session summaries for Provider review. Google data is stored in encrypted Firestore collections, access-controlled per Provider, and is never shared with other Providers or third parties.

How to revoke access: Providers may disconnect their Google account at any time via Settings > Integrations > Google > Disconnect in the Provider Portal. Providers may also revoke access directly from their Google Account Permissions page.

Google API Services User Data Policy. TrustRoom’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We limit our use of Google user data to the purposes described in this privacy policy
  • We do not transfer Google user data to third parties except as necessary to provide or improve our services, to comply with applicable laws, or as part of a merger or acquisition with adequate data protection
  • We do not use Google user data for serving advertisements
  • We do not allow humans to read Google user data unless we have the user’s affirmative consent, it is necessary for security purposes, to comply with applicable law, or the data is aggregated and de-identified for internal operations

Zoom

When a Provider connects their Zoom account, TrustRoom requests the following permissions:

  • User profile, read-only (scope: user:read) — to identify which Zoom account is connected
  • Meeting details, read-only (scope: meeting:read) — to access meeting metadata for scheduling context
  • Cloud recordings, read-only (scope: recording:read) — to download session recordings for transcription and clinical documentation

How we use Zoom data: Meeting recordings are downloaded, transcribed via our AI pipeline, and stored as clinical documentation accessible only to the connected Provider. We do not retain raw recording files after transcription is complete; only the resulting transcript and clinical summary are stored. Zoom data is stored in encrypted Firestore collections, access-controlled per Provider.

How to revoke access: Providers may disconnect their Zoom account via Settings > Integrations > Zoom > Disconnect in the Provider Portal. Providers may also revoke access from the Zoom App Marketplace installed apps page.

Microsoft 365 (Outlook Calendar & Teams)

When a Provider connects their Microsoft account, TrustRoom requests the following permissions:

  • Offline access (scope: offline_access) — to maintain the connection without requiring re-authentication
  • Online meetings, read-only (scope: OnlineMeetings.Read) — to access meeting metadata for scheduling context
  • Meeting recordings, read-only (scope: OnlineMeetingRecording.Read.All) — to access Teams session recordings for transcription
  • Calendar events, read-only (scope: Calendars.Read) — to display upcoming patient sessions on the Provider dashboard

How we use Microsoft data: Outlook Calendar events are read to display upcoming sessions and surface patient cards before scheduled appointments. Teams meeting recordings are accessed for transcription and clinical summarization, accessible only to the connected Provider. Microsoft data is stored in encrypted Firestore collections, access-controlled per Provider.

How to revoke access: Providers may disconnect their Microsoft account via Settings > Integrations > Microsoft > Disconnect in the Provider Portal. Providers may also revoke access from their Microsoft Account App Permissions page.

General Integration Principles

All third-party integrations share the following principles:

  • Provider-controlled: Only the Provider initiates and authorizes each integration. Patients are not asked to connect third-party accounts.
  • Read-only access: We request only read-only permissions. We never modify, delete, or write data to any connected platform.
  • Minimum necessary: We request only the specific permissions required for calendar sync, session card display, and recording transcription.
  • Encrypted storage: All tokens and data received from third-party platforms are encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Revocable at any time: Providers may disconnect any integration immediately through the Provider Portal, which deletes stored tokens and ceases all data access.
  • No advertising or cross-platform tracking: Data from connected platforms is never used for advertising, marketing, or cross-platform user tracking.

4.4 Legal Disclosures

We may disclose your information when required by law, including:

  • Pursuant to a valid court order, subpoena, or legal process
  • To comply with government regulatory requirements
  • To prevent serious harm or protect public safety
  • As required by HIPAA, state health privacy laws, or other applicable regulations
  • To report suspected child abuse or neglect, as required by law

4.5 What We NEVER Do

  • We do not sell your personal information or PHI. We have not sold personal information in the preceding 12 months, and we will not sell it in the future.
  • We do not share your information with advertising networks or ad technology companies.
  • We do not use cookies, analytics, or tracking technologies to monitor patient activity within our clinical applications for marketing or advertising purposes.
  • We do not use PHI for marketing without your express written authorization.
  • We do not disclose your information to your employer, insurance company, or any other party without your consent or as required by law.

