Privacy notice

Your data, guarded.

Peacefull is a clinician-supervised behavioral health product. The information you share with us is protected health information (PHI) under HIPAA when you use it in a clinical context, and we treat the rest of your data with the same seriousness.

Last updated: April 2026

What we collect

Three categories.

01

Account and identity.

Name, email, date of birth (to verify you are 18+), authentication factors, and — if you are working with a clinician through Peacefull — the practice association that allows us to share context with them.

02

Clinical and therapeutic content.

The conversations you have with the Peacefull companion, assessments you complete, and any notes you choose to share with your clinician. Treated as PHI, encrypted, and guarded by row-level security.

03

Technical and usage.

Device type, approximate location from IP, session timestamps, and diagnostic telemetry used to keep the product reliable and safe. Never sold. Never brokered to advertisers.

How we use it

Only for the work at hand.

To provide the service.

Supporting you between sessions, generating clinician-visible patterns you have opted to share, and routing escalations when safety signals fire.

To keep it safe.

Fraud prevention, abuse detection, and the clinical safety audits that gate every model update.

To meet legal obligations.

HIPAA, state privacy laws, duty-to-warn where applicable, and valid legal process. We publish the volume of requests in an annual transparency report.

Not for advertising.

We do not sell your data. We do not broker it. We do not train public foundation models on PHI. Ever.

Who we share with

A short list.

Your clinician and practice.

Only the context you have explicitly opted to share. Sharing is off by default and reversible at any time.

Subprocessors under BAA.

Infrastructure and security vendors we rely on — hosting, observability, model inference. Each is covered by a Business Associate Agreement and published on our security page.

Legal process.

Where compelled by valid law. We challenge overbroad requests and notify affected users where we are legally permitted to do so.

Never advertisers.

No ad networks, no data brokers, no analytics vendors with re-identification rights.

Your rights

What you can ask us to do.

Access and export.

You can request a copy of your data in a portable format, any time, at no cost.

Correction.

If something is wrong, tell us. We will correct it or note the dispute in the record.

Deletion.

You can ask us to delete your account and associated data. Some records may be retained where required by law, in the most minimal form permitted.

Withdraw sharing.

You can turn off clinician-visible context at any time. Past shares cannot be unsent, but future ones stop immediately.

Reach the privacy team at privacy@peacefull-ai.io. We respond within 30 days. For HIPAA-specific rights — including breach notification, accounting of disclosures, and requests to restrict uses of your PHI — see the Notice of Privacy Practices.

Retention and security

Kept only as long as it earns its place.

We retain PHI for the duration of the clinical relationship plus the minimum period required by applicable law. Technical data is aged out on defined schedules. The security controls behind all of this — row-level security, MFA, encryption, the audit log you can read — are documented on our security page.

Cookies & tracking

Cookieless by default.

This site uses Vercel Analytics and Vercel Speed Insights, which are cookieless by design — they do not set tracking cookies, do not fingerprint devices, and do not link page views to identifiable users. Because we do not set tracking cookies, we do not show a cookie-consent banner.

Error monitoring (Sentry) runs on this marketing site so we can fix broken forms and pages fast. Sentry collects stack traces and browser metadata; we have disabled personal-data capture (request bodies, headers), and we do not capture session replay. On the clinical product, observability is scoped to BAA-covered subprocessors — see the security page.

Necessary cookies — used for keeping you signed in and for rate-limiting abuse on forms — are the only cookies we set. We do not sell or share personal information with advertisers under any definition.

California residents

Your rights under the CCPA / CPRA.

If you are a California resident, you have specific rights under the California Consumer Privacy Act and the California Privacy Rights Act. Peacefull complies with both.

Right to know.

What personal information we collect, the sources, the purposes, and any third parties we share it with. Our categories are documented above.

Right to delete.

You can request deletion of personal information we hold. Some records may be retained where required by law (HIPAA-covered PHI, for example).

Right to correct.

Request correction of inaccurate personal information. We will correct, or note a dispute in the record, within 45 days.

Right to opt out of sale or sharing.

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. The "Do Not Sell or Share My Personal Information" requirement therefore does not apply — but if our practices ever change, we will surface an opt-out link here and in-product before the change takes effect.

Right to limit sensitive personal information.

Mental-health information is sensitive personal information under CPRA. We use it solely for the service you are receiving — no inferences, no profiling, no advertising use.

Right to non-discrimination.

Exercising any of these rights will not change the price, quality, or availability of the service to you.

To exercise any of the rights above, email privacy@peacefull-ai.io. We respond within 45 days; if we need more time, we will tell you in writing within the first 45 days. You may also designate an authorized agent to submit a request on your behalf — we will verify the agent's authority before acting.

Changes

We will tell you, not hide it.

Material changes to this notice are announced in-product and via email to the account holder at least 30 days before they take effect. Prior versions are kept in our public legal changelog.