Privacy policy

Last updated: 2026-05-16. Pre-launch draft.

1. Who we are

Psyche Assess ("we", "us") operates the assessment platform at psycheassess.com. For the purposes of GDPR, we act as a processor for clinician customers (controllers). Clinician customers determine the lawful basis for processing their clients' data.

2. What we collect

From clinicians: name, work email, registration number (AHPRA / NPI / HCPC), billing details, audit-log metadata of actions taken in the app.
From clients of clinicians: identifying information and assessment responses that the clinician chooses to enter. We minimise what we hold: clinicians may operate in pseudonymous mode and hold PII in their EHR rather than in Psyche Assess.

3. Where we store it

You select your region (EU, US, or AU) at signup. Your data physically remains in that region. We do not transfer PHI across region boundaries for processing.

4. How we secure it

See Security & compliance for technical and organisational measures. Highlights: per-tenant encryption keys, row-level security, append-only audit log, MFA-required clinician access, no third-party trackers behind auth.

5. Subprocessors

We maintain a public list of subprocessors that touch customer data:
  • AWS — hosting (region-pinned).
  • WorkOS — SSO / SCIM / authentication.
  • Deepgram — speech-to-text for PsycheNote AI (audio not retained).
  • Anthropic / Azure OpenAI — LLM provider for note generation.
  • Postmark — transactional email.
  • Twilio — SMS reminders.
  • Stripe — billing.
  • Sentry — error tracking (PHI-scrubbed).
Each has a current BAA or DPA on file. We notify customers in advance of changes.

6. Your rights

You may request access, rectification, erasure, or portability of your data at any time. For data held on behalf of a clinician customer, please contact your clinician first; we facilitate requests through them.

7. Retention

Audit-log entries: retained for 7 years, immutable. Clinical data: retained per the region's clinical-record retention law (HIPAA 6y, NHS 8y+, AU 7y). On account deletion we crypto-shred per-tenant keys after a 30-day grace period.

8. Contact

Privacy questions: privacy@psycheassess.com. EU representative under GDPR Article 27 to be appointed pre-launch.

This is a pre-launch draft and is not a substitute for legal advice. The finalised policy will be reviewed by privacy counsel before general availability.