5. HIPAA Notice of Privacy Practices

As a Business Associate, we support your Provider’s obligations under HIPAA. Under HIPAA, you have the following rights with respect to your Protected Health Information:

  • Right to Access: You may inspect and obtain a copy of your PHI maintained by TrustRoom, including in electronic format. Contact your Provider or email privacy@trustroomconnect.com.
  • Right to Amendment: You may request that we correct PHI you believe is inaccurate or incomplete. Submit a written request to your Provider or to us.
  • Right to Accounting of Disclosures: You may request a list of certain disclosures we have made of your PHI. Contact privacy@trustroomconnect.com.
  • Right to Request Restrictions: You may request that we restrict certain uses or disclosures of your PHI. Submit a written request; we may not be able to agree to all restrictions.
  • Right to Confidential Communications: You may request that we communicate with you in a specific manner or at a specific location. Contact your Provider or email us.
  • Right to Be Notified of a Breach: You have the right to be notified if your unsecured PHI is breached. We will notify you and applicable regulators per our Incident Response Plan.
  • Right to Data Portability: You may request an export of your clinical records in portable format (PDF). Contact your Provider, who can generate exports via the platform.

To exercise any of these rights, please contact us using the information in Section 15 below. We will respond within 30 days of receiving your request, with a single 30-day extension available if reasonably necessary (with written notice of the delay).

6. Substance Use Disorder Records (42 CFR Part 2)

If your Provider’s practice is a Part 2 program, or if substance use disorder (“SUD”) treatment records are shared with TrustRoom in the course of providing services, those records receive additional protections under 42 CFR Part 2, as amended effective February 16, 2026.

Additional protections for SUD records include:

  • SUD treatment records require your explicit written consent for use and disclosure, except in limited circumstances (medical emergencies, scientific research without identifying information, qualified audits or evaluations, or as authorized by a court order under Subpart E).
  • SUD treatment records and testimony relaying their contents shall not be used in any civil, criminal, administrative, or legislative proceedings against you without your written consent or a qualifying court order.
  • If SUD records are disclosed to TrustRoom as a Business Associate pursuant to your consent for treatment, payment, and healthcare operations, TrustRoom may further use such records consistent with HIPAA and this Notice.
  • You may revoke your consent for SUD record disclosure at any time. Revocation will not affect disclosures already made in reliance on your prior consent.

For Providers: If your practice treats patients with substance use disorders, you may be required to update your own Notice of Privacy Practices to address 42 CFR Part 2 requirements. Contact us at compliance@trustroomconnect.com for guidance and sample language.

7. Data Retention & Disposal

We retain your information only as long as necessary to fulfill the purposes described in this policy or as required by law.

  • Patient messages, care plans, clinical content: Treatment + 15 years (state medical record retention laws).
  • Audio and video recordings: Treatment + 15 years (state medical record retention laws).
  • Audit logs (PHI access records): 6 years (HIPAA § 164.530(j)).
  • Incident reports and risk assessments: 6 years (HIPAA).
  • Business Associate Agreements: Relationship + 6 years (HIPAA).
  • Subscription and billing records: 7 years (tax and accounting requirements).
  • De-identified analytics: Indefinite (no legal restriction; not PHI).

Record Export

Providers may generate clinical record exports on behalf of their patients at any time through the platform. Exports are available in PDF format and include messages, clinical notes, care plans, and mood data. Patients may also request records through our records retrieval process by contacting us at records@trustroomconnect.com.

Archival & Deletion

When a patient account is closed or offboarded:

  1. A complete record export is generated and archived to secure, encrypted long-term storage
  2. Active data is removed from production systems after archive confirmation
  3. Archived records are retained for the minimum legally required retention period, then securely destroyed via cryptographic erasure

Requesting Deletion

You may request deletion of your data by contacting us. Please note that we may be unable to delete certain records that are required to be retained under HIPAA, state medical record laws, or other legal obligations. We will inform you of any such limitations when we process your request.

8. Data Security

We implement comprehensive technical, administrative, and physical safeguards to protect your information, including:

Technical Safeguards:

  • Encryption at rest using AES-256 for all data stores
  • Encryption in transit using TLS 1.2 or higher for all communications
  • Role-based access controls ensuring Providers can only access data for their own patients
  • Immutable audit logging of all PHI access events
  • Automated session timeouts after periods of inactivity
  • PHI-free push notifications — notification alerts never contain health information

Administrative Safeguards:

  • Formal information security policies and procedures (POL-001 through POL-009)
  • Workforce security training requirements
  • Incident response plan with defined escalation procedures
  • Regular risk assessments and vulnerability management

Infrastructure:

  • All data is processed and stored within the United States
  • Cloud infrastructure hosted by providers who maintain SOC 2 Type II, HITRUST, and ISO 27001 certifications
  • All infrastructure providers are bound by Business Associate Agreements
  • No external analytics, error tracking, or monitoring tools that operate outside of BAA-covered infrastructure

For more information about our security practices, visit our Security page.

Regulatory Updates. We actively monitor changes to healthcare privacy and security regulations, including anticipated updates to the HIPAA Security Rule. We are committed to implementing any new requirements within the timelines established by the U.S. Department of Health and Human Services.

9. Children’s Privacy

Patients Ages 13–17

TrustRoom supports the treatment of minors ages 13–17 under the supervision of a licensed Provider when the following conditions are met:

  1. The Provider initiates the minor’s account and determines that TrustRoom is clinically appropriate
  2. A parent or legal guardian provides informed consent through our secure consent workflow, which includes:
    • Identity verification via date-of-birth confirmation
    • Review and electronic signature of a consent document covering telehealth services, privacy practices, and platform usage
    • All consent events are recorded with server-side timestamps, IP addresses, and document hashes for legal non-repudiation

Parental access to a minor’s therapy communications may be limited to protect the therapeutic relationship, in accordance with applicable state and federal laws governing minor mental health treatment.

Children Under 13

We do not knowingly collect personal information from children under 13 years of age. If we learn that we have collected information from a child under 13 without proper parental consent, we will promptly delete that information.

10. Cookies & Tracking Technologies

Clinical Applications (Provider Portal & Patient App)

Our clinical applications use essential cookies only — cookies that are strictly necessary for authentication, security, and platform functionality. We do not use:

  • Advertising or marketing cookies
  • Analytics or behavioral tracking cookies
  • Third-party tracking pixels or beacons
  • Cross-site tracking technologies

Marketing Website (trustroomconnect.com)

Our marketing website uses essential cookies for basic site functionality. We do not use third-party analytics services, advertising pixels, or social media tracking on our marketing website.

Global Privacy Control

We respect browser-based privacy signals, including the Global Privacy Control (“GPC”). When we detect a GPC signal, we treat it as a valid request to opt out of the sale or sharing of personal information.

Third-Party Links

Our platform and website may contain links to third-party websites or services (e.g., crisis hotlines, regulatory complaint portals). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.

11. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), and the Confidentiality of Medical Information Act (“CMIA”).

HIPAA Exemption

Under CCPA § 1798.145(c)(1), medical information that is collected and maintained in accordance with HIPAA is exempt from most CCPA obligations. This means that Protected Health Information processed by TrustRoom under a Business Associate Agreement — including patient messages, clinical notes, care plan data, mood logs, and audio recordings — is governed by HIPAA, not the CCPA. The CCPA rights below apply primarily to non-clinical personal information such as account profile data, usage data, and marketing website interactions.

Your CCPA/CPRA Rights

  • Right to Know: You may request the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of your personal information, subject to HIPAA retention requirements and other legal obligations.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Limit Use of Sensitive Personal Information: You may request that we limit the use or disclosure of your Sensitive Personal Information (as defined by the CPRA) to purposes necessary to provide services.
  • Right to Data Portability: You may request your personal information in a portable and readily usable format that can be transmitted to another entity.
  • Right to Opt Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No action is required on your part.
  • Right of Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

Sensitive Personal Information

Under the CPRA, health-related data collected by TrustRoom constitutes Sensitive Personal Information (“SPI”). We use SPI only as necessary to provide our services as described in this policy. You may request that we limit our use of SPI by contacting us using the information in Section 15.

Automated Decision-Making Technology

TrustRoom uses automated processing (AI) to analyze clinical themes and sentiment in patient messages to support Provider decision-making. This processing is subject to the following:

  • You may request information about the logic involved in the automated processing
  • You may opt out of automated processing by contacting your Provider
  • Automated processing does not produce decisions with legal or similarly significant effects on you — all clinical decisions are made by your Provider

California Confidentiality of Medical Information Act (CMIA)

Under California Civil Code § 56 et seq., TrustRoom is considered a provider of health care for purposes of mental health digital services. We comply with CMIA requirements, including:

  • We will not use or disclose your medical information without your authorization, except as expressly permitted by law
  • We will not use manipulative or deceptive user interfaces (“dark patterns”) to obtain consent
  • We maintain safeguards that meet or exceed CMIA requirements for the confidentiality of medical information

Exercising Your California Rights

To submit a verifiable consumer request, contact us at privacy@trustroomconnect.com or at the address in Section 15. We will verify your identity before processing your request and will respond within 45 days, with the option to extend by an additional 45 days if reasonably necessary.

We do not use authorized agents at this time. We have not sold personal information in the preceding 12 months.

12. New York Privacy Rights

If you are a New York resident, you have additional protections under the New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”).

Data Covered

The SHIELD Act protects “private information,” which includes medical information (any information concerning your medical history, mental or physical condition, or treatment by a healthcare professional) and health insurance information. All patient data maintained by TrustRoom for New York residents falls within these protections.

Security Standards

TrustRoom’s HIPAA-compliant security program satisfies the SHIELD Act’s requirement for “reasonable safeguards,” including administrative, technical, and physical protections for private information.

Breach Notification

In the event of a data breach affecting your private information, we will notify you within 30 days of discovering the breach, as required by the SHIELD Act (as amended December 2024). We will also notify the New York State Attorney General, the Department of State, and the Division of State Police, as required by law.

13. Additional State Privacy Laws

TrustRoom monitors and complies with applicable state privacy laws as they take effect. The following laws may apply to you based on your state of residence:

  • Washington: My Health My Data Act (MHMDA) — Opt-in consent for health data collection; separate consent for sharing. Covered by our registration and consent flows.
  • Texas: Texas Responsible AI Governance Act (TRAIGA) — Plain-language disclosure when AI is used in diagnosis or treatment decisions. AI is disclosed in this policy; providers informed via platform.
  • Illinois: HB 1806 / Wellness & Oversight Act — AI prohibited from making independent therapeutic decisions; patient notification required. AI does not make treatment decisions; providers control all use.
  • Colorado: Colorado Privacy Act (CPA) — Disclosure and opt-out mechanisms for AI use in healthcare. AI opt-out available; disclosed in this policy.
  • Virginia: Consumer Data Protection Act (VCDPA) — Right to access, correct, delete; opt-out of targeted advertising. We do not engage in targeted advertising.
  • Connecticut: CT Data Privacy Act (CTDPA) — Similar to VCDPA; proposed AI safeguards for mental health. Compliance through existing privacy practices.
  • Oregon: Oregon Consumer Privacy Act (OCPA) — Right to know, delete, correct; right to data portability. Record export available upon request.

If you reside in a state with specific privacy legislation and wish to exercise your rights, please contact us using the information in Section 15. We will process your request in accordance with applicable law.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

  1. Email Notification: We will email registered users about material changes before they take effect.
  2. In-App Notice: Active users will be presented with an updated terms acceptance screen upon their next login, which must be accepted before continuing to use the platform.
  3. Website Update: The “Last Updated” date at the top of this page will reflect the most recent revision.
  4. Version Tracking: Each version is numbered and recorded in our quality management system. All consent acceptance events — including version numbers, timestamps, and IP addresses — are retained in our immutable audit log.

We encourage you to review this policy periodically. Your continued use of TrustRoom after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree to the changes, you should discontinue use and contact us to request deletion of your information.

15. Contact Us

If you have questions about this Privacy Policy, wish to exercise any of your rights, or have concerns about how your information is handled:

Privacy Officer

TrustRoom Connect, Inc.

Email: privacy@trustroomconnect.com

General Compliance Inquiries

Email: compliance@trustroomconnect.com

Filing a Complaint

If you believe your privacy rights have been violated, you may:

  1. Contact us directly at the addresses above
  2. File a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights:
    Online: hhs.gov/hipaa/filing-a-complaint
    Phone: 1-800-368-1019
  3. File a complaint with the California Attorney General (for California residents):
    Online: oag.ca.gov
  4. File a complaint with the New York State Attorney General (for New York residents):
    Online: ag.ny.gov

We will not retaliate against you for filing a complaint.

16. Definitions

  • Business Associate (BA): An entity that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity.
  • Covered Entity: A health care provider, health plan, or health care clearinghouse subject to HIPAA.
  • Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form.
  • Sensitive Personal Information (SPI): As defined by the CPRA: personal information revealing health data, precise geolocation, racial or ethnic origin, or other categories specified in Cal. Civ. Code § 1798.140(ae).
  • De-Identified Data: Health information that has been stripped of all 18 HIPAA identifiers per the Safe Harbor method (45 C.F.R. § 164.514(b)(2)) and for which the entity has no actual knowledge it could identify an individual.
  • Automated Decision-Making Technology (ADMT): Technology that processes personal information using computation to make or substantially facilitate a decision.