When you open a mental health app and type how you're really feeling, you're sharing something personal. You should know exactly what happens to that information — who can see it, where it's stored, and whether it could ever be used against you.
This page explains BridgeCalm's approach to privacy and data security in plain language. If you're a therapist evaluating BridgeCalm for your practice, we've included the technical specifics you'll need.
Why privacy matters more in mental health
Mental health data is among the most sensitive information a person can generate. Your mood entries, conversations with Jan, assessment scores, and progress records paint an intimate picture of your inner life.
The U.S. Department of Health and Human Services applies specific protections to mental health information under HIPAA (the Health Insurance Portability and Accountability Act). These protections recognize that mental health data requires a higher standard of care than general health records.
But here's what many people don't realize: most consumer wellness apps are not covered by HIPAA. HIPAA applies to "covered entities" (healthcare providers, insurers) and their "business associates." Once your data flows through an app that doesn't fall into either category, HIPAA protections no longer apply.
BridgeCalm is designed to operate as a business associate when connected to a therapist's practice, which means we maintain HIPAA-compliant protections across the entire data flow — from your phone to your therapist's dashboard.
What HIPAA compliance means in practice
HIPAA compliance isn't a checkbox — it's a set of ongoing requirements defined by the HHS Privacy Rule and Security Rule. For BridgeCalm, this means:
Data encryption. All data is encrypted both in transit (while being sent between your phone and our servers) and at rest (while stored). This uses industry-standard AES-256 encryption — the same standard used by banks and government agencies.
Access controls. Your data is accessible only to you and, if you choose to connect with a therapist, to your specific therapist. BridgeCalm employees cannot read your conversations with Jan, your mood entries, or your assessment scores.
Business Associate Agreements. When a therapist's practice uses BridgeCalm, we enter into a formal Business Associate Agreement (BAA) as required by HHS. This legally binds us to the same privacy standards as the therapist's own practice.
Breach notification. In the unlikely event of a data breach, we follow the HIPAA Breach Notification Rule — affected users and relevant authorities are notified within the required timeframe.
Audit trails. All access to patient data is logged and auditable, as required by the HIPAA Security Rule.
What we will never do
Some commitments are simple enough to state plainly:
- We will never sell your data. Not to advertisers. Not to data brokers. Not to researchers. Not to anyone. Ever.
- We will never use your conversations to train AI models. Your words stay yours.
- We will never share identified data with third parties without your explicit, informed consent.
- We will never serve you ads. BridgeCalm is supported by subscriptions, not advertising.
For therapists: technical details
If you're evaluating BridgeCalm for your practice, here are the specifics you'll want for your compliance review:
Infrastructure. BridgeCalm uses Supabase with PostgreSQL, hosted on SOC 2 Type II compliant infrastructure. All database connections are encrypted via TLS 1.3.
Authentication. Role-based access control ensures therapists see only their own patients' data. Patient data is isolated at the database level.
Data residency. All data is stored in the United States.
Data retention. Patient data is retained for 30 days after account cancellation, then permanently deleted. Patients can export their full data (mood logs, chat transcripts, progress data) at any time before deletion.
Therapist data access. Therapists see patient self-reports only — mood entries, exercise completion, assessment scores, and Jan-generated summaries. All data is labeled as "patient self-report" in the portal interface, consistent with APA guidance on digital mental health tools.
BAA availability. Business Associate Agreements are available for all therapist-tier subscriptions.
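The "isolated at the database level" access control described under Authentication, together with the revocable therapist connection described later on this page, is the kind of rule that PostgreSQL row-level security (RLS) enforces inside the database rather than in application code. The following is an added illustration written for this page, not BridgeCalm's own schema or policies; the table, column and policy names are hypothetical, and `auth.uid()` is Supabase's helper that returns the id of the authenticated user making the request.

```sql
-- Added illustration (not BridgeCalm's schema): therapist/patient isolation
-- with PostgreSQL row-level security, as commonly done on Supabase.
-- All table, column and policy names below are hypothetical.

create table mood_entries (
  id          bigint generated always as identity primary key,
  patient_id  uuid not null,          -- auth user id of the patient
  recorded_at timestamptz not null default now(),
  mood_score  smallint not null check (mood_score between 1 and 10),
  note        text
);

-- A patient's explicit, revocable grant of read access to one therapist.
create table therapist_access (
  patient_id   uuid not null,
  therapist_id uuid not null,
  revoked_at   timestamptz,           -- set when the patient revokes access
  primary key (patient_id, therapist_id)
);

-- Once RLS is enabled, a role that matches no permissive policy sees no rows.
alter table mood_entries     enable row level security;
alter table therapist_access enable row level security;

-- Patients: full control over their own entries and nothing else.
create policy patient_owns_entries on mood_entries
  for all
  using (patient_id = auth.uid())
  with check (patient_id = auth.uid());

-- Therapists: read-only, and only for patients with an unrevoked grant.
-- The subquery is itself evaluated under RLS, so the therapist also needs
-- the select policy on therapist_access defined below.
create policy therapist_reads_linked_patients on mood_entries
  for select
  using (
    exists (
      select 1
      from therapist_access ta
      where ta.patient_id   = mood_entries.patient_id
        and ta.therapist_id = auth.uid()
        and ta.revoked_at   is null
    )
  );

-- Patients create and revoke their own grants; nobody else may alter them.
create policy patient_manages_grants on therapist_access
  for all
  using (patient_id = auth.uid())
  with check (patient_id = auth.uid());

-- Therapists can see only the grants that name them.
create policy therapist_sees_own_grants on therapist_access
  for select
  using (therapist_id = auth.uid());

-- Revocation is a single update by the patient; from that moment the
-- therapist's "select * from mood_entries" returns none of that patient's rows.
-- update therapist_access set revoked_at = now()
--   where patient_id = auth.uid() and therapist_id = '<therapist uuid>';
```

Two caveats matter when reviewing a setup like this. First, the table owner and any superuser bypass RLS unless `alter table ... force row level security` is set, and Supabase's service-role key bypasses RLS entirely, so backend jobs that use it must re-implement the isolation themselves; a compliance review should ask which server-side code holds that key. Second, a policy only restricts what a query returns; it does not produce the audit trail the HIPAA Security Rule requires, so access logging has to be added separately (for example with triggers or database-level query logging).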
AI safety and regulatory positioning
BridgeCalm's AI wellness companion, Jan, operates within strict boundaries:
Jan is not a therapist. Jan does not diagnose, create treatment plans, or make clinical decisions. She is a wellness companion that guides users through evidence-based exercises (CBT, DBT, ACT), tracks mood, and facilitates skill practice. This positioning is deliberate and aligns with emerging state-level regulation.
Crisis routing, not crisis handling. Jan monitors for crisis indicators during conversations. When detected, Jan immediately surfaces professional crisis resources (988 Suicide & Crisis Lifeline, Crisis Text Line) rather than attempting to provide crisis intervention. This is a hard boundary — Jan will never attempt to handle a mental health emergency.
Regulatory alignment. BridgeCalm proactively monitors regulatory developments in AI and mental health:
- NIST AI Risk Management Framework — BridgeCalm aligns with the NIST AI RMF across its four core functions (Govern, Map, Measure, Manage). We document AI system inputs and outputs, measure for bias, and maintain human oversight.
- Illinois HB 1806 — Illinois prohibits AI from providing therapy or therapeutic decision-making. BridgeCalm is designed to operate below this threshold as a wellness support tool, not a therapeutic intervention.
- California SB 243 — California's AI chatbot safeguards law requires protections for minors, including disclosure requirements and suicide/self-harm protocols. BridgeCalm's crisis routing system and age-appropriate content policies are designed with these requirements in mind.
- FDA SaMD guidance — BridgeCalm is not currently classified as a Software as a Medical Device under FDA digital health guidance. We monitor FDA developments to ensure we remain within the appropriate regulatory category for a wellness tool.
Your data, your control
You can export all of your BridgeCalm data at any time — mood logs, chat transcripts, assessment scores, and progress records. If you cancel your subscription, your data is retained for 30 days (in case you return), then permanently deleted.
If you connect with a therapist through BridgeCalm, you control that connection. You can revoke therapist access to your data at any time from your account settings.
Mental health should never require you to trade your privacy. BridgeCalm is built on the belief that you can get better between sessions and keep your personal information exactly where it belongs — with you.
Sources
- U.S. Department of Health and Human Services. "HIPAA and Mental Health." hhs.gov
- U.S. Department of Health and Human Services. "HIPAA Privacy Rule." hhs.gov
- U.S. Department of Health and Human Services. "Access Right, Health Apps, and APIs." hhs.gov
- U.S. Department of Health and Human Services. "HIPAA Privacy Rule and Sharing Info Related to Mental Health." PDF
- American Psychiatric Association. "HIPAA for Psychiatrists." psychiatry.org
- National Institute of Standards and Technology. "AI Risk Management Framework." nist.gov
- NIST AI RMF 1.0 Core Document. PDF
- Illinois IDFPR. "Gov. Pritzker Signs Legislation Prohibiting AI Therapy in Illinois." idfpr.illinois.gov
- California Legislature. "SB 243 — Companion Chatbot Safeguards." leginfo.legislature.ca.gov
- U.S. Food and Drug Administration. "Digital Health Center of Excellence." fda.gov
If you or someone you know is in crisis
Help is available 24/7. Call or text 988 (Suicide & Crisis Lifeline) or text HOME to 741741 (Crisis Text Line). BridgeCalm is a wellness tool, not a crisis service